back to article Android adware that MUST NOT BE NAMED threatens MILLIONS

A popular mobile ad library used by multiple Android apps poses a severe malware threat, researchers at infosec firm FireEye have warned. The security researchers said that altogether 200 million affected apps had been downloaded. This ad library aggressively collects sensitive data and is able to perform dangerous operations …

COMMENTS

This topic is closed for new posts.

Page:

  1. Dave Perry

    Apple (someone had to raise this)

    This would far less likely get through on the iTunes Store - yes it's sometimes annoying how they do their what gets published and what doesn't approach, but security at least they are very tight on.

    1. Loyal Commenter Silver badge

      Re: Apple (someone had to raise this)

      Hmmm. I'm going to go with...

      bollocks

      I don't doubt for a second that there are any number of iOs apps out there with adware, and of those, that some of these adware providers are less that 100% on the ball with their security.

      The only thing that Apple seem to be 'very tight on' is preventing people from producing apps that do things they don't want them to, such as provide a cheaper/better version of some functionality they want to sell to you themselves.

      1. WhoaWhoa

        Re: Apple (someone had to raise this)

        "The only thing that Apple seem to be 'very tight on' is preventing people from producing apps that do things they don't want them to, such as provide a cheaper/better version of some functionality they want to sell to you themselves."

        On a point of information, they're pretty good at silence about their bugs and hardware problems, too. In fact, veritable Man Booker nominees, I should think.

    2. HollyHopDrive

      Re: Apple (someone had to raise this)

      The only reason its far less likely is because the ipolice say which advert libraries you can use. I.e. theirs. While that does limit the risk it also means all your eggs are in one basket should theirs turn out to have a flaw. It also is pretty crappy for the developer to not be able to use best of breed / best revenue return etc that he chooses. So its not as simple as saying ios is more secure (let just say 'phone chargers with malware'!) - its just a vunrability that exists on all platforms when a shared library is compromised by a flaw/bug/whatever...

      So what I'm saying is with freedom comes responsibility - if android users accept stupid level of permissions for their chosen app then expect nonsense like this. If you don't want that level of responsibility and freedom, buy an iPhone and let apple decide what is good for you.

      Personally, I'll stick with the little green android but each to their own. But neither side should be smug about this - "malware - its not just for windows" ;-)

      1. SuccessCase

        Re: Apple (someone had to raise this)

        "So what I'm saying is with freedom comes responsibility"

        Mega platitude. Sounds impressive. But think about it, really think about it, instead of just skimming the words and its as clear as can be that what you have said is actually total nonsense and the best argument against the position you have adopted. It has the the outward clothes of a Shakespearean quote with the inner profundity of Benny Hill.

        With freedom comes freedom, that's all. Freedom for instance to install malware if you so choose.

        What I think you meant to say is that with freedom comes the need to be careful, but then if you actually said that it would have sounded a bit crap.

        1. HollyHopDrive

          Re: Apple (someone had to raise this)

          Sir, you are a fool and an idiot.

          Lets take a slightly easier to understand argument about choice, freedom and responsibility :

          In america you have the freedom to own a firearm. You can have the freedom to shoot whatever you want. However- you have the responsibility of using it wisely and from hurting other people with it. - however responsibility means its not a licence to kill people - when you look down the barrel you CHOOSE whether to pull the trigger - check the target before you fire - YOU ARE RESPONSIBLE FOR YOU ACTIONS with said firearm.

          freedom = gun = *responsible* for own actions and freedom to choose but probably higher risk of getting hurt.

          locked down freedom = no gun = no "difficult" choices to make but can still get shot though not fault of own.

          And thats my point, if you choose android (like I have) I choose to take more precautions before I install software (pull the trigger) and if I don't like what I see, I don't. With IOS I have to assume thats all been done for me. Doesn't mean I won't get hurt - its just somebody else is responsible.

          And if you don't get that I'm assuming the smart phone in your pocket is owned by a dumb ass.

          1. SuccessCase

            Re: Apple (someone had to raise this)

            HollyHopDrive, I apologise for taking the piss out of your post. Re-reading what I wrote I probably thought my reply was funnier than it came across.

            You see there are two ways of taking the meaning of responsibility. As an attribute of how you act or as a something to be faced up to. You will notice I (rather dismissively - apologies again) said your argument was nonsense and the best argument against your position at the same time. Nonsense because when your use of the word "responsible" is taken, as most people take it to mean, as an attribute someone has, you find most people clearly don't want it in relation to keeping malware off their mobile devices.

            With your reply you seem to have ruled out responsibility as an attribute, but instead refer to responsibility, the thing you acquire when you make choices. Responsibility and control being flip sides of the same coin.

            But this is the strong argument against the position you have adopted that I referred to. If I arrive at the edge of the Saharah I am free to trek across it. However I want a guide and I don't want to take responsibility for making all choices about the journey because:

            a) I'm not Ray Mears and don't know the desert

            b) If I make a wrong choice I die

            c) There are other things I *choose* get on with that aren't desert orienteering and survival, such as mountain biking and Skiing

            d) There are guides who are experts and better at it than me.

            Now the thing is regarding my smart-phone and technology, as it happens, I, like many on these forums, actually am a little like Ray Mears. I'm perfectly capable of trekking across the technology "desert" without incident - avoiding viruses, dropping to the command line as needed. But, even so, I still happy for a lift and a guide through the desert, because I've got my mountain biking and skiing and other stuff to concentrate on. I simply not interested in spending my time desert orienteering. And in the mobile world I want to focus on the things I really want to do with my life instead of managing virus scanners on my bloody mobile phone.

            The iPhone is a device, and can only reasonably compared to a police state by way of metaphor and on strict understanding it is a metaphor. Some people on here forget it is a device in civil-life and that Stalin isn't sitting on your shoulder telling you you can never take your eyes off that walled garden displayed on it's screen. You won't be thrown in the Gulag if you decide at some time you want to buy a Nexus 7 instead.

            It is a tool which frees people to do more of what they want to do (getting across the desert to go Skiing and Mountain biking) and less of what they don't want to do (configuring security settings, installing malware defences, auditing app permissions).

            People have freedom over what to do with their lives and can perfectly responsibly choose to delegate desert orientation to experts. Installing AV software, auditing security settings, etc. is simply not an efficient use of most people's time. We are free to choose to do more with our time than that.

          2. PJI

            Re: Apple (someone had to raise this)

            And you are a blinkered, sanctimonious idiot.

            If you think the American way with guns - responsibility works, you must be in a tiny minority. I understand that there are individual American cities with higher death rates through these responsible gun owners than the murder figures for the whole of Britain, or Germany or other countries.

            You also seem to think that, to own or use a mobile 'phone, you must have a good technical understanding and background that was unnecessary to use a land line.

            Or are you suggesting that, for every item one uses, one should have a thorough understanding of it and the design behind it? Do you? When you go to buy, say, a new microwave, do you understand all the computing within it? All the electronics? The mechanics, in working detail, or all the moving parts? Do you insist small children pass a test in how to use a mobile phone, or open the fridge?

            Most of us have enough to do just keeping up with our own professions and living busy lives. Few people even bother to read the instructions of most things that they buy and, most things are well enough built and designed that this is fine. Apple understands this and provides for this market as well as for those who want to go deeper. As Android matures, its resellers and packagers are learning this too, which is one reason why Samsung is doing well.

            Now you need to learn and understand it.

            1. Chimp

              Germany...

              ... over time, has more gun deaths than the US in total, not excepting the Civil War. Largely state owned, interestingly.

              1. Anonymous Coward
                Anonymous Coward

                Re: Germany...

                > ... over time, has more gun deaths than the US in total, not excepting the Civil War. Largely state owned, interestingly.

                Not excepting the world wars either, eh? Other than that your statement would appear to not hold up:

                United States 10.3 (2011) - firearm-related deaths per 100,000 people

                Germany 1.24 (2010) - firearm-related deaths per 100,000 people

                --> http://en.wikipedia.org/wiki/List_of_countries_by_firearm-related_death_rate

                1. Chimp

                  Re: Germany...

                  Dead is dead. And no, let's not except two world wars.

                  1. Anonymous Coward
                    Anonymous Coward

                    Re: Germany...

                    > Dead is dead. And no, let's not except two world wars.

                    OK, so the US with its civil war, Hiroshima, Nagasaki, Vietnam, Iraq, etc. has caused fewer gun deaths than the Nazis, the most vicious killing machine of all time. Congratulations, what an achievement!

                    I still struggle to see your point though. Does that mean in your estimation that US gun laws which today contribute to many times more deaths than Germany's are a good thing? And by extension (a long shot anyway) that Android's permissioning system must thus be better than that of other mobile OSs?

            2. Anonymous Coward
              Anonymous Coward

              Re: Apple (someone had to raise this)

              You are an IGNORANT twat...learn to read statistics dumbass. The cities that have high murder rates are suffering from GANG Violence and Drug Wars.

              These cities are NOT suffering at the hands of responsible gun owners. Responsible gun owners handle guns safely, criminals do not. Even YOUR criminals have guns though you do not.

              These gang members will always have access to guns as they are criminals and no amount of laws or other regulations will ever matter to them. They don't get their guns from legal channels.

              I really wish you people would stop pontificating on subjects that you have absolutely no experience with or using allegories that have no correlation to reality.

              1. Anonymous Coward
                Anonymous Coward

                Re: Apple (someone had to raise this)

                Dear dear! So not only do you have more guns and gun owners out of control, you also have gang and drug problems on the scale of a minor civil war in your major cities. Hmm.

                Odd, many of the "random" incidents of murder of fellow students, workers and so on seem to be committed by people who neighbours, friends, family often thought were decent, quiet types with a normal interest in guns that they had acquired legally, presumably after checks for their responsibility.

                Now you will tell me that all these responsible gun owners managed to stop most of the irresponsible ones. One dreads to think how many more murderous incidents there could be without the responsible owners. You fail to explain why American criminal gangs etc. seem so much better armed, numerous and murderous than their European counterparts. Must be all those responsible gun owners they've got as neighbours.

                Hey, back to "responsible" gadget owners, you know, mobile telephones, microwaves, that sort of thing and the test you would have to make sure only "responsible" people get them, and how you would define "responsible".

                Perhaps it would be better to have design and implementation reflect reality and cater to the end user. That does not prevent the supply of specialist kit for those who want to assemble their own device, just like buying a kit car or a crystal radio kit.

        2. WhoaWhoa

          Re: Apple (someone had to raise this)

          " It has the the outward clothes of a Shakespearean quote with the inner profundity of Benny Hill."

          At least Mr. Hill cut to the chase.

      2. ThomH

        Re: Apple (someone had to raise this) (@HollyHopDrive)

        Apple doesn't stipulate which advert libraries you can use.

        Example third-party libraries with explicit iOS SDKs include Google AdMob (https://developers.google.com/mobile-ads-sdk/download), Flurry AppCircle (http://www.flurry.com/appCircle-a.html), InMobi (http://www.inmobi.com/products/sdk/) and MoPub (http://www.mopub.com/resources/open-source-sdk/).

        The main reason this is far less likely on iOS is that Apple doesn't allow any application to collect text messages, phone call history or contacts. There are no APIs at all for the first two, and contacts can be collected only by a call that shows some Apple-defined user interface and eventually returns a single contact if the user confirms that course of events.

        So on the iOS side it'd have to be a security privilege raising exploit as well as a trojan, rather than merely a trojan.

    3. Anonymous Coward
      Anonymous Coward

      Re: Apple (someone had to raise this)

      The whole Android OS is bascially Adware.

      1. Anonymous Coward
        Anonymous Coward

        Re: Apple (someone had to raise this)

        BULL. The core OS is open-source. If you don't like it, go download the source code and suggest changes.

      2. WhoaWhoa

        Re: Apple (someone had to raise this)

        "The whole Android OS is bascially Adware."

        Yep.

        Ditto iOS.

        Ditto all of them, really.

    4. Captain Scarlet
      Trollface

      Re: Apple (someone had to raise this)

      If you are worried about spyware get a Blackberry, no bugger wants to develop on it :(

      1. Fihart

        Re: Apple (someone had to raise this) @ Captain Scarlet

        I wonder if no-one writes apps for Blackberry is because Blackberry (the company) is a bugger to deal with. They seem the same sort of control freaks as Apple. What with PIN numbers and restriction of the so-called Blackberry Internet Service I'm beginning to wish the bloody thing would break (again) so I'd have to buy an Android. Mind you I'd then have to negotiate with T Mobile to unlock my SIM and credit for use with a non Blackberry phone.

        I guess I'm just not the "prosumer" their delusional mindset imagines will buy the new overpriced OS10 hardware they are pushing, just as consumers, resellers and the banks desert them

    5. WhoaWhoa

      Re: Apple (someone had to raise this)

      "This would far less likely get through on the iTunes Store"

      "iveté, iveté, they've all got naiveté", as Kenneth Williams said. Or something like that.

      http://www.youtube.com/watch?v=kvs4bOMv5Xw

    6. Daniel B.
      Boffin

      Re: Apple (someone had to raise this)

      This would far less likely get through on the iTunes Store

      They already had a boo-boo years ago. Can't remember the name of the apps or the vendor, but it was something like iMob or something like that; the app would slurp your contact list and other stuff and send all that data to the company selling the games. And they had all those apps get through the iBone Store! Which shows that the whole iTunes Store approval process is more of a security theater thing.

  2. Woodgie
    FAIL

    Only just this morning I was reading this...

    http://www.macrumors.com/2013/10/08/eric-schmidt-says-android-is-more-secure-than-the-iphone-prompting-laughter/

    There's so much egg on his face he MUST have been yolking!

    What? It wasn't that bad a joke, was it?

    1. Anonymous Coward
      Anonymous Coward

      Re: Only just this morning I was reading this...

      Android more secure than iphone (comparing OS vs a phone again)

      No fragmentation problem

      I half expected him to wave a piece of paper in the air Chamberlain style!

      1. Anonymous Coward
        Anonymous Coward

        Re: Only just this morning I was reading this...

        "Android more secure than iphone (comparing OS vs a phone again)"

        You are kidding or deluded. Android is based on Java on top of Linux. Both are pretty much top of the pops for security vulenrabilities in their respective fields....

        Not that IOS is much better, but it is better.

        1. Anonymous Coward
          Anonymous Coward

          Re: Only just this morning I was reading this...

          Oops, you've just pointed at the big fat elephant and said "big fat elephant !" Downvotes get levied on truth tellers in proportion to droid rage induced. It's nothing to do with the truth old bean.

          1. ThomH

            Re: Only just this morning I was reading this... (@2nd AC)

            I think the downvotes are more because the Linux kernel and its team are actually pretty good at security, and because Android implements Java via its own Google-specific virtual machine, using none of Oracle's code and therefore shouldn't be tainted with the same brush.

            1. Anonymous Coward
              Anonymous Coward

              Re: Only just this morning I was reading this... (@2nd AC)

              "I think the downvotes are more because the Linux kernel and its team are actually pretty good at security"

              They really are not. There have been well over 900 security vulnerabilities in the Linux kernel alone so far. To put that in perspective, the whole of Windows XP is only on about 500!

              1. Intractable Potsherd

                Re: Only just this morning I was reading this... (@2nd AC)

                "There have been well over 900 security vulnerabilities in the Linux kernel alone so far. To put that in perspective, the whole of Windows XP is only on about 500!"

                Any reliable evidence for this assertion?

        2. WhoaWhoa

          Re: Only just this morning I was reading this...

          "You are kidding or deluded. Android is based on Java on top of Linux. Both are pretty much top of the pops for security vulenrabilities in their respective fields...."

          The part of your argument that won me over was the well-sourced examples and references to comprehensive studies.

  3. Cliff

    Ouch!

    That's nasty. :-(

  4. Jamie Jones Silver badge

    What hasn't been mentioned....

    Whilst the ad app developer has been contacted about the vulnerabilities, no-one seems to have addressed why on Earth the software had this capability in the first place.

    I often authorise apps that ask for excessive permissions, and then disable those permissions (using 'android tuner') one installed. If the app breaks, it is deleted.

    Users should be able to accept/deny certain permissions on install, not just the current 'all or nothing' approach.

    1. Steve Davies 3 Silver badge

      Re: What hasn't been mentioned....

      You raise a good point BUT how many of the millions of average Android users know (or care) about this stuff.

      Sad as it may seem, sometime the Walled Gardens of Apple and Microsoft do have their advantages.

      Perhaps there is a need for a 'security enhanced Android?' that would become the default for the masses but with the ability for us 'geeks' to disable it (at our own risk naturally...)

      1. Zaphod BOFH
        Pint

        Re: What hasn't been mentioned....

        "Perhaps there is a need for a 'security enhanced Android?" - I'd say definitely there is a need for that, but maybe not that way... Why can't we simply manage app permissions, unless we have a rooted device? Or am i missing something?

        1. Anonymous Coward
          Anonymous Coward

          Re: What hasn't been mentioned....

          "Perhaps there is a need for a 'security enhanced Android?"

          May not be possible - the main reason for Android IS data collection (given who created it), so I cannot see Google making your road to non-data supplier a smooth one.

          I think there may be a chance with the Ubuntu phone, as long as none of their own UI guys gets to design the front end (as in "noooo - not Unity...").

          1. Anonymous Coward
            Anonymous Coward

            Re: What hasn't been mentioned....

            ""Perhaps there is a need for a 'security enhanced Android?""

            Or you could just use Windows Phone. It is FIPS 140-2 certified without requiring bolt-ons like Knox on Android....

      2. Chet Mannly

        Re: What hasn't been mentioned....

        "sometime the Walled Gardens of Apple and Microsoft do have their advantages."

        You mean like all those apps on iOS that were caught out deliberately downloading your entire contact list and messages to the app servers a little while back?

        Good protection that...

        1. sabroni Silver badge

          @Chet

          Hmm. Nice argument, but doesn't really address the specific issue, which is a dodgy malware component loaded into loads of apps. A single app in the app store isn't quite the same thing.

          It's not impossible to get malware into the Apple store, but we don't currently have any reports of a compromised library that has made it's way into lots of apps in the Apple store.

          So, better protection than the Play store. Unless you can provide info to the contrary....?

          1. WhoaWhoa

            Re: @Chet

            "A single app in the app store isn't quite the same thing."

            Certainly isn't!

            If I recall correctly the information was being squirted straight back to Apple Mision Control... no third party apps benefiting at Apple's expense.

    2. Tech Hippy

      Re: What hasn't been mentioned....

      That would be an absolute nightmare for app developers.

      How do you deal with an angry user who's blocked a fundamentally required permission for your app and then starts reviewing it poorly because "it doesn't work"?

      1. sabroni Silver badge
        Stop

        Re: What hasn't been mentioned....

        Maybe you should ensure that when your app is denied a permission it fails gracefully and informs the user clearly why it has failed? Or is catching exceptions just too difficult in native Android apps?

        The idea that we shouldn't bother with security because it makes life difficult for developers is ludicrous.

        1. sorry, what?
          Facepalm

          Re: What hasn't been mentioned....

          Sorry... saying it yet again... Google should look at the model that Symbian had for permissions. A user could permanently, or on a case by case basis (interactively), allow or deny the app permission to perform specific actions and the developers knew this was the case so they wrote their code to handle it. A programmer worth his salt knows how to code 'defensively' and how to pop up a message telling the user that if they disallow feature X then the app can't work...

          1. Anonymous Coward
            Anonymous Coward

            Re: What hasn't been mentioned....

            Google should look at the model that Symbian had for permissions. A user could permanently, or on a case by case basis (interactively), allow or deny the app permission to perform specific actions

            Ah. I knew Apple took that idea from somewhere (iOS gives you that control too).

        2. Anonymous Coward
          Anonymous Coward

          Re: What hasn't been mentioned....

          Well, he did say "app developers", not "software developers". Big difference :)

      2. Gannon (J.) Dick
        Coffee/keyboard

        Re: What hasn't been mentioned....

        My little brother gave my big sister an iPad and set it up for her.

        His first set up instruction was ..

        1. Sit back, take a deep breath and imagine you are Swiss*

        Followed by ...

        2. do stuff

        3. Done

        * Whatever is not forbidden is required

      3. Sean Timarco Baggaley

        Re: What hasn't been mentioned....

        'That would be an absolute nightmare for app developers.'

        Tough. It's not the user's job to make life easier for the developer. It's the developer's job to make life easier for the user.

        Android's APIs clearly need a serious rethink if this is such a chore for developers to deal with. iOS app developers have to deal with this kind of thing too and most do so without kicking up a big fuss. (It helps that the relevant iOS APIs are pretty easy to use. Perhaps Google should be aware that the "I" in "API" stands for "Interface" – i.e. developers need good UIs too!)

        'How do you deal with an angry user who's blocked a fundamentally required permission for your app and then starts reviewing it poorly because "it doesn't work"?'

        Oh, I don't know... how about being better at app design and development, catching the errors caused by disabled permissions, and failing gracefully with suitably clear messages and notices to the user explaining why a feature isn't working?

    3. Anonymous Coward
      Anonymous Coward

      Re: What hasn't been mentioned....

      You might but the vast majority of users do not know how to do this.

    4. Nick Ryan Silver badge

      Re: What hasn't been mentioned....

      Whilst the ad app developer has been contacted about the vulnerabilities, no-one seems to have addressed why on Earth the software had this capability in the first place.

      Exactly. Command-and-control functionality doesn't get "accidentally" coded and put into an app library.

      1. WhoaWhoa

        Re: What hasn't been mentioned....

        "Command-and-control functionality doesn't get "accidentally" coded and put into an app library."

        Be reasonable.

        After all, code to harvest wi-fi details and passwords got accidentally put into their roving spy-cars, didn't it?

Page:

This topic is closed for new posts.

Other stories you might like