Another new kernel flaw that Google won't fix for Android users prompts more switching to Apple's i

12346

Comments

  • Reply 101 of 125
    gatorguy said:
    ...and just like with most iOS exploits the supposedly billion android devices affected by it are, well, unaffected.  TBH the whole malware scare story is waaay overblown IMHO. The stories are much scarier than the truth.

    BTW, inn the quite old IQMobile report you referenced do you know what "malware" was defined as? Pay attention to details since they can change the story. For instance you might not be aware that OS X was the most vulnerable operating system last year, worse than Windows... or was it? 
    Sorry gatorguy, but your desperate attempts at brushing off the Android malware problem are ill founded and very unwise.

    Just one of those 65,557 Android malware variants called Eurograbber siphoned 47 million dollars from the bank accounts of 30,000 hapless Android users in 2013. Then there is the Bmaster command and control botnet malware which has been siphoning between half to 3.5 million dollars off poor Android users per year.

    The truth is far scarier than your worldview seems to want to hear.

    You need to learn the difference between vulnerabilities that are promptly patched vs malicious exploits that actually do the damage.

    With Apple pushing out security and system updates within days to the vast majority of iOS devices worldwide, it is no surprise that iOS malware represents far less than 1% of the mobile malware in the world. 

    Cambridge University reports that it takes 18 long months for half of Android devices to get patched for CRITICAL known vulnerabilities while the remaining 50% of Android devices NEVER get patched for all critical vulnerabilities.  That is why 97-99% of all mobile malware targets Android - 87.7% of the Android platform on average is WIDE OPEN for malicious exploitation.  That is why the StageFright vulnerabilities caused such massive panic across all savvy Android stakeholders.  

    No, the fact of the matter is that Google's disastrous abdication of responsibility for distribution of Android security and system software updates rates as THE biggest security failure of our time and will continue to reverberate across the mobile sphere for years to come.
  • Reply 102 of 125
    cnocbuicnocbui Posts: 3,613member
    rocwurst said:
    cnocbui said:
    Most mobile phone OS attacks are happening in China.  Any exploit requiring physical access to a device is non-critical for anyone who isn't a target of a nation-state's security service.
    Actually, 10% of those 32.8 million malware infections in 2012 occurred in the USA according to InQ Mobile. 

    Stagefright is just one of many vulnerabilities that don't require physical access to compromise an Android phone. In the case of Stagefright, your phone could just be sitting there and a simple MMS message is all that is required to own your phone.

    Other Related Stagefright vulnerabilities only require simply browsing a graphic on a web page, in an email or a chat app. 

    This particular kernel vulnerability is just one of a multitude that won't be patched on the majority of Android devices around the world. 
    I said most.  10% is not most.

    Samsung issued a patch for Stagefright for the S6 in a matter of weeks, similarly so did other manufacturers. here's a list of phones that were patched:

    According to you and other AI founts of Android wisdom, Android security exploits are never fixed.

    Meanwhile, when is Apple going to patch the vulnerability that was found in Keychain?  Last I heard it was 'one day'.


    singularity
  • Reply 103 of 125
    gatorguygatorguy Posts: 24,604member
    rocwurst said:
    gatorguy said:
    ...and just like with most iOS exploits the supposedly billion android devices affected by it are, well, unaffected.  TBH the whole malware scare story is waaay overblown IMHO. The stories are much scarier than the truth.

    BTW, inn the quite old IQMobile report you referenced do you know what "malware" was defined as? Pay attention to details since they can change the story. For instance you might not be aware that OS X was the most vulnerable operating system last year, worse than Windows... or was it? 
    Sorry gatorguy, but your desperate attempts at brushing off the Android malware problem are ill founded and very unwise.

    Just one of those 65,557 Android malware variants called Eurograbber siphoned 47 million dollars from the bank accounts of 30,000 hapless Android users in 2013. Then there is the Bmaster command and control botnet malware which has been siphoning between half to 3.5 million dollars off poor Android users per year.

    The truth is far scarier than your worldview seems to want to hear.

    You need to learn the difference between vulnerabilities that are promptly patched vs malicious exploits that actually do the damage.

    With Apple pushing out security and system updates within days to the vast majority of iOS devices worldwide, it is no surprise that iOS malware represents far less than 1% of the mobile malware in the world. 

    Cambridge University reports that it takes 18 long months for half of Android devices to get patched for CRITICAL known vulnerabilities while the remaining 50% of Android devices NEVER get patched for all critical vulnerabilities.  That is why 97-99% of all mobile malware targets Android - 87.7% of the Android platform on average is WIDE OPEN for malicious exploitation.  That is why the StageFright vulnerabilities caused such massive panic across all savvy Android stakeholders.  

    No, the fact of the matter is that Google's disastrous abdication of responsibility for distribution of Android security and system software updates rates as THE biggest security failure of our time and will continue to reverberate across the mobile sphere for years to come.
    Isn't Eurograbber a PC phishing scheme?
    http://www.darkreading.com/attacks-and-breaches/zeus-botnet-eurograbber-steals-$47-million/d/d-id/1107673?
    Or did you mean this version which requires so many things come together the possibility of encountering it would be pretty rare. Note too that Apple users are not immune to the method used: Social engineering to trick users into allowing a program to install, generally referred to as phishing.  
    http://www.informationweek.com/mobile/zeus-banking-trojan-hits-android-phones/d/d-id/1098909?
    Android.Bmaster? A piece of malware that can only be loaded via 3rd party sites and requires default security be disabled and can only be used in China and on two specific carriers? 
    https://www.botnets.fr/wiki/Android.Bmaster:_A_million-dollar_mobile_botnet

    No sir it's not nearly as scary out there as some folks, apparently including you, would try to convince us it is. While users of electronic devices obviously should use common sense, and some of course don't, the multitudes of scareware posts and stories about mobile OS'es far exceed the actual harmful malware that actually occurs. Both Android and iOS are much more secure than common desktop operating systems. Heck even Apple has let certain potential exploits affecting Macs and iPhones remain for months and in a couple of instances years. Holes aren't always to close, (Ie XcodeGhost and several new variants) but that doesn't mean users are in imminent danger. 
    edited January 2016 singularitycnocbui
  • Reply 104 of 125
    gatorguy said:
    ...and just like with most iOS exploits the supposedly billion android devices affected by it are, well, unaffected.  TBH the whole malware scare story is waaay overblown IMHO. The stories are much scarier than the truth.

    BTW, inn the quite old IQMobile report you referenced do you know what "malware" was defined as? Pay attention to details since they can change the story. For instance you might not be aware that OS X was the most vulnerable operating system last year, worse than Windows... or was it? 
    https://blog.malwarebytes.org/mac/2016/01/was-mac-os-x-really-the-most-vulnerable-in-2015/
    Sorry gatorguy, but your desperate attempts at brushing off the Android malware problem are ill founded and very unwise.

    Just one of those 65,557 Android malware variants called Eurograbber siphoned 47 million dollars from the bank accounts of 30,000 hapless Android users in 2013. Then there is the Bmaster command and control botnet malware which has been siphoning between half to 3.5 million dollars off poor Android users per year.

    The truth is far scarier than your worldview wants to hear.

    You need to learn the difference between vulnerabilities that are promptly patched vs malicious exploits that actually do the damage.

    With Apple pushing out security and system updates within days to the vast majority of iOS devices worldwide, it is no surprise that iOS malware represents far less than 1% of the mobile malware in the world. 

    Cambridge University reports that it takes 18 long months for half of Android devices to get patched of CRITICAL known vulnerabilities while the remaining 50% of Android devices NEVER get patched.  That is why 97-99% of all mobile malware targets Android - 87% of the Android platform on average is WIDE OPEN for malicious exploitation.  That is why the StageFright vulnerabilities caused such massive panic across all savvy Android stakeholders.  

    No, the fact of the matter is that Google's atrocious abdication of responsibility for distribution of Android security and system software updates rates as THE biggest security failure of our time and will continue to reverberate across the mobile sphere for years to come.
  • Reply 105 of 125
    gatorguygatorguy Posts: 24,604member
    rocwurst said:
    gatorguy said:
    ...and just like with most iOS exploits the supposedly billion android devices affected by it are, well, unaffected.  TBH the whole malware scare story is waaay overblown IMHO. The stories are much scarier than the truth.

    BTW, inn the quite old IQMobile report you referenced do you know what "malware" was defined as? Pay attention to details since they can change the story. For instance you might not be aware that OS X was the most vulnerable operating system last year, worse than Windows... or was it? 
    https://blog.malwarebytes.org/mac/2016/01/was-mac-os-x-really-the-most-vulnerable-in-2015/
    Sorry gatorguy, but your desperate attempts at brushing off the Android malware problem are ill founded and very unwise.

    Just one of those 65,557 Android malware variants called Eurograbber siphoned 47 million dollars from the bank accounts of 30,000 hapless Android users in 2013. Then there is the Bmaster command and control botnet malware which has been siphoning between half to 3.5 million dollars off poor Android users per year.

    The truth is far scarier than your worldview wants to hear.

    You need to learn the difference between vulnerabilities that are promptly patched vs malicious exploits that actually do the damage.

    With Apple pushing out security and system updates within days to the vast majority of iOS devices worldwide, it is no surprise that iOS malware represents far less than 1% of the mobile malware in the world. 

    Cambridge University reports that it takes 18 long months for half of Android devices to get patched of CRITICAL known vulnerabilities while the remaining 50% of Android devices NEVER get patched.  That is why 97-99% of all mobile malware targets Android - 87% of the Android platform on average is WIDE OPEN for malicious exploitation.  That is why the StageFright vulnerabilities caused such massive panic across all savvy Android stakeholders.  

    No, the fact of the matter is that Google's atrocious abdication of responsibility for distribution of Android security and system software updates rates as THE biggest security failure of our time and will continue to reverberate across the mobile sphere for years to come.
    You must have this written somewhere else and copy/pasted? I think it's identical to one of your earlier posts. You  probably intended this to be a different one. 
  • Reply 106 of 125
    cnocbui said:
    I said most.  10% is not most.


    Samsung issued a patch for Stagefright for the S6 in a matter of weeks, similarly so did other manufacturers. here's a list of phones that were patched:

    According to you and other AI founts of Android wisdom, Android security exploits are never fixed.

    Meanwhile, when is Apple going to patch the vulnerability that was found in Keychain?  Last I heard it was 'one day'.

    Do you think that the USA is "most" of the smartphone market in the world? Ever heard of Europe? or Asia? or Australia?  

    Considering you Android fans are always trying to minimise Apple's huge smartphone market share in the USA as being just a small part of the World, it's hilarious that you suddenly turn around and try to say that the USA is all that matters.  10% of that malware was 3.28 million Android devices in the USA infected with Malware in 2012 alone.

    Likewise, you only mention a small selection of carriers (all US-based) who patched only a small selection of recent Android phones for Stagefright - again ignoring the multitudes of older Android devices in the USA and the multitudes of Carriers and Android OEMS in the rest of the world.

    We're talking about smartphones, a minor Mac OS X keychain vulnerability is irrelevant to this discussion.
    edited January 2016
  • Reply 107 of 125
    gatorguy said:
    Isn't Eurograbber a PC phishing scheme?
    Android.Bmaster? A piece of malware that can only be loaded via 3rd party sites and requires default security be disabled and can only be used in China and on two specific carriers? 
    Eurograbber is hybridised malware meaning it first infects a PC (not a Mac incidentally) and then immediately infects the user's mobile device in order to defeat Bank's two-factor authentication.

    Darrell Burkey, who oversees intrusion prevention products at Internet-threat-protection provider Check Point Software Technologies
     reports that "The mobile devices targeted in this attack were Blackberry, Android and Symbian devices."  Considering the vast market share of Android compared to the other 2 platforms, most of those 32,000 victims would indeed have been Android victims.

    With Bmaster, again, you're trying to discount the massive Chinese market as of no concern when they represent 30% of the Android market worldwide.  You can't have your cake and eat it too I'm afraid.
  • Reply 108 of 125
    suddenly newton said:
    What does your sarcasm meter tell you?
    See, I have to get mine taken in. Been on the fritz for a while and I’m stuck using this thing until then...



    EDIT: No animated gifs here. Really. Really. I can’t post my animated gifs. Are you serious? APNG, maybe? Doubt it.
    edited January 2016
  • Reply 109 of 125
    gatorguygatorguy Posts: 24,604member
    rocwurst said:
    gatorguy said:
    Isn't Eurograbber a PC phishing scheme?
    Android.Bmaster? A piece of malware that can only be loaded via 3rd party sites and requires default security be disabled and can only be used in China and on two specific carriers? 
    Eurograbber is hybridised malware meaning it first infects a PC (not a Mac incidentally) and then immediately infects the user's mobile device in order to defeat Bank's two-factor authentication.

    Darrell Burkey, who oversees intrusion prevention products at Internet-threat-protection provider Check Point Software Technologies reports that "The mobile devices targeted in this attack were Blackberry, Android and Symbian devices."  Considering the vast market share of Android compared to the other 2 platforms, most of those 32,000 victims would indeed have been Android victims.

    With Bmaster, again, you're trying to discount the massive Chinese market as of no concern when they represent 30% of the Android market worldwide.  You can't have your cake and eat it too I'm afraid.
    Android was a relatively recent phishing target for the several year old "Eurograbber" exploit so Sybian and Blackberry could well represent the majority of them. In fact not even a penny of the $47Million stolen from users that you mentioned in your earlier post would have come from Android. Look at the date of it. Android wasn't yet a target.

    In any event that's a pittance. I'm sure you could have found a better example  of Android users harmed since thousands more iOS devices have been impacted by Xcode Ghost for instance. Which serves as a lead-in to China who I'm sure you aren't discounting as that's where most iOS exploits are reported to occur. China represents a teeny percentage of the Google Android worldwide market doesn't it? No where near 30% since Google has almost no presence there, at least not yet. 

    So yeah, of course there's security holes and exploits in Android. No denying that. Some significant ones too, more so than for iOS. And yeah they need to fix 'em too.  Google should and probably can do better. 
    But still fewer exploits and security issues than for even OS X. Are you worried every time you log on to your Mac? 
    edited January 2016
  • Reply 110 of 125
    cnocbuicnocbui Posts: 3,613member
    rocwurst said:
    cnocbui said:
    I said most.  10% is not most.


    Samsung issued a patch for Stagefright for the S6 in a matter of weeks, similarly so did other manufacturers. here's a list of phones that were patched:

    According to you and other AI founts of Android wisdom, Android security exploits are never fixed.

    Meanwhile, when is Apple going to patch the vulnerability that was found in Keychain?  Last I heard it was 'one day'.

    Do you think that the USA is "most" of the smartphone market in the world? Ever heard of Europe? or Asia? or Australia?  

    Considering you Android fans are always trying to minimise Apple's huge smartphone market share in the USA as being just a small part of the World, it's hilarious that you suddenly turn around and try to say that the USA is all that matters.  10% of that malware was 3.28 million Android devices in the USA infected with Malware in 2012 alone.

    Likewise, you only mention a small selection of carriers (all US-based) who patched their phones for Stagefright - again ignoring the rest of the world.

    We're talking about smartphones, a minor Mac OS X keychain vulnerability is irrelevant to this discussion.
    Lol - Yes, I have heard of Europe - I currently live there.  I have heard of Australia too.  Grew up there, got the passport.

    I am not really an Android fan as I have never owned a phone that runs it.  I actually said nothing whatsoever about market share or even mentioned the US, you jumped to conclusions.  In Europe it is very common for people to purchase phones SIM free (70%) - ie., not tied to a contract - where they pay the full price of the phone unsubsidised.  Same for China and even higher, at 90%, in India and Africa.  This means that all those Sim free customers get their OS updates directly from the manufacturer in most cases, or from a carrier, if that is from whom they purchased their phone.  Manufacturer updates can be installed as soon as the are released and don't suffer any delay as do those that have to go through carriers.  So while that list I just grabbed at random may pertain to US carriers, the fact remains that the updates for those phone models were also made available world wide, sooner in many cases,  and were not restricted to just the US.

    As I said, I just grabbed that list at random to serve as an example to disprove your thesis and in no way thought or suggested that it represented a comprehensive list.
  • Reply 111 of 125
    Haha this whole article is total BS with no evidence provided
  • Reply 112 of 125
    gatorguy said:
    Android was a relatively recent phishing target for the several year old "Eurograbber" exploit so Sybian and Blackberry could well represent the majority of them. In fact not even a penny of the $47Million stolen from users that you mentioned in your earlier post would have come from Android. Look at the date of it. Android wasn't yet a target.

    In any event that's a pittance. I'm sure you could have found a better example  of Android users harmed since thousands more iOS devices have been impacted by Xcode Ghost for instance. Which serves as a lead-in to China who I'm sure you aren't discounting as that's where most iOS exploits are reported to occur. China represents a teeny percentage of the Google Android worldwide market doesn't it? No where near 30% since Google has almost no presence there, at least not yet. 

    So yeah, of course there's security holes and exploits in Android. No denying that. Some significant ones too, more so than for iOS. And yeah they need to fix 'em too.  Google should and probably can do better. 
    But still fewer exploits and security issues than for even OS X. Are you worried every time you log on to your Mac? 
    Android had 68% worldwide market share in 2012 with Symbian and Blackberry both below 5% according to IDC. Of course Android users were more than a target for Eurograbber.

    There have been zero financial impacts of Xcodeghost on iOS - unlike the situation on Android.

    We're talking all Android here, not just "Google Android"  (as Android fans always talk about the whole Android platform when they boast of worldwide market share figures) and Android has 75% market share in China - not a "tiny" percentage.

    Of course I'm not worried about critical vulnerabilities on my Mac because Apple patches them promptly.  Unlike Android.
  • Reply 113 of 125
    cnocbui said:
    This means that all those Sim free customers get their OS updates directly from the manufacturer in most cases, or from a carrier, if that is from whom they purchased their phone.  Manufacturer updates can be installed as soon as the are released and don't suffer any delay as do those that have to go through carriers.  So while that list I just grabbed at random may pertain to US carriers, the fact remains that the updates for those phone models were also made available world wide, sooner in many cases,  and were not restricted to just the US.
    Unfortunately your theory is not demonstrated to be true in the real world.

    87% of Android devices insecure

    Thursday 8th October 2015

    Manufacturers fail to provide security updates

    A new study by researchers at the University of Cambridge has shown that 87% of Android devices are vulnerable to attack by malicious apps and messages. Manufacturers are to blame, because most do not provide regular security updates.

     http://androidvulnerabilities.org/images/norm_versionsecurity.svg 

    edited January 2016
  • Reply 114 of 125
    cnocbuicnocbui Posts: 3,613member
    rocwurst said:
    cnocbui said:
    This means that all those Sim free customers get their OS updates directly from the manufacturer in most cases, or from a carrier, if that is from whom they purchased their phone.  Manufacturer updates can be installed as soon as the are released and don't suffer any delay as do those that have to go through carriers.  So while that list I just grabbed at random may pertain to US carriers, the fact remains that the updates for those phone models were also made available world wide, sooner in many cases,  and were not restricted to just the US.
    Unfortunately your theory is not demonstrated to be true in the real world.

    87% of Android devices insecure

    Thursday 8th October 2015

    Manufacturers fail to provide security updates

    A new study by researchers at the University of Cambridge has shown that 87% of Android devices are vulnerable to attack by malicious apps and messages. Manufacturers are to blame, because most do not provide regular security updates.

     http://androidvulnerabilities.org/images/norm_versionsecurity.svg 

    Nice attempt at diversion there.  We were talking about one specific vulnerability that you chose to use as an example of an Android vulnerability that hadn't been addressed.  That didn't hold up to scrutiny so you are now trying another angle.

    As for your garbage from  androidvulnerabilities.org - sounds like a domain DED would create.  Did you read what was being measured by the researchers?  That 87% is because in the sample used there appeared to be a lot of people using Android phones who hadn't updated their OS to the latest versions that were available for their phones, or their phones were over two years old and the manufacturers were no longer providing OS updates for them, and so they weren't protected.  That's like saying 87% of people who stand in front of a moving train are likely to die.

    I think this means there are a lot of people who are either ignorant about the potential dangers or they don't care because there is nothing on their phones of great value like financial details.  The thing that I suspect would strike the greatest fear into the hearts of the majority of mobile phone users would be them having all their social media accounts hijacked and for them to not be able to then access them.

    If someone actually has stuff worth stealing on their phone, they should probably use a Windows phone.  I did like the way you sidestepped the issue of Apple not patching a critical security vulnerability in OSX because they only care about IOS these days - nice touch.
    singularity
  • Reply 115 of 125
    gatorguygatorguy Posts: 24,604member
    Rocwurst said:
    gatorguy said:
    Android was a relatively recent phishing target for the several year old "Eurograbber" exploit so Sybian and Blackberry could well represent the majority of them. In fact not even a penny of the $47Million stolen from users that you mentioned in your earlier post would have come from Android. Look at the date of it. Android wasn't yet a target.

    Android had 68% worldwide market share in 2012 with Symbian and Blackberry both below 5% according to IDC. Of course Android users were more than a target for Eurograbber.
    Not if your own story is correct. Android wasn't included as a potential target until 2015. So no it's still a very poor example of harm that came to users, I'm sure you have a bigger one to include in the discussion. You seem convinced that it's a huge problem with billions of users encountering malicious stuff. So far you've not made a very good show for your storyline of untold multitudes of Android users being harmed every day but you've certainly talked a lot of stuff around the edges. IMO my point stands: The smoke (and mirrors) is far larger than the fire. If you were truly interested in where the truth lay you'd expand your reading beyond agenda blogs. They're out there. I'll be happy to PM you a couple of them if you ask. 
    edited January 2016
  • Reply 116 of 125
    cnocbui said:
    Nice attempt at diversion there.  We were talking about one specific vulnerability that you chose to use as an example of an Android vulnerability that hadn't been addressed.  That didn't hold up to scrutiny so you are now trying another angle.

    As for your garbage from  androidvulnerabilities.org - sounds like a domain DED would create.  Did you read what was being measured by the researchers?  That 87% is because in the sample used there appeared to be a lot of people using Android phones who hadn't updated their OS to the latest versions that were available for their phones, or their phones were over two years old and the manufacturers were no longer providing OS updates for them, and so they weren't protected.  That's like saying 87% of people who stand in front of a moving train are likely to die.
    I did like the way you sidestepped the issue of Apple not patching a critical security vulnerability in OSX because they only care about IOS these days - nice touch.

    So, a peer-reviewed study from Cambridge University is garbage is it? Okaaaay.

    I'm sorry but your attempted deflection of Cambridge's damning indictment of the Android platforms's system and security software update architecture just doesn't hold water.  You don't seem to understand that the people using Android phones in the study reflect a broad cross-section of the very Android platform you are trying to defend.

    That moving train heading towards Android users is actually a very good analogy of the reality of the Android platform.  As the graph below shows, it takes 18 months for half of all Android phones to be patched for critical vulnerabilities going back 4 years (that's how rigorous this study is - the researchers have been collecting data for that long) and the remaining 50% never get patched for all critical vulnerabilities.  (actually in recent years, it has gotten worse as you can see in the graph - only 20% ever get patched after 1 - 2 years before the next vulnerability appears and suddenly 100% are vulnerable again.  Talk about a tide of red...

    Apple supports iOS devices going back 5 years like the iPhone 4S and iPad 2 which all regularly receive the latest security patches and system updates - yes, the latest iOS 9 runs fine on even those old devices.  With Android, you're lucky to get updates after you walk out the store let alone 2 years or heaven forbid - 5 years from now.

    (I did like the way you tried to sidestep Android's problems by bringing up irrelevant issues that have nothing to do with smartphones - nice touch)

    edited January 2016
  • Reply 117 of 125
    gatorguy said:
    Not if your own story is correct. Android wasn't included as a potential target until 2015. So no it's still a very poor example of harm that came to users, I'm sure you have a bigger one to include in the discussion. 
    Not sure what you're talking about.  The report is from 2012 when Eurograbber had sucked 47 million dollars from 30,000 hapless users, the vast majority of which would of course have been Android.  Where do you get 2015 from?

    If you were truly interested in the truth you'd be aware of the massive numbers of Android users compromised every year by malware.

    Last year alone Symantec detected 9,839 cumulative Android malware variants and reported that an incredible 17% of Android apps were malware in disguise.  

    Here’s just a small sampling of some of the multitude of other Android malware infestations beyond Eurograbber and Bmaster out there:

    Almost a million Android users (900,000) have been infected by 'Ghost Push' and its variants sucking millions of dollars every single day as of Oct 2015.

    Then there is the wave of Trojanised Android SMS apps that have drained between 6 - 24 million dollars from between 30,000 - 1.2 million Android users as reported by Panda Labs in 2014.

    I'm afraid the smoke is evidently getting in your eyes stopping you from seeing all the fires burning around you.  Android's broken security and system software update architecture is why Android is known as a toxic malware hellstew whether it agrees with your worldview or not.

    edited January 2016
  • Reply 118 of 125
    gatorguygatorguy Posts: 24,604member
    Rocwurst said:
    gatorguy said:
    Not if your own story is correct. Android wasn't included as a potential target until 2015. So no it's still a very poor example of harm that came to users, I'm sure you have a bigger one to include in the discussion. 
    Not sure what you're talking about.  The report is from 2012 when Eurograbber had sucked 47 million dollars from 30,000 hapless users, the vast majority of which would of course have been Android.  Where do you get 2015 from?

    If you were truly interested in the truth you'd be aware of the massive numbers of Android users compromised every year by malware.

    Last year alone Symantec detected 9,839 cumulative Android malware variants and reported that an incredible 17% of Android apps were malware in disguise.  

    Here’s just a small sampling of some of the multitude of other Android malware infestations beyond Eurograbber and Bmaster out there:

    Almost a million Android users (900,000) have been infected by 'Ghost Push' and its variants sucking millions of dollars every single day as of Oct 2015.

    Then there is the wave of Trojanised Android SMS apps that have drained between 6 - 24 million dollars from between 30,000 - 1.2 million Android users as reported by Panda Labs in 2014.

    I'm afraid the smoke is evidently getting in your eyes stopping you from seeing all the fires burning around you.  Android's broken security and system software update architecture is why Android is known as a toxic malware hellstew whether it agrees with your worldview or not.

    I appreciate that you have your story and your sticking to it. A lot of posters bail when challenged so thanks. 

    With that out of the way I think we're fast approaching the point where there's not much benefit to continuing. You've made up your mind that "malware variants"=malicious infections. I would have thought that the difficulty you're having in finding any reports of significant harmful infections would have told you that's not the case. The antivirus companies would be yelling loud and clear about harmful malware infections when they occur. Helps them sell product. The fact that companies like Symantec paint all these pictures of a malware-infested platform with pretty charts and lots of words and scary claims, yet don't include bonafide statistics on the number, type and location of actual malicious malware infections should be a big red flag: The purpose was to sell antivirus software, not warn users of an infection going around.  Heck they don't very often even mention what they consider to be malware. Want to know what Symantec says is the most prevalent, and you really have to search to find that out: An app that shows pop-up ads without mentioning it to the user. Second most? Apps that gather unneeded and/or undisclosed information. Did you also know that based on that definition more than 50% of the top 55 apps in the AppStore in a relatively recent report would qualify as malware, collecting or sharing location, contact, or other personal information (even health!) without telling the user? 

    Considering there's well over a Billion active Android devices in use it would be no surprise at all if some million of them had installed "malware", and a very few million had real money taken because of it. 

    In a nutshell an exploit or a malware variant does not mean any user devices were infected by anything at all,  much less anything more malicious than collecting location data or popping up an ad. I don't suspect this will lead you to question anything you've chosen to read, but it's the truth. There's a lot of smoke, most of it from antivirus companies with financial reasons to scare folks into buying their product. The fires on any mobile platform are exceedingly rare as you're finding when you go looking for them. 

    As you're so certain that iOS is so safe and Android is "malware-infested" and basing that off reports from anti-virus or security companies have a read thru this report. I'd LOVE to get your reaction. 
    https://www.checkmarx.com/2015/11/05/the-state-of-mobile-app-security/

    Here's one excerpt that might get prompt you to read it:

    " So what about iOS vs Android? It is a common myth that the iOS development platform is more secure than the Android equivalent for several legitimate reasons:
    A. iOS has more restrictive controls over what developers can do and tight application sandboxing.
    B. iOS Applications are fully vetted before being released to customers - preventing malware from entering the Apple App Store. ( proven not to be not true of course)

    Yet, in the field of pure application security where vulnerabilities are built in the code or into the application logic the story is quite different. Our statistics show that the distribution of vulnerability exposed by severity is almost identical between iOS and Android Applications with a slightly higher percentage of critical vulnerabilities in iOS applications...
    1. 40% of the detected vulnerabilities on IOS tested applications were found to be critical or high severity .
    2. 36% of the detected vulnerabilities on Android tested applications were found to be critical or high severity.
    I look forward to your comment after reading it if you feel like making one. 


    Or how about this headline:

    iOS 9 code vulnerability lets hackers steal thousands of dollars worth of in-app purchases

    Depending on your choice of articles to read you might arrive at different conclusions. Technically it's true. But it's also hyperbole. Not Apple's fault which you wouldn't know unless you wanted to. It takes a little extra work to get to the real story. I's also not always Google's fault either and that too takes a little extra work to discover. Look beyond the headlines and don't take all these things you've chosen to read (while perhaps ignoring others that don't fit with your view?) at face-value. 

    EDIT: BTW, I'm part of that Cambridge study you've sourced a few times, not that it would matter. Just thought it worth mentioning that I'm familiar with it. 
    edited January 2016 singularity
  • Reply 119 of 125
    gatorguy said:
    I appreciate that you have your story and your sticking to it. A lot of posters bail when challenged so thanks. 

    With that out of the way I think we're fast approaching the point where there's not much benefit to continuing. You've made up your mind that "malware variants"=malicious infections. I would have thought that the difficulty you're having in finding any reports of significant harmful infections would have told you that's not the case. 

    EDIT: BTW, I'm part of that Cambridge study you've sourced a few times, not that it would matter. Just thought it worth mentioning that I'm familiar with it. 
    I've presented multiple examples of tens of millions of Android users losing hundreds of millions of dollars to tens of thousands of different Android malware variants such as Eurograbber, Bmaster, Ghost Push and that recent wave of trojanised premium SMS-texting apps so not sure what you mean by "difficulty you're having in finding any reports of significant harmful infections".  You still haven't explained what you mean by "Android wasn't included as a potential target until 2015".

    Potential vulnerabilities in iOS as noted by your link from CheckMarx are all very interesting but irrelevant in the light of Apple's on-going prompt patching of the 800 million-strong iOS installed base meaning that actual malicious exploits and evidence of financial harm are completely absent from your analysis.  

    You have 
    presented no examples of financially harmful iOS malware infections compared to the mountain of evidence convicting Android.  (that "iOS 9 code vulnerability" you mention has nothing to do with users losing any money - it simply refers to poor coding of in-app purchases in some 3rd party apps by devs that could potentially allow users to acquire game credits or gems without paying)

    You condemn Security vendors as having a vested interest in making the malware situation on Android seem worse than it is, but completely ignore Cambridge University's impartial peer-reviewed study demonstrating the horrific state of ongoing vulnerability of the Android platform and the delinquency on Google's part that has resulted in 87.7% of Android devices continually remaining vulnerable to critical vulnerabilities going back 4 years.

    Come on gatorguy, your attempts at minimising the malware apocalypse on Android does a disservice to yourself and your fellow Android users as mobile devices become ever more essential in all parts of our lives.
    edited January 2016
  • Reply 120 of 125
    gatorguygatorguy Posts: 24,604member
    Hyperbole. You've found and posted references to REAL malware affecting anywhere from several thousand to a few million at best. Hardly "Tens of millions".
    Rocwurst said:
    losing hundreds of millions of dollars...

    More hyperbole. You found at best a few thousand to a few million dollars involved. Again, hardly "hundreds of millions". 
    ...and by the way iOS users aren't immune to phishing schemes involving banking apps. You really think no Apple users ever gets fooled into sharing their bank passwords and account info, with money stolen from their accounts as a result? 
    https://blog.kaspersky.com/ios-banking-apps-riddled-with-holes/3493/
    Rocwurst said:
    You're confusing the existence of someone's attempt to write malware (9000+ variants) as actual malicious infections. There's no evidence you've presented that all or even a lot of the "variants" are either effective or active. And once again as a reminder, most "malware" the security companies discuss is relatively benign in the first place. Ads and location/contact logging.
    A primarily Russian scam from 2012/13 affecting primarily Russian users and addressed with Android 4.2 and up which includes around 85% of active devices. 
    Why am I not surprised you'd think it was irrelevant? Sounds a bit disingenuous based on your faith in security company reports about Android but whatever. 

     - Yes sir some people like to do bad things to others.
     - Yes sir, there's mobile malware out there, some benign and some actually harmful.
     - Yes sir some folks accept the risks of disabling default mobile device security settings/jailbreaking to sideload some app or feature they can't get from the manufacturer or perhaps don't want to pay for ( IMHO they deserve whatever they get if stealing it).
     - And yes sir some folks may not be the brightest bulbs and fall for the sometimes obvious and sometimes not phishing schemes (even users of Apple products) that often involve actual money,

     But no sir not even close to the level of it that you imagine or maybe even wish it it was.

    The mere existence of a "malware variant" or a "security vulnerability" is not the same as malware causing malicious harm to real users. On the contrary it's big news in tech news and on blog sites (and always reported here at AI) if one of them actually does result in any any harm. Why? Because it's so rare. Of course that does not mean that one day the big one doesn't hit millions of users. Mobile OS providers have to continue working hard to keep up with the bad guys and in general they do a good job IMHO. Obviously Apple holds an advantage over Google in potential response time, but even a few of Apple's security issues are becoming harder and taking longer to fix. Some of these new mobile exploits are so much a part of the core code they're going to hang around for awhile. The fixes aren't always fast nor easy. 
    edited January 2016 singularitycnocbui
Sign In or Register to comment.