Android falls flat in front of malware coming from Facebook

Google's Android operating system has had its fair share of concerns of late, with people growing worried over flaws that have been unearthed at different times, and malware for the OS appearing on the Android Market. While the scale is still small enough to avoid, more crafty people are looking into ways to get their questionable apps onto the OS so that they can cause havoc and potentially harvest details.

Google have tried to prevent this with 'Bouncer', an automated scanner of the Android Market which picks up on malware and removes it. Bouncer came into use early in February, but it does not protect individual phones, nor does it prevent other sites from hosting malware-infested files. TechCrunch confirms that Sophos anti-virus have picked up on the flaw. The newest example is an application entitled "any_name.apk", and it's spreading via the Facebook for Android application.

When downloaded, the application installs without any permissions granted by the user, and the identity of what is being downloaded is also not made clear. This may not be the case assuming a phone maintains its default settings, since Android comes with a toggle against downloads from alternative sources. Many users do disable this though, so that they can download applications from locations such as the XDA Developers forum.

It seems that this APK is intended to call premium rate phone numbers or send them text messages, incurring large charges which can then be picked up by the fraudsters and con-men who operate the numbers and who likely created the app as well. The app is also evolving quickly: the researcher who found it downloaded it from a different site a few days later, where it was called "allnew.apk". The newer version worked in the same manner but was coded differently, which would imply that it is being constantly updated.

The malware associates itself with the Opera web browser for Android, including an encrypted configuration file with the dialling numbers for premium rate lines. Google have responded to the news, claiming that an install could not have happened in the manner depicted. According to Google, a user would have to permit the phone to install the application even if it was downloaded without their consent or knowledge. Sophos have not yet commented on this claim. Regardless, it may be worth unchecking the ability to download from other sources whenever you are not downloading an app, to help maintain security.

53 Comments

For everyone on this site who calls the user an idiot, there are at least 10 "idiots" out there.
STOP IT!

Calling someone an idiot for not understanding the technology that was foisted upon them by their friends and carriers doesn't make YOU any better.
You are contributing to the problem.

Let's DEMAND better from the folks who make our lives happy and technology rich, instead of lambasting those on the lower end of technological comprehension scale.

With Android poised to take over iOS in the market, Google really need to step up their game.

which is probably why I only trust twitter with my android. besides. too much typing involved with facebook on a phone. could use the audio portion. but Facebook is like one of two programs I wish I could remove off the phone. Waste of space. Google Books is the other...

Stupid title to this article.

And if you are a dumbshit to click on every link that is posted in FB, even if the link looks like it will cause trouble, then you are a dumbshit and deserve to get infected. These links have been popping up for years on Facebook and I know several people who get their PCs infected because of it.

And look at the video...you have to click on the link and then click to install the damn program. No issue unless you are an idiot. And here is another update from the source...


The malware is downloaded but not automatically installed. That's why the video just shows the download. But for ordinary users it could still be a serious attack. In my experience, they rarely check the permissions when they install an app. Simple social engineering tricks could be used to then trick them into installing the app.

How does Android "fall flat" if you have to go out of your way to let it happen?

Malware is always a concern, but what we are seeing there (and what's being shown in the sophos video) is that:

-You can download an apk from a web link.
-If you have disabled the default setting to only install apps from market, you can install that apk.
-Apks from unknown sources can be malicious, and in this case it definitely is.

Again, just the fact that there's people trying to get malware in your phone is concerning, but how about sticking with the factual information that can help people to not get infected, instead of sensationalizing the whole thing?

ichi said,
How does Android "fall flat" if you have to go out of your way to let it happen?

Malware is always a concern, but what we are seeing there (and what's being shown in the sophos video) is that:

-You can download an apk from a web link.
-If you have disabled the default setting to only install apps from market, you can install that apk.
-Apks from unknown sources can be malicious, and in this case it definitely is.

Again, just the fact that there's people trying to get malware in your phone is concerning, but how about sticking with the factual information that can help people to not get infected, instead of sensationalizing the whole thing?

When setting up a relative's Android Phone the carrier software, in this case Sprint, required me to turn off the setting preventing side loading. So I'm sure a lot of users have turned that off without knowing what it really means.

Frazell Thomas said,

When setting up a relative's Android Phone the carrier software, in this case Sprint, required me to turn off the setting preventing side loading. So I'm sure a lot of users have turned that off without knowing what it really means.

The video in question only shows the application downloading, the user still has to explicitly install it from what I can tell. I can't imagine any novice users doing that.

It is possible to bypass the install prompt if the phone is rooted. If the exploit package includes a method to gain root privileges it can then push the payload package silently and have it installed without the user consent.

You still have to have allowed something to install for that to happen making it a two step process: no app can silently download and install without that permission having been explicitly granted to the app that performs those actions

+mrbester said,
no app can silently download and install without that permission having been explicitly granted to the app that performs those actions

Yet.

Yet again neowin playing fanboy with Apple. APK's need a separate application to launch, a package manager type deal, then the permissions are displayed and the user has to agree.

Didn't realize neowin was becoming such trash as to falsely report news.

Beyond Godlike said,
Yet again neowin playing fanboy with Apple.

Don't kid yourself, buddy. Neowin falsely reports just as much anti-Apple news.

Elliott said,

Don't kid yourself, buddy. Neowin falsely reports just as much anti-Apple news.

I don't doubt it, but they haven't been posting any positive Android/Google news lately, only negative. Their new logo should be where unprofessional journalism is biased and trashy.

Sigh, another ridiculous anti-Google post on Neowin...

The malware isn't "spreading". You have to select a link to download the APK (user action 1). After that you have to select the downloaded APK in the notification bar (user action 2). After that you have to confirm that you want to install it (user action 3).

That's exactly the same as it would be on Windows or any other regular OS:

1. Click a link to an executable or msi, etc.
2. Double click the downloaded file.
3. Confirm that you want to install it.

DUH...

Phasma said,
Sigh, another ridiculous anti-Google post on Neowin...
DUH...

Or it's just here to warn people using Android that they don't have to click on such link?
DUH.

Phasma said,
The malware isn't "spreading".
By what definition is it not 'spreading'? It doesn't imply self propagating, just that it's becoming more widespread.

These Android malware scare stories seem to be a regular occurrence these days

Like you say, it's really no different on any OS. It requires multiple explicit user actions in order to install it, something most people would never do. I suppose that's why malware isn't very prevalent on Android devices - the user has to jump through too many hoops for the malware to install successfully.

simplezz said,
These Android malware scare stories seem to be a regular occurrence these days

Like you say, it's really no different on any OS. It requires multiple explicit user actions in order to install it, something most people would never do. I suppose that's why malware isn't very prevalent on Android devices - the user has to jump through too many hoops for the malware to install successfully.

There is a bit of 'scare' stories, there is also a lot of problems with Android and lack of security that people don't realize.

Want to test how 'protected' and secure Android is? Simply post your phone number or phone's IP address. I'll have a friend of a friend of a friend demonstrate some things on your phone to illustrate how bad Android's security really is.

Just leave your phone on, you won't have to do anything, for them to give you the demonstration, and maybe buy themselves a few things, contact your friends for you, make a few calls, check out your hobbies, and see where you live.

(PS As a moral person, seriously do not post your number or IP. Don't put that much faith in Google or Android or any phone or company.)

fenderMarky said,
When it happens on Windows, it's Microsoft's fault.... when it's Google (or Apple) it's the user's fault.

yeah, I don't know why so many people have this stupid mentality. I'll never understand why.

fenderMarky said,
When it happens on Windows, it's Microsoft's fault.... when it's Google (or Apple) it's the user's fault.

Well said.. I always find it amusing about this stupid mentality.

fenderMarky said,
When it happens on Windows, it's Microsoft's fault.... when it's Google (or Apple) it's the user's fault.


Yep, just like it's Apple's fault that Google was able to use an exploit to bypass users' privacy settings to install third-party cookies in Safari.

fenderMarky said,
When it happens on Windows, it's Microsoft's fault.... when it's Google (or Apple) it's the user's fault.

Well, back in the days when a worm could spread just by looking at an email, I would've agreed with you. Now it's usually the user's fault.

However, when something automatically downloads and installs to the system, that's a totally different story. Whether that claim is true or not, I'm not sure, but if it is, it's completely Google's fault.

fenderMarky said,
When it happens on Windows, it's Microsoft's fault.... when it's Google (or Apple) it's the user's fault.

Don't be stupid... the Microsoft fault trend came because XP and IE6 were weak in security when the Internet moved to its modern era and Microsoft didn't update any of its software to keep up.... now with Win 7 and IE9 the security is tightened but the fault game will take some time to go.

fenderMarky said,
When it happens on Windows, it's Microsoft's fault.... when it's Google (or Apple) it's the user's fault.

To be fair, malware is far less common on Android than Windows devices. For many years Windows security was lacking. It's much better now with Windows 7 though, finally. Android was designed to be secure from the get go, and it has worked well for an open platform.

The alternative is requiring each app to be approved (walled garden approach). I for one prefer to take the open approach and exercise circumspection when downloading/installing third party apk's.

fenderMarky said,
When it happens on Windows, it's Microsoft's fault.... when it's Google (or Apple) it's the user's fault.

Just...leave. Seriously. It's all USER fault no matter what system you are using. With Windows, it's idiots going to porn sites or warez sites and either do not have protection, updated protection, or they click on popup. Users are blamed for a lot of things because they are uneducated. People have been saying the same thing about Windows they do about Android for years.

still1 said,

Don't be stupid... the Microsoft fault trend came because XP and IE6 were weak in security when the Internet moved to its modern era and Microsoft didn't update any of its software to keep up.... now with Win 7 and IE9 the security is tightened but the fault game will take some time to go.

There is truth in this, but after this was corrected with SP2, and the security revamp at Microsoft, it has continued now for almost 10 years.

Also XP's security was still far beyond what Linux had at the time and what OS X had at the time. (With the exception of Administrator level user accounts allowed.)

Users were coming from System 7,8,9 and Win9x based OSes that truly had no security model. They were never designed for secure use, as they were home OSes, and they were fragile when it came to online security.

Online security was a new era and access point for all OSes, and even the security models of Linux and NT used at the time did not deal with online threats well. The most secure OS of this generation was NT 4.0 and Win2k, as they at least didn't encourage users to run as administrators and had a more robust security model than Linux, with rigid and complete ACLs and kernel level security with the object token model in NT.

The internet changed a lot, and the consumers were using 'Windows' so it got hit hard by the 'new' security issues, and got hit first. Microsoft was discovering new 'hacks' to systems that had not been 'known' in the computing industry, or even thought possible. Linux and other OSes got the luxury of not getting hit, and quietly updating to prevent the same types of hacks, that they were also vulnerable to prior to Windows getting hit.

Microsoft took a lot of flack, and attacks against Windows shoved security several generations ahead of knowing what was 'possible' even though it was never considered or seemed impossible prior to the discoveries.


The issue or questions here really is, why didn't Google learn from this?

Android is full of OS model security holes that everyone else learned from and patched and designed their security models to prevent. Even Apple that is rather bad at security at least was 'smart' enough to monitor what was happening and happened to Windows and implement security changes to prevent these exploits on OS X and iOS.

Why didn't Google follow and implement the same security precautions on Android?

Today even iOS and OS X have security flaws that are 'Apple' should know better, but it would break too much to fix. However, they at least are trying, and because of the iOS kernel tie to OS X, there are reasons they can't get past some of these easily. (Also the kernel model of iOS/OS X is very rigid and changes break stuff easily, even if needed for security.)

Android was a new platform that Google could have changed after they bought it to fully lock down the massive security holes. Instead they assumed they would be immune or just didn't get it or give a crap about user security. This is what is concerning.

If you look at WP7, comes from the Windows Mobile underpinnings with WinCE and the .NET technologies for a new OS platform. It is the poster child of how to design an OS model that not only learns from the past, but so tightly enforces security and App isolation, it is sometimes hard for App developers to do what they want, as they can't step out of their box.

If nothing else Microsoft did what Google SHOULD HAVE done, and locked down WP7 so hard that it hurt developers rather than compromise security or stability. This is why WP7 even if the user is socially engineered to download a Malware App, it has little functionality, as its only access to the device or the OS is through limited APIs that are locked from doing anything. (Additionally, the Microsoft screening process for App submissions is extremely robust in seeing what the code is doing and hiding malicious code is not possible.)

Google blew it, especially when Microsoft produces a comparable OS like WP7 that is highly resistant to even social engineering attacks. Android should at least live up to the iOS security model of responsibility, as the iPhone existed and was being 'tested' by a few security flaws when Android was being made. Instead Android is several generations behind iOS, and Google from Apple's example of problems alone, knew better.

Pretty sure this is dead wrong. On any Android device/ROM I've seen, Clicking/Running an APK results in the "What do you want to do with this app? Install/Don't" screen that also lists permissions. That's regardless of the "Unknown Sources" check.

Seems completely sensational to me, Unless someone can prove he bypassed this screen somehow.

Ran Sagy said,
Pretty sure this is dead wrong. On any Android device/ROM I've seen, Clicking/Running an APK results in the "What do you want to do with this app? Install/Don't" screen that also lists permissions. That's regardless of the "Unknown Sources" check.

Seems completely sensational to me, Unless someone can prove he bypassed this screen somehow.

It does, and there are several ways to bypass the 'popup' you find comfort in.

Our tech team was submitting several bypass bugs to Google last year, and it fell on deaf ears. From installing Apps remotely, to gaining full access to an Android phone just by knowing the phone number.

There are so many security 'holes' in how Android works it is a literal nightmare.

Google and Android do not 'check' the security of the application, nor do they even run an integrity check on the App when it is updated or installed.

Semi-smart malware can gain access to a router between you and the Google Market, and look for bytes that are part of a 'Google Map' update, and then attach itself to the download, and Android will accept it, and allow it to install as a part of the Google Map update.

If an App 'warning' screen says it will 'access contact, network, phone', this is just if the author is honest, as it is not fully checked. I can write an App that claims to just want network access, and hide code that sends random texts, calls 900 numbers or whatever I want. And tracking back what App is doing this, is not easy either, as Android does not have a security model.

Android has very little security and enforced protection. Even the Linux kernel won't help, as Android replaces the Linux security model for Apps, and then has few policies that are fully enforced beyond making the user 'feel' better.

Really It falls flat? I'm on Facebook, I have 3 Android devices, I have disabled the download protection and everything is fine with me. I guess that means I'm not stupid.

UndergroundWire said,
Really It falls flat? I'm on Facebook, I have 3 Android devices, I have disabled the download protection and everything is fine with me. I guess that means I'm not stupid.

I've enjoyed reading the flood of comments and forum posts from you assuring us that you're not stupid just really, really smart. I think you should start a blog.

omgben said,

I've enjoyed reading the flood of comments and forum posts from you assuring us that you're not stupid just really, really smart. I think you should start a blog.

I do have one, but it's not for the likes of you.

So as usual you actually have to click on and download the malware for it to cause problems...just don't be an idiot and you'll be fine.

This isn't "news" - any os that doesn't take a walled garden approach suffers from this same problem. People can install whatever they want, but unfortunately some of that is malware.

Hardcore Til I Die said,
So as usual you actually have to click on and download the malware for it to cause problems...just don't be an idiot and you'll be fine.

This isn't "news" - any os that doesn't take a walled garden approach suffers from this same problem. People can install whatever they want, but unfortunately some of that is malware.


Go to the Neowin's Linux/Mac subforums and tell everybody that if they just clicked on some link, the malware can automatically download, install and easily infect their systems. I dare you.

BTW, here is the quote from the article.


The researcher found a link posted to the requester's Facebook profile page that, when clicked, directed the browser to a webpage which started an automatic download of an unknown software application to the device.

The software installed and downloaded immediately, without any request for authorization or input from the end user.

This is NOT normal. This is automatic installation without user consent and authorization. Don't downplay it - it's not about users clicking "Run" and "Accept" without thinking.

Edited by RealFduch, Feb 25 2012, 2:11pm :

RealFduch said,

Go to the Neowin's Linux/Mac subforums and tell everybody that if they just clicked on some link, the malware can automatically download, install and easily infect their systems. I dare you.

BTW, here is the quote from the article.

This is NOT normal. This is automatic installation without user consent and authorization. Don't downplay it - it's not about users clicking "Run" and "Accept" without thinking.


The user is solely responsible for downloading malicious .apk, blame the noobs who don't even know what they install on their devices.

yowanvista said,
The user is solely responsible for downloading malicious .apk, blame the noobs who don't even know what they install on their devices.
Did you even read what he said? "automatic installation without user consent and authorization". (I don't personally know whether it's true, but at least respond to what he *actually* said).

yowanvista said,

The user is solely responsible for downloading malicious .apk, blame the noobs who don't even know what they install on their devices.

Bro, are you okay? The original article says that if a user clicks on a link, the file is AUTOMATICALLY downloaded and INSTALLED probably giving the user no chance to do something about it like delete it. This clearly sounds like something that would not normally occur in a usual internet surfing atmosphere. You are usually asked whether or not you would like to save a file, or open it. So really, it's the user's sole responsibility to know what they click, but it's an organization's sole responsibility to not let these kinds of things affect their users, especially since they are the ones creating, marketing, and distributing their product.

xXgreatestever said,

Bro, are you okay? The original article says that if a user clicks on a link, the file is AUTOMATICALLY downloaded and INSTALLED probably giving the user no chance to do something about it like delete it. This clearly sounds like something that would not normally occur in a usual internet surfing atmosphere. You are usually asked whether or not you would like to save a file, or open it. So really, it's the user's sole responsibility to know what they click, but it's an organization's sole responsibility to not let these kinds of things affect their users, especially since they are the ones creating, marketing, and distributing their product.


It is not automatically installed, the user is prompted to open it.
http://youtu.be/JPlJrB652w8

RealFduch said,

Go to the Neowin's Linux/Mac subforums and tell everybody that if they just clicked on some link, the malware can automatically download, install and easily infect their systems. I dare you.

BTW, here is the quote from the article.

This is NOT normal. This is automatic installation without user consent and authorization. Don't downplay it - it's not about users clicking "Run" and "Accept" without thinking.


first if you know about android the allow other source has to be enabled for this malware to infect and only geeks enable that.

Hey Hardcore Til I Die, how dare you speak so logically! I for one have the utmost faith in reports by anti-virus companies, regardless of where their biases lie.

It's time to end this common sense approach to malware!

This is NOT automatic installation of the program. Look at the source link AGAIN and read. Additional steps are needed to install. The malware link just downloads the APK and you have to choose to install it.

techbeck said,
This is NOT automatic installation of the program. Look at the source link AGAIN and read. Additional steps are needed to install. The malware link just downloads the APK and you have to choose to install it.

So have they lied when they wrote "The software installed and downloaded immediately, without any request for authorization or input from the end user. "?

RealFduch said,

So have they lied when they wrote "The software installed and downloaded immediately, without any request for authorization or input from the end user. "?

Yes, that's right but I wouldn't say they lied but it's a mistake on their part...
It sure did download but it never automatically installed... I tried it on my old Captivate which I never used.

Kirkburn said,
Did you even read what he said? "automatic installation without user consent and authorization". (I don't personally know whether it's true, but at least respond to what he *actually* said).

did you read it?


This may not be the case assuming a phone maintains its default settings, since Android comes with a toggle against downloads from alternative sources. Many users do disable this though, so that they can download applications from locations such as the XDA Developers forum.

SPEhosting said,
did you read it?

Yes, I did read the user's comment - which is what I was referring to. (I'm not in the business of validating Android issues, I was just pointing out that he wasn't really responding to the user's comment)

RealFduch said,

So have they lied when they wrote "The software installed and downloaded immediately, without any request for authorization or input from the end user. "?

They edited the article and the researcher said something different. So they didn't lie, they changed their info.