Android DroidDream Malware - Page 2 - Canadian TV, Computing and Home Theatre Forums

Reply
 
LinkBack Thread Tools Search this Thread Display Modes

post #16 of 26 (permalink) Old 2011-03-05, 08:50 AM
Member #1
 
Join Date: Dec 2001
Location: Toronto
Posts: 47,716
Anyone making this an Android vs. iOS thing is way off base.

This is an Android security issue only. Android manufacturers have to ensure that your "typical" consumer has absolutely nothing to worry about.

Android Market has to ensure that the products it sells are safe.

Personally, I think that the manufacturers need to say "hey, we'll contribute $5 or $10 a phone" to creating a robust and safe marketplace for our phones where apps are scrutinized before they are put on sale.



hugh is offline  
Sponsored Links
Advertisement
 
post #17 of 26 (permalink) Old 2011-03-05, 11:51 AM
Moderator
 
Join Date: Jun 2009
Location: Toronto
Posts: 4,002
Quote:
Originally Posted by GrimJack View Post
I took a quick look at the Android SDK and didn't see anything about NDK (native code) requiring special permissions so perhaps you can correct me if in fact it does.
When you install an app, before you can actually install the app, the market will bring up a list of 'permissions' the app needs; basically a list of functions things the app will have access to, in both technical terms and plain english. For example Google Maps has access to "Your personal information (read contact data, write contact data)" and "Services that cost you money (directly call phone numbers)", among others. When an app has access to things it shouldn't need, you shouldn't install it.

I think manufacturers would be far better served by investing that $5-10 in keeping phones up to date and (hopefully) more secure. Even if they work to keep the market clean things would still occasionally slip by (they even do in Apple's rigorous testing) and they can't prevent third party markets or web exploits anyway.
TorontoColin is offline  
post #18 of 26 (permalink) Old 2011-03-05, 01:07 PM
Moderator
 
Join Date: Jun 2009
Location: Toronto
Posts: 4,002
If anyone is interested, the list of affected apps is available here.

Some of them look like they could fool people if they weren't careful, but some of them (such as 'Best Password Safe') should be obvious scams.
TorontoColin is offline  
 
post #19 of 26 (permalink) Old 2011-03-05, 01:08 PM
 
Join Date: Jun 2006
Posts: 216
Quote:
Originally Posted by TorontoColin View Post
When you install an app, before you can actually install the app, the market will bring up a list of 'permissions' the app needs; basically a list of functions things the app will have access to, in both technical terms and plain english. For example Google Maps has access to "Your personal information (read contact data, write contact data)" and "Services that cost you money (directly call phone numbers)", among others. When an app has access to things it shouldn't need, you shouldn't install it.
Right. But no requirement for an app that includes native code to ask for permissions if the thing it's exploiting isn't in the list. At most to use the one exploit cited in the article you would ask for access to the internet, that probably wouldn't set of any alarm bells for most games that now have scoreboards and such.

Once you execute the exploit you no longer need to have permission to do anything, you have administrative root access to the phone, you can access information in every application. This person was sloppy, its quite possible this exploit methodology has been operating unnoticed in the android marketplace for some time. Much like people who use trojans to build networks of drone pc's I can see people thinking the value of doing the same with smart phones.

It's pretty irresponsible for google to be shipping a linux kernel with old known exploits, they have enough money to attract someone who could keep on top of these things.
GrimJack is offline  
post #20 of 26 (permalink) Old 2011-03-05, 02:15 PM
 
Join Date: Dec 2007
Location: Edmonton
Posts: 328
Apple fans seem to think that malware will never effect the iOs platform because their apps are closely monitored by Apple.


Quote:
Stonesoft: Apple’s iOS will see malware in 2011
By: Geoff Duncan *•January 17, 2011

For years security firms have been predicting that Apple operating systems’ run of luck avoiding almost all malware and spyware would be coming to an abrupt end…and, although it hasn’t happened yet, network security firm Stonesoft is joining McAfee in forecasting 2011 will bring serious threats to Apple’s iOS mobile operating system. But, like all security firms, Stonesoft doesn’t think iOS will be the only security story in 2011: the firm also forecasts more sophisticated malware, increased targeting of smartphone platforms, and an increase in politically motivated attacks.
http://www.digitaltrends.com/mobile/...lware-in-2011/
Hilman is offline  
post #21 of 26 (permalink) Old 2011-03-05, 03:10 PM
 
Join Date: Jun 2006
Posts: 216
While I expect that the amount of malware will increasingly target smart phones their design is better than Windows PCs in that apps are always compartmentalized by default, the system is easily updated and it is very simple (At least in iOS, I assume Android as well) to simply re-flash to a clean version of all your apps and OS. Compare this to what's involved in rebuilding a PC.

The iOS store isn't 100% proof against a bad app sneaking through, but it's certainly more than what you currently have on a PC where people generally google up something and install it without really being sure where it's from or what it's actually doing. (Not to mention the rampant illegal software/video which is probably the primary source of trojan infection)

Guidance from people who make their living selling security solutions should always be taken with a grain of salt.
GrimJack is offline  
post #22 of 26 (permalink) Old 2011-03-06, 02:44 AM
Moderator
 
Join Date: Jun 2009
Location: Toronto
Posts: 4,002
Google has posted an official response on their blog, including the following steps they're taking to remedy the situation.

Quote:
  1. We removed the malicious applications from Android Market, suspended the associated developer accounts, and contacted law enforcement about the attack.
  2. We are remotely removing the malicious applications from affected devices. This remote application removal feature is one of many security controls the Android team can use to help protect users from malicious applications.
  3. We are pushing an Android Market security update to all affected devices that undoes the exploits to prevent the attacker(s) from accessing any more information from affected devices. If your device has been affected, you will receive an email from [email protected] over the next 72 hours. You will also receive a notification on your device that “Android Market Security Tool March 2011” has been installed. You may also receive notification(s) on your device that an application has been removed. You are not required to take any action from there; the update will automatically undo the exploit. Within 24 hours of the exploit being undone, you will receive a second email.
  4. We are adding a number of measures to help prevent additional malicious applications using similar exploits from being distributed through Android Market and are working with our partners to provide the fix for the underlying security issues.
The important takeaway, as far as I'm concerned, is that they can and will fix it remotely and patch the hole.
TorontoColin is offline  
post #23 of 26 (permalink) Old 2011-03-06, 11:50 AM
 
Join Date: Dec 2007
Location: Edmonton
Posts: 328
It looks like it affected devices that do not have 2.2.2 or higher.

Quote:
The applications took advantage of known vulnerabilities which don’t affect Android versions 2.2.2 or higher.
Hilman is offline  
post #24 of 26 (permalink) Old 2011-03-06, 01:29 PM
 
Join Date: Jun 2006
Posts: 216
Quote:
Originally Posted by Hilman View Post
It looks like it affected devices that do not have 2.2.2 or higher.
This is another thing Google has to take control of, they don't necessarily have to have the vendors pushing out new feature versions of Android, but they do need to enforce the need to push out regular security patches.
GrimJack is offline  
post #25 of 26 (permalink) Old 2011-03-06, 07:39 PM Thread Starter
Veteran
 
Join Date: Jun 2007
Location: /dev/null
Posts: 3,022
Quote:
Originally Posted by Hilman View Post
It looks like it affected devices that do not have 2.2.2 or higher.
Which unfortunately is 90% of the in-service base.

This highlights another challenge with the "openness" of Android. The myriad of hardware makes firmware updating very complex, far more so than most consumers accustomed to just runninng Microsoft Update would expect.

I'm not panning Android, in fact I quite like it, but the thread topic is whether or not the open approach can win over the curated iOS approach. I think that the very same thing that appeals most to savvy folks like DHCers will be a signifncant hinderance to growth in the general marketplace.
99semaj is offline  
post #26 of 26 (permalink) Old 2011-03-07, 10:44 PM Thread Starter
Veteran
 
Join Date: Jun 2007
Location: /dev/null
Posts: 3,022
Further to the above post, from CNN:

Quote:
The vulnerability was fixed months ago in the Android 2.2.2 release, but because Android's model doesn't entice carriers or manufacturers to continue updating after a sale (and most Android phones are locked to prevent users from doing so), almost no Android devices are protected.
and from the same article:

Quote:
Since Droid Police initially found the 21 apps, a security firm has found 30 more apps by a few more developers.
99semaj is offline  
Reply

Quick Reply
Message:
Options

Register Now



In order to be able to post messages on the Canadian TV, Computing and Home Theatre Forums forums, you must first register.
Please enter your desired user name, your email address and other required details in the form below.

User Name:
Password
Please enter a password for your user account. Note that passwords are case-sensitive.

Password:


Confirm Password:
Email Address
Please enter a valid email address for yourself.

Email Address:
OR

Log-in










Thread Tools Search this Thread
Show Printable Version Show Printable Version
Email this Page Email this Page
Search this Thread:

Advanced Search
Display Modes
Linear Mode Linear Mode



Posting Rules  
You may post new threads
You may post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are On

 
For the best viewing experience please update your browser to Google Chrome