Google's Android Market web store opens new malware threat

Posted:
in iPhone edited January 2014
Security researchers at Sophos are urging Google to remove automatic over-the-air installation of apps as a feature from its new web store, noting that it makes the silent addition of malware and spyware to Android users' devices far too easy.



Google announced its new web-based Android Market last week at its Android 3.0 Honeycomb introduction, as part of an effort to kickstart slow Android app sales, something the company said it was "not happy" about.



However, just days later security firm Sophos has issued a warning that says Google's implementation of app sales via its website is flawed because there is no acceptance step by users on their phone.



Unlike Apple's iTunes Preview website, which allows users to browse for apps on the web but then directs them to iTunes to securely complete their purchase, Google's new web-based Android Market allows users to select and buy apps directly on the web site and then have the apps remotely installed on their device, something that is touted as a unique feature.



What if somebody else installs an app on your account?



Purchased apps are then streamed directly to the user's handset and automatically installed. The problem, researchers say, is that there is no approval mechanism that would indicate to a user that apps are being installed. Therefore, if a third party were able to access a user's account information, they could easily install apps on the user's phone without that person being aware this was even happening.



Additionally, apps on Android have far broader access to features on the phone; Google leaves the security ramifications related to apps up to the user when the app is being purchased. For example, an app that wants the ability to read all data on the phone, send fee-based SMS messages, and track the user's location must note these requests in Android Market, leaving it up to the user to decide if those requests are justified or reasonable.



However, because the new web store makes it easy for a malicious third party to bypass these choices and simply install apps behind the users' back, Android users must now be extra vigilant to monitor what apps are installed on their phone, because there is no curation by Google and no installation approval on the device itself.



In contrast, iOS apps must first pass Apple's review process and then the user must manually download the apps through iTunes or directly from their iPhone via the App Store app; Apple never beams apps directly to users' devices for unattended, quiet install.



Fishing for Passwords



Android's new security problem requires users' passwords to be intercepted by a malicious third party. Apple's iTunes users have already been regularly targeted by multiple attempts to either guess, crack or simply "phish" their passwords by malicious users seeking to obtain access to their accounts.



The difference is that with iTunes account information, all a malicious user can really do is make unauthorized purchases. This has created a booming market for stolen iTunes account credentials, inducing Apple to take steps to require users to select harder to guess passwords and to verify their credit card information on new devices the first time they are set up. This has greatly reduced the value of stolen iTunes accounts, as it prevents thieves from making purchases using new devices unless they have the accounts' full credit card information.



In contrast, with a stolen Android Market account, malicious parties can not only make purchases, but also set up targeted, powerful malware that is "sold" to the user without their knowing and silently installed on their device wirelessly with no notification. These apps can then track the user, access their calling information, collect all kinds of sensitive information on their phone, and then upload it to foreign servers before the user is even aware that a new app was installed.



"The result of all this is that a Google password suddenly becomes even more valuable for potential attackers, and I would not be surprised to see even more Gmail phishing attacks as a consequence," Sophos' Vanja Svajcer wrote. "The phishers' intention may not be to use stolen account credentials for the purposes of sending spam but to install malware on the user's Android devices instead."



Oops I did it again



"Google should make changes to the remote installation mechanism as soon as possible," Svajcer warned. "As a minimum, a dialog should be displayed on the receiving device so that the user must personally accept the application that is being installed."



Until Google takes notice of the problem, Svajcer recommended that Android users choose a strong password. The millions of new Android users will also want to make sure they don't fall for phishing scams the way millions of iTunes users have. Rather than facing refundable unauthorized purchases, they could find their personal smartphone loaded up with malware, recreating the security meltdown similar to the one Microsoft faced with Windows XP.
«1345

Comments

  • Reply 1 of 93
    We used to call this "drive by installs" back when people would surf the web with unpatched copies of Windows XP.
  • Reply 2 of 93
    I guess it's one more facet of being "open" (as in "leaving the door open")...



    Why don't people realise Google's model is all wrong?!
  • Reply 3 of 93
    Thanks for the 411 AndroidInsider!
  • Reply 4 of 93
    gwydiongwydion Posts: 1,083member
    Oh, another FUD and bashing post from Mr. Daniel.



    If my GMail account is compromised, the least of my worries is auto installing of Android apps.
  • Reply 5 of 93
    I'm not sure if Appleinsider is going for objectivity but this article doesn't really help if it is. I love Apple products more than anyone, while it may be true that Android is more likely to have phishing going on, if you give out your password to your iTunes account, bad things can also happen. Is installing apps remotely worse? It could give them more information, but both systems still rely on the user keeping a secret password and people can still be phished through email and websites even on the iPhone. Besides, remote app installing is something Apple could easily add too and users would still need to keep their password a secret as always. The only thing this article is really bringing up is that Android doesn't curate apps and that doesn't really have much to do with remote over-the-air installing. In the end, Apple relies just about as much on users keeping their passwords a secret. Android a bit more, but again, this article doesn't really seem to make this site look good.
  • Reply 6 of 93
    I'm so glad I'm an Apple user. I don't have to bother with researching through too many options, an the iTunes layer keeps us all protected from this kind of crap. I'd take a flashless phone over an insecure one any day.
  • Reply 7 of 93
    Google must scare the bejesus out of you Apple fanboys, since you now seem to spend more time bashing Google and Android than talking about Apple products.



    I would suggest that Sophos actually use the web-based Android Market before criticizing it. Any app that is downloaded to an Android phone shows up in the notification bar and the user must manually clear the notification to make it go away. It's hardly an "unattended, quiet install." Then again maybe the editors at AppleInsider don't understand a properly functioning notification system, because Apple has failed in its implementation on iOS.



    I used to enjoy AppleInsider, but you've all gone round the bend with your slavish worship of all-things Apple and willingness to bash Google without even considering whether or not your arguments make sense.
  • Reply 8 of 93
    noirdesirnoirdesir Posts: 1,027member
    Quote:
    Originally Posted by zencowboy View Post


    but you've all gone round the bend with your slavish worship of all-things Apple and willingness to bash Google without even considering whether or not your arguments make sense.



    I think you then need to extend that flattery to Sophos as well.

    (But then again, it is pretty much accepted wisdom that one should take security alerts from security software companies with a large pinch of salt.)
  • Reply 9 of 93
    Sure, you can install apps remotely.

    But they can't run for the first time on their own.



    So if a random app appears to have been randomly installed on your phone, first of all change your Gmail password, but secondly, don't open it and uninstall it.



    Problem solved.
  • Reply 10 of 93
    sheffsheff Posts: 1,407member
    Quick fix with a dialogue message on androids part. The idea itself is fairly good, but again why not just go and download the app straight from the phone instead of going on the web. I don't think I bought a single app from iTunes itself in recent memory, it's all been through the phone. But as I said the concept is interesting from purely technological point of view.
  • Reply 11 of 93
    noirdesirnoirdesir Posts: 1,027member
    Quote:
    Originally Posted by Gwydion View Post


    If my GMail account is compromised, the least of my worries is auto installing of Android apps.



    I agree with that (not least since I do not own any Android device ) but this is still an example that there rarely is such thing as a free lunch (ie, there is often enough just one more thing to think about with any given new feature).
  • Reply 12 of 93
    Quote:
    Originally Posted by Gwydion View Post


    Oh, another FUD and bashing post from Mr. Daniel.



    If my GMail account is compromised, the least of my worries is auto installing of Android apps.



    I don't see it as FUD. He's just reporting what this security researcher is reporting. This is the kind of thing people want to know. We each have our own risk aversion, if it doesn't bother you, so be it, but people want to know what's what...



    AI also reports negative news about Apple. Relax.
  • Reply 13 of 93
    Quote:
    Originally Posted by zencowboy View Post


    Google must scare the bejesus out of you Apple fanboys, since you now seem to spend more time bashing Google and Android than talking about Apple products.



    // snip //



    I used to enjoy AppleInsider, but you've all gone round the bend with your slavish worship of all-things Apple and willingness to bash Google without even considering whether or not your arguments make sense.



    Agreed. This site, along with others like electronista, have become full-time Android-bashing sites. It's almost as if the Apple fanboys are immature children who are upset that their device is no longer the only hot thing on the scene. Seriously, I've seen an incredible amount of ridiculous, hypocritical, contradictory pseudo-arguments on here in the past few months defending everything Apple does as perfect and everything Google and Microsoft do as horrible and yucky. It's a shame.
  • Reply 14 of 93
    quadra 610quadra 610 Posts: 6,757member
    Quote:
    Originally Posted by zencowboy View Post


    Google must scare the bejesus out of you Apple fanboys,



    That depends.



    Which model phone? HTC, Samsung, Huawei, ZTE, etc., etc.?



    Which (probably non-updated) version of Android?



    So far there's a lot more confusion than fright.
  • Reply 15 of 93
    penchantedpenchanted Posts: 1,070member
    Quote:
    Originally Posted by derekmorr View Post


    Agreed. This site, along with others like electronista, have become full-time Android-bashing sites. It's almost as if the Apple fanboys are immature children who are upset that their device is no longer the only hot thing on the scene. Seriously, I've seen an incredible amount of ridiculous, hypocritical, contradictory pseudo-arguments on here in the past few months defending everything Apple does as perfect and everything Google and Microsoft do as horrible and yucky. It's a shame.



    You know, your posts might be taken more seriously if you could refrain from your frequent use of the invective "fanboy". Just a suggestion.



    And to be fair, the Apple fans need to curtail their use of "fandroid/phandroid".



    Using any of these does nothing to encourage intelligent discussion.
  • Reply 16 of 93
    Quote:
    Originally Posted by penchanted View Post


    You know, your posts might be taken more seriously if you could refrain from your frequent use of the invective "fanboy". Just a suggestion.



    I'd refrain from it if the posts here warranted it. I didn't use it in the past, but as the comments on here became increasingly shrill and closed-minded, it seemed appropriate. No matter. I've given tired of trying to talk sense into anyone here. It's a hopeless endeavor, since folks ignore evidence, have double standards, and, when all else fails, just make things up.
  • Reply 17 of 93
    tbelltbell Posts: 3,146member
    I honestly have no idea about how Google's security is in relation to others. However, the WiKi Leak documents revealed that Google lost tons of user data by being hacked most likely by the Chinese government. That likely includes stuff like Gmail and all that personal information Google collected by copying people's wi-fi communications. .



    I don't know if it is related, but my stepfather recently was locked out of his gmail account because somebody gained access. Since then they have been sending spam to friends using his actual account. Moreover, he not too long after got a call from his Visa card folks asking him did he make a purchase in India for about $17, 000 for clothes. The guy is pushing ninety. He hasn't bought anything other then underwear and socks in years.



    Further, the biggest annoyance with Google is its customer service really really stinks. You can't call Google on the phone. At least the company tries to make it real hard for you to do so. My step father never could get back into his account because there was nobody at Google to get on the phone and Google would only respond to him with form letters. The original Nexus One purchasers also had nobody to call for help because Google didn't have customer service people and T-Mobile said Google didn't provide it support documents. This was the same problem my step dad used to have with his Windows computer (he now happily uses a Mac). He'd call up Dell to ask about a problem. Dell would say, call Microsoft it is a Window's problem. Microsoft would say call up Dell, as it is responsible for the support. With Apple you know who to call.



    Further, the benefit with Apple is there is always somebody at Apple to talk to. I once wrote Jobs an email. A day later one of his assistants called and personally addressed my issue. I had a five year old Mac that had repeated problems and technically was out of warranty. Apple paid to have the Mac fixed. I can always understand Apple's support people as well.
  • Reply 18 of 93
    chiachia Posts: 714member
    Quote:
    Originally Posted by derekmorr View Post


    It's a hopeless endeavor, since folks ignore evidence, have double standards, and, when all else fails, just make things up.



    Welcome to Planet Earth.
  • Reply 19 of 93
    tbelltbell Posts: 3,146member
    I was taught in first grade name calling is childish. Apparently, you weren't taught the same thing. Otherwise, you wouldn't address people as "fanboys."



    Further, the website is called "Appleinsider." That means people here are probably fans of Apple. There are plenty of sites you can find where bashing Apple and Microsoft are full time occupations.







    Quote:
    Originally Posted by derekmorr View Post


    Agreed. This site, along with others like electronista, have become full-time Android-bashing sites. It's almost as if the Apple fanboys are immature children who are upset that their device is no longer the only hot thing on the scene. Seriously, I've seen an incredible amount of ridiculous, hypocritical, contradictory pseudo-arguments on here in the past few months defending everything Apple does as perfect and everything Google and Microsoft do as horrible and yucky. It's a shame.



  • Reply 20 of 93
    freerangefreerange Posts: 1,597member
    Originally Posted by derekmorr

    Agreed. This site, along with others like electronista, have become full-time Android-bashing sites. It's almost as if the Apple fanboys are immature children who are upset that their device is no longer the only hot thing on the scene. Seriously, I've seen an incredible amount of ridiculous, hypocritical, contradictory pseudo-arguments on here in the past few months defending everything Apple does as perfect and everything Google and Microsoft do as horrible and yucky. It's a shame.



    Quote:
    Originally Posted by penchanted View Post


    You know, your posts might be taken more seriously if you could refrain from your frequent use of the invective "fanboy". Just a suggestion.



    And to be fair, the Apple fans need to curtail their use of "fandroid/phandroid".



    Using any of these does nothing to encourage intelligent discussion.



    derekmorr, if you follow his posts, is an obvious troll and/or techtard who thinks everything should be free and hates apple's success and business model. He just hangs around here waiting to pounce on insightful conversation and insight.
Sign In or Register to comment.