New Android "RAT" infects Google Play apps, turning phones into spyware zombies

Comments

  • Reply 41 of 186
    Dan_Dilger Posts: 1,583 member
    Quote:
    Originally Posted by Gatorguy View Post

    You claimed "Most of these will never receive security updates" which is easily proven false. Granted there may be some vulnerabilities that go unpatched (do you have any example) but that's not at all the same as going overboard with "No security updates for you" scareware. Google has demonstrated it's commitment to protecting it's users while still allowing a high degree of customizing. I think they've done pretty well finding a middle ground that fills most of it's buyers needs while avoiding a hard lockdown of the ecosystem. Android was never intended to be an OS controlled from top to bottom by a single manufacturer.

     

    If it’s easy, go ahead and prove that most Android phones that shipped with an outdated version subsequently received security updates.

     

    All evidence proves you are wrong.

     

    Now you can claim that Google has tried to patch most of the flaws it has discovered. But the problem that’s obvious to anyone apart from the most desperate of Android apologists is that many end users never receive these, either because the update process is flawed (and users don’t do them), or because the carrier or the manufacturer isn’t interested in preparing and delivering the updates. Google couldn’t even get its partners to agree to support their phones for 18 months in the "Google Update Alliance."

     

    Android is a pure mess. Sure you can only look at brand new, premium models and say that yes, these get updates for at least a year. But those devices represent only about a third of Android shipments. The majority of Google’s platform is an unmanaged heap of junk that is never going to be updated, just like the vast majority of Windows PCs. 

     

    Also remember that "it is" as a contraction becomes its not it’s. 

  • Reply 42 of 186
    jungmark Posts: 6,924 member
    No surprise here. Googs didn't design Android to be safe.
  • Reply 43 of 186
    bobschlob Posts: 1,074 member

    Ayyye, I gottch'r "Trojan payload" right here. Ayyyee…!

  • Reply 44 of 186
    jungmark Posts: 6,924 member

    Also remember that "it is" as a contraction becomes its not it’s. 

    You mean as a possessive noun.
  • Reply 45 of 186
    mstone Posts: 11,510 member
    Quote:
    Originally Posted by Dick Applebaum View Post



    Is DDOS or DOS against the law?

    Sure since 2006 in the US. But can it be prosecuted is a different question.

  • Reply 46 of 186
    apple ][ Posts: 9,233 member

    What else is new? Another day, another new Android malware/virus/security threat.

    This is what you get when you go cheap. Android is a terrible OS. You couldn't pay me to use it.

  • Reply 47 of 186
    dick applebaum Posts: 12,527 member
    snova wrote: »
    Can you block/refuse access to your servers based on platform and OS version -- or can that be easily spoofed?
    Unfortunately, you can't prevent bandwidth usage if it requires no flow control.   They just clog up your pipe bandwidth and there is little you can do about it. Block it all you want to the final destination (if your router can handle the load), but the fact of the matter is quality of service of passing good packets into the network will be unusable.


    Can this be addressed statistically – by the various hops along the path to the destination server?
    Technically yes, however in practice upstream ISPs won't take care of this for you on your behalf. They won't alter their upstream filters to protect you downstream. It's your problem.

    Mmmm... Aren't US ISPs given a near monopoly in certain areas (cities) in exchange for providing a given level of service -- like a gas, electric or phone utility? If so, aren't these ISPs subject to regulation/taxes -- especially since they use the public airwaves?

    It appears that there may be ways to incentivize the ISPs.
  • Reply 48 of 186
    tallest skil Posts: 43,388 member
    Originally Posted by Dick Applebaum View Post

    Mmmm. Aren't US ISPs given a near monopoly in certain areas (cities) in exchange for providing a given level of service -- like a gas, electric or phone utility? If so, aren't these ISPs subject to regulation/taxes -- especially since they use the public airwaves?

     

    Yep and shrug, in that order.

  • Reply 49 of 186

    Andrhoid's platform is "open" to RAT infestation, huh?

  • Reply 50 of 186
    droidftw Posts: 1,009 member
    Quote:
    Originally Posted by Corrections View Post

     

    Also remember that "it is" as a contraction becomes its not it’s. 


     

    If you're going to get anal about someone's grammar at least be accurate when doing so.

  • Reply 51 of 186
    dick applebaum Posts: 12,527 member
    Mmmm. Aren't US ISPs given a near monopoly in certain areas (cities) in exchange for providing a given level of service -- like a gas, electric or phone utility? If so, aren't these ISPs subject to regulation/taxes -- especially since they use the public airwaves?

    Yep and shrug, in that order.

    Read my edit!
  • Reply 52 of 186
    mstone Posts: 11,510 member
    Quote:

    Originally Posted by Dick Applebaum View Post

     
    Mmmm. Aren't US ISPs given a near monopoly in certain areas (cities) in exchange for providing a given level of service -- like a gas, electric or phone utility? If so, aren't these ISPs subject to regulation/taxes -- especially since they use the public airwaves?


    I think he is correct in general. A private citizen cannot get any action from a major carrier but if you go through channels it will get done such as my earlier description of data center protocol. A private citizen only sees the end result of the DDOS in that they can't get their email or something but the IT staff have much better access to the other network professionals and can escalate issues to level 3.

  • Reply 53 of 186
    Quote:

    Originally Posted by NexusPhan View Post

     

     

     

    It's insanely easy to avoid malware in Android. 


    Simply avoiding android and its malware would be insanely easy.

  • Reply 54 of 186
    jameskatt2 Posts: 720 member
    How horrifying it is to have an Android phone.
  • Reply 55 of 186
    dasanman69 Posts: 13,002 member
    Also remember that "it is" as a contraction becomes its not it’s. 

    That is incorrect, the contraction for 'it is' is indeed 'it's', but to show possession it is 'its'
  • Reply 56 of 186
    dick applebaum Posts: 12,527 member
    dasanman69 wrote: »
    Also remember that "it is" as a contraction becomes its not it’s. 

    That is incorrect, the contraction for 'it is' is indeed 'it's', but to show possession it is 'its'

    You dasen't correct Corrections!

    I shan't warn you again!
  • Reply 57 of 186
    gatorguy Posts: 23,516 member
    If it’s easy, go ahead and prove that most Android phones that shipped with an outdated version subsequently received security updates.

    Of course it's easy. Pretty sure that you already knew it too, the voracious reader that you would seem to be.
    From the folks at Malwarebytes last June:
    http://blog.malwarebytes.org/mobile-2/2013/07/android-as-a-service-verify-apps-for-gingerbread-and-up/

    "Most of the features introduced in 4.3 are functionality related but one pertains to security, which is the Verify Apps feature. I covered this feature in one of my blogs last June, it’s pretty much a built-in app scanner. With this feature enabled, Android will interrogate apps installed outside of the Google Play store.

    In Jelly Bean 4.3, Google has moved the Verify Apps feature to Google Play Services and will be available to Android versions 2.3 and up. This is significant because it is a huge feature—in my mind—to be available to older versions. This opens the door to making other features available to “outdated” devices."

    "... I like that Google isn’t leaving some of its customer base behind, and Google Play Services gives every Android user an opportunity to receive updates otherwise unavailable. With Google Play Services, Google is showing that it is aware of the difficulties in getting updates to all its customers and making more and more features available to most—95 percent are using v2.3 or higher.
    "


    Sept of last year:
    http://arstechnica.com/gadgets/2013/09/balky-carriers-and-slow-oems-step-aside-google-is-defragging-android/

    "It's such a simple idea: Android updates roll out too slowly, so start releasing all the cool stuff separately. The hard part is making it actually work. But the first reason this is now possible is a little app that has finally come of age: "Google Play Services."

    " While the latest version of Android is on six percent of devices, Play Services rolls out to everyone in a week or two and works all the way back to Android 2.2. That means any phone that is three years old or newer has the latest version of Google Play Services. According to Google's current Android statistics, that's 98.7 percent of active devices. So at Google I/O, when Google announced their slew of new APIs, nearly every Android device was immediately compatible in a week. Play Services is a direct line from Google to the core of your phone... This is how you beat software fragmentation. When you can update just about anything without having to push out a new Android version, you have fewer and fewer reasons to bother calling up Samsung and begging them to work on a new update."


    And then a couple weeks ago Google began a rollout of more security enhancements via their Play Services pipeline and an enhanced VerifyApps:
    http://blogs.computerworld.com/android/23590/google-android-security

    "Dangerous malware" and "new threats" make for great headlines... to feed fear-inducing fodder to stats-loving reporters (go figure!). ;)
    'Over the next couple of weeks, Google will be rolling out a universal update that'll enable constant on-device monitoring for potentially problematic apps. It's an upgrade to the platform's Verify Apps function that first launched with Android 4.2 in 2012, ... and then spread to all devices with Android 2.3 and up last July."

    What's changing is that Verify Apps will soon continue to monitor your applications even after they're installed, thereby extending its level of protection.

    "We're constantly updating what [threats] we're aware of, so being able to detect those things where we've improved our coverage is valuable," Android Lead Security Engineer Adrian Ludwig tells me.

    ...Ludwig says the newly expanded system will also help identify issues with apps installed before Verify Apps became available -- or those installed without a person's knowledge while, say, someone else was borrowing a device."

    ...So what's the broad takeaway from this? ... Now more than ever, malware on Android is far less significant of a real-world issue than some reports would lead you to believe. In the real world, the killer viruses that are so good for headlines actually affect next to no one. And now, even if you don't exercise basic common sense -- even if you carelessly download shady-looking stuff from unofficial sources out in the wild -- your phone will automatically protect you even more than it already did."


    There you go sir. As I said it was easy to demonstrate your claim that most old Android phones won't ever get security updates isn't true. They do. Effectively all of them, not just most.

    There's absolutely more that can and probably will be done. Malware authors are getting more clever by the week and some stuff will inevitably get thru. Resorting to drama and claiming that Google doesn't care about security for older phones is silly IMO. They obviously do. There's still plenty to complain about with Android so being creative with embellished complaints shouldn't really be necessary.
  • Reply 58 of 186
    dasanman69 Posts: 13,002 member
    jameskatt2 wrote: »
    How horrifying it is to have an Android phone.

    Just as horrifying as it was when Iraq had WMDs, oh wait they didn't but we were scared into believing that they did. Things are never as good as they seem and they're never as bad as they seem.
  • Reply 59 of 186
    dasanman69 Posts: 13,002 member
    You dasen't correct Corrections!

    I shan't warn you again!

    Don't take my word for it. Read for yourself.

    http://www.elearnenglishlanguage.com/blog/english-mistakes/its/
  • Reply 60 of 186
    freerange Posts: 1,595 member
    gatorguy wrote: »
    Of course it's easy. Pretty sure that you already knew it too, the voracious reader that you would seem to be.
    From the folks at Malwarebytes last June:
    http://blog.malwarebytes.org/mobile-2/2013/07/android-as-a-service-verify-apps-for-gingerbread-and-up/

    "Most of the features introduced in 4.3 are functionality related but one pertains to security, which is the Verify Apps feature. I covered this feature in one of my blogs last June, it’s pretty much a built-in app scanner. With this feature enabled, Android will interrogate apps installed outside of the Google Play store.

    In Jelly Bean 4.3, Google has moved the Verify Apps feature to Google Play Services and will be available to Android versions 2.3 and up. This is significant because it is a huge feature—in my mind—to be available to older versions. This opens the door to making other features available to “outdated” devices."

    "... I like that Google isn’t leaving some of its customer base behind, and Google Play Services gives every Android user an opportunity to receive updates otherwise unavailable. With Google Play Services, Google is showing that it is aware of the difficulties in getting updates to all its customers and making more and more features available to most—95 percent are using v2.3 or higher.
    "


    Sept of last year:
    http://arstechnica.com/gadgets/2013/09/balky-carriers-and-slow-oems-step-aside-google-is-defragging-android/

    "It's such a simple idea: Android updates roll out too slowly, so start releasing all the cool stuff separately. The hard part is making it actually work. But the first reason this is now possible is a little app that has finally come of age: "Google Play Services."

    " While the latest version of Android is on six percent of devices, Play Services rolls out to everyone in a week or two and works all the way back to Android 2.2. That means any phone that is three years old or newer has the latest version of Google Play Services. According to Google's current Android statistics, that's 98.7 percent of active devices. So at Google I/O, when Google announced their slew of new APIs, nearly every Android device was immediately compatible in a week. Play Services is a direct line from Google to the core of your phone... This is how you beat software fragmentation. When you can update just about anything without having to push out a new Android version, you have fewer and fewer reasons to bother calling up Samsung and begging them to work on a new update."


    And then a couple weeks ago Google began a rollout of more security enhancements via their Play Services pipeline and an enhanced VerifyApps:
    http://blogs.computerworld.com/android/23590/google-android-security

    "Dangerous malware" and "new threats" make for great headlines... to feed fear-inducing fodder to stats-loving reporters (go figure!). ;)
    'Over the next couple of weeks, Google will be rolling out a universal update that'll enable constant on-device monitoring for potentially problematic apps. It's an upgrade to the platform's Verify Apps function that first launched with Android 4.2 in 2012, ... and then spread to all devices with Android 2.3 and up last July."

    What's changing is that Verify Apps will soon continue to monitor your applications even after they're installed, thereby extending its level of protection.

    "We're constantly updating what [threats] we're aware of, so being able to detect those things where we've improved our coverage is valuable," Android Lead Security Engineer Adrian Ludwig tells me.

    ...Ludwig says the newly expanded system will also help identify issues with apps installed before Verify Apps became available -- or those installed without a person's knowledge while, say, someone else was borrowing a device."

    ...So what's the broad takeaway from this? ... Now more than ever, malware on Android is far less significant of a real-world issue than some reports would lead you to believe. In the real world, the killer viruses that are so good for headlines actually affect next to no one. And now, even if you don't exercise basic common sense -- even if you carelessly download shady-looking stuff from unofficial sources out in the wild -- your phone will automatically protect you even more than it already did."


    There you go sir. As I said it was easy to demonstrate your claim that most old Android phones won't ever get security updates isn't true. They do. Effectively all of them, not just most.

    Actually FALSE!!!!!

    As previously stated, hundreds of millions of phones in Asia do not in fact get updated!

    So stop spreading this total BS! There is more to the world than the narrow view of the West.