Android falls flat in front of malware coming from Facebook

Google's Android operating system has had its fair share of security concerns of late, with people growing worried over flaws that have been unearthed at different times and malware for the OS appearing on the Android Market. While the scale is still small enough to avoid, more crafty people are looking into ways to get their questionable apps onto the OS so that they can cause havoc and potentially harvest details.

Google have tried to prevent this with 'Bouncer', an automated scanner of the Android Market which picks up on malware and removes it. Bouncer came into use early in February, but it does not protect individual phones, nor does it prevent other sites from hosting malware-infested files. TechCrunch confirms that Sophos anti-virus have picked up on the flaw. The newest example is an application entitled "any_name.apk", and it's spreading via the Facebook for Android application.

When downloaded, the application installs without any permissions granted by the user, and the identity of what is being downloaded is also not made clear. This may not be the case if a phone keeps its default settings, since Android comes with a toggle against downloads from alternative sources. Many users do disable this, though, so that they can download applications from locations such as the XDA Developers forum.

It seems that this APK is intended to call premium rate phone numbers or send them text messages, incurring large charges which can then be picked up by the fraudsters and con-men who operate the numbers and who likely also created the app. The app is also evolving quickly: the researcher who found it downloaded it from a different site a few days later, where it was called "allnew.apk". The newer version worked in the same manner, though it was coded differently, which would imply that it is being constantly updated.

The malware associates itself with the Opera web browser for Android, including an encrypted configuration file with the dialling numbers for premium rate lines. Google have responded to the news, claiming that an install could not have happened in the manner depicted. According to Google, a user would have to permit the phone to install the application even if it was downloaded without their consent or knowledge. Sophos have not yet commented on this claim. Regardless, it may be worth unchecking the ability to download from other sources when not downloading an app, to help better maintain security.

53 Comments


still1 said,

Don't be stupid... the Microsoft fault trend came because XP and IE6 were weak in security when the Internet moved to its modern era and Microsoft didn't update any of its software to keep up.... now with Win 7 and IE9 the security is tightened but the fault game will take some time to go.

There is truth in this, but after this was corrected with SP2, and the security revamp at Microsoft, it has continued now for almost 10 years.

Also XP's security was still far beyond what Linux had at the time and what OS X had at the time. (With the exception of Administrator level user accounts allowed.)

Users were coming from System 7,8,9 and Win9x based OSes that truly had no security model. They were never designed for secure use, as they were home OSes, and they were fragile when it came to online security.

Online security was a new era and access point for all OSes, and even the security models of Linux and NT used at the time did not deal with online threats well. The most secure OS of this generation was NT 4.0 and Win2k, as they at least didn't encourage users to run as administrators and had a more robust security model than Linux, with rigid and complete ACLs and kernel level security with the object token model in NT.

The internet changed a lot, and the consumers were using 'Windows' so it got hit hard by the 'new' security issues, and got hit first. Microsoft was discovering new 'hacks' to systems that had not been 'known' in the computing industry, or even thought possible. Linux and other OSes got the luxury of not getting hit, and quietly updating to prevent the same types of hacks that they were also vulnerable to prior to Windows getting hit.

Microsoft took a lot of flak, and attacks against Windows shoved security several generations ahead of knowing what was 'possible' even though it was never considered or seemed impossible prior to the discoveries.


The issue or question here really is, why didn't Google learn from this?

Android is full of OS model security holes that everyone else learned from and patched and designed their security models to prevent. Even Apple that is rather bad at security at least was 'smart' enough to monitor what was happening and happened to Windows and implement security changes to prevent these exploits on OS X and iOS.

Why didn't Google follow and implement the same security precautions on Android?

Today even iOS and OS X have security flaws that 'Apple' should know better about, but it would break too much to fix. However, they at least are trying, and because of the iOS kernel tie to OS X, there are reasons they can't get past some of these easily. (Also the kernel model of iOS/OS X is very rigid and changes break stuff easily, even if needed for security.)

Android was a new platform that Google could have changed after they bought it to fully lock down the massive security holes. Instead they assumed they would be immune or just didn't get it or give a crap about user security. This is what is concerning.

If you look at WP7, it comes from the Windows Mobile underpinnings with WinCE and the .NET technologies for a new OS platform. It is the poster child of how to design an OS model that not only learns from the past, but so tightly enforces security and App isolation, it is sometimes hard for App developers to do what they want, as they can't step out of their box.

If nothing else Microsoft did what Google SHOULD HAVE done, and locked down WP7 so hard that it hurt developers rather than compromise security or stability. This is why WP7 even if the user is socially engineered to download a Malware App, it has little functionality, as its only access to the device or the OS is through limited APIs that are locked from doing anything. (Additionally, the Microsoft screening process for App submissions is extremely robust in seeing what the code is doing and hiding malicious code is not possible.)

Google blew it, especially when Microsoft produces a comparable OS like WP7 that is highly resistant to even social engineering attacks. Android should at least live up to the iOS security model of responsibility, as the iPhone existed and was being 'tested' by a few security flaws when Android was being made. Instead Android is several generations behind iOS, and Google, from Apple's example of problems alone, knew better.

Sigh, another ridiculous anti-Google post on Neowin...

The malware isn't "spreading". You have to select a link to download the APK (user action 1). After that you have to select the downloaded APK in the notification bar (user action 2). After that you have to confirm that you want to install it (user action 3).

That's exactly the same as it would be on Windows or any other regular OS:

1. Click a link to an executable or msi, etc.
2. Double click the downloaded file.
3. Confirm that you want to install it.

DUH...

Phasma said,
Sigh, another ridiculous anti-Google post on Neowin...
DUH...

Or it's just here to warn people using Android that they don't have to click on such link?
DUH.

Phasma said,
The malware isn't "spreading".
By what definition is it not 'spreading'? It doesn't imply self propagating, just that it's becoming more widespread.

These Android malware scare stories seem to be a regular occurrence these days

Like you say, it's really no different on any OS. It requires multiple explicit user actions in order to install it, something most people would never do. I suppose that's why malware isn't very prevalent on Android devices - the user has to jump through too many hoops for the malware to install successfully.

simplezz said,
These Android malware scare stories seem to be a regular occurrence these days

Like you say, it's really no different on any OS. It requires multiple explicit user actions in order to install it, something most people would never do. I suppose that's why malware isn't very prevalent on Android devices - the user has to jump through too many hoops for the malware to install successfully.

There are a few 'scare' stories, but there are also a lot of problems with Android and lack of security that people don't realize.

Want to test how 'protected' and secure Android is? Simply post your phone number or phone's IP address. I'll have a friend of a friend of a friend demonstrate some things on your phone to illustrate how bad Android's security really is.

Just leave your phone on, you won't have to do anything, for them to give you the demonstration, and maybe buy themselves a few things, contact your friends for you, make a few calls, check out your hobbies, and see where you live.

(PS As a moral person, seriously do not post your number or IP. Don't put that much faith in Google or Android or any phone or company.)

Yet again Neowin playing fanboy with Apple. APKs need a separate application to launch, a package manager type deal, then the permissions are displayed and the user has to agree.

Didn't realize Neowin was becoming such trash as to falsely report news.

Beyond Godlike said,
Yet again neowin playing fanboy with Apple.

Don't kid yourself, buddy. Neowin falsely reports just as much anti-Apple news.

Elliott said,

Don't kid yourself, buddy. Neowin falsely reports just as much anti-Apple news.

I don't doubt it, but they haven't been posting any positive Android/Google news lately, only negative. Their new logo should be where unprofessional journalism is biased and trashy.

It is possible to bypass the install prompt if the phone is rooted. If the exploit package includes a method to gain root privileges it can then push the payload package silently and have it installed without the user's consent.

You still have to have allowed something to install for that to happen, making it a two step process: no app can silently download and install without that permission having been explicitly granted to the app that performs those actions.

+mrbester said,
no app can silently download and install without that permission having been explicitly granted to the app that performs those actions

Yet.

How does Android "fall flat" if you have to go out of your way to let it happen?

Malware is always a concern, but what we are seeing there (and what's being shown in the Sophos video) is that:

-You can download an apk from a web link.
-If you have disabled the default setting to only install apps from market, you can install that apk.
-Apks from unknown sources can be malicious, and in this case it definitely is.

Again, just the fact that there are people trying to get malware in your phone is concerning, but how about sticking with the factual information that can help people to not get infected, instead of sensationalizing the whole thing?

ichi said,
How does Android "fall flat" if you have to go out of your way to let it happen?

Malware is always a concern, but what we are seeing there (and what's being shown in the Sophos video) is that:

-You can download an apk from a web link.
-If you have disabled the default setting to only install apps from market, you can install that apk.
-Apks from unknown sources can be malicious, and in this case it definitely is.

Again, just the fact that there are people trying to get malware in your phone is concerning, but how about sticking with the factual information that can help people to not get infected, instead of sensationalizing the whole thing?

When setting up a relative's Android phone the carrier software, in this case Sprint, required me to turn off the setting preventing side loading. So I'm sure a lot of users have turned that off without knowing what it really means.

Frazell Thomas said,

When setting up a relative's Android phone the carrier software, in this case Sprint, required me to turn off the setting preventing side loading. So I'm sure a lot of users have turned that off without knowing what it really means.

The video in question only shows the application downloading, the user still has to explicitly install it from what I can tell. I can't imagine any novice users doing that.

Stupid title to this article.

And if you are a dumbshit to click on every link that is posted in FB, even if the link looks like it will cause trouble, then you are a dumbshit and deserve to get infected. These links have been popping up for years on Facebook and I know several people who get their PCs infected because of it.

And look at the video...you have to click on the link and then click to install the damn program. No issue unless you are an idiot. And here is another update from the source...


The malware is downloaded but not automatically installed. That's why the video just shows the download. But for ordinary users it could still be a serious attack. In my experience, they rarely check the permissions when they install an app. Simple social engineering tricks could be used to then trick them into installing the app.

Which is probably why I only trust Twitter with my Android. Besides, too much typing involved with Facebook on a phone. Could use the audio portion. But Facebook is like one of two programs I wish I could remove off the phone. Waste of space. Google Books is the other...

For everyone on this site who calls the user an idiot, there are at least 10 "idiots" out there.
STOP IT!

Calling someone an idiot for not understanding the technology that was foisted upon them by their friends and carriers doesn't make YOU any better.
You are contributing to the problem.

Let's DEMAND better from the folks who make our lives happy and technology rich, instead of lambasting those on the lower end of the technological comprehension scale.

With Android poised to take over iOS in the market, Google really need to step up their game.
