Android Users Hit with Malware App

| News

Google's Android platform was recently hit with a malware app thanks to one developer's efforts to slip an application into the Android Marketplace, Google's equivalent of Apple's iPhone App Store, that collects user's bank account information.

The app, called Droid09, posed as an online banking interface, but instead was a phishing tool designed to gain bank logins and account numbers. The app has since been removed from the Android Marketplace.

While Droid09 is a bad mark for the Android platform and the Android Marketplace, it doesn't necessarily mean the Google's smartphone operating system is unsafe. It does, however, show that there's room for improvement in the app screening process at the Android Marketplace.

Droid09 also serves as a reminder that other companies, including Apple, need to watch their app screening processes closely to help avoid similar apps from slipping through in the future.

[Thanks to Slashdot for the heads up.]

Sign Up for the Newsletter

Join the TMO Express Daily Newsletter to get the latest Mac headlines in your e-mail every weekday.

23 Comments Leave Your Own

prak

Those bastards at Apple would never have approved this app. It’s my right to do as I want with my information. Apple should not prevent me from giving it to a malicious third party if that’s what I want to do. Apple’s approval process violates my freedoms!I’m so getting a google phone. They don’t violate my right to be exploited.

Bosco (Brad Hutchings)

It’s really no worse a mark for Android than finding an equivalent pfishing app on MacUpdate or VersionTracker would be for the Mac.

Coincidentally, I listened to a very interesting audiobook this weekend, “Virus of the Mind” by Richard Brodie (yes, he worked for Microsoft, disqualify him now Mac fanbots). His book is about memetics and he identifies four powerful biological based responses through which memes (loosely: “ideas”) spread. One of these responses is fear, and in today’s world where we probably aren’t going to freeze to death or be attacked by a wooly bully mastodon, the biological response is usually exaggerated beyond likely consequences or even worst case consequences.

I bring this up because of Jeff’s last paragraph. A new fear of phishing apps on phones apparently means that developers and users should be inconvenienced by exhaustive app screening processes. Such a process would be completely unable to catch a sophisticated phishing that actually logged you into such an account and made unauthorized use of the credential data on the back end, unless it prohibited all apps that could conceivably hide such an operation. For example, web browsers and mail apps would be totally out (just like on iPhone). Yet our fears justify, even invite, such ineffective intervention, just to placate the fears rather than actually make us safer. Anyone else reminded of the TSA and digital body cavity searches?

Jeff Gamet

Hey Bosco -

You totally hit the nail on the head. While app distributors like Apple and Google have a responsibility to do their part to ensure quality, it’s ultimately up to the end user to follow safe practices to protect themselves.

geoduck

Well said prak.
Though there have been problems with the Apple approval process, this shows why you can’t have an open free-for-all market. The risk is too great for a laissez-faire attitude. Malware can and will not only hurt the one who downloads it, zombie botnets will hurt everyone. There have to be controls. This is why I will be going with an iPhone (once that is I get out from under the $!@#!!&% Rogers Cell contract I’m currently shackled to)

Constable Odo

If I were a hacker, I’d probably have a lot of fun uploading all sorts of malware and disruptive apps, just to screw around with Android fanboys who’d rather tinker with the platform than just use it as a normal user would.  If there were enough problems, I’d like to see if Google would change it’s stance on having any apps being uploaded.  Probably not.  Google doesn’t care one way or another.

Bosco (Brad Hutchings)

People don’t hold you hostage with guns any longer. They use your fears or even your greatest desires. And most don’t even do it consciously. I doubt anyone at Apple has been thinking “hey, if we make them fear all the consequences of being to install their own apps on the iPhone, they’ll be very loyal to us”. But when they stumble upon playing on the fears and the victims react by getting played, the dynamic is just reinforced.

Ultimately, reviewing apps is costly, cumbersome, and not nearly as effective as many would imagine. As Jeff said, as a user of any platform, you need to be cautious about where and how you give account credentials. Just like when people call you on the phone. Just like when you visit web pages. Pay attention to user reviews and user ratings. They are far better indicators of product safety and quality than approval by a gatekeeper. Of course, when a problem is brought to their attention, the storefronts and distributors have a moral obligation (and strong reputation incentive) to stop distributing badly behaved apps. That’s a balanced response that keeps power from shifting too far away from consumers.

P.S. It’s funny to me that geoduck has me blocked. His post is nearly a caricature of overblown fear response as described by Brodie. It’s textbook. Somebody please paste my original post and help him out grin.

doogie

I think that the problem is more one of perception than reality.  Apple owns the app store and it is very closely associated with them.  If they fail to screen out such an app despite the implied promise to do so they get a black eye to their corporate image.

By distancing themselves from the approval process, they would suffer less damage to corporate image, but the iPhone itself would suffer.  Because of the close iPhone/Apple association, Apple loses anyway.

Google seemed to be keeping some distance with Android previously (in the public eye) by branding it separately.  With a release of their own phone, will the association hurt google?  Is Android a big enough project at Google to warrant caring?

Obviously, Apple has a lot of prestige riding on iPhone’s success.

dude

You totally hit the nail on the head. While app distributors like Apple and Google have a responsibility to do their part to ensure quality, it?s ultimately up to the end user to follow safe practices to protect themselves.

This makes no sense. What exactly can the user do here? What “safe practices”? Vague language that carries no meaning.

The only thing that can reasonably be done is for the vendor to monitor reports and do its due diligence, and then react quickly to things as they arise.

jbelkin

Yea, the first to complain about Apple’s system will be the first to have a borked phone - bwwhahahaha.

David Dennis

When I visited the Philippines in February 2006, I made friends with a very nice lady who owned a Nokia 6600 smartphone - much more sophisticated than what we’ve been using in America.  I was impressed by the very nice looking big (for the time) color LCD.  In fact, at that time Philippine cellphones were generally more sophisticated than they are in the US, and were status symbols in a similar way cars are in the USA.

Filipinas love their cellphones, far more at the time than Americans did.  (Now Americans seem to have caught up in the intervening few years).  They are obsessed with texting!  I used to get jealous of them and finally surrendered, so her cellphone was Celly, part of the family.

“I think Celly is sick,” my friend said one day.  “It’s running very slow.”  And sure enough, it was.  It was sending MMS messages containing a virus to everyone in her phone directory.  It turned out that we had just found one of the first cellphone viruses.  It sent MMS messages with some kind of sexual come-on to try and get people to call a premium phone number.  Worse, it was embarassing to her because she was pretty much a prim and proper lady (at least in public), and here she was sending dirty messages all over!

I was able to find F-Secure’s tool to get rid of her virus, but it still left her with a $300 phone bill.  And the phone companies of the Philippines don’t forgive this kind of thing as US phone companies do.  I don’t know if she eventually paid it because we lost touch after my trip, but her income was about $1,000 a month (high for the Philippines) and so this was very harmful to her financially.

Ever since that incident, I’ve been grateful to companies like Apple that vet applications so that malicious people don’t create viruses like that one.  I know the cryptography is a big pain, but I’m glad to see it keeping us safe.  Or at least as safe as we can be in this crazy age.

D

Mikuro

I don’t think we need more screening for applications so much as for developers. There’s no way any application screening process will find a trojan horse that was designed well. Granted, it will take more effort to design a convincing app to get through intensive screening (it might need at least some real functionality), so it would raise the bar a little, but the returns diminish quickly as you try to add more and more barriers.

As in the real world, there’s really no good way to prevent malicious actions here. We can try to make it harder, and we can succeed to a limited degree, but in the cat-and-mouse game, my money will always be on the cat, the predator. The cat only needs to be one step ahead for a moment to win; the mouse needs to be one step ahead indefinitely.

How many man-hours do you want them to spend on screening apps when you know it will NEVER be enough to stop an intelligent enemy? You know you’ll be the one to pay the bill in the end.

So what’s the solution? Well, it’s basically the same as in the real world. There is no solution that will make you feel warm and fuzzy inside. Sorry. We can’t really prevent people from murdering someone, either. Every day I run across thousands of people who could VERY EASILY pull out a knife, gun, or whatever was handy and kill me. If anyone really wants to kill me, all we as a society can do is punish them after the fact and hope that will make the crime unappealing to begin with.

Apple and Google could screen developers. If they verify the identities of the developers before they accept apps, then the developers can be held legally accountable for whatever they do.

That’s really all there is for it: legal enforceability and the emotional fortitude to get through the day in the face of uncertainty. Same as in the real world.

Joe

@Bosco:
“Ultimately, reviewing apps is costly, cumbersome, and not nearly as effective as many would imagine.”

Really? So why is it that with > 100,000 apps over 2 years, there has never been this type of malware on the Mac App Store?

Google, with only a tiny fraction as many users and a few thousand apps has at least one example.

So what type of bizarre logic allows you to conclude that Apple’s reviewing of apps is not effective?

Note: I’m not saying that it’s completely impossible to have malware on the iPhone, but it looks as though Apple has been pretty successful in keeping it away so far - in contrast to your silly assertion.

Joe

@Mikuro
“Apple and Google could screen developers. If they verify the identities of the developers before they accept apps, then the developers can be held legally accountable for whatever they do.”

That’s silly. All the malware authors would have to do is create one legitimate app to get on Apple’s approved list and then start generating malware.

As for the legal responsibility, that clearly doesn’t work. How many virus authors do you know who have been held accountable for their crimes? And what makes you think that Apple wouldn’t get blamed if suddenly malware started popping up in the App Store? Everyone knows Apple would get blamed big time.

Gertrude

The iPhone is inherently more susceptible to attack than an Android device. Apps running on the Android can’t affect other apps or system settings.

Bosco (Brad Hutchings)

Joe, if you want to be held hostage by your fears, you are the silly one. Obviously, you’re not the smart one at any rate. There are plenty of apps on the App Store that gather login credentials for various services that could easily divert these for nefarious purposes. The app screening process has absolutely no way to identify whether apps do this. They would need to be removed after malicious behavior is discovered.

Now, do you think that Apple will announce every app it removes over malware concerns? I know for a fact that it does not because I know of a case where a customer concern was presented to a developer, behavior was explained to Apple, and the app eventually reappeared. Neither party had any interest in making a spectacle of it.

Intruder

The iPhone is inherently more susceptible to attack than an Android device. Apps running on the Android can?t affect other apps or system settings.

Proof of this, please?

Mikuro

@Joe:
“As for the legal responsibility, that clearly doesn?t work. How many virus authors do you know who have been held accountable for their crimes?”

How many had to verify their identities to the places that distributed their viruses? It’s not easy to identify the authors of viruses.

On the occasions when virus makers are identified, they ARE tried. A quick Google search reveals many instances. I remember some as far back as the mid-90s. A few viruses you might remember:

http://abcnews.go.com/Technology/story?id=98866&page=1
http://www.internet-security.ca/internet-security-news-005/sasser-virus-author-arrested.html
http://www.techspot.com/news/25886-cell-phone-virus-author-arrested.html

prak

@geoduck: thanks!

I don’t want to get too off-topic here, so I’ll minimize this unless I’m asked to elaborate. I don’t think Bosco is entirely correct. Since iPhone developers are required to be registered, the most harm they can do is to the point where they are detected. I’m certain once an iPhone app is discovered to be malicious in some way Apple will revoke that developer’s access. They’ve done it for marketing fraud, so it would make no sense for them not to do it for a virus/malware!

Here’s the off topic bit. The rest of Bosco’s explanation sounded quite valid, and brought to mind the most current airline security situation. People seem to be operating under several delusions. One of these is that air travel is an inalienable human right. Another is the odd idea that screening SOME of the people ought to protect us from all terrorism. The only thing that can do that is complete screening of EVERYONE in contact with the plane. I don’t know if such a thing is even possible. But, today’s system is, at the root, a method of guessing who might be dangerous. As long as you’re guessing, you’re going to be wrong sometimes no matter how good you are!

Bosco (Brad Hutchings)

@prak, If you look at my last comment and extrapolate, you might conclude that there has been software removed from the App Store for all sorts of reasons and that some removals have not come to light.

But you’re dead wrong on your airline security and thus, completely wrong on its analogy to app screening. Forget the fact that all of the successful and would-be airplane terrorists since 9/11 have had a particular religious and regional connection. Forget that this is relevant because most religious and philosophical traditions are not compatible with blowing one’s self up along with 200-300 others on an airplane. The problem is information overload. With more items to screen, the error rate along the accept/reject axis will necessarily go up. Furthermore, as exploits are discovered, the amount of screening per item (and thus, cost per item) goes up as we chase the last threat.

It is far better for all of us that we confront fear and put it in perspective, then make sure that we have a course of action when bad things happen. In the case of airplane terrorists, we have the Flight 93 guys and that Dutch kid who kicked the crap out of the taint bomber on Christmas Day. In the case of app stores, we have the ability to remove rogue apps. All the extensive screening is just a show to make us feel safe when we really are not.

gslusher

The iPhone is inherently more susceptible to attack than an Android device. Apps running on the Android can?t affect other apps or system settings.

Proof? As I understand it, iPhone apps are “sandboxed” and kept away from each other’s data.

In Android phones, the “multitasking” can lead to just the sort of phishing and other malware problems discussed. Android allows apps to run in the background without the user being aware of them. One of the most popular apps for Android phones is a “task killer” that lets the user determine which tasks are running and selectively them. (Rather like Activity Monitor, I would guess.) The primary purpose is to shut down processes that are slowing down the phone and eating up battery life, but it could also be used to stop malware, if one can figure out what each process is doing from cryptic names.

gslusher

That?s silly. All the malware authors would have to do is create one legitimate app to get on Apple?s approved list and then start generating malware.

If they do, Apple can literally kill all their apps the next time an iPhone is synced. They’ve already done that.

I agree with Bosco about the airline security—to a point. There is certainly SOME benefit from screening: potential passengers have been caught with banned stuff, including loaded weapons. A student works for TSA. Her crew has found knives, throwing stars, etc. in carry-on luggage. (Those are OK in checked luggage.) However, there are rapidly diminishing returns to ever-tighter screening and Bosco is right that what is needed is a way to respond when something does happen. Some airline pilots lobbied for the right to carry handguns. The ability to disperse a non-lethal incapacitating agent through the ventilation system might be another option. It might injure or even kill some vulnerable passengers, but could prevent more serious disasters. A policy of ignoring threats, even to passengers and flight attendants, could also help. Sometimes, one may have to risk harming a few to save many.

Intruder

Gertrude sounds like drive-by astroturfing.

Chas

This might seem like a silly question to all of you who are apparently omnipresent and extremely well-informed, but it seems obvious to me: “Why is everyone assuming that when Apple ‘vets’ an app, they don’t check and see where information is being transmitted and require the company to provide proof of its end-use?”

I ask because, correct me if I’m wrong, but ALL information on the Internet is ultimately traceable, usually pretty easily.  In order to transmit information, you have to transmit it somewhere, using something, and those Somewheres and Somethings are extensively monitored and recorded.

Any thoughts?

Log-in to comment