Another month, another malware outbreak in Google's Play Store

Google has had to pull 50 malware-laden apps from its Play Store after researchers found that virus writers had once again managed to fool the Chocolate Factory's code checking system. The malware was dubbed ExpensiveWall by Check Point security researchers because it was found in the Lovely Wallpaper app. It carries a payload …

  1. Syntax Error

    Useless Google

    Google need to employ people with software to test and analyse new apps. Not just rely on software. It's lazy and easily affordable to employ people with the profits they make. Fooling software is easy.

    Get your act together Google or flog Android to someone who cares.

    1. Gene Cash Silver badge

      Re: Useless Google

      I wonder just how many new apps and revisions of old apps get uploaded daily to the Google & Apple app stores.

      I'm sure it's a number far larger than would be practicable to have people screen them individually.

      1. Anonymous Coward

        Re: Useless Google

        "I wonder just how many new apps .... get uploaded daily ... I'm sure it's a number far larger than would be practicable to have people screen them individually."

        Well the shitty and inadequate robo-screening of software clearly isn't working. I suggest there are only four high level options:

        1) Limit the number of apps uploaded to something they can properly screen with current approaches.

        2) Observing that Alphabet made almost $20 billion net profit last year, they could actually recruit an entire army of testers, and hold back new apps until they have been tested properly. That'd still make barely a dent in that profit. Hiring a thousand testing staff at $70k cost would be less than half of one per cent of net profits (and it'd be fully tax deductible anyway).

        3) As a poster above notes, if Google won't fix Android security, then they should sell it to somebody who does care, and will.

        4) Do nothing. Stamp on costs, continue as Wall Street's bitch, and just cruise on until the Play store gets hit by some absolutely disastrous malware outbreak that destroys the Android brand.

        1. Headley_Grange Silver badge

          Re: Useless Google

          @Ledswinger - another option might be for governments to make store owners criminally liable for malware in their stores.

          1. Anonymous Coward

            Re: Useless Google

            @Headley Grange:

            That would trigger action, hopefully, but it doesn't give Google any more options?

            I suppose they could say "Heck, keep doing what we're doing and then just pay the lawsuits off" and that might seem an option, but I don't think they'd get away with that for very long.

            1. Headley_Grange Silver badge

              Re: Useless Google

              @Led - that's why I said "criminally liable". It wouldn't be about lawsuits, it would be about Google's directors going to prison.

              I once worked for a UK company with a US parent and it had a US MD. A customer had just pointed out a safety problem with an installation. At an internal review the MD told the PM to tell them to pay for the changes or sod off and we'd see them in court. The PM told the MD that in the UK people could be held personally responsible for H&S problems and do jail time. The MD called in the company legal director - who told him the same thing and requested that the meeting be formally minuted to record the MD's instructions. The MD went white and told the PM to fix the problem and do it sharpish, whatever the cost.

              What could Google do? - I don't know, but with virtually limitless funds and the threat of using hairy soap for a couple of years I bet they'd find a way pretty quickly.

              1. Anonymous Coward

                Re: Useless Google

                It wouldn't be about lawsuits, it would be about Google's directors going to prison.

                I can see that concentrating people's minds, but given the malign political influence of Google that is already visible in government policy on copyright, data protection etc, is that really going to happen?

                Even if a law was passed for that, the US government won't extradite its own citizens, so the real power players are immune so long as they stay out of the UK, the UK government is a patsy for the US government and probably wouldn't have the balls to try, and if applied to UK Google employees, the board of Alphabet would happily throw them under a bus if that kept the profits rolling.

                A more interesting approach might be to make the business liable, with the penalty being suspension of sales by group companies to UK customers (something similar can already be applied to energy suppliers and financial services companies). I can assure you that putting a choke around a company's revenues really does make them think. But again, I can't see our useless government doing that, either.

                1. Headley_Grange Silver badge

                  Re: Useless Google

                  Good idea about the sales - and I don't believe that a law would ever be passed. But if it were, even though the US won't extradite it would mean that the Google directors could never go to a country with a UK extradition treaty.

                  BTW Google has a UK MD - he'd be the one going to prison.

                  1. Anonymous Coward

                    Re: Useless Google

                    BTW Google has a UK MD - he'd be the one going to prison.

                    Would he? The Play store is provided by Google (in legal terms) from their Mountain View lair. I suspect that the money handling element is bound to be domiciled somewhere else with low tax, low transparency, and lax regulation, but either way, the Play store is a service provided from a non-UK location. Even the nearest Google DC is Dublin. Under the various treaties that politicians have rubber stamped there's not much our government can do about that, I suspect. You can certainly push personal accountability UP the leg of a corporate family tree, but I really can't see how you'd then bring it down an adjacent leg, and imprison a manager for the actions of other managers in another division, in a foreign jurisdiction. Not a chance that would stick.

                    You could however hold the group accountable, and thus inflict any punishment on their UK business in that manner.

                    1. Anonymous Coward

                      Re: Useless Google

                      When there were several high profile widespread malware outbreaks shortly after XP was released (which Microsoft thought would fix the malware problem, since it finally did away with the DOS underpinning of previous consumer Windows versions) Microsoft finally had to take security seriously. But it was corporate pressure that caused that, if it was just consumers getting infected Microsoft would have ignored them - where were they going to go, Mac? Linux? Of course not, they were stuck with Windows.

                      I think it would be the same with Google. They aren't going to care about stuff that infects consumers, because they have no alternatives for smartphones. Maybe Samsung will care since they control the vast majority of the high end Android market, and some of those people might go to Apple. The rest are sticking with Android, for better or for worse. So long as the malware doesn't impact the advertising revenue they derive from those customers, why should Google care?

                      Even the corporate market may not make them care, because Google doesn't get a cut from sales of phones sold to corporations, and those will be locked down so much there might not be much advertising revenue Google can derive from them. Android is far too large of a market for corporations that do BYOD to say "we only allow iPhones for BYOD, all you Android users can sod off". No, what they'd do is just firewall the phones off on a segment where they can't do anything they couldn't already do from the internet, like access corporate email so that infected phones don't matter.

                      If there was ever Android malware that somehow replaced ads that give Google money with ads that give someone else money, you can bet they'd spare no expense in killing that very quickly, however!!!

                      1. Naselus

                        Re: Useless Google

                        "...Microsoft finally had to take security seriously."

                        And even then it didn't make a big difference. No serious corporate relies only on MS security features, or even on just MS security products in addition to the in-built stuff.

                        The simple fact is, whichever operating system has dominant market share is always going to be a security hellhole. It's a huge target with the potential for a vast payoff, and so people will make correspondingly more effort to attack it. It's kind of the inverse of the security-through-obscurity which Apple and Linux benefited from throughout the 1990s-2000s, where there were just as many (if not more, certainly in the case of '90s Apple) vulnerabilities as Windows, but no serious incentive for anyone to try and exploit them. Linux's growing dominance in the server room and the IoT has been causing a corresponding rise in Linux vulnerabilities being revealed over the last decade or so, in spite of the fact that it's vastly more security-friendly than its rivals. No software or system is ever 100% secure, and so people WILL find a way to break it, given a good enough reason to try.

                        And, for the bulk of users, security is never, ever a real selling point. Ever. Oh, they'll say they want good security... until there's a tiny slowdown, or the slightest increase in effort required to use it, and then they'll turn it off. Just look at the complaints about Apple's 20-times-as-secure-as-fingerprint face recognition in the iPhone X - 'this now means I need to look at the phone to unlock it! Ugh! I have to move my arm slightly to point it at my own face! I'm never buying an iPhone again!!!'. Or consider the number of people you know who have turned off their antivirus because 'it makes the internet run slow'. For about an hour, once a week. Until they are personally compromised in some way and lose out from it, they will not think safeguarding against attack is worth any effort on their own part, let alone spending more money, or actually bothering to research different phone OSes to figure out which one they need.

        2. Naselus

          Re: Useless Google

          "4) Do nothing. Stamp on costs, continue as Wall Street's bitch, and just cruise on until the Play store gets hit by some absolutely disastrous malware outbreak that destroys the Android brand."

          Thing is, I don't even see a truly apocalyptic malware outbreak destroying Android. There's not much competition. Apple have no interest in selling phones for under $500, which neatly cuts them off from 90% of the world market; Windows Phone is dead in the water; no other competitor can bring the resources to the table to challenge a mostly-free OS with Android's reach. And Android's security reputation is already awful, so it's not like malware outbreaks appear to have much negative impact anymore.

          Basically, it'll end up taking the Windows route, where home users will live in a horrifying malware hellscape riven with endless digital plagues, while corporate types will hire specialists who lock the phone down to the point where it needs permission from an administrator to do anything more complex than take pictures, make phone calls and send emails. Which is more or less all that's required for the average executive anyway; we may as well have left them on Symbian.

          1. Anonymous Coward

            Re: Useless Google

            Maybe. But look how quickly Android killed Symbian and the assorted Nokia OS variants.

            Android started gaining recognisable market share in 2009, by 2011 Symbian was all but dead in sales terms. Google are sitting pretty for lack of competitors, and we've had a whole range of misfires (Tizen, Sailfish, Ubuntu, Firefox OS, BB10, Cyanogenmod).

            However, the dominance of Google Android won't last forever. Corporate history over the past hundred or more years shows that dominant companies don't stay dominant forever, and they rarely see the bus that hits them. When these things happen, the swapover from one dominant product to another can go very quickly. That's something that most of the big US tech giants are hoping won't happen, I'm predicting it will, but that could be anytime between tomorrow and 2040.

            Probably your gloomy Android hellscape will be the near term - but I think that's what will trigger the emergence of new approaches, with (for example) people choosing to actually pay more for a more secure OS - not the outrageous prices that Apple demand, but imagine what BB10 might have been combined with low cost Android hardware?

          2. Anonymous Coward

            Re: Useless Google

            "Android's security reputation is already awful,"

            Can you actually point to ANY real world infections???? Nope thought not... Android is vastly more secure than Windows.

            This noise from security snake oil vendors is just noise, there is no correlation between the scare stories and real world problems.

      2. sal II

        Re: Useless Google

        "I wonder just how many new apps and revisions of old apps get uploaded daily to the Google & Apple app stores."

        This is not an excuse. If independent researchers can do it, how come a multi-billion company can't?

        There are many ways to mitigate that like:

        - Tier system for developers - by all means use the bots to scan trusted developers' apps. If there is something wrong with an app - ban the developer and all his other apps or enforce a penalty etc. Full manual scan for first-time devs.

        - At all times manually verify only basic sanity points like - Why does a flashlight/wallpaper etc. app need access to calls/SMS and internet? This will take 1 min per app and can be done by human drones for pennies.

    2. a_yank_lurker

      Re: Useless Google

      Testing apps, whether automated and/or manual, is at best hit or miss. The problem is there is no perfect, foolproof way to be absolutely sure the procedures will catch all malware. You will get a rate of false positives/negatives but never perfect.

      1. Anonymous Coward

        'there is no perfect, foolproof way'

        Sure, as 'sleeper-agent' apps can remain dormant for some time before calling out and downloading a toxic payload. But that really shouldn't prevent Google staff from listening to user comments either. It's unforgivable, but hey, Google has an Android monopoly...

    3. TVU Silver badge

      Re: Useless Google

      "Google need to employ people with software to test and analyse new apps. Not just rely on software. It's lazy and easily affordable to employ people with the profits they make. Fooling software is easy.

      Get your act together Google or flog Android to someone who cares."

      ^ Spot on analysis.

    4. Anonymous Coward

      Re: Useless Google

      Useless Check Point, forgetting to mention some very important mitigation points in their scaremongering story.

      For starters, every Android phone in the last 5 years has been unable to send SMS to premium numbers without a popup warning you about the costs.... There are at least 5 other mitigation points they fail to mention, but this is Check Point, they have zero credibility left these days, and anyone trusting their products is frankly a fool.

  2. Anonymous Coward

    Amazing...

    No matter how many users get burned they keep coming back for more... Never seems to hurt Google's bottom line. How much damage will it take from Malware writers before people let up on mobile, especially Android???

    1. LaeMing
      Facepalm

      Re: Amazing...

      I dunno. How long did it take everyone to stop using Windows on their desktops?

      1. Tim Seventh
        Coat

        Re: Amazing...

        "I dunno. How long did it take everyone to stop using Windows on their desktops?"

        It took them long enough, especially when they had a hard time finding out that windows should be on the window frames instead of being on the desktop.

    2. This post has been deleted by its author

    3. This post has been deleted by its author

    4. Mikel

      Re: Amazing...

      Remember that these are people who think a wallpaper might need to send text messages for some reason.

      1. John Brown (no body) Silver badge

        Re: Amazing...

        "Remember that these are people who think a wallpaper might need to send text messages for some reason."

        Yeah, that struck me as a bit odd too. After all the press over the years, why are people still installing apps that request permissions outside of what is reasonable? I stopped allowing auto-updates of apps a long, long time ago. Every once in a while I manually check the listed available updates and any apps which want more permissions than I already accepted, get left as-is unless the permission relates to new functions and are reasonable. I also keep a separate copy of the relevant APK files so I reinstall the one with the limited permissions I've agreed to, not the newest version that wants much more.

    5. Anonymous Coward

      Re: Amazing...

      So exactly how many users are getting burnt??? Not many, if any. Despite over 2 billion active Android devices, more than Windows, I have never ever come across a malware-infected Android device, nor ever heard of a real world issue. I see infected Windows machines piling up every day however....

      Seems some people need to disconnect from the internet, as they clearly have trouble spotting news from fake news.

  3. This post has been deleted by its author

  4. Anonymous South African Coward Bronze badge

    Ne'er-do-wells will just code their nasty payload with a timer, so that for n days it'll be a benign app - but after n+1 days the malware portion will kick in.

  5. Anonymous Coward

    The store's not the problem

    Stupidity is the problem and it's getting worse year on year.

  6. Anonymous Coward
    FAIL

    It's the bloody permissions again.

    "Once downloaded, the malware asks for permission to access the internet and send and receive SMS messages."

    Right this is a wallpaper app.

    Google could easily go.

    Dear developer. Justify this.

    ....

    They come back with a valid reason or disappear off the face of the Earth.

    Then even with a valid reason, the OS goes, this app is trying to connect to a premium rate SMS / Phone number.

    Block until allowed.

    Ask the user with a bloody great warning. This app is trying to connect to a service with high call charges. Do you accept the risks?

    It's not that hard.

    I'd go further than that.

    All Apps should have "Deny ALL" until they can justify each and every access control they ask for.
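One way to implement the "justify each permission" review proposed in this post and the category-based sanity check sal II suggests further up the thread. This is an added example, not code from the article, from Check Point or from anyone in the thread; the category baselines, the review thresholds and the manifest are constructed for illustration and model only the behaviour the article describes (a wallpaper app asking for internet plus SMS).

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Permissions a store reviewer would expect for each app category.
# Constructed for this example; a real store policy would be far more detailed.
CATEGORY_BASELINE = {
    "wallpaper": {"android.permission.SET_WALLPAPER"},
    "flashlight": {"android.permission.CAMERA"},  # the torch is driven via the camera API
}

# Permissions that let an app cost the user money or read private communications.
COSTLY_OR_PRIVATE = {
    "android.permission.SEND_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
    "android.permission.CALL_PHONE",
    "android.permission.READ_CALL_LOG",
}


def requested_permissions(manifest_xml):
    """Return the set of <uses-permission> names declared in an AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    return {elem.get(f"{{{ANDROID_NS}}}name") for elem in root.iter("uses-permission")}


def review(manifest_xml, category, first_time_developer):
    """Decide a review path and return (decision, permissions the decision rests on).

    'query-developer': the app asks for something that can cost the user money or
                       read their messages; deny until the developer justifies each one.
    'manual-review':   first-time developer, or permissions outside the category baseline.
    'auto-approve':    known developer, nothing beyond what the category needs.
    """
    requested = requested_permissions(manifest_xml)
    baseline = CATEGORY_BASELINE.get(category, set())
    unexpected = requested - baseline
    red_flags = sorted(requested & COSTLY_OR_PRIVATE)
    if red_flags:
        return "query-developer", red_flags
    if first_time_developer or unexpected:
        return "manual-review", sorted(unexpected)
    return "auto-approve", []


# Constructed manifest for a hypothetical wallpaper app (not a real package).
WALLPAPER_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.wallpaperapp">
  <uses-permission android:name="android.permission.SET_WALLPAPER"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
</manifest>"""

if __name__ == "__main__":
    decision, reasons = review(WALLPAPER_MANIFEST, "wallpaper", first_time_developer=True)
    print(decision, reasons)
```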

    1. Charles 9

      Re: It's the bloody permissions again.

      Vista tried that. We ended up with Click Fatigue.

  7. Mahhn

    Class action lawsuit

    Google needs to be hit with a class action lawsuit over NOT notifying people that have downloaded these malicious apps that Google removed.

    The Play store requires a valid Email address to download files. If any other vendor did not alert customers that the files they provided to them were infected there would be hell to pay.

    Google should not be distributing software if it can't be responsible about it. And since the only thing they listen to is dollar signs, it's time to make them listen.

  8. YARR
    Boffin

    5. Have a button to report / record suspicious behaviour for an app which someone at Google will investigate pronto.

    6. Support permission sandboxing / raised security, which when enabled the user is asked whether to allow the app to access (specific device / resource / URL etc.) right now. This way the user can see if an app is doing something unwarranted. (Allow such metrics to be logged and voluntarily submitted to Google for analysis. Google can scan these logs for unexpected changes in app behaviour. ).

    7. Have an author reputation system built into the app store so users can choose to ignore apps from authors with lower ratings, i.e. to easily identify indie apps from full apps.

    8. Don't allow apps to download an executable payload (as some on this forum have suggested they can).

    9. Don't allow device makers to make default apps uninstallable. My phone's YouTube app is identified as a "harmful app" by the Play store but can't be uninstalled. Deactivating it causes an infinite loop at startup!
