More Malicious Apps Found On Google Play

suraj.sun writes "We've seen quite a few Android malware discoveries in the recent past, mostly on unofficial Android markets. There was a premium-rate SMS Trojan that not only sent costly SMS messages automatically, but also prevented users' carriers from notifying them of the new charges, a massive Android malware campaign that may be responsible for duping as many as 5 million users, and an malware controlled via SMS. Ars Technica is now reporting another Android malware discovery made by McAfee researcher Carlos Castillo, this time on Google's official app market, Google Play, even after Google announced back in early February that it has started scanning Android apps for malware. Two weeks ago, a separate set of researchers found malicious extensions in the Google Chrome Web Store that could gain complete control of users' Facebook profiles. Quoting the article: 'The repeated discoveries of malware hosted on Google servers underscore the darker side of a market that allows anyone to submit apps with few questions asked. Whatever critics may say about Apple's App Store, which is significantly more selective about the titles it hosts, complaints about malware aren't one of them.'"

Re:It drives me crazy

[alostpacket]

AFAIK, contrary to popular belief Google does not make much off of app sales. That money goes to the user's carrier. Rumor has it this was a back-room deal in the early days of Android to prevent carrier app stores (which were terrible back in the BREW days).

Re:Permissions

[pd0x]

It seems that a good number of apps do this to "find friends" using the app. It would certainly be much better if upon app installation your associated account e-mail was hashed using SHA256 (or some alternative hashing algorithm) and stored by the service. Rather than upload a users entire contact list the apps could then submit hashes of contact e-mail addresses looking for matches without being able to identify users not using the service in question.

Re:And Apple addressed it

[93 Escort Wagon]

And how is that solution different from Android? Android already requires users to authorize apps to read contact details, the problem is that most people don't care. These Android apps are being called malware because they upload the contacts list without permission, which is exactly the same as many ios apps do.

Either you've never looked into this, or you're dissembling. I have an Android phone; and at the time an app is installed Android provides a somewhat generic list of all the things the app will have access to - there are usually a half dozen or so items on that list, and it would be very easy to overlook contact Info since it's somewhat buried among the generic stuff like phone state, network access, and so on.

With iOS, when an app tries to access Contacts - you get a pop-up at that time telling you that and asking if it should be allowed. It's a dramatic improvement over what it used to be, and over what Android currently does.

Re:And Apple addressed it

[Electricity Likes Me]

This, so much this.

Telling me something wants a bunch of vague permissions is about as useless as the iPhone "This app may read private data" message, since pretty much everything wants to do that.

What I want is to be able to see exactly what it's planning to do. If an eBook reader app wants SD cart access, maybe I want to only give it access to the "Books" directory on the card, since it has no reason to look anywhere else. If something wants full web access...well I'd like to prevent that, and then see if the app has any actual problems. Or I'd like to be notified about the hostname's being contacted and whitelist/blacklist them selectively.

Of course, these aren't Android or even smartphone specific problems IMO - it's a problem with providing user security on every single platform in existence. No one's made it suitably simple to tell what an app is doing, or wants to do, and allow or deny that with reasonable, but not owerpowering, fidelity.