Malware on the Android platform!



john_spiral
March 5th, 2011, 05:12 PM
http://www.guardian.co.uk/technology/blog/2011/mar/02/android-market-apps-malware

Looks like Google needs to do some serious security work on the Android platform. From a link off the above post, it looks like the malware got root from an exploit of Android's init/udev mechanism.

Too much time counting money not enough time on code quality.

chriswyatt
March 5th, 2011, 08:57 PM
Also part of the responsibility goes to the user who downloads said app. A vulnerability was bound to be exposed sooner or later.

I don't know how sloppy the vulnerability was but Google couldn't possibly think of every possibility and someone's bound to find a hole somewhere, they always do.

aysiu
March 5th, 2011, 11:56 PM
A trojan is a trojan is a trojan. If you give the user any kind of freedom about what to install, the user can be stupid and install malware.

I also think Apple's vetting of the app store is overrated. Remember that kid who snuck a tethering app into the app store under the guise of it being a flashlight app? Apple didn't catch that one until it had been leaked into the press.

Users need to stop relying on Apple, Google, Microsoft, etc. to play "big brother" and protect them. They need to use common sense.

If you gave your car keys and registration to a carjacker, would you blame Toyota or Ford for selling you an easily stolen car?

themarker0
March 6th, 2011, 12:11 AM
You can perfectly secure a system, it is possible

It becomes insecure once a user touches it.

forrestcupp
March 6th, 2011, 03:20 AM
Too much time counting money not enough time on code quality.

You can't have it both ways. You can either have it like the Android market where it's open development and anyone can enter their apps without having to wait on approval, or like the iTunes app store where devs are forced to follow Apple's strict regulations and just hope at the chance to get approved if your app happens to be what Apple is looking for.

How can you blame Google when they're gracious enough to allow anyone to develop apps without micromanaging them?

aysiu
March 6th, 2011, 04:21 AM
You can't have it both ways. You can either have it like the Android market where it's open development and anyone can enter their apps without having to wait on approval, or like the iTunes app store where devs are forced to follow Apple's strict regulations and just hope at the chance to get approved if your app happens to be what Apple is looking for.

How can you blame Google when they're gracious enough to allow anyone to develop apps without micromanaging them?
I disagree.

Apple has random arbitrary guidelines about what is approved or not. (It's too adult, it duplicates core functionality, it's too political, etc.)

Google has no guidelines.

It would be quite simple for Google's guideline to simply be "Cannot be malware."

tgalati4
March 6th, 2011, 06:05 AM
Don't be evil.

lisati
March 6th, 2011, 06:12 AM
You can perfectly secure a system, it is possible

It becomes insecure once a user touches it.

The most secure system I know of is one which gets buried somewhere out of reach, disconnected from absolutely everything it is capable of being connected to. Dismantling it and encasing the parts in concrete as an extra precaution won't hurt either.

themarker0
March 6th, 2011, 06:48 AM
The most secure system I know of is one which gets buried somewhere out of reach, disconnected from absolutely everything it is capable of being connected to. Dismantling it and encasing the parts in concrete as an extra precaution won't hurt either.

In three hundred years there still will be someone stupid enough to dig it up and put an infected USB key in it...

mmsmc
March 6th, 2011, 06:49 AM
the safest computer is the one that blew up in the atomic bomb testing

Copper Bezel
March 6th, 2011, 07:01 AM
Really, I'm just glad it's only this. I've been worried that someone was going to find a vulnerability in a core Android application somewhere, and the headline troubled me for that reason - I'm glad it's only a third-party app.


Too much time counting money not enough time on code quality.

They're not spending all that much time counting money. There's a reason that devs are still flocking to Apple and maybe porting to Android a few months later even though Android's market share is actually greater at present.

If someone had to read every bit of code that went into an Android app to look for malicious potential before it could launch, it'd be quite a strain on the Marketplace's viability, and it'd be a lot more involved than what Apple's doing.

forrestcupp
March 7th, 2011, 04:41 PM
I disagree.

Apple has random arbitrary guidelines about what is approved or not. (It's too adult, it duplicates core functionality, it's too political, etc.)

Google has no guidelines.

It would be quite simple for Google's guideline to simply be "Cannot be malware."

They could, but then they would have to change the whole process to where your apps have to be reviewed and approved. That would end up making it almost as much of a pain as the iTunes app store. That's better for the user, but harder on the developer, and it's supposed to be more "open", right?

They'll probably end up doing that anyway, though.

fuduntu
March 7th, 2011, 04:54 PM
A trojan is a trojan is a trojan. If you give the user any kind of freedom about what to install, the user can be stupid and install malware.

I also think Apple's vetting of the app store is overrated. Remember that kid who snuck a tethering app into the app store under the guise of it being a flashlight app? Apple didn't catch that one until it had been leaked into the press.

Users need to stop relying on Apple, Google, Microsoft, etc. to play "big brother" and protect them. They need to use common sense.

If you gave your car keys and registration to a carjacker, would you blame Toyota or Ford for selling you an easily stolen car?

What if you give your keys to a valet who then uses them to steal your car? Is that your fault?

This is a similar scenario.

The malware hiding in the app store wasn't branded "hey I'm a trojan, install me!!!1".

fuduntu
March 7th, 2011, 04:55 PM
It would be quite simple for Google's guideline to simply be "Cannot be malware."

Malware writer: Oh, a "no malware policy"? curses. (teehee)

aysiu
March 7th, 2011, 05:04 PM
What if you give your keys to a valet who then uses them to steal your car? Is that your fault?
If the valet is not actually a valet, then, yes. Funny how people are a lot more aware of con artists in person than they are of con artists in the virtual world.

Can you imagine someone falling for a random stranger saying "Hey, I'm going to give you a haircut. I'll need access to a list of all your friends and their phone numbers, and I'll also need the keys to your apartment"? And yet plenty of people will install a supposed flashlight program that requests access to everything on their Android systems.

Grenage
March 7th, 2011, 05:11 PM
I'm so thankful I resisted the urge to download Screaming Sexy Japanese Girls...

Freedom comes at a price; everything does.

fuduntu
March 7th, 2011, 05:21 PM
If the valet is not actually a valet, then, yes. Funny how people are a lot more aware of con artists in person than they are of con artists in the virtual world.

Can you imagine someone falling for a random stranger saying "Hey, I'm going to give you a haircut. I'll need access to a list of all your friends and their phone numbers, and I'll also need the keys to your apartment"? And yet plenty of people will install a supposed flashlight program that requests access to everything on their Android systems.

Blaming the victim of a crime isn't the right answer. Your reply is akin to blaming a rape victim for being raped.

Grenage
March 7th, 2011, 05:51 PM
Blaming the victim of a crime isn't the right answer. Your reply is akin to blaming a rape victim for being raped.

While you are correct that it's wrong, and shouldn't be done, an ounce of prevention is worth a pound of cure.

If I leave my front door open, it doesn't give someone the right to steal my stuff, but it does make it a lot more likely.

FoxEWolf
March 7th, 2011, 05:58 PM
I am not surprised. Google has been busy getting all this money and they completely ignore the study to keep their system secure. This is why there is a very common type of adware that will intercept your Google searches and redirect you to an ad site. Stupid Google.

disabledaccount
March 7th, 2011, 06:55 PM
...Google has been busy getting all this money and they completely ignore the study to keep their system secure.
People who blame Google: have you at least read the overview of the Android SDK? This OS has a very good balance between security and ...freedom. The more secure the system, the less freedom for programmers and the more problems for users who want to do something, but aren't allowed. Every app is sandboxed, but it can access almost every part of the HW if it's needed - that's in short. Thanks to that, I can use my crappy, non-upgradable iRobot (Android 1.6) as complete HVAC control and visualisation, because it's still supported by SDK tools and I can have full root access to the system - otherwise I could only throw this device out of the window :)

FoxEWolf
March 7th, 2011, 06:59 PM
People who blame Google: have you at least read the overview of the Android SDK? This OS has a very good balance between security and ...freedom. The more secure the system, the less freedom for programmers and the more problems for users who want to do something, but aren't allowed. Every app is sandboxed, but it can access almost every part of the HW if it's needed - that's in short. Thanks to that, I can use my crappy, non-upgradable iRobot (Android 1.6) as complete HVAC control and visualisation, because it's still supported by SDK tools and I can have full root access to the system - otherwise I could only throw this device out of the window :)

Actually that is a good point, but there is no excuse for the flaw exposing the ability to contract malware. That is like Windows all over again.

Zlatan
March 7th, 2011, 07:08 PM
A trojan is a trojan is a trojan. If you give the user any kind of freedom about what to install, the user can be stupid and install malware.


Sure. But if I see a nice app for my scheduling- how can I be not so stupid and recognize malware if I am not any kind of a coder? Surely I can expect to stay safe while installing apps for my Ubuntu only from repos, but how can I stay safe on Android? Should I study programming and check every code I install or this should be app store provider's care?
And you know what- if I would purchase some medicine from a drug store and I would get some poison instead of it- I would surely sue this poor store for a decent amount of cash or just blow that store out;)

aysiu
March 7th, 2011, 07:43 PM
Blaming the victim of a crime isn't the right answer. Your reply is akin to blaming a rape victim for being raped.
It is not at all the same.

If a con artist who is trying to steal your car is obviously a con artist and you fall for it, you shouldn't blame the car manufacturer for making the car easy to steal.

Yes, the criminal is most certainly at fault, but the user was stupid, and "antivirus" won't help in that situation.

aysiu
March 7th, 2011, 07:48 PM
Sure. But if I see a nice app for my scheduling- how can I be not so stupid and recognize malware if I am not any kind of a coder? Surely I can expect to stay safe while installing apps for my Ubuntu only from repos, but how can I stay safe on Android? Should I study programming and check every code I install or this should be app store provider's care?
No, you shouldn't do any of that. If you look at the malware in the Android Market, it's quite obvious, though. Find me an app that is published by a known corporation (Rovio, Google, Microsoft, Dropbox), that has a lot of downloads, and all positive reviews... and is also malware.

There are clues. Read them.

I am not a programmer, and yet I somehow manage to avoid installing malware on my Android phone.

More importantly, so-called "antivirus" will not help the situation. What will help is Google vetting the Market for malware. Ubuntu and other Linux distributions are pretty good at this. They aren't vetting programs for how offensive or useful or high quality they are, but they would definitely not let malware into the repositories.

So here's what should happen: Google should start screening app submissions for malware. Users should actually be careful about what they download. No one should imagine "antivirus" will do anything useful for Android. People should stop confusing trojans with viruses.

fuduntu
March 7th, 2011, 07:57 PM
It is not at all the same.

If a con artist who is trying to steal your car is obviously a con artist and you fall for it, you shouldn't blame the car manufacturer for making the car easy to steal.

Yes, the criminal is most certainly at fault, but the user was stupid, and "antivirus" won't help in that situation.

I never said con artist, I said valet. I obviously implied that it was not obvious (just as a trojan by definition is non-obvious). ;)

fuduntu
March 7th, 2011, 08:06 PM
No, you shouldn't do any of that. If you look at the malware in the Android Market, it's quite obvious, though. Find me an app that is published by a known corporation (Rovio, Google, Microsoft, Dropbox), that has a lot of downloads, and all positive reviews... and is also malware.

Unintentional, but not beyond the realm of possibility.
Microsoft ships Nimda with .NET (oops) - http://www.securityfocus.com/news/480
Apple ships iPod with Virus (oops) - http://www.apple.com/support/windowsvirus/
Seagate ships hard drives with a virus (oops) - http://www.pcworld.com/article/139576/seagate_ships_virusladen_hard_drives.html



There are clues. Read them.

I am not a programmer, and yet I somehow manage to avoid installing malware on my Android phone.


You can't really say that with 100% certainty. You can be reasonably certain though.



More importantly, so-called "antivirus" will not help the situation. What will help is Google vetting the Market for malware. Ubuntu and other Linux distributions are pretty good at this. They aren't vetting programs for how offensive or useful or high quality they are, but they would definitely not let malware into the repositories.


I agree with this, Google should inspect all submissions for malware. Linux distributions are *OK* at this, but I wouldn't say that we are good because there is just too much code to audit and the rumor of 1,000,000 eyes on the code has failed us often.



So here's what should happen: Google should start screening app submissions for malware. Users should actually be careful about what they download. No one should imagine "antivirus" will do anything useful for Android. People should stop confusing trojans with viruses.

- yes
- yes
- no, one should always expect the unexpected.
- I believe the term used was malware which categorizes both viruses and trojans.

aysiu
March 7th, 2011, 08:06 PM
I never said con artist, I said valet. I obviously implied that it was not obvious (just as a trojan by definition is non-obvious). ;)
Then we aren't sharing assumptions.

From what I can tell, trojans are obvious.

Con artists in real life are not.

aysiu
March 7th, 2011, 08:08 PM
Unintentional, but not beyond the realm of possibility.
Microsoft ships Nimda with .NET (oops) - http://www.securityfocus.com/news/480
Apple ships iPod with Virus (oops) - http://www.apple.com/support/windowsvirus/
Seagate ships hard drives with a virus (oops) - http://www.pcworld.com/article/139576/seagate_ships_virusladen_hard_drives.html
Those are mistakes, though. Those aren't deliberately malicious. Apple didn't say "Heh, heh. Let's put a virus on our iPods!"

Trojans by definition are intended to be secretly malicious.


You can't really say that with 100% certainty. You can be reasonably certain though.
Nobody can say that with 100% certainty. 100% certainty doesn't matter because it's not logically achievable. And please no one make me barf by saying they can be 100% certain because they ran an "antivirus" scan.


I agree with this, Google should inspect all submissions for malware. Linux distributions are *OK* at this, but I wouldn't say that we are good because there is just too much code to audit and the rumor of 1,000,000 eyes on the code has failed us often.
The failure isn't in spotting malware so much as fixing security holes. Since apps are in a sandbox, all Google should have to inspect for the Market is malware.

fuduntu
March 7th, 2011, 08:09 PM
Then we aren't sharing assumptions.

From what I can tell, trojans are obvious.

Con artists in real life are not.

A Trojan horse, or Trojan, is software that appears to perform a desirable function for the user prior to run or install, but (perhaps in addition to the expected function) steals information or harms the system.[1] The term is derived from the Trojan Horse story in Greek mythology.

A destructive program that masquerades as a benign application. Unlike viruses, Trojan horses do not replicate themselves but they can be just as destructive. One of the most insidious types of Trojan horse is a program that claims to rid a computer of viruses but instead introduces viruses onto the computer.
The term comes from the Greek story of the Trojan War, in which the Greeks give a giant wooden horse to their foes, the Trojans, ostensibly as a peace offering. But after the Trojans drag the horse inside their city walls, Greek soldiers sneak out of the horse's hollow belly and open the city gates, allowing their compatriots to pour in and capture Troy.

- http://en.wikipedia.org/wiki/Trojan_horse_(computing)

fuduntu
March 7th, 2011, 08:14 PM
Those are mistakes, though. Those aren't deliberately malicious. Apple didn't say "Heh, heh. Let's put a virus on our iPods!"


I agree, which is why I implied it was unintentional. The very fact that it happens though implies that one can be careful, and still get infected (or attacked, or rooted, or insert appropriate word here).



Trojans by definition are intended to be secretly malicious.


Yes.



Nobody can say that with 100% certainty. 100% certainty doesn't matter because it's not logically achievable. And please no one make me barf by saying they can be 100% certain because they ran an "antivirus" scan.


The sky is blue, my argument is invalid?



The failure isn't in spotting malware so much as fixing security holes. Since apps are in a sandbox, all Google should have to inspect for the Market is malware.

I agree, except that there is history of malware escaping sandboxed Java environments.

http://www.winplanet.com/article/2656-.htm

KiwiNZ
March 7th, 2011, 09:06 PM
The day I assume I am too clever to be caught out by Malware is the day I will stop using computers.

aysiu
March 7th, 2011, 09:36 PM
The day I assume I am too clever to be caught out by Malware is the day I will stop using computers.
I'm not saying all malware, only the obvious ones. So far all the trojans in the Android Market have been obvious.

I don't know when it suddenly became arrogance to expect people to use common sense.

fuduntu
March 7th, 2011, 09:43 PM
I'm not saying all malware, only the obvious ones. So far all the trojans in the Android Market have been obvious.

Google announced that the number is closer to 60 just a bit ago.

http://www.bbc.co.uk/news/technology-12667540

Complete list:

http://blog.mylookout.com/2011/03/security-alert-malware-found-in-official-android-market-droiddream/

More info including info on the DroidDream trojan:

http://www.pcworld.com/article/221478/googles_droiddream_cleanup_faq.html

KiwiNZ
March 7th, 2011, 10:10 PM
I'm not saying all malware, only the obvious ones. So far all the trojans in the Android Market have been obvious.

I don't know when it suddenly became arrogance to expect people to use common sense.

It's not arrogance to expect common sense. My statement is common sense.

aysiu
March 7th, 2011, 10:14 PM
It's not arrogance to expect common sense. My statement is common sense.
Yes, we should all have the common sense to know we aren't invincible and all-knowing and the common sense to recognize easily recognizable malware and not install it.