Android adware that MUST NOT BE NAMED threatens MILLIONS

A popular mobile ad library used by multiple Android apps poses a severe malware threat, researchers at infosec firm FireEye have warned. The security researchers said that altogether 200 million affected apps had been downloaded. This ad library aggressively collects sensitive data and is able to perform dangerous operations …

COMMENTS

This topic is closed for new posts.
  1. Dave Perry

    Apple (someone had to raise this)

    This would far less likely get through on the iTunes Store - yes it's sometimes annoying how they do their what gets published and what doesn't approach, but security at least they are very tight on.

    1. Loyal Commenter Silver badge

      Re: Apple (someone had to raise this)

      Hmmm. I'm going to go with...

      bollocks

      I don't doubt for a second that there are any number of iOS apps out there with adware, and of those, that some of these adware providers are less than 100% on the ball with their security.

      The only thing that Apple seem to be 'very tight on' is preventing people from producing apps that do things they don't want them to, such as provide a cheaper/better version of some functionality they want to sell to you themselves.

      1. WhoaWhoa

        Re: Apple (someone had to raise this)

        "The only thing that Apple seem to be 'very tight on' is preventing people from producing apps that do things they don't want them to, such as provide a cheaper/better version of some functionality they want to sell to you themselves."

        On a point of information, they're pretty good at silence about their bugs and hardware problems, too. In fact, veritable Man Booker nominees, I should think.

    2. HollyHopDrive

      Re: Apple (someone had to raise this)

      The only reason it's far less likely is because the ipolice say which advert libraries you can use. I.e. theirs. While that does limit the risk it also means all your eggs are in one basket should theirs turn out to have a flaw. It also is pretty crappy for the developer to not be able to use best of breed / best revenue return etc that he chooses. So it's not as simple as saying ios is more secure (let's just say 'phone chargers with malware'!) - it's just a vulnerability that exists on all platforms when a shared library is compromised by a flaw/bug/whatever...

      So what I'm saying is with freedom comes responsibility - if android users accept stupid level of permissions for their chosen app then expect nonsense like this. If you don't want that level of responsibility and freedom, buy an iPhone and let apple decide what is good for you.

      Personally, I'll stick with the little green android but each to their own. But neither side should be smug about this - "malware - it's not just for windows" ;-)

      1. SuccessCase

        Re: Apple (someone had to raise this)

        "So what I'm saying is with freedom comes responsibility"

        Mega platitude. Sounds impressive. But think about it, really think about it, instead of just skimming the words and it's as clear as can be that what you have said is actually total nonsense and the best argument against the position you have adopted. It has the outward clothes of a Shakespearean quote with the inner profundity of Benny Hill.

        With freedom comes freedom, that's all. Freedom for instance to install malware if you so choose.

        What I think you meant to say is that with freedom comes the need to be careful, but then if you actually said that it would have sounded a bit crap.

        1. HollyHopDrive

          Re: Apple (someone had to raise this)

          Sir, you are a fool and an idiot.

          Let's take a slightly easier to understand argument about choice, freedom and responsibility :

          In America you have the freedom to own a firearm. You can have the freedom to shoot whatever you want. However- you have the responsibility of using it wisely and from hurting other people with it. - however responsibility means it's not a licence to kill people - when you look down the barrel you CHOOSE whether to pull the trigger - check the target before you fire - YOU ARE RESPONSIBLE FOR YOUR ACTIONS with said firearm.

          freedom = gun = *responsible* for own actions and freedom to choose but probably higher risk of getting hurt.

          locked down freedom = no gun = no "difficult" choices to make but can still get shot though not fault of own.

          And that's my point, if you choose android (like I have) I choose to take more precautions before I install software (pull the trigger) and if I don't like what I see, I don't. With IOS I have to assume that's all been done for me. Doesn't mean I won't get hurt - it's just somebody else is responsible.

          And if you don't get that I'm assuming the smart phone in your pocket is owned by a dumb ass.

          1. SuccessCase

            Re: Apple (someone had to raise this)

            HollyHopDrive, I apologise for taking the piss out of your post. Re-reading what I wrote I probably thought my reply was funnier than it came across.

            You see there are two ways of taking the meaning of responsibility. As an attribute of how you act or as something to be faced up to. You will notice I (rather dismissively - apologies again) said your argument was nonsense and the best argument against your position at the same time. Nonsense because when your use of the word "responsible" is taken, as most people take it to mean, as an attribute someone has, you find most people clearly don't want it in relation to keeping malware off their mobile devices.

            With your reply you seem to have ruled out responsibility as an attribute, but instead refer to responsibility, the thing you acquire when you make choices. Responsibility and control being flip sides of the same coin.

            But this is the strong argument against the position you have adopted that I referred to. If I arrive at the edge of the Sahara I am free to trek across it. However I want a guide and I don't want to take responsibility for making all choices about the journey because:

            a) I'm not Ray Mears and don't know the desert

            b) If I make a wrong choice I die

            c) There are other things I *choose* to get on with that aren't desert orienteering and survival, such as mountain biking and Skiing

            d) There are guides who are experts and better at it than me.

            Now the thing is regarding my smart-phone and technology, as it happens, I, like many on these forums, actually am a little like Ray Mears. I'm perfectly capable of trekking across the technology "desert" without incident - avoiding viruses, dropping to the command line as needed. But, even so, I'm still happy for a lift and a guide through the desert, because I've got my mountain biking and skiing and other stuff to concentrate on. I'm simply not interested in spending my time desert orienteering. And in the mobile world I want to focus on the things I really want to do with my life instead of managing virus scanners on my bloody mobile phone.

            The iPhone is a device, and can only reasonably be compared to a police state by way of metaphor and on strict understanding it is a metaphor. Some people on here forget it is a device in civil-life and that Stalin isn't sitting on your shoulder telling you you can never take your eyes off that walled garden displayed on its screen. You won't be thrown in the Gulag if you decide at some time you want to buy a Nexus 7 instead.

            It is a tool which frees people to do more of what they want to do (getting across the desert to go Skiing and Mountain biking) and less of what they don't want to do (configuring security settings, installing malware defences, auditing app permissions).

            People have freedom over what to do with their lives and can perfectly responsibly choose to delegate desert orientation to experts. Installing AV software, auditing security settings, etc. is simply not an efficient use of most people's time. We are free to choose to do more with our time than that.

          2. PJI

            Re: Apple (someone had to raise this)

            And you are a blinkered, sanctimonious idiot.

            If you think the American way with guns - responsibility works, you must be in a tiny minority. I understand that there are individual American cities with higher death rates through these responsible gun owners than the murder figures for the whole of Britain, or Germany or other countries.

            You also seem to think that, to own or use a mobile 'phone, you must have a good technical understanding and background that was unnecessary to use a land line.

            Or are you suggesting that, for every item one uses, one should have a thorough understanding of it and the design behind it? Do you? When you go to buy, say, a new microwave, do you understand all the computing within it? All the electronics? The mechanics, in working detail, or all the moving parts? Do you insist small children pass a test in how to use a mobile phone, or open the fridge?

            Most of us have enough to do just keeping up with our own professions and living busy lives. Few people even bother to read the instructions of most things that they buy and, most things are well enough built and designed that this is fine. Apple understands this and provides for this market as well as for those who want to go deeper. As Android matures, its resellers and packagers are learning this too, which is one reason why Samsung is doing well.

            Now you need to learn and understand it.

            1. Chimp

              Germany...

              ... over time, has more gun deaths than the US in total, not excepting the Civil War. Largely state owned, interestingly.

              1. Anonymous Coward

                Re: Germany...

                > ... over time, has more gun deaths than the US in total, not excepting the Civil War. Largely state owned, interestingly.

                Not excepting the world wars either, eh? Other than that your statement would appear to not hold up:

                United States 10.3 (2011) - firearm-related deaths per 100,000 people

                Germany 1.24 (2010) - firearm-related deaths per 100,000 people

                --> http://en.wikipedia.org/wiki/List_of_countries_by_firearm-related_death_rate

                1. Chimp

                  Re: Germany...

                  Dead is dead. And no, let's not except two world wars.

                  1. Anonymous Coward

                    Re: Germany...

                    > Dead is dead. And no, let's not except two world wars.

                    OK, so the US with its civil war, Hiroshima, Nagasaki, Vietnam, Iraq, etc. has caused fewer gun deaths than the Nazis, the most vicious killing machine of all time. Congratulations, what an achievement!

                    I still struggle to see your point though. Does that mean in your estimation that US gun laws which today contribute to many times more deaths than Germany's are a good thing? And by extension (a long shot anyway) that Android's permissioning system must thus be better than that of other mobile OSs?

            2. Anonymous Coward

              Re: Apple (someone had to raise this)

              You are an IGNORANT twat...learn to read statistics dumbass. The cities that have high murder rates are suffering from GANG Violence and Drug Wars.

              These cities are NOT suffering at the hands of responsible gun owners. Responsible gun owners handle guns safely, criminals do not. Even YOUR criminals have guns though you do not.

              These gang members will always have access to guns as they are criminals and no amount of laws or other regulations will ever matter to them. They don't get their guns from legal channels.

              I really wish you people would stop pontificating on subjects that you have absolutely no experience with or using allegories that have no correlation to reality.

              1. Anonymous Coward

                Re: Apple (someone had to raise this)

                Dear dear! So not only do you have more guns and gun owners out of control, you also have gang and drug problems on the scale of a minor civil war in your major cities. Hmm.

                Odd, many of the "random" incidents of murder of fellow students, workers and so on seem to be committed by people who neighbours, friends, family often thought were decent, quiet types with a normal interest in guns that they had acquired legally, presumably after checks for their responsibility.

                Now you will tell me that all these responsible gun owners managed to stop most of the irresponsible ones. One dreads to think how many more murderous incidents there could be without the responsible owners. You fail to explain why American criminal gangs etc. seem so much better armed, numerous and murderous than their European counterparts. Must be all those responsible gun owners they've got as neighbours.

                Hey, back to "responsible" gadget owners, you know, mobile telephones, microwaves, that sort of thing and the test you would have to make sure only "responsible" people get them, and how you would define "responsible".

                Perhaps it would be better to have design and implementation reflect reality and cater to the end user. That does not prevent the supply of specialist kit for those who want to assemble their own device, just like buying a kit car or a crystal radio kit.

        2. WhoaWhoa

          Re: Apple (someone had to raise this)

          "It has the outward clothes of a Shakespearean quote with the inner profundity of Benny Hill."

          At least Mr. Hill cut to the chase.

      2. ThomH

        Re: Apple (someone had to raise this) (@HollyHopDrive)

        Apple doesn't stipulate which advert libraries you can use.

        Example third-party libraries with explicit iOS SDKs include Google AdMob (https://developers.google.com/mobile-ads-sdk/download), Flurry AppCircle (http://www.flurry.com/appCircle-a.html), InMobi (http://www.inmobi.com/products/sdk/) and MoPub (http://www.mopub.com/resources/open-source-sdk/).

        The main reason this is far less likely on iOS is that Apple doesn't allow any application to collect text messages, phone call history or contacts. There are no APIs at all for the first two, and contacts can be collected only by a call that shows some Apple-defined user interface and eventually returns a single contact if the user confirms that course of events.

        So on the iOS side it'd have to be a security privilege raising exploit as well as a trojan, rather than merely a trojan.

    3. Anonymous Coward

      Re: Apple (someone had to raise this)

      The whole Android OS is basically Adware.

      1. Anonymous Coward

        Re: Apple (someone had to raise this)

        BULL. The core OS is open-source. If you don't like it, go download the source code and suggest changes.

      2. WhoaWhoa

        Re: Apple (someone had to raise this)

        "The whole Android OS is basically Adware."

        Yep.

        Ditto iOS.

        Ditto all of them, really.

    4. Captain Scarlet Silver badge
      Trollface

      Re: Apple (someone had to raise this)

      If you are worried about spyware get a Blackberry, no bugger wants to develop on it :(

      1. Fihart

        Re: Apple (someone had to raise this) @ Captain Scarlet

        I wonder if no-one writes apps for Blackberry because Blackberry (the company) is a bugger to deal with. They seem the same sort of control freaks as Apple. What with PIN numbers and restriction of the so-called Blackberry Internet Service I'm beginning to wish the bloody thing would break (again) so I'd have to buy an Android. Mind you I'd then have to negotiate with T Mobile to unlock my SIM and credit for use with a non Blackberry phone.

        I guess I'm just not the "prosumer" their delusional mindset imagines will buy the new overpriced OS10 hardware they are pushing, just as consumers, resellers and the banks desert them.

    5. WhoaWhoa

      Re: Apple (someone had to raise this)

      "This would far less likely get through on the iTunes Store"

      "iveté, iveté, they've all got naiveté", as Kenneth Williams said. Or something like that.

      http://www.youtube.com/watch?v=kvs4bOMv5Xw

    6. Daniel B.
      Boffin

      Re: Apple (someone had to raise this)

      This would far less likely get through on the iTunes Store

      They already had a boo-boo years ago. Can't remember the name of the apps or the vendor, but it was something like iMob or something like that; the app would slurp your contact list and other stuff and send all that data to the company selling the games. And they had all those apps get through the iBone Store! Which shows that the whole iTunes Store approval process is more of a security theater thing.

  2. Woodgie
    FAIL

    Only just this morning I was reading this...

    http://www.macrumors.com/2013/10/08/eric-schmidt-says-android-is-more-secure-than-the-iphone-prompting-laughter/

    There's so much egg on his face he MUST have been yolking!

    What? It wasn't that bad a joke, was it?

    1. Anonymous Coward

      Re: Only just this morning I was reading this...

      Android more secure than iphone (comparing OS vs a phone again)

      No fragmentation problem

      I half expected him to wave a piece of paper in the air Chamberlain style!

      1. Anonymous Coward

        Re: Only just this morning I was reading this...

        "Android more secure than iphone (comparing OS vs a phone again)"

        You are kidding or deluded. Android is based on Java on top of Linux. Both are pretty much top of the pops for security vulnerabilities in their respective fields....

        Not that IOS is much better, but it is better.

        1. Anonymous Coward

          Re: Only just this morning I was reading this...

          Oops, you've just pointed at the big fat elephant and said "big fat elephant !" Downvotes get levied on truth tellers in proportion to droid rage induced. It's nothing to do with the truth old bean.

          1. ThomH

            Re: Only just this morning I was reading this... (@2nd AC)

            I think the downvotes are more because the Linux kernel and its team are actually pretty good at security, and because Android implements Java via its own Google-specific virtual machine, using none of Oracle's code and therefore shouldn't be tainted with the same brush.

            1. Anonymous Coward

              Re: Only just this morning I was reading this... (@2nd AC)

              "I think the downvotes are more because the Linux kernel and its team are actually pretty good at security"

              They really are not. There have been well over 900 security vulnerabilities in the Linux kernel alone so far. To put that in perspective, the whole of Windows XP is only on about 500!

              1. Intractable Potsherd

                Re: Only just this morning I was reading this... (@2nd AC)

                "There have been well over 900 security vulnerabilities in the Linux kernel alone so far. To put that in perspective, the whole of Windows XP is only on about 500!"

                Any reliable evidence for this assertion?

        2. WhoaWhoa

          Re: Only just this morning I was reading this...

          "You are kidding or deluded. Android is based on Java on top of Linux. Both are pretty much top of the pops for security vulnerabilities in their respective fields...."

          The part of your argument that won me over was the well-sourced examples and references to comprehensive studies.

  3. Cliff

    Ouch!

    That's nasty. :-(

  4. Jamie Jones Silver badge

    What hasn't been mentioned....

    Whilst the ad app developer has been contacted about the vulnerabilities, no-one seems to have addressed why on Earth the software had this capability in the first place.

    I often authorise apps that ask for excessive permissions, and then disable those permissions (using 'android tuner') once installed. If the app breaks, it is deleted.

    Users should be able to accept/deny certain permissions on install, not just the current 'all or nothing' approach.

    1. Steve Davies 3 Silver badge

      Re: What hasn't been mentioned....

      You raise a good point BUT how many of the millions of average Android users know (or care) about this stuff.

      Sad as it may seem, sometimes the Walled Gardens of Apple and Microsoft do have their advantages.

      Perhaps there is a need for a 'security enhanced Android?' that would become the default for the masses but with the ability for us 'geeks' to disable it (at our own risk naturally...)

      1. Zaphod BOFH
        Pint

        Re: What hasn't been mentioned....

        "Perhaps there is a need for a 'security enhanced Android?" - I'd say definitely there is a need for that, but maybe not that way... Why can't we simply manage app permissions, unless we have a rooted device? Or am I missing something?

        1. Anonymous Coward

          Re: What hasn't been mentioned....

          "Perhaps there is a need for a 'security enhanced Android?"

          May not be possible - the main reason for Android IS data collection (given who created it), so I cannot see Google making your road to non-data supplier a smooth one.

          I think there may be a chance with the Ubuntu phone, as long as none of their own UI guys gets to design the front end (as in "noooo - not Unity...").

          1. Anonymous Coward

            Re: What hasn't been mentioned....

            ""Perhaps there is a need for a 'security enhanced Android?""

            Or you could just use Windows Phone. It is FIPS 140-2 certified without requiring bolt-ons like Knox on Android....

      2. Chet Mannly

        Re: What hasn't been mentioned....

        "sometimes the Walled Gardens of Apple and Microsoft do have their advantages."

        You mean like all those apps on iOS that were caught out deliberately downloading your entire contact list and messages to the app servers a little while back?

        Good protection that...

        1. sabroni Silver badge

          @Chet

          Hmm. Nice argument, but doesn't really address the specific issue, which is a dodgy malware component loaded into loads of apps. A single app in the app store isn't quite the same thing.

          It's not impossible to get malware into the Apple store, but we don't currently have any reports of a compromised library that has made its way into lots of apps in the Apple store.

          So, better protection than the Play store. Unless you can provide info to the contrary....?

          1. WhoaWhoa

            Re: @Chet

            "A single app in the app store isn't quite the same thing."

            Certainly isn't!

            If I recall correctly the information was being squirted straight back to Apple Mission Control... no third party apps benefiting at Apple's expense.

    2. Tech Hippy

      Re: What hasn't been mentioned....

      That would be an absolute nightmare for app developers.

      How do you deal with an angry user who's blocked a fundamentally required permission for your app and then starts reviewing it poorly because "it doesn't work"?

      1. sabroni Silver badge
        Stop

        Re: What hasn't been mentioned....

        Maybe you should ensure that when your app is denied a permission it fails gracefully and informs the user clearly why it has failed? Or is catching exceptions just too difficult in native Android apps?

        The idea that we shouldn't bother with security because it makes life difficult for developers is ludicrous.

        1. sorry, what?
          Facepalm

          Re: What hasn't been mentioned....

          Sorry... saying it yet again... Google should look at the model that Symbian had for permissions. A user could permanently, or on a case by case basis (interactively), allow or deny the app permission to perform specific actions and the developers knew this was the case so they wrote their code to handle it. A programmer worth his salt knows how to code 'defensively' and how to pop up a message telling the user that if they disallow feature X then the app can't work...

          1. Anonymous Coward

            Re: What hasn't been mentioned....

            Google should look at the model that Symbian had for permissions. A user could permanently, or on a case by case basis (interactively), allow or deny the app permission to perform specific actions

            Ah. I knew Apple took that idea from somewhere (iOS gives you that control too).

        2. Anonymous Coward

          Re: What hasn't been mentioned....

          Well, he did say "app developers", not "software developers". Big difference :)

      2. Gannon (J.) Dick
        Coffee/keyboard

        Re: What hasn't been mentioned....

        My little brother gave my big sister an iPad and set it up for her.

        His first set up instruction was ..

        1. Sit back, take a deep breath and imagine you are Swiss*

        Followed by ...

        2. do stuff

        3. Done

        * Whatever is not forbidden is required

      3. Sean Timarco Baggaley

        Re: What hasn't been mentioned....

        'That would be an absolute nightmare for app developers.'

        Tough. It's not the user's job to make life easier for the developer. It's the developer's job to make life easier for the user.

        Android's APIs clearly need a serious rethink if this is such a chore for developers to deal with. iOS app developers have to deal with this kind of thing too and most do so without kicking up a big fuss. (It helps that the relevant iOS APIs are pretty easy to use. Perhaps Google should be aware that the "I" in "API" stands for "Interface" – i.e. developers need good UIs too!)

        'How do you deal with an angry user who's blocked a fundamentally required permission for your app and then starts reviewing it poorly because "it doesn't work"?'

        Oh, I don't know... how about being better at app design and development, catching the errors caused by disabled permissions, and failing gracefully with suitably clear messages and notices to the user explaining why a feature isn't working?

    3. Anonymous Coward

      Re: What hasn't been mentioned....

      You might but the vast majority of users do not know how to do this.

    4. Nick Ryan Silver badge

      Re: What hasn't been mentioned....

      Whilst the ad app developer has been contacted about the vulnerabilities, no-one seems to have addressed why on Earth the software had this capability in the first place.

      Exactly. Command-and-control functionality doesn't get "accidentally" coded and put into an app library.

      1. WhoaWhoa

        Re: What hasn't been mentioned....

        "Command-and-control functionality doesn't get "accidentally" coded and put into an app library."

        Be reasonable.

        After all, code to harvest wi-fi details and passwords got accidentally put into their roving spy-cars, didn't it?

    5. Anonymous Coward

      iOS authorisation is easier..

      I often authorise apps that ask for excessive permissions, and then disable those permissions (using 'android tuner') once installed. If the app breaks, it is deleted.

      This is actually what I prefer in iOS, the fact that it is quite granular about permissions. The "Android way" is to have it all or the app won't install, where an iOS app will happily install but will then tell you that it needs xyz access to do its job. TomTom, for instance, is rather pointless without location services, but I don't let it access my contacts for addresses - it's a choice I get to make on iOS.

      I see from the comment that you can download an Android app to retro-actively adjust permissions to something more sensible, but in my opinion that should be part of the OS. I don't trust Google at the best of times, and I want to know why Google itself has an app killswitch and app remote load ability - AFAIK, Apple hasn't tried to pull that one yet.

    6. Roland6 Silver badge

      Re: What hasn't been mentioned....

      Also what hasn't been mentioned is the changes Google made to their Developers Policy and the Content policy section back in August 2013, which seems to outlaw some of the behaviours being seen.

      Another point is that looking at related research on the web, it would seem that the functionality of the ad library may also be different depending upon whether the app was downloaded from Play or a third-party site...

  5. Robert Ramsay

    MUST NOT BE NAMED

    ...is it called Hastur?

    1. ratfox
      Happy

      Re: MUST NOT BE NAMED

      Who?

      1. Destroy All Monsters Silver badge

        Re: MUST NOT BE NAMED

        fnord!

        1. Not That Andrew

          Re: MUST NOT BE NAMED

          The King in Yellow, you mean?

    2. Roland6 Silver badge

      Re: MUST NOT BE NAMED

      Web searches reveal that FireEye aren't the first to tread these waters in recent times and a Trend report does name the worst offenders (yes more than one!).

  6. Destroy All Monsters Silver badge
    Holmes

    Quite likely a "deniable" spy & control effort by some TLA/MLA

    Do Androids dream of electric trojan horses?

    Clearly served.

    What's that? You want a black helicopter icon? Really, now. This is 2013.

  7. Crisp

    Detailed information will be provided to FireEye's customers

    And that I suspect is why they aren't naming the culprit.

    Screw the poor users. FireEye wants money!

    1. sabroni Silver badge

      Re: Screw the poor users. FireEye wants money!

      How unusual! Most companies run on fairy dust and pixie tears!

      1. Vector

        Re: Screw the poor users. FireEye wants money!

        "How unusual! Most companies run on fairy dust and pixie tears!"

        Yeah, yeah, and all that, but this is security where, generally, public safety outweighs the bottom line, at least to some extent. What if all security companies started hoarding their vulnerabilities? So, in order to have a secure device, I have to subscribe to a dozen different security apps? Might as well get out now...

        I hope, at some point, a list of affected apps does get published. I don't just let my apps auto-update (see the latest Google Maps fiasco for a good example of why), so I'd like to know if any of my apps need updating.

        1. sabroni Silver badge

          Re: Yeah, yeah, and all that, but this is security

          No, no, and all that, it's business.

    2. Roland6 Silver badge

      Re: Detailed information will be provided to FireEye's customers

      "FireEye Mobile Threat Prevention applies a unique approach and technology that made it possible to discover the security issues outlined in this post quickly and accurately despite these challenges." [Source: FireEye blog: http://www.fireeye.com/blog/technical/2013/10/ad-vulna-a-vulnaggressive-vulnerable-aggressive-adware-threatening-millions.html ].

      Suspect that soon we will be seeing others offering similar service enhancements to their security apps.

    3. Intractable Potsherd

      Re: Detailed information will be provided to FireEye's customers

      But as far as I can tell from FireEye's website, they don't have any products for Android.

  8. This post has been deleted by its author

  9. Anonymous Coward
    Anonymous Coward

    If they know its name, they should say so, so people can choose whether they want it.

    Libraries and apps should be rated by security companies.

  10. Joey

    Ah but...

    ...they are cheaper than iPhones and more customisable. Can't have it both ways :?(

  11. Piro Silver badge

    Prizes for the first to find it out and post (no actual prizes)

    Horrible stuff, but really, Google should have allowed permission denying on an app long ago.

    May I also suggest a very simple idea?

    If an application wants certain permissions considered dodgy, maybe Google should require the source for review, or even charge for the permission use (paying for a code review, effectively).

    How can they avoid being charged every time they update?

    Put all the code that requires review in a separate function that can be checksummed easily without delay to ensure it hasn't changed..

    1. Gav

      Re: Prizes for the first to find it out and post (no actual prizes)

      What permissions are considered "dodgy" then? By who? Are they listed under a separate "Dodgy" section of the Android manual?

      How dodgy the permissions required and used by an app are entirely dependent on context. What may be considered dodgy on your "Fart App", could be perfectly reasonable on your "Personal Diary App". Determining this, of course, requires an intelligent review of the actual app. It is not something that a blanket policy can draw the line on which apps should have it, and which should not.

      So your simple idea could only ever work if it applied to all apps. Which is kind of what Apple does and Google doesn't.

      1. Piro Silver badge

        Re: Prizes for the first to find it out and post (no actual prizes)

        Of course, I didn't go into those details exactly, because I'm not actually paid to develop Android's security policy.

        So for me to say "running as a background process" "running on startup".. "accessing account information".. "sending emails without confirmation".. and so on and so on very specifically would be a fair waste of time.

  12. Nanners

    The hand that feeds

    Google analytics ... IMO.

  13. Anonymous Coward
    Anonymous Coward

    vulna?... 5 letters, MoPub or AdMob?

  14. Anonymous Coward
    Anonymous Coward

    I'm waiting for the tsunami of Android malware to hit - so many old and vulnerable handsets - all with decent processing power and Internet connected - it's really an accident waiting to happen.

    1. Anonymous Coward
      Anonymous Coward

      Fukkkkashima all over again.

  15. Anonymous Coward
    Anonymous Coward

    And yet....

    Android is better because it's open rightttttt......google could care less it seems what is in the play store so long as it has the numbers. I predict that some time soon google is going to run into a privacy or anti-trust issue and receive a big old beat down.

    1. Piro Silver badge

      Re: And yet....

      I'm confused; you are implying that Google cares to some degree, yet the tone seems to be negative.

      1. cyborg

        Re: And yet....

        "Could care less" = Americanism of "Couldn't care lass" - which actually makes sense.

        1. Not That Andrew
          Big Brother

          Re: And yet....

          The problem with mentioning the word "care" in the same sentence as Google is that it implies that they understand the concept.

        2. Thorsten
          Headmaster

          Re: And yet....

          You're right about that horrible Americanism, but:

          "Couldn't care lass" - which actually makes sense.

          Does it really?

          1. Admiral Grace Hopper

            Re: And yet....

            When I have reached my minimum level of caring then I couldn't care less no matter how much I tried.

          2. cyborg

            Re: And yet....

            "Does it really?"

            Even then it does although I did not actually intend to infer I was talking with a lass.

        3. Nick Ryan Silver badge
          Coat

          Re: And yet....

          "Could care less" = Americanism of "Couldn't care lass" - which actually makes sense.

          Why do the Americans bring sexism into everything? :)

          1. WhoaWhoa

            Re: And yet....

            Americanism this. Americanism that.

            It's just a matter of thinking through what the phrase means ('could care less').

            Those for whom it's an unmanageable task are still allowed to post gnarled meaning here, but people know to smile and say, 'Yes, dear. We know what you're trying to say'.

            1. Anonymous Coward
              Anonymous Coward

              Re: And yet....

              To me, Could Care Less is the very opposite of the English, Could not care less.

              The former says, I could care less than I do, or, in English, I do care a bit.

              The English says, I care as little as it is possible for me to care, or, I do not care at all. Rather different. Just another example of American being English spoken by foreigners. Think through it all you like, in literal terms, they have opposite meanings.

              1. Duffy Moon

                Re: And yet....

                I always assumed (based on nothing but my own theory) that the American version was basically a shortened form of the phrase "as if I could care less", which would be closer in meaning to "I couldn't care less".

      2. Anonymous Coward
        Anonymous Coward

        No I was implying that google does not care even a little bit about any of its customers so long as they are generating ad revenue by any means necessary. Might be time that they start policing the app store a bit though ehhh?

  16. DrXym

    Constant spam from ad companies

    I have a few android apps on the market and multiple ad companies have scraped my contact email to spam me. The spam is always the same - do you want to earn some preposterously high eCPM? Great! Then install this ad software in your app and you'll be swimming in cash!

    Then you go to see what permissions the ad software actually uses and how it will affect your app. It wants permissions for gps, internet, receive texts, see running processes etc., it wants to shit icons and notifications all over the user's home screens, bury your app under interstitials, videos and other nonsense.

    Basically it's malware in all but name. Maybe it really does increase the eCPM - briefly - but then the hate from users would doom the app to oblivion. I think I would rather a lower eCPM, a better app rating and happier users from ad software which knows its place and doesn't step out of place.

    1. Chet Mannly

      Re: Constant spam from ad companies

      "It wants permissions for gps, internet, receive texts, see running processes etc., it wants to shit icons and notifications all over the user's home screens, bury your app under interstitials, videos and other nonsense.

      Basically it's malware in all but name"

      So don't install it then!!!

      1. DrXym

        Re: Constant spam from ad companies

        I think the point I was making is that it's the ad software which is malware and some app authors see the dollar signs and don't think of the consequences of what the ad software is potentially capable of or what impact it will have on the app's rating.

    2. poohbear

      Re: Constant spam from ad companies

      After running a rooted S2 and S3 for two years, I've moved onto a Note 3 which is not yet rooted. I am quite shocked at the level of advertising, from things like GoSMS ... those interstitials are really annoying.

  17. Anonymous Coward
    Anonymous Coward

    Android Permissions Model

    The Android permissions model is not working sometimes, because of the fact that most of the apps need internet access to gather viable data. And when some app developers are putting advertising SDKs in their apps to gain some bucks from ads, they don't even realize the threats they are making for their users. A typical example was the Airpush SDK which was able to make GCM/Push notifications like ads (wtf?!) ...

    Yesterday, I found a new app on Google Play called Network Connections which shows all connections made from my phone to remote servers, and I should tell you that apart from the standard ones made to Google, Sync contacts, Analytics, Flurry, etc. there are many strange ones to IPs in China....

  18. btrower

    Sadly ...

    This is a trust issue and sadly there is not a single entity in the entire ecosystem that is actually worthy of trust.

    Stuff like this *can* be fixed, but by properly disabling one bad guy you disable them all and since the bad guys are running the show, well...

    FWIW, I think it is possible for the good guys to run the show, but our window of opportunity is rapidly closing.

  19. Michael Shelby

    I only hope...

    ... that Temple Run is not on the list of affected apps. I AM SOOOO CLOSE TO ESCAPING THE STUPID TEMPLE AND FINALLY BEATING TEH GAME!!!!1

    1. Anonymous Coward
      Anonymous Coward

      Re: I only hope...

      I hope the game doesn't have a bug that zaps your play history when you're 1 point away from success.

      It would be evil, and it would be so totally me to implement that :p.

  20. Steve Graham

    I have a few free apps which think they have adverts, but they all work OK (and ad-free) with network access firewalled off.

    Am I ripping off the developers by skipping their ads? Yes.

    Do I feel bad about that? No.

  21. wayne 8
    FAIL

    Been wondering why a flashlight app or an alarm clock would need privs

    to read the phone's information and even a caller's id.

    Fricking ridiculous.

  22. Anonymous Coward
    Anonymous Coward

    I got my first android phone about 6 months ago.

    I was surprised when a few of the latest updates wanted access to parts of my phone that don't concern them.

    I noticed for instance that a free LIGHTER app had permission to access my contacts and access to the internet !!! WTF!!! It's only a picture of a zippo lighter. Same thing with a picture of a candle. When I realised this I deleted both.

    Why do these simple apps want my contacts and to get on to the internet with my phone???

    I don't like it. My next phone will be... will be... will there be anything else other than iphone or Android?

  23. GaryDMN

    Google is an advertising company, what would you expect?

    Google IS an advertising company and over 95% of their profits come from advertising, so why wouldn't you expect to be tracked and haunted by adware? It's Google's business model, pure and simple.

  24. Fihart

    Don't like Google, don't use it.

    Start by switching away from their basic product, the search engine. There are lots of choices, though I find Duck Duck Go seems relatively un-evil.

  25. John D. Blair
    WTF?

    I hope they release the name of the library and/or the affected apps soon...

    I would like to know if I've installed any of them so I can remove them from my phone ASAP.

    1. Jamie Jones Silver badge
      Thumb Up

      Re: I hope they release the name of the library and/or the affected apps soon...

      Do a search on the play store for "airpush ad detector" which is a handy app for discovering and dealing with dodgy ad code in apps

  26. WhoaWhoa

    "Smart" 'phones?

    Dumb users.

    High correlation.

  27. Neoc

    Not mentioned

    What I don't see mentioned is the fact that there is a built-in permission manager in Android 4.3

    Now all I got to do is get a non-branded version of 4.3 which works on my S4 (currently running 4.2.2)

    1. Duffy Moon

      Re: Not mentioned

      Indeed. Come along Samsung, pull your finger out. It's not as if you're short of money to pay programmers.

  28. CAPS LOCK

    I love these threads where Fandroids and Fanbois try to ...

    ... piss in each other's wellies.
