or Connect
AppleInsider › Forums › Mobile › iPhone › First malware in the wild found exploiting Bluebox's Android app signing flaw
New Posts  All Forums:Forum Nav:

First malware in the wild found exploiting Bluebox's Android app signing flaw - Page 3

post #81 of 101
Quote:
Originally Posted by Alfiejr View Post

gee, you must have missed my post not too far above on this page 2 ...

 

 

"... to see the real world outcome of that vulnerability, let me direct your attention to some hard facts reported by no less than Android Authority:

 

http://www.androidauthority.com/1-4-million-real-malware-infections-204748/

 

it reports that NQ Mobile has reported that in 2012 about 11.5 million Android phone worldwide had "real" malware - 1.1 million of which are in the USA! (they screwed up their math and report a higher number of 1.4 million, but hey, it's an droid fan site so ...). 25% of the total was in China, 20% India, 18% Russia, 10% Saudia Arabia and USA ...

 

and this total was triple 2011's. how do you think it's going this year?"

 

... sounds kinda real to me. that's ok, i don't read all the comments before posting either.

 

If you read the report, it actually didn't increase in the USA from 2011 to 2012, just in other countries. So yes, less than 2% of all Android phones in the United States most likely have some form of malware on it that specializes in stealing data. The report cites (and this is new) that people who sideload and use application vendors outside of Google Play are most likely the ones infected. The report cites that mostly a younger generation of users who do this. 

 

So lets do some math.

 

Young People + Sideloading outside applications = Pirating. Yup. Bobby and Sarah at your local University live off ramen and probably pirate Doodle Jump when they should be studying. 

 

Before I switch gears I also wanted to note the irony of the Google Play store logo as the front page picture for this story, as Google Play is the default App store and isn't affected by this issue.

 

--

 

But to be fair, I have an iPhone because I enjoy getting my updates the moment Apple releases them. It's an incredible feature, however: 

 

  • I give Android leeway in some of these issues because Google cannot make OEM's and Wireless Carriers certify and release updates.
  • Google is remedying this problem by slowing down the pace of their OS updates. Jelly Bean is a slow moving creature these days, getting incremental updates. Slowly the pie chart will fill out with mostly Jelly Bean devices.
  • Google's Android OS has been the faster improving Mobile OS. It's seen some incredible jumps in interface and features over the past four years. Many lower end devices just got left behind. iOS in contrast has been incremental.

 

If we are having a debate where you said to me "iOS is more secure than Android", it wouldn't be much of a debate because I agree. But I don't believe we're in an epidemic of Android malware. The default setup of Android is secure, and allows people to own a phone with larger screens, different types of battery life and whatever customization they want. Every single article about Android malware always has a stipulation where people turn off some key settings in their phone to get it to install. That's just not scary, and it's not worth sounding the alarms. Get back to me when malware installs through Google Play or you just turn the phone on and infections spring up. 

post #82 of 101

I see my comment about calling out the author making stuff up was deleted. The author states that the Android Facebook app was harvesting a user's entire phone book. He then links to an article he himself wrote that says the Facebook app was actually only transmitting the user's phone number. Granted, that's still not great but it's not the sensationalist "harvesting a user's entire phone book" claim stated in the article.

 

I shall henceforth accept everything Dilger writes as the gospel truth, no matter how inaccurate, biased, or cherry-picked the information may be.

 

I deeply apologize for calling out the author's blatant lies.

post #83 of 101
Quote:
Originally Posted by Corrections View Post

Yes Vista's throwing up nonsense messages ad nauseam is not better than Google's EULA style "take it or leave it bullshit agreement before you install an app" nonsense.

But let's talk non-nonsense. Is there anything better than the iOS app store restricting app developers from doing terrible things, and making them ask for permission before recording, accessing location, contacts, etc? Seems like the right balance to me. 

Then you will certainly like Google's improvements in permissions coming with Android 4.3.

Not only does it list the permissions before you install the app as Android has for some time, it will also allow specific permissions to be denied within specific apps. The right balance just like you said.
http://www.engadget.com/2013/07/26/hidden-permissions-manager-android-4-3/
Edited by Gatorguy - 7/26/13 at 6:43am
melior diabolus quem scies
Reply
melior diabolus quem scies
Reply
post #84 of 101
Quote:
Originally Posted by caliminius View Post

I see my comment about calling out the author making stuff up was deleted. I shall henceforth accept everything Dilger writes as the gospel truth, no matter how inaccurate, biased, or cherry-picked the information may be.

You don't have to accept the article but you do have to avoid insulting the author. Insulting article authors is treated the same as insulting other forum members.
post #85 of 101
post #86 of 101
Quote:
Originally Posted by mrrodriguez View Post

Seems like Google just found a way to cover 95% of devices with a hidden update http://m.blogs.computerworld.com/android/22552/google-android-security?mm_ref=http%3A%2F%2Fplus.url.google.com%2Fmobileapp

It doesn't matter, if it isn't Apple it will be crucified on this board, regardless. These articles are posted here to incite the dark side in human nature and not to actually have an intellectual conversation on the technology. Just continual shots over the bow of any and all, either your with us or against us, mine is better then yours and all that malarkey. I personally use all sorts of gizmos and technology from all walks of the spectrum, I take zero sides as I find value in all. I'm just so amazed and in awe that I live in such a time where things like smart phones and tablets are possible. Preferences in platform or especially vulnerabilities, don't really get my juices flowing, what is possible with said tech does.
When I looked up "Ninjas" in Thesaurus.com, it said "Ninja's can't be found" Well played Ninjas, well played.
Reply
When I looked up "Ninjas" in Thesaurus.com, it said "Ninja's can't be found" Well played Ninjas, well played.
Reply
post #87 of 101
Quote:
Originally Posted by LAKings33 View Post

You might claim not to hate anything in technology, but you certainly spend enough time focusing on topics that encourage hate.

 

You'll cover a malware 'outbreak' on Android, but you won't spend time on something such as Ubuntu Edge (http://www.indiegogo.com/projects/ubuntu-edge). A device that strives for innovation, a benefit to all mobile consumers.

 

When asked by an iOS user about the Ubuntu Edge, Mark Shuttleworth had this to say: "the Edge is a very interesting new way to signal to Apple what you consider cool in hardware (and software)." (http://www.reddit.com/r/IAmA/comments/1j166z/hi_im_mark_shuttleworth_founder_of_ubuntu/)

 

--

 

What about software innovation such as OpenGL ES 3.0? Android, not iOS, is the one making the push. There are over 30 Android devices currently on the market that offer hardware support for OpenGL ES 3.0, meanwhile Apple doesn't have a single iOS device on the market capable of utilizing OpenGL ES 3.0. The first game to use OpenGL ES 3.0 features will be launching early August, Asphalt 8. Unity 4.2, the newest edition to a very popular game engine, will be offering GLES3 support for Android.

 

So every time an article is written about Samsung and Apple, there's complaints about AI being "Samsung Insider!!!" But when some inconsequential hobbyist Linux distro which has released a series of initiatives that have never gone anywhere, does a kickstarter for an extreme niche Linux smartphone concept that has no relevance to Apple and its users whatsoever, it's something AI should be covering in detail.

 

I think you're thinking of LinuxInsider. Why don't you go there and talk about it?  

post #88 of 101
Quote:
Originally Posted by LAKings33 View Post

You might claim not to hate anything in technology, but you certainly spend enough time focusing on topics that encourage hate.

You'll cover a malware 'outbreak' on Android, but you won't spend time on something such as Ubuntu Edge (http://www.indiegogo.com/projects/ubuntu-edge
). A device that strives for innovation, a benefit to all mobile consumers.

When asked by an iOS user about the Ubuntu Edge, Mark Shuttleworth had this to say: "the Edge is a very interesting new way to signal to Apple what you consider cool in hardware (and software)." (
http://www.reddit.com/r/IAmA/comments/1j166z/hi_im_mark_shuttleworth_founder_of_ubuntu/
)

--

What about software innovation such as OpenGL ES 3.0? Android, not iOS, is the one making the push. There are over 30 Android devices currently on the market that offer hardware support for OpenGL ES 3.0, meanwhile Apple doesn't have a single iOS device on the market capable of utilizing OpenGL ES 3.0. The first game to use OpenGL ES 3.0 features will be launching early August, Asphalt 8. Unity 4.2, the newest edition to a very popular game engine, will be offering GLES3 support for Android.


Isn't that the coolest phone you have ever seen, not just talking looks here but what canonical envisions the workflow to be like. My biggest dream is to have one device that does it all and it just might be that my dream will come to light. I was one of the first to pledge for this project, I sure hope it becomes a reality.
When I looked up "Ninjas" in Thesaurus.com, it said "Ninja's can't be found" Well played Ninjas, well played.
Reply
When I looked up "Ninjas" in Thesaurus.com, it said "Ninja's can't be found" Well played Ninjas, well played.
Reply
post #89 of 101
Quote:
Originally Posted by mrrodriguez View Post

Seems like Google just found a way to cover 95% of devices with a hidden update http://m.blogs.computerworld.com/android/22552/google-android-security?mm_ref=http%3A%2F%2Fplus.url.google.com%2Fmobileapp

 

 

Did you read the article? How is Google going to scan apps on the devices that never plug into Google Play, the very users at risk here? 

 

Or were you just impressed that this guy from "Android Power" (I'm not making that up) assured you that there's no problem and nobody should even be talking about any of these problems that are being uncovered.

 

Why are Android fans like this blogger so into censorship and so opposed to open information and free speech?  

post #90 of 101
Quote:
Originally Posted by Corrections View Post

 

So every time an article is written about Samsung and Apple, there's complaints about AI being "Samsung Insider!!!" But when some inconsequential hobbyist Linux distro which has released a series of initiatives that have never gone anywhere, does a kickstarter for an extreme niche Linux smartphone concept that has no relevance to Apple and its users whatsoever, it's something AI should be covering in detail.

 

I think you're thinking of LinuxInsider. Why don't you go there and talk about it?  

Clearly you didn't bother to read or take the time looking into why the device is being made. How the technology being used will likely end up on a future Apple iOS device. No mobile technology enthusiast should be against this device.

 

You also completely ignored my mention of OpenGL ES 3.0, something that will eventually come to Apple iOS devices when they start using PowerVR Series 6 GPUs.

post #91 of 101
Quote:
Originally Posted by Gatorguy View Post


Then you will certainly like Google's improvements in permissions coming with Android 4.3.

Not only does it list the permissions before you install the app as Android has for some time, it will also allow specific permissions to be denied within specific apps. The right balance just like you said.
http://www.engadget.com/2013/07/26/hidden-permissions-manager-android-4-3/

 

That's great, a major improvement. It's taken directly from iOS, isn't it? Which is fine, there doesn't seem to be anything (that should be) patented here. 

 

Now, given that we all agree that Android following iOS's security best practices is great, can we also agree that when Android blows out some feature (like say, app switching or a notification page) before Apple releases its own version of the same thing, and which it has clearly been working on for years, we don't have to listen to Android fans talking about how Apple "stole" such incremental features from Google? 

 

I hope you agree. Thanks.

post #92 of 101
Quote:
Originally Posted by Corrections View Post


How is Google going to scan apps on the devices that never plug into Google Play, the very users at risk here? 

That's silly, that would mean the user never uses the device with the internet or they sideload all apps in which case it's a waste of time because they'll have to hunt down all of the individual apk's. If you have apps, your using Google Play, maybe not for everything but even sideloaded apps are registered in Google Play upon installation unless it's a custom app, your reaching here.
When I looked up "Ninjas" in Thesaurus.com, it said "Ninja's can't be found" Well played Ninjas, well played.
Reply
When I looked up "Ninjas" in Thesaurus.com, it said "Ninja's can't be found" Well played Ninjas, well played.
Reply
post #93 of 101
Quote:
Originally Posted by Corrections View Post

That's great, a major improvement. It's taken directly from iOS, isn't it? Which is fine, there doesn't seem to be anything (that should be) patented here. 

Now, given that we all agree that Android following iOS's security best practices is great, can we also agree that when Android blows out some feature (like say, app switching or a notification page) before Apple releases its own version of the same thing, and which it has clearly been working on for years, we don't have to listen to Android fans talking about how Apple "stole" such incremental features from Google? 

I hope you agree. Thanks.

Yes I do.
melior diabolus quem scies
Reply
melior diabolus quem scies
Reply
post #94 of 101
Quote:
Originally Posted by Corrections View Post

Did you read the article? How is Google going to scan apps on the devices that never plug into Google Play, the very users at risk here? 

From the article:

 

"It's the widespread launch of a universal app-scanning system -- a system that watches your device for any new application, even one loaded directly onto the device ("sideloaded") from outside of the Google Play Store, and instantly checks the app for malicious or potentially harmful code.

That's huge. And while we've been busy focusing on new devices and fun features, Google's been busy making sure every Android user has that system on his phone -- whether he realizes it or not.

Google initially launched the feature, known as Verify Apps, with Android 4.2 last November (Android VP of Engineering Hiroshi Lockheimer discussed it with me exclusively at the time). Now, Google has pulled the program out of the OS and made it automatically available to every device running Android 2.3 or higher. That covers almost every phone and tablet out there -- about 95 percent of the actively running products, according to Google's latest platform measurements."

post #95 of 101
Do no evil... *snicker
post #96 of 101
Quote:
Originally Posted by tribalogical View Post

Do no evil... *snicker

Yeah, you'll go blind.
When I looked up "Ninjas" in Thesaurus.com, it said "Ninja's can't be found" Well played Ninjas, well played.
Reply
When I looked up "Ninjas" in Thesaurus.com, it said "Ninja's can't be found" Well played Ninjas, well played.
Reply
post #97 of 101
Quote:
Originally Posted by Relic View Post


That's silly, that would mean the user never uses the device with the internet or they sideload all apps in which case it's a waste of time because they'll have to hunt down all of the individual apk's. If you have apps, your using Google Play, maybe not for everything but even sideloaded apps are registered in Google Play upon installation unless it's a custom app, your reaching here.

I think he's referring to devices that don't get their apps from Google Play, like the Kindle Fire or the various Chinese OS's based on AOSP.

post #98 of 101
Quote:
Originally Posted by d4NjvRzf View Post

I think he's referring to devices that don't get their apps from Google Play, like the Kindle Fire or the various Chinese OS's based on AOSP.

Okay fair enough, then their on their own. It's like when people who side-load apps on their iPad's or use Cydia, they can't blame Apple if they* get a malware. The majority of the Malware comes from questionable apps, if a user sticks with main stream apps they will never have a problem. I have never had a virus or malware on any of my devices since the Michelangelo virus in 91 because I follow safe practices. If I run a questionable applications I do so in a virtual environment where the container file is deleted when I'm finished.
When I looked up "Ninjas" in Thesaurus.com, it said "Ninja's can't be found" Well played Ninjas, well played.
Reply
When I looked up "Ninjas" in Thesaurus.com, it said "Ninja's can't be found" Well played Ninjas, well played.
Reply
post #99 of 101
Quote:
Originally Posted by koop View Post

 

If you read the report, it actually didn't increase in the USA from 2011 to 2012, just in other countries. So yes, less than 2% of all Android phones in the United States most likely have some form of malware on it that specializes in stealing data. The report cites (and this is new) that people who sideload and use application vendors outside of Google Play are most likely the ones infected. The report cites that mostly a younger generation of users who do this. 

 

So lets do some math.

 

Young People + Sideloading outside applications = Pirating. Yup. Bobby and Sarah at your local University live off ramen and probably pirate Doodle Jump when they should be studying. 

 

Before I switch gears I also wanted to note the irony of the Google Play store logo as the front page picture for this story, as Google Play is the default App store and isn't affected by this issue.

 

--

 

But to be fair, I have an iPhone because I enjoy getting my updates the moment Apple releases them. It's an incredible feature, however: 

 

  • I give Android leeway in some of these issues because Google cannot make OEM's and Wireless Carriers certify and release updates.
  • Google is remedying this problem by slowing down the pace of their OS updates. Jelly Bean is a slow moving creature these days, getting incremental updates. Slowly the pie chart will fill out with mostly Jelly Bean devices.
  • Google's Android OS has been the faster improving Mobile OS. It's seen some incredible jumps in interface and features over the past four years. Many lower end devices just got left behind. iOS in contrast has been incremental.

 

If we are having a debate where you said to me "iOS is more secure than Android", it wouldn't be much of a debate because I agree. But I don't believe we're in an epidemic of Android malware. The default setup of Android is secure, and allows people to own a phone with larger screens, different types of battery life and whatever customization they want. Every single article about Android malware always has a stipulation where people turn off some key settings in their phone to get it to install. That's just not scary, and it's not worth sounding the alarms. Get back to me when malware installs through Google Play or you just turn the phone on and infections spring up. 

well, we can quibble about words all day. but as far as i'm concerned, 19 million worldwide - assuming that report is valid - malware infected droid phones = "an epidemic." i think anytime something gets into 8 figures, it is "significant" beyond any question. and 1 million in the USA is also a big enough number in this one country to be "important." the report also said the total was 3x the year before. i would certainly consider that to be "alarming." we will see what happens in 2013. 

post #100 of 101

Facebook must love this Android event.

Spy on guys!

post #101 of 101
Quote:
Originally Posted by Alfiejr View Post

1 million in the USA is also a big enough number in this one country to be "important." the report also said the total was 3x the year before. i would certainly consider that to be "alarming." we will see what happens in 2013.

I'd expect it's over 1 million already due to what happened a couple of months ago in the Google Play store:

http://www.techrepublic.com/blog/google-in-the-enterprise/malware-in-the-google-play-store-enemy-inside-the-gates/

"Last month a form of malware called BadNews was downloaded several million times from the Google Play store. This malware impersonated an ad network and leaked personal information from affected phones to a designated offshore server. It also prompted users to install a Trojan application (AlphaSMS) which produces expensive text charges. All in all, it wasn't pretty.

According to an article on arstechnica.com, Google examines all apps uploaded to Play (they use a cloud service called Bouncer to verify new apps against known malware signatures and test them for malware-like behavior). In this instance the BadNews-related apps were clean upon upload. The designers introduced the malware components to these programs several weeks later."

Then there's emails that don't get the protection of a curated store:

http://www.techweekeurope.co.uk/news/japan-poker-android-malware-arrests-123059

"A president of a Japanese IT firm has been arrested following a police investigation into an Android malware campaign.

Masaaki Kagawa, the 50-year-old president of IT firm Koei Planning, was apprehended along with eight other individuals, over their alleged involvement in spreading spam emails that carried Android malware that collected contact details from a victims device. He is said to be a prolific poker player, earning over a million dollars from his gambling.

Kagawa’s company was said to have earned around $3.9 million (£2.5m) by running a fake dating service. The spam messages directed people to that site, whilst also carrying the malware. The malware was used to hoover up more contact details to constantly expand the scope of the illicit campaign.

Security giant Symantec aided police in the investigation. It said the operation began around September 2012 and ended in April 2013. Around 150 domains were used to host the malicious apps, and reports suggested around 37 million email addresses from 810,000 Android devices were collected by the malware.

The Enesoluty malicious program is believed to have connections to other campaigns, the security firm said.

“We also believe Android.Maistealer and Android.Enesoluty share common source code with another malware, called Android.Uracto, and that a different group of scammers were maintaining the latter, as the distribution strategy of the malware differs considerably,” it said.

“It is believed that this other group has yet to be identified, so there will probably be another few twists and turns to this story in the future.”

Mobile threats are increasingly causing genuine problems, particularly for Android users. Google’s OS is responsible for 92 percent of all known mobile malware, according to Juniper Networks."

See, you can make money from Android users.
New Posts  All Forums:Forum Nav:
  Return Home
  Back to Forum: iPhone
  • First malware in the wild found exploiting Bluebox's Android app signing flaw
AppleInsider › Forums › Mobile › iPhone › First malware in the wild found exploiting Bluebox's Android app signing flaw