back to article Google can't hold back this malware running riot in its Play store

Security researchers have discovered a strain of Android malware that keeps finding its way onto Google Play – despite the store supposedly being scrubbed clean of infiltrated apps. The software nasty – Android.Spy.277.origin – is hidden in more than 100 applications on Google Play. Sketchy programs harboring the malware …

  1. conscience

    What chance ordinary users to stay safe?

    It's not a great state of affairs, is it? The first company to offer a safe, supported with updates experience with a clean app store (or better defences) could well clean up and make the market their own.

    1. EddieD

      Re: What chance ordinary users to stay safe?

      I believe that they're called Apple.

      Unfortunately.

      1. gbyers

        Re: What chance ordinary users to stay safe?

        "I believe that they're called Apple"

        Erm... http://techcrunch.com/2015/09/21/apple-confirms-malware-infected-apps-found-and-removed-from-its-chinese-app-store/

        1. sabroni Silver badge

          Re: What chance ordinary users to stay safe?

          Until all Android devices start getting security updates like iOS devices do Android will always be less secure, whatever makes it's way into the app store.

    2. Rob Gr

      Re: What chance ordinary users to stay safe?

      The only way I can see the situation really improving is if a clean slate O/S was available that verified (properly) all code before it is executed. That means different, safe, languages as well as vast changes in the O/S architecture.

      Sadly, most of the world seems to think the state of the art is a command-line based O/S developed in the 1970's (or clones thereof).

      MS, to their credit, did some good research projects in this area: Singularity (http://research.microsoft.com/en-us/projects/singularity/) and Midori (http://joeduffyblog.com/2015/11/03/blogging-about-midori/). Sadly, they don't seem to have been taken further.

      1. BristolBachelor Gold badge

        Re: What chance ordinary users to stay safe?

        Just out of curiosity, how does this OS verify all code before execution? Maybe ban it if it sends data to the Internet? Maybe block anything that reads from the memory card? Takes a foto? Uses the microphone to listen? How do you tell unwanted from wanted?

        1. Dan 55 Silver badge

          Re: What chance ordinary users to stay safe?

          How do you tell unwanted from wanted?

          You change the architecture so instead of letting apps run riot around the contacts, the app asks for a contact and the phone pops up the standard addressbook asking you to choose one.

          Instead letting apps silently have access to your camera, the app asks for a photo and the phone pops up the standard camera screen and waits for a photo to be taken.

          Instead of letting apps record from the mic, the app asks for a recording and the phone pops up the standard voice recorder and waits for something to be recorded.

          Etc...

          No need for install permissions either as it's obvious what the app is doing.

          I believe Android can be used in this way already, but nobody does.

          1. asdf

            Re: What chance ordinary users to stay safe?

            >No need for install permissions either as it's obvious what the app is doing.

            >I believe Android can be used in this way already, but nobody does.

            Cyanogenmod has privacy guard just for this very reason but yeah flashing after market roms is not something most Grannies do.

          2. Anonymous Coward
            Anonymous Coward

            Re: What chance ordinary users to stay safe?

            "Instead letting apps silently have access to your camera, the app asks for a photo and the phone pops up the standard camera screen and waits for a photo to be taken."

            But then you could only ever use the one camera app that is included with the OS and not take advantage of any aftermarket ones. You also couldn't use any video apps - e.g. blackbox recorders or realtime effects or streaming, or video calling etc.

            If it asked you every time an app tried to connect to the internet it would drive you crazy and users would just click through without considering it after a while. You still wouldn't be able to tell whether the internet access it was seeking was legitimate or not.

            Similar for other such items.

            Presently you can individually set which permissions you wish an App to access in Android, with the latest apis it will ask before using it and you can refuse or you can go into the resource permissions and disable it for any app you wish.

            The only real safe way is a curated app store where the actual code (and every update) is read by infosec professionals and great programmers before being allowed, but this is obviously unworkable.

            1. Dan 55 Silver badge

              Re: What chance ordinary users to stay safe?

              Most apps just need to call the system camera app, obviously if you download a replacement camera app or what have you then yes you do need a camera permission. But that camera permission would not be so widespread as now and it would make people think.

              For Internet it would just need to pop up a question with a "remember my answer" checkbox. It may make people wonder just why their wallpaper needs the Internet.

              It's not perfect but it's better.

          3. fuzzie
            Unhappy

            Re: What chance ordinary users to stay safe?

            It's a really nasty case of technical debt that's now vesting. Symbian had very strict requirements for publication in their app stores, i.e. each application had to be digitally signed. In addition, the permissions model was much more granular and enforced just-in-time by the OS.

            Developers could write a single app with various levels of features, and, only when I used feature X that required permission Y, would I be prompted for permission: Once, Never, Always.

            The combination of signed apps with fine-grained permissions goes a long way to keep nasties at bay and, should a nasty be found, you have the developer's details on hand to wield the Big Stick(tm).

            Android ignored both these, because developers found it annoying/cumbersome and consequently not having it reduced friction to Android developer adoption.

      2. Doctor Syntax Silver badge

        Re: What chance ordinary users to stay safe?

        "Sadly, they don't seem to have been taken further."

        Maybe they'd not be backwards-compatible with their existing OS. That clean slate is a problem for everyone who's got an existing product. Just like Unix, MS has a heritage extending back into the '70s.

        The 70s/early 80s had a big advantage. There was new hardware without any OS. Although Bell labs were working with hardware that did have an OS that was nullified because they'd been working on an abandoned line of OS research, Multics, so they also had a clean slate. It's going to be hard for anyone to push themselves back to that position and then try to compete against existing platforms with existing app-stores, however flawed.

    3. Mark 85

      Re: What chance ordinary users to stay safe?

      I daresay that we all will be (or should be) watching the MS store since that's the way they're headed with Win10. I can see where the malware writers would love to get into that as it's a one-stop drop with potentially a very large return. It won't just be home users but corporates as well.

  2. gollux
    Mushroom

    Intensely good news!!!

    I've been told to quit whining about the lack of OS updates on the Samsung and HP abandonware that I stupidly bought because even though the last OS upgrade was a year and a half ago, I only had to worry if I had enabled downloading apps from anywhere else but the Google Store. Google Knows Best, serves out the very thing I was told by various Android FanBois that I didn't have to worry about as long as I didn't install from untrusted sources or root my tablet.

  3. Anonymous Coward
    Anonymous Coward

    "masquerade as legitimate popular games"

    How are they doing this? Angry B1rds?

  4. asdf

    F-Droid only, way to go if you can

    Still no malware found on F-Droid huh? Granted it won't do for the kids these days but works brilliantly on my backup phone with an after market AOSP rom with zero account logins.

    1. Palpy

      Re: F-Droid... is it really clean?

      It is apparently vetted to some degree, but its curators are quick to admit that they cannot guarantee that every app is clean. Ran across the following, dated March 30 2016:

      "CopperheadOS is a hardened open-source Android based on AOSP, that is available for download and installation on many Nexus devices. The Guardian Project develops popular free and open-source privacy-enhancing apps like Orbot (Tor for Android), ChatSecure, and ObscuraCam, and software libraries like NetCipher, SQLCipher and PanicKit, for developers who want to enable similar features in their own apps. F-Droid is an installable catalogue of free and open source Android software, that is built into CopperheadOS, as the default app store. It enables decentralized and verifiably secure app distribution by any individual or organization."

      Interesting, though no use to me at the present since I do not own a Nexus device. Other than the implicit vote of confidence for F-Droid, which I do use.

    2. andy 28

      Re: F-Droid only, way to go if you can

      Yep, fdroid with no accounts on the phone works good enough for me too. Plus removed/disabled as much of the google stuff I could without rooting and get a week of battery instead of a day. Result.

  5. Anonymous Coward
    Anonymous Coward

    This is easy to fix....

    ...as people keep banging on, all you need to do is to only download apps from the Play Store and run the latest OS supplied by your vendor.

    Oh wait...

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like