Forgot your password?
typodupeerror
Android IOS Iphone Security Apple

Separating Fact From Hype On Mobile Malware 46

Posted by Soulskill
from the viruses-in-your-pocket dept.
wiredmikey writes with this quote from an article about determining whether the recent doom-and-gloom reports about malware on mobile devices are justified: "As twilight approaches for 2011, security vendors have set their gaze on the rise of Android malware during the year and what is ahead. Last week, Juniper Networks entered the fray, declaring the number of malware samples it observed targeting devices running Google Android had shot up nearly 500 percent since July. Today, McAfee released its threats report for the third quarter of the year, which found that the amount of malware targeting Android devices jumped 37 percent since the second quarter. While there is no doubt the amount of malicious programs with Windows in their bull's eye dwarfs the amount of threats to mobile devices, the focus on Android malware have left some wondering how to separate fact from hype."
This discussion has been archived. No new comments can be posted.

Separating Fact From Hype On Mobile Malware

Comments Filter:
  • by Anonymous Coward on Monday November 21, 2011 @06:45PM (#38130614)

    Other than CM, where one can set permissions of apps, the only real way to limit app permissions is with use of DroidWall.

    This way, if a game wants the whole world for perms, it might get the ability to call home for high scores, but that is it.

    • by alostpacket (1972110) on Monday November 21, 2011 @07:08PM (#38130776) Homepage

      There are a couple apps out there that do this (most needing root). They essentially re-write the manifest to not ask for the permission -- sometimes by decompiling/recompiling. This crashes a lot of apps as devs dont expect to need to check for a SecurityException. The other problem with this level of granularity comes user confusion. The more granularity, the more confused a user can get. It also breaks the "agreement" between the dev/publisher and the user, much like ad-blocking in web browsers does. This is unfortunate because it's really hard to fault users for wanting that kind of control when "permission creep" is growing wildly out of control. Honestly, I'm not sure there is an easy answer/fix to this. Open markets mean a bit of chaos is likely to emerge -- that's a good thing. But the only way to combat the unscrupulous is through educating users and having the community diligent in it's policing and reporting.

      The worst offenders though are the carrier bloatware apps (IMHO).

      Full disclosure: I have myself written a security guide for Android (CC license), and have an app for sale that provides information for novice users as well as permission search (to see what apps are using what permissions). I say this because obviously my work will bias my thoughts on the matter.

      The link in case anyone is interested: http://alostpacket.com/2010/02/20/how-to-be-safe-find-trusted-apps-avoid-viruses/ [alostpacket.com]
      Please note the guide is intened for novice users, which is unlikely to apply to most of the Slashdot crowd :)

      • by DJRumpy (1345787) on Monday November 21, 2011 @08:49PM (#38131604)

        What I find ironic is that the blogger under the "separate fact from hype" talks only about viruses, which as far as I know are pretty much non-existent in the mobile market, he ignores the fact that most of these stories are about malware ranging from various 'texting' apps that run up bills, those that dial 900 numbers, those that steal info ranging from contacts to key loggers, etc. None of these are viruses, but dangerous regardless.

        Also while I don't doubt the explosion of 'malware', I also take it with a grain of salt that the numbers might be so small now that any increases will make a trend look huge, at least initially. That doesn't mean that the Android market doesn't have a problem. I think people tend to be more lax on smartphones than they are on computers since they are relatively new. A little caution and more proactive action from Google would be a smart move.

        Just sayin'...

      • by mjwx (966435) on Monday November 21, 2011 @09:08PM (#38131752)

        it's really hard to fault users for wanting that kind of control when "permission creep" is growing wildly out of control.

        This.

        Permission creep is the real problem, not malware. Actual malware (viruses, worms, spambots et al) are not prolific enough to cause real concern and I dont see them becoming big enough. It's the subtle data miners, a wallpaper or "free" game that requests "read/write contacts" and "full access to the internet" that are the real issue for end users. This is also not Android specific, IOS is just as vulnerable, even more so as Apple has pretty much given them permission to do so and do not check to see if programs do this. It's pretty much reached the point where personal data is worth more then most botnets.

        As alostpacket said, we cant really fault the users for this, controls need to be more fine grained and personal data needs to be better firewalled.

        Nice guide BTW.

        • The problem is that Android's permissions, like most of the API, does a good job of offering general-purpose ways to do things, but does a piss poor job of bundling things into neatly-packaged convenience methods that make it easy to just Do The Right Thing.

          Nobody (at Google) has ever really sat down and said, "How can we provide a system-level library that can support the needs of a service like AdMob (without being specific to AdMob itself), then create a specific set of permissions that grant exactly wha

        • Thanks - it's in need of an update (the screenshots anyways) but am working on a tablet version :)

      • The biggest bane of my existence is apps that start up and run in the background, much like the gazillion things that start up with windows in the "run" subsection of the registry and pepper you with tray icons or background apps.

        Games, media players, etc DO NOT need to start up with my damn phone and background. I've uninstalled plenty of apps just for doing so (when they don't have an option to select that disabled autostart).

  • FUD? (Score:5, Insightful)

    by AHTuttle (1270388) on Monday November 21, 2011 @06:53PM (#38130672)
    While I have no doubt Android is a increasing target, why do I get the sense this is hype from Android competitors and anti-virus software makers? Just don't install any strange apps without research and think about where your browsing and I don't anticipate problems. At least I've had none in the year or so I've been on Android phones.
    • Re:FUD? (Score:5, Insightful)

      by cheeks5965 (1682996) on Monday November 21, 2011 @06:59PM (#38130714)
      Mom: "honey, how should I avoid viruses on my new phone?" Me: "first, be sure to research your apps before you download them." Mom: "what? where do I do that? didnt Sprint already do that?" Me: "then, don't browse to web pages that might contain malware" Mom: "how should I know what sites are ok and what are not?" Me: "rely on your past experience battling viruses on Windows." Mom: "You're my least favorite son. I hate you."
      • Re: (Score:2, Informative)

        by Dishevel (1105119)

        How about this.
        Websites. Go only to the big spots. No little iffy websites.
        Apps. Do not be one of the first 50k to download.

        Those two things and most people will be really safe.

        For a mom who does not know anything about tech get her a Jitterbug or if she needs to feel important an iPhone.

        • All she wants is something with 12 button keys. she uses maybe 200 minutes a month. android is overkill because the sleazy cell phone salesmen push it on people who don't need it / want it. People end up spending $100 a month instead of $20 a month, and use the same functionality.
          • by xorsyst (1279232)

            I use a lot less than 200 minutes a month (about 15 last month), and I love my android phone.

      • Re:FUD? (Score:4, Informative)

        by ozmanjusri (601766) <aussie_bob@hotmail.cOPENBSDom minus bsd> on Monday November 21, 2011 @09:53PM (#38132020) Journal

        Me: "rely on your past experience battling viruses on Windows." Mom: "You're my least favorite son. I hate you."

        I'm afraid you'll have to find other excuses for your Oedipal crises. The news stories are mostly FUD.

        Modern smartphones are much more secure than old ones, and much more resistant than Windows, though you wouldn't know it given the hype in the news. Did anyone notice how there were no hard numbers of malware sources or infections, just the alarming percentage increase? Even the white paper it's based on has no details. The closest it gets to the truth is here:

        Symbian and Microsoft Windows Mobile platforms are the oldest and most researched mobile platforms, and devices running those mobile operating systems have been the targets of the most prolific and effective malware known to affect mobile devices. These platforms have been targeted by a range of malicious applications that run the full spectrum of known malware categories, including SMS trojans that send SMS messages to premium rate numbers unbeknownst to users, background calling applications that charge the victim for exorbitant long distance calls, keylogging applications, and self-propagating code that infects devices and spreads to additional devices listed in the address book. The Juniper Networks Global Threat Center also sees polymorphic malware, which changes its characteristics during propagation to avoid detection, on the Symbian and Microsoft Windows Mobile platforms.

        http://www.juniper.net/us/en/local/pdf/whitepapers/2000415-en.pdf [juniper.net]

        • by Rexdude (747457)

          Even Symbian stopped having any significant malware after they introduced S60 3rd edition in late 2005, which refused to install unsigned apps by default.

    • by Meshach (578918)

      While I have no doubt Android is a increasing target, why do I get the sense this is hype from Android competitors and anti-virus software makers? Just don't install any strange apps without research and think about where your browsing and I don't anticipate problems. At least I've had none in the year or so I've been on Android phones.

      You could say the same thing for the Internet: don't download random stuff, research it and ensure it is safe. Hell that could apply to almost any activity like going to a restaurant: make sure that the kitchen is clean and that they buy safe ingredients.

      The problem is that no one actually does either of those checks.

      • Re:FUD? (Score:4, Interesting)

        by tlhIngan (30335) <.slashdot. .at. .worf.net.> on Monday November 21, 2011 @07:24PM (#38130866)

        You could say the same thing for the Internet: don't download random stuff, research it and ensure it is safe. Hell that could apply to almost any activity like going to a restaurant: make sure that the kitchen is clean and that they buy safe ingredients.

        The problem is that no one actually does either of those checks.

        Well, it's called Dancing Pigs [wikipedia.org]. A user is confronted with a scary looking permissions list with "install" and "cancel". User wants to play this kewl game they were shown. User taps Install. It'll happen often enough to matter.

        And it also applies if said app costs money and they can get it for free - people will pirate apps. And just like on the desktop world - pirated apps can contain all sorts of wrappers that install malware.

        I suppose the only interesting thing about Android is why malware uathors haven't bothered taking paid apps, adding their own crap to it, and then releasing it "for free" to show up on searches as a full version of app for free. (I've seen ebooks that did this - they take some Harry Potter epub and package it with a reader (pirated?) and release it as one app.

        Then again - should the user be expected to do these checks? Does your mechanic/plumber/doctor/nurse/etc. go and say "I cannot fix your $FOO for you today - I need to research to make sure the new software we're transitioning to is safe"? No, they just install it. Heck, they normally have "IT" take care of that stuff for them. Or their neighbour's kid.

        I suppose it's why people are going for "app stores" and "appliances" rather than full-fledged PCs. Computers literally have gotten to the point where it really is a scary place out there and anyone who doesn't do it as a full time occupation is easily overwhelmed into thinking that next click would steal all their banking information and the identities. (Or worse yet, ignorance and clicking somewhere that really does do it).

        Anyone's who's had to clean out their relative's PC over the holidays (hey US Thanksgiving...) can attest to that...

        • The Dancing Pigs thing is very true.

          Wat bothers me about the Android Market though is that some apps request access to some feature of the phone... but there's no explanation why.

          Now usually that to me means I'll go look for an alternative first, look for an explanation from the developer second.

          But it would be nice if the Android Market required these explanations per requested feature.

          The down side of course is that people can lie or just not tell the whole truth, without careful review - which means it w

          • I'd love it if the Market stopped pushing the permissions in everyone's faces for every update of an app (even if the permissions didn't change) and allow the notes of WHAT changed to be visible on that screen. But, I feel like I'm in the minority on that one.
        • by Hentes (2461350)

          No software can protect against stupidity. If the user gives sensitive permissions to a malware that's not the OS's fault. The real question is if a malware can get permissions without the user, or circumvent the system somehow.

        • Well, it's called Dancing Pigs [wikipedia.org]. A user is confronted with a scary looking permissions list with "install" and "cancel". User wants to play this kewl game they were shown. User taps Install. It'll happen often enough to matter.

          I think the fundamental issue is the binary choice of "install" or "cancel". Adding on a granulated permission system doesn't in itself solve the problem because all that happens is that developers push users to give them greater and greater permissions, even when it's not really nece

    • by Hentes (2461350)

      think about where your browsing

      Or just use a secure browser.

    • I agree, however you need to keep in mind that most users think that computers equal windows. They have not been educated enough to understand the consequences of their actions (Nor the lack of them). The makers of virus detection software take advantage of this ignorance to spread their marketing FUD. Our first job is education, the rest will follow.
    • While I have no doubt Windows is a increasing target, why do I get the sense this is hype from Windows competitors and anti-virus software makers? Just don't install any strange apps without research and think about where you're browsing, and I don't anticipate problems. At least I've had none in the year or so I've been on Windows.
  • by DeadCatX2 (950953) on Monday November 21, 2011 @06:55PM (#38130684) Journal

    500% this, 37% that...

    One of the first tricks they teach you in "how to lie with numbers" is to use percentages to inflate otherwise small numbers.

    If they want to pimp a percentage, I would love to ask them...what percentage of the Android market share is infected? Somehow I think they wouldn't want to share that number, because all the 0's to the right of the decimal point may call into question exactly how much that very same company's products and services are needed.

    • It is very important to also write an article rebutting the claims with its own set of misleading statistics, especially if the data does not support your particular ideology.

    • by Digicrat (973598)

      "Oh, people can come up with statistics to prove anything. 14% of people know that" - the Immortal words of Homer Simpson

  • by QuasiSteve (2042606) on Monday November 21, 2011 @06:58PM (#38130704)

    500%? Man, that's nothing... why, at the beginning of the year Apple still claimed zero malware in the App Store, then this happened:
    http://apple.slashdot.org/story/11/11/07/2029219/charlie-miller-circumvents-code-signing-for-ios-apps [slashdot.org]

    Briefly, malware in the Apple App Store increased by one divided by zer-OH SHI

    • Re: (Score:1, Insightful)

      by Anonymous Coward

      Who needs malware in the App Store when browsing to the right website can hack your phone?

    • by Kartu (1490911)

      Where did they claim zero malware by the way?

  • by gweihir (88907) on Monday November 21, 2011 @07:02PM (#38130736)

    It really does not matter whether there is a lot of malware. There always is and will be malware that incompetent users have to do stupid things to install. There always will be a lot of incompetent users. What matters is the level of sophistication of the malware. As this is generally not mentioned, my take is that basically these companies want to sell you something and select the numbers that support the illusion that you need what they sell. Then, if you are an incompetent user, you may actually need what they sell.

    On the other hand, quality levels of AV software is really, really bad these days. I recently evaluated several scanners, and ran into things like automatic deletion of suspect files (a borderline criminal approach), deletion without the possibility to object, massive negative impact on disk performance, etc. As I had exactly one piece of spyware in the last 10 years and zero viruses, I am now back to running without AV software, except for MS security essentials with real-time stuff switched off.

  • The most recent one or the ones actually (sometimes imperfectly) implemented?

  • by Anonymous Coward on Monday November 21, 2011 @07:14PM (#38130816)

    I say this as an Infosec professional. If you remove all the hype/FUD and look at actual exploit/breach rates, the entire industry would change and shrink drastically. But they don't. So we have what we have - lots of snake oil and irrelevant/useless tools pushed to solve imaginary problems. Honestly, I am ashamed of myself but the money's too good :-)

  • from TFS:

    As twilight approaches for 2011

    Twilight isn't approaching, it's already here! [rottentomatoes.com] Jacob is so sexy! I went on opening night. Who else saw it?

  • Not because I have a security system set up, but because I contacted them three years ago about incorporating actual security into their operating system using a format that is only limited by internet, and to an extent, by hardware latency. What I was told was, "We only accept ideas from Fortune 500 companies". Fuck that. Seriously. I'm willing to bet money that they use the same (or extremely similar) format I have.

    I'm not talking a few hundred megabytes of malware definitions, I'm talking around 2
  • "security vendors" are concerned about the "rise of malware" on the Android platform...

    Hmmmm... know anyone that's found a "malware" application lately... at least one that didn't specify permissions up front?

    I suspect that the only malware out there MIGHT be some Trojans that users installed and fat, dumb, and ignorantly gave permission for the program to OWN their device...

    I haven't even found a real "virus" on a PC for years, only Trojans using some crude social engineering designed to appeal to
  • by Anonymous Coward

    This article doesn't "separate fact from hype" - it's just a highly partisan rant against AV companies, containing no substantiating evidence in support of either position.

  • Seriously this is getting old. All this spyware, malware apocalypse shit is just FUD spread by "research" backed by companies that have an interest in selling AV software.

    Now the same will happen to Android, as it becomes more popular. Wake up people!!

God doesn't play dice. -- Albert Einstein

Working...