Millions of Android users hit by malicious data theft app

13468911

Comments

  • Reply 101 of 216
    space2space2 Posts: 4member
    Quote:
    Originally Posted by st3v3 View Post


    This site is entertaining because its like a giant nerd-fest of people defending their products like they were personally attacked



    Speaking of which: I didn't had any signal loss problems with my Sony-Ericsson X10... nor was Sony-Ericsson even mentioned in the "antennagate" ... so I lived happily ever after ;-)
  • Reply 102 of 216
    tulkastulkas Posts: 3,757member
    So, a more open platform has disadvantages (not that something like this can't happen with the Apple model), but that doesn't mean a closed platform doesn't also have disadvantages. It is strange how people can't see that while Apple's closed model has some major advantages, like security, that it doesn't mean it is perfect. It is possible for Apple's closed model to remain secure and yet allow more flexibility.
  • Reply 103 of 216
    asciiascii Posts: 5,936member
    I don't think it's fair to blame Google for this. People know it's an open marketplace, so it's their responsibility to check out the developer, make sure they're reputable, before installing something. They have to think of their phone as same as a PC in that respect.
  • Reply 104 of 216
    space2space2 Posts: 4member
    Quote:
    Originally Posted by ctwise View Post


    They probably scanned the binary files (on the iPhone that would require jailbreaking the device) and looked for linkages. Those would tell you what code was being used. If their statistics are trustworthy it means that 1/4 of iPhone apps use third-party libraries and 1/2 of Android apps do. That only means something if there are malware code libraries floating around that people are using.



    But then it means that if a 3rd party app is simply using another 3rd party library (maybe just for decoding a jpeg image), then it's immediately flagged as malicious?!



    Quote:
    Originally Posted by ctwise View Post


    The points to take away from the story are that Android apps aren't thoroughly "sandboxed". That means the apps on the phone are restricted in terms of what data they can access. On iOS devices apps can't access other apps data and have only limited access to user data. So it wouldn't be possible for an iOS app to access your SIM card unless the app writer found an iOS defect.



    The second point is that no one really looks at the apps in the Android market place. Apple actually tries each and every app and rejects those that don't do what they say they do. They also run some automated binary analysis routines looking for red flags. That said, a malware writer could possibly sneak something like this into the App Store. But it wouldn't be able to access the same amount of data that the Android app would and there's a much higher possibility of detection before it gets into the store.





    Android has a sandboxing model as well: by default an application cannot access another application's data (since each app has it's own user id, and the data folders are protected). To access other apps (or system) data, application needs permissions. To make it user-friendly, the user has to accept all permissions at once, when intsalling. IMHO this is still better compared to the old java era when you were asked every time when an app accessed the internet, and then every time when it tried to read the contacts, etc.



    So as I see, the problem is the following:

    * Android is more open, more flexible: applications can access a wider range of data. But users (including me of course ;-) ) tend to ignore the permission list, they just accept it.

    * iOS is more strict, apps can access only a very limited data, hence iOS is more secure.



    Question: is the above correct? Is it really the case that an iOS app cannot access the browser history at all? Even if the app supposed to do that (for example if the app is called BrowserHistorySynchronizer?)



    If this is the case, then the problem is a matter of preference: does one prefer to live a bit more dangerously but have more functionality in the phone or not.
  • Reply 105 of 216
    rindrind Posts: 66member
    harmoniousDISCORD



    You think this place is bad go to Droidforums.net the Apple Bashing is much worse than the Android discussions I have seen here.



    Apple haters have to grab every little detail they can to put down the iPhone.



    For me the iPhone works perfectly out of the box.

    Both Android and iOS have there benefits.

    Since I am moving to Verizon I am looking at the new Droid and learning about how it exist in my environment.



    Syncing Outlook with iOS is easy and requires no 3rd party application. From what I have gathered you cant do that with Android out of the box.

    I like Motorola as thats all I used before switching to Apple. but they also dont provide functionality in a device they market as an iPhone Killer.
  • Reply 106 of 216
    Quote:
    Originally Posted by donarb View Post


    Press conference!!! And free bumpers for everybody!!!



    Free Anti-App Virus protection thanks to lockline or norton for everybody..
  • Reply 107 of 216
    space2space2 Posts: 4member
    Quote:
    Originally Posted by Rind View Post


    Syncing Outlook with iOS is easy and requires no 3rd party application. From what I have gathered you cant do that with Android out of the box.



    You can, since Android 2.1
  • Reply 108 of 216
    mstonemstone Posts: 11,510member
    Quote:
    Originally Posted by davesw View Post


    well we (iPhone owners) wouldn't know. ask DaHarder



    Let your words be sweet and tender. You may have to eat them tomorrow.
  • Reply 109 of 216
    djmikeodjmikeo Posts: 180member
    It seems someone is already taking advantage of people trying to jailbreak their iPhones. It appears to affect Windows machines. Here is the link regarding the trojan that is disguised as a jail-breaking program.

    http://news.softpedia.com/news/iPhon...e-149613.shtml



    Beware.
  • Reply 110 of 216
    daveswdavesw Posts: 406member
    Quote:
    Originally Posted by NSXROX View Post


    Goodbye Mac vs. PC ads. Hello iPhone vs. Droid ad campaign.



    "Hi, I'm an iPhone"

    "And I'm a Droid"



    "Hey Droid, do you have problems with viruses?"

    "Well actually, iPhone, I..." [battery dies]



    Rofl
  • Reply 111 of 216
    matrix07matrix07 Posts: 1,993member
    harmoniousDISCORD, frankly I think Android fanboys are much worse, speaking from my experience here.
  • Reply 112 of 216
    anonymouseanonymouse Posts: 6,854member
    Quote:
    Originally Posted by jpcg View Post


    ... You have to remember that a lot of parts of Android are closed source and I believe there must be a reason for that. ...



    The reason is that they want to claim Android is "open", yet, at the same time, they want to maintain control of Android and not have device manufacturers forking it and creating versions independent of what they want it to be. (Google is nefarious enough without us having to invent even more nefarious scenarios than what they actually do.)



    Interestingly, the Chinese have forked Android and replaced the proprietary parts with their own proprietary parts, so that the version of Android that is being implemented their isn't really Android at all, and thus of little or no value to Google.
  • Reply 113 of 216
    edsteredster Posts: 2member
    Quote:
    Originally Posted by space2 View Post


    But then it means that if a 3rd party app is simply using another 3rd party library (maybe just for decoding a jpeg image), then it's immediately flagged as malicious?!



    Android has a sandboxing model as well: by default an application cannot access another application's data (since each app has it's own user id, and the data folders are protected). To access other apps (or system) data, application needs permissions. To make it user-friendly, the user has to accept all permissions at once, when intsalling. IMHO this is still better compared to the old java era when you were asked every time when an app accessed the internet, and then every time when it tried to read the contacts, etc.



    So as I see, the problem is the following:

    * Android is more open, more flexible: applications can access a wider range of data. But users (including me of course ;-) ) tend to ignore the permission list, they just accept it.

    * iOS is more strict, apps can access only a very limited data, hence iOS is more secure.



    Question: is the above correct? Is it really the case that an iOS app cannot access the browser history at all? Even if the app supposed to do that (for example if the app is called BrowserHistorySynchronizer?)



    If this is the case, then the problem is a matter of preference: does one prefer to live a bit more dangerously but have more functionality in the phone or not.



    Yes you are correct. It seems based on the comments I've read that most people don't understand what sandboxing and 3rd party libraries mean. I can't speak for Android, only as an iOS developer.



    3rd party libraries include such things as analytics packages and as you say some help frameworks that make life easier. It's possible that such a lib could have malware embedded in it. However...



    Sandboxing: People, this means that apps can't see each others data at all. Two sandboxed apps might as well be running on two different phones. On iOS there is no possibility to "Ask for permission" to enable such acces, it just doesn't exist.



    The only possibility for malware would be some sophisticated inter-process messaging or exploiting a hole in the APIs from Apple. Writing such malware would be hard to sneak by Apple's analysis tools.



    Everything is possible of course, but it's extremely unlikely that this is going to happen. Especially when there are so many other easier to target options available to hackers.
  • Reply 114 of 216
    Quote:
    Originally Posted by solipsism View Post


    How do you say that is Mandarin?



    Kua da
  • Reply 115 of 216
    ruel24ruel24 Posts: 432member
    I think this makes it evidently clear that Apple's more closed and scrutinized app store model is much better than something so wide open.
  • Reply 116 of 216
    Quote:
    Originally Posted by Market_Player View Post


    I love the (Walled Garden)



    What kind of idiot installs a wallpaper app that warns you it will be accessing your personal information?
  • Reply 117 of 216
    Quote:
    Originally Posted by Firefly7475 View Post


    Hmmm... Using fear to justify draconian control and censorship... I wonder if that has ever been used in the past...









    No Nazi or Adolph Hitler reference - if you're going to go there - go all the way!!



  • Reply 118 of 216
    Quote:
    Originally Posted by space2 View Post


    Speaking of which: I didn't had any signal loss problems with my Sony-Ericsson X10... nor was Sony-Ericsson even mentioned in the "antennagate" ... so I lived happily ever after ;-)



    I'm pretty much a SE "fanboi", if you will, but I don't find the X10 to be a compelling phone at all. First of all, there are many users reporting poor battery performance, though there are users saying it's great. It's the uncertainty that I don't like. But absolutely WORST of all reasons not to get an X10 is one of the problems with Android itself. The X10 currently ships with Android 1.6. It's not even 2.1. 2.1 for X10 is "expected" in October of this year. Which probably means it'll ship in February 2011. 2.2 isn't even on the map, and there's no indication whatsoever whether 2.2 or greater version will ever be released for the phone.



    There are a good number of high-profile Android apps from major developers that REQUIRE 2.0 or greater. As 2.2 becomes more widely available, there will be many apps that require that version, etc. But your X10 cannot run them.



    With iOS, we are guaranteed that the iPhone 4 will be upgraded to every version of iOS 5.x. All iPhone 4s (and iPod Touch 4.0 after it's released) will be upgradable to iOS 5.x, to the last of whatever "x" is before iOS 6.0 is released.



    Forget Flash. Android 1.6 can't even run HTML5.



    It's unbelievable that a phone that ships TODAY runs a version of Android that was obsolete 9 months ago. Not only that... at the time the X10 was released, Android 2.0 was already almost 6 months old. I don't have to worry about that with iOS. My September, 2009 iPod Touch is working fantastic with full support for iOS 4.0, and can run every single iOS app that doesn't require the camera, telephone or GPS.
  • Reply 119 of 216
    gin_tonicgin_tonic Posts: 163member
    Quote:
    Originally Posted by Gwydion View Post


    I though you wouldn't know.



    By the way, with those permissions an app can't read most of the thing the reports says.



    Do you think the fanboys here know that they are talking about? No way! The same about editors, especially about Daniel and Prince.



    Have anyone of them read about manifest file in android apps and Android security program? Do anyone know that an Android application executes in its own sandbox and have no access to another application data? Do they know that user must look through all permissions he gives the application before it is downloaded?



    And I recall about some strange SMS that gives hackers access to user data on iPhone. Is it fixed in iOS 4 ?
  • Reply 120 of 216
    firefly7475firefly7475 Posts: 1,502member
    Quote:
    Originally Posted by ascii View Post


    I don't think it's fair to blame Google for this. People know it's an open marketplace, so it's their responsibility to check out the developer, make sure they're reputable, before installing something. They have to think of their phone as same as a PC in that respect.



    IMO this is the one major difference between the application stores. With Apple you are guaranteed that when you install an application it comes from the developer you think it does (because they are all signed). You have no such guarantee with the Android application store.



    Apart from that the stores seem similar. Apple give no guarantee that applications vetted for the store are free from malware. There is a surprising number of people that have this false belief that Apple will somehow protect them from the evils of the world where that is simply not the case.



    I'm also surprised that AI haven't put an update on the article. At this point there is nothing to indicate any kind of malicious act and everything to indicate that it was not.



    Not to say that something wrong hasn't been done here. Personal information (phone number, carrier id and message bank number) was gathered without user consent, but the tracking of user data is a industry concern with a scope that reaches far beyond one Android application.



    I think this was the point of the security conference rather than simply calling out one application.
Sign In or Register to comment.