Separating Fact From Hype On Mobile Malware 46
wiredmikey writes with this quote from an article about determining whether the recent doom-and-gloom reports about malware on mobile devices are justified:
"As twilight approaches for 2011, security vendors have set their gaze on the rise of Android malware during the year and what is ahead. Last week, Juniper Networks entered the fray, declaring the number of malware samples it observed targeting devices running Google Android had shot up nearly 500 percent since July. Today, McAfee released its threats report for the third quarter of the year, which found that the amount of malware targeting Android devices jumped 37 percent since the second quarter. While there is no doubt the amount of malicious programs with Windows in their bull's eye dwarfs the amount of threats to mobile devices, the focus on Android malware have left some wondering how to separate fact from hype."
Allow users to set permissions? (Score:5, Interesting)
Other than CM, where one can set permissions of apps, the only real way to limit app permissions is with use of DroidWall.
This way, if a game wants the whole world for perms, it might get the ability to call home for high scores, but that is it.
Re:Allow users to set permissions? (Score:5, Informative)
There are a couple apps out there that do this (most needing root). They essentially re-write the manifest to not ask for the permission -- sometimes by decompiling/recompiling. This crashes a lot of apps as devs dont expect to need to check for a SecurityException. The other problem with this level of granularity comes user confusion. The more granularity, the more confused a user can get. It also breaks the "agreement" between the dev/publisher and the user, much like ad-blocking in web browsers does. This is unfortunate because it's really hard to fault users for wanting that kind of control when "permission creep" is growing wildly out of control. Honestly, I'm not sure there is an easy answer/fix to this. Open markets mean a bit of chaos is likely to emerge -- that's a good thing. But the only way to combat the unscrupulous is through educating users and having the community diligent in it's policing and reporting.
The worst offenders though are the carrier bloatware apps (IMHO).
Full disclosure: I have myself written a security guide for Android (CC license), and have an app for sale that provides information for novice users as well as permission search (to see what apps are using what permissions). I say this because obviously my work will bias my thoughts on the matter.
The link in case anyone is interested: http://alostpacket.com/2010/02/20/how-to-be-safe-find-trusted-apps-avoid-viruses/ [alostpacket.com] :)
Please note the guide is intened for novice users, which is unlikely to apply to most of the Slashdot crowd
Re:Allow users to set permissions? (Score:4, Interesting)
What I find ironic is that the blogger under the "separate fact from hype" talks only about viruses, which as far as I know are pretty much non-existent in the mobile market, he ignores the fact that most of these stories are about malware ranging from various 'texting' apps that run up bills, those that dial 900 numbers, those that steal info ranging from contacts to key loggers, etc. None of these are viruses, but dangerous regardless.
Also while I don't doubt the explosion of 'malware', I also take it with a grain of salt that the numbers might be so small now that any increases will make a trend look huge, at least initially. That doesn't mean that the Android market doesn't have a problem. I think people tend to be more lax on smartphones than they are on computers since they are relatively new. A little caution and more proactive action from Google would be a smart move.
Just sayin'...
Re:Allow users to set permissions? (Score:4, Insightful)
it's really hard to fault users for wanting that kind of control when "permission creep" is growing wildly out of control.
This.
Permission creep is the real problem, not malware. Actual malware (viruses, worms, spambots et al) are not prolific enough to cause real concern and I dont see them becoming big enough. It's the subtle data miners, a wallpaper or "free" game that requests "read/write contacts" and "full access to the internet" that are the real issue for end users. This is also not Android specific, IOS is just as vulnerable, even more so as Apple has pretty much given them permission to do so and do not check to see if programs do this. It's pretty much reached the point where personal data is worth more then most botnets.
As alostpacket said, we cant really fault the users for this, controls need to be more fine grained and personal data needs to be better firewalled.
Nice guide BTW.
Re: (Score:3)
The problem is that Android's permissions, like most of the API, does a good job of offering general-purpose ways to do things, but does a piss poor job of bundling things into neatly-packaged convenience methods that make it easy to just Do The Right Thing.
Nobody (at Google) has ever really sat down and said, "How can we provide a system-level library that can support the needs of a service like AdMob (without being specific to AdMob itself), then create a specific set of permissions that grant exactly wha
Re: (Score:2)
Thanks - it's in need of an update (the screenshots anyways) but am working on a tablet version :)
Background apps (Score:2)
The biggest bane of my existence is apps that start up and run in the background, much like the gazillion things that start up with windows in the "run" subsection of the registry and pepper you with tray icons or background apps.
Games, media players, etc DO NOT need to start up with my damn phone and background. I've uninstalled plenty of apps just for doing so (when they don't have an option to select that disabled autostart).
FUD? (Score:5, Insightful)
Re:FUD? (Score:5, Insightful)
Re: (Score:2, Informative)
How about this.
Websites. Go only to the big spots. No little iffy websites.
Apps. Do not be one of the first 50k to download.
Those two things and most people will be really safe.
For a mom who does not know anything about tech get her a Jitterbug or if she needs to feel important an iPhone.
Re: (Score:1)
Re: (Score:2)
Re: (Score:2)
I use a lot less than 200 minutes a month (about 15 last month), and I love my android phone.
Re:FUD? (Score:4, Informative)
Me: "rely on your past experience battling viruses on Windows." Mom: "You're my least favorite son. I hate you."
I'm afraid you'll have to find other excuses for your Oedipal crises. The news stories are mostly FUD.
Modern smartphones are much more secure than old ones, and much more resistant than Windows, though you wouldn't know it given the hype in the news. Did anyone notice how there were no hard numbers of malware sources or infections, just the alarming percentage increase? Even the white paper it's based on has no details. The closest it gets to the truth is here:
Symbian and Microsoft Windows Mobile platforms are the oldest and most researched mobile platforms, and devices running those mobile operating systems have been the targets of the most prolific and effective malware known to affect mobile devices. These platforms have been targeted by a range of malicious applications that run the full spectrum of known malware categories, including SMS trojans that send SMS messages to premium rate numbers unbeknownst to users, background calling applications that charge the victim for exorbitant long distance calls, keylogging applications, and self-propagating code that infects devices and spreads to additional devices listed in the address book. The Juniper Networks Global Threat Center also sees polymorphic malware, which changes its characteristics during propagation to avoid detection, on the Symbian and Microsoft Windows Mobile platforms.
http://www.juniper.net/us/en/local/pdf/whitepapers/2000415-en.pdf [juniper.net]
Re: (Score:2)
Even Symbian stopped having any significant malware after they introduced S60 3rd edition in late 2005, which refused to install unsigned apps by default.
Re: (Score:3)
While I have no doubt Android is a increasing target, why do I get the sense this is hype from Android competitors and anti-virus software makers? Just don't install any strange apps without research and think about where your browsing and I don't anticipate problems. At least I've had none in the year or so I've been on Android phones.
You could say the same thing for the Internet: don't download random stuff, research it and ensure it is safe. Hell that could apply to almost any activity like going to a restaurant: make sure that the kitchen is clean and that they buy safe ingredients.
The problem is that no one actually does either of those checks.
Re:FUD? (Score:4, Interesting)
Well, it's called Dancing Pigs [wikipedia.org]. A user is confronted with a scary looking permissions list with "install" and "cancel". User wants to play this kewl game they were shown. User taps Install. It'll happen often enough to matter.
And it also applies if said app costs money and they can get it for free - people will pirate apps. And just like on the desktop world - pirated apps can contain all sorts of wrappers that install malware.
I suppose the only interesting thing about Android is why malware uathors haven't bothered taking paid apps, adding their own crap to it, and then releasing it "for free" to show up on searches as a full version of app for free. (I've seen ebooks that did this - they take some Harry Potter epub and package it with a reader (pirated?) and release it as one app.
Then again - should the user be expected to do these checks? Does your mechanic/plumber/doctor/nurse/etc. go and say "I cannot fix your $FOO for you today - I need to research to make sure the new software we're transitioning to is safe"? No, they just install it. Heck, they normally have "IT" take care of that stuff for them. Or their neighbour's kid.
I suppose it's why people are going for "app stores" and "appliances" rather than full-fledged PCs. Computers literally have gotten to the point where it really is a scary place out there and anyone who doesn't do it as a full time occupation is easily overwhelmed into thinking that next click would steal all their banking information and the identities. (Or worse yet, ignorance and clicking somewhere that really does do it).
Anyone's who's had to clean out their relative's PC over the holidays (hey US Thanksgiving...) can attest to that...
Re: (Score:2)
The Dancing Pigs thing is very true.
Wat bothers me about the Android Market though is that some apps request access to some feature of the phone... but there's no explanation why.
Now usually that to me means I'll go look for an alternative first, look for an explanation from the developer second.
But it would be nice if the Android Market required these explanations per requested feature.
The down side of course is that people can lie or just not tell the whole truth, without careful review - which means it w
Re: (Score:1)
Re: (Score:2)
the new version is doing exactly that for some time now
Re: (Score:2)
No software can protect against stupidity. If the user gives sensitive permissions to a malware that's not the OS's fault. The real question is if a malware can get permissions without the user, or circumvent the system somehow.
Re: (Score:1)
I think the fundamental issue is the binary choice of "install" or "cancel". Adding on a granulated permission system doesn't in itself solve the problem because all that happens is that developers push users to give them greater and greater permissions, even when it's not really nece
Re: (Score:2)
think about where your browsing
Or just use a secure browser.
Re: (Score:1)
Absolutely no malware on Windows, either (Score:2)
Why the emphasis on percentages? (Score:5, Interesting)
500% this, 37% that...
One of the first tricks they teach you in "how to lie with numbers" is to use percentages to inflate otherwise small numbers.
If they want to pimp a percentage, I would love to ask them...what percentage of the Android market share is infected? Somehow I think they wouldn't want to share that number, because all the 0's to the right of the decimal point may call into question exactly how much that very same company's products and services are needed.
Re: (Score:2)
It is very important to also write an article rebutting the claims with its own set of misleading statistics, especially if the data does not support your particular ideology.
Re: (Score:2)
"Oh, people can come up with statistics to prove anything. 14% of people know that" - the Immortal words of Homer Simpson
500%? Man, that's nothing... (Score:5, Funny)
500%? Man, that's nothing... why, at the beginning of the year Apple still claimed zero malware in the App Store, then this happened:
http://apple.slashdot.org/story/11/11/07/2029219/charlie-miller-circumvents-code-signing-for-ios-apps [slashdot.org]
Briefly, malware in the Apple App Store increased by one divided by zer-OH SHI
Re: (Score:1, Insightful)
Who needs malware in the App Store when browsing to the right website can hack your phone?
Re: (Score:2)
Where did they claim zero malware by the way?
Amount is irrelevant (Score:3, Insightful)
It really does not matter whether there is a lot of malware. There always is and will be malware that incompetent users have to do stupid things to install. There always will be a lot of incompetent users. What matters is the level of sophistication of the malware. As this is generally not mentioned, my take is that basically these companies want to sell you something and select the numbers that support the illusion that you need what they sell. Then, if you are an incompetent user, you may actually need what they sell.
On the other hand, quality levels of AV software is really, really bad these days. I recently evaluated several scanners, and ran into things like automatic deletion of suspect files (a borderline criminal approach), deletion without the possibility to object, massive negative impact on disk performance, etc. As I had exactly one piece of spyware in the last 10 years and zero viruses, I am now back to running without AV software, except for MS security essentials with real-time stuff switched off.
Which Android are we speaking of? (Score:2)
The most recent one or the ones actually (sometimes imperfectly) implemented?
Most security *is* theater (Score:5, Insightful)
I say this as an Infosec professional. If you remove all the hype/FUD and look at actual exploit/breach rates, the entire industry would change and shrink drastically. But they don't. So we have what we have - lots of snake oil and irrelevant/useless tools pushed to solve imaginary problems. Honestly, I am ashamed of myself but the money's too good :-)
I 3 twilight (Score:1, Funny)
As twilight approaches for 2011
Twilight isn't approaching, it's already here! [rottentomatoes.com] Jacob is so sexy! I went on opening night. Who else saw it?
This cheeses me to no end... (Score:1)
I'm not talking a few hundred megabytes of malware definitions, I'm talking around 2
security vendors have set their gaze on the rise o (Score:2)
Hmmmm... know anyone that's found a "malware" application lately... at least one that didn't specify permissions up front?
I suspect that the only malware out there MIGHT be some Trojans that users installed and fat, dumb, and ignorantly gave permission for the program to OWN their device...
I haven't even found a real "virus" on a PC for years, only Trojans using some crude social engineering designed to appeal to
"to separate fact from hype" (Score:1)
This article doesn't "separate fact from hype" - it's just a highly partisan rant against AV companies, containing no substantiating evidence in support of either position.
All hype, even on Windows malware (Score:2)
Seriously this is getting old. All this spyware, malware apocalypse shit is just FUD spread by "research" backed by companies that have an interest in selling AV software.
Now the same will happen to Android, as it becomes more popular. Wake up people!!