backtop


Print 47 comment(s) - last by YashBudini.. on Mar 10 at 2:40 PM

Company will release special removal tool for affected users, is remotely killing apps

Google is reacting quickly to what is perhaps the largest mass infection of users of its Android OS, yet. Rather than keep quiet, Google quickly pulled the 58 malicious apps, which were repackaged versions of legitimate apps (containing extra malicious APKs designed to grab personal information, obtain root access, and install code remotely).

Now it's take even more strident measures to combat the attack, personally reaching out to affected users.  Google began executing its remote kill functionality on the malicious apps Saturday.

It also pushed out an update to affected users phones, which will remove the installed rootkit.  Google sent the following email [source] to the estimated 260,000 Android users:

Hello,

We recently discovered applications on Android Market that were designed to harm devices. These malicious applications (“malware”) have been removed from Android Market, and the corresponding developer accounts have been closed.

According to our records, you have downloaded one or more of these applications. This malware was designed to allow an unauthorized third-party to access your device without your knowledge. As far as we can determine, the only information obtained was device-specific (IMEI/IMSI, unique codes which are used to identify mobile devices, and the version of Android running on your device).

However, this malware could leave your device and personal information at risk, so we are pushing an Android Market security update to your device to remove this malware. Over the next few hours, you will receive a notification on your device that says “Android Market Security Tool March 2011” has been installed. You are not required to take any action from there, the update will automatically run. You may also receive notification(s) on your device that an application has been removed. Within 24 hours of receiving the update, you will receive a second email confirming its success.

To ensure this update is run quickly, please make sure that your device is turned on and has a strong network connection.

For more details, please visit the Android Market Help Center.

Regards,
The Android Market Team


The flaw that allowed the malware to gain root access without asking for permissions was actually fixed by Google with firmware update Android 2.2.1.  Unfortunately carriers have been extremely sluggish at rolling out updates for Android users, and this is the end result.

Google has repackaged the fix as an individual patch and given it to carriers and handset makers.  But it's up to carriers and their hardware partners to push it down to phone customers as the patch will have to be adjusted to individual hardware configurations.  

In other words Google's keeping busy killing the burglars in the house, but back door is still wide open.  At least it's doing something, though, and giving its customers the decency of communication.

Google is also taking steps to make sure similar malware doesn't reappear in the Android Marketplace.  While the company is vague on specifics, it writes:

We are adding a number of measures to help prevent additional malicious applications using similar exploits from being distributed through Android Market and are working with our partners to provide the fix for the underlying security issues.

According to professional hackers and security researchers, most phones and applications markets have the potential to be infiltrated by malware.  

For example, at Nicolas Seriot, a Swiss iPhone expert, has demoed [white paper] at the annual Black Hat conference an app called "SpyPhone", which showed off how easy it would be to sneak malware into the App Store.  It is unknown if this is being actively done, but Mr. Seriot's whitepaper offered obfuscation code that disguised disallowed strings, offering hackers a clear path to getting their malware into the App Store (the only other necessary steps would be a delayed activation of the malicious activity, and avoidance of using private APIs).


Comments     Threshold


This article is over a month old, voting and posting comments is disabled

RE: Googles done decently
By trooper11 on 3/7/2011 10:45:36 AM , Rating: 5
Not sure why the phone makers would be to blame for this. Google takes the hit first of course becuase of the flaw in the first place, but it sounds like its the carriers that are to blame for the number of people affected.

If the carriers are responsible for delaying the updates that would have protected these customers, then something needs to be done to avoid this.


RE: Googles done decently
By Akrovah on 3/7/2011 10:59:27 AM , Rating: 3
And that is my #1 reason why I won't go with an Android., Even though almost everything about it is awsome the utter lack of timely system wide updates is a deal breaker for me.


RE: Googles done decently
By Stoanhart on 3/7/2011 4:54:00 PM , Rating: 3
So buy a Nexus phone. It's cheaper to pay full price and pay less per month than it is to get a "free" phone anyways.


RE: Googles done decently
By Murst on 3/7/2011 5:06:40 PM , Rating: 2
quote:
It's cheaper to pay full price and pay less per month than it is to get a "free" phone anyways.

What does this have to do w/ anything? You can buy all kinds of phones from T-mobile w/o the subsidy.

The Nexus S is $200 w/ a 2 year contract, and $530 without... pretty similar to other smartphones.


RE: Googles done decently
By Akrovah on 3/7/2011 6:29:39 PM , Rating: 2
The Nexus looks nice, but is only available on T-Mobile in the states, and T-Mobile mas terrible reception in my home town. I had to return my HD7 (which I friggin loved otherwise) because I couldn't make calls from home on it.


RE: Googles done decently
By Zoomer on 3/7/2011 7:46:47 PM , Rating: 2
So that's why I got an OTA update for my Desire back, erm, Nov?


RE: Googles done decently
By Akrovah on 3/8/2011 12:52:04 PM , Rating: 2
I never said there were no updaes, jsut a lack of timely updates, dependent completely on when the manufacturer and carrier get around to making them. As a result hoels like this go unplugged for an extended period of time.

And what version of Android did your desire get updated to? was it the latest version, or a signifigantly delayed and now out of date version?


RE: Googles done decently
By omnicronx on 3/7/2011 11:09:22 AM , Rating: 4
Something gives me a feeling a lot of this falls on the basic design of Android.. Far too much can be changed from carrier to carrier, and requires a lot of testing for each update. Nothing is enforced either, so they don't have to continue to perform updates.

So whose fault is it? The carriers for doing what their agreement states they can do? Or Google's for not thinking the update process through?

I'm an Android user, and I love my phone, but out of all the 4 next gen smartphone OS's (iOS, Windows Phone, WebOS, Android), it has by far the worst update process and procedures.


RE: Googles done decently
By trooper11 on 3/7/2011 11:14:27 AM , Rating: 2
I would like to know what those carrier agreements are. This isnt the first example of carriers standing in the way of updates. Microsoft is dealing with the same problem trying to roll out thier first updates, so its not just an android thing.

Im not saying the carriers might not have a good reason for delaying updates, but it would be nice if the process was more transparent so that there wouldnt be the normal blame game that goes around.


RE: Googles done decently
By omnicronx on 3/7/2011 11:47:18 AM , Rating: 1
Rolling out updates is never easy, but other companies have made things easier on themselves. The very thing that makes Android so successful is also its most hindering, its ability to customize.

Apple, well as draconian as they may be, they have the update process down. Obviously having a single device makes it much easier on them, but from an update standpoint, they are one of the best.

Windows Phone, OEM approach like Android, but with some pretty big differences. No ability to customize the UI, which is a big one as this is often a big part of the delay. Standardized hardware, internal and external, once again, closer devices are, the easier it is to release updates. I'm also pretty sure that MS is actually only using one SOC variant on all of their phones as it currently stands.I'm also pretty sure that unlike Android, the carriers are only allowed to skip one update.

Palm, Well as low as their share and popularity is, their update process was actually a bright spot. Closed platform and only two phones, so this is kind of expected.

Android, great in theory, but a phone can differ so much from carrier to carrier, and the vast amount of phones available with no mandate to update their devices was just a bad idea in the first place. The only saving grace is the Nexus One, which is basically vanilla Android is a true display of how Android should be. Unless Google can somehow figure out a way to streamline the update process while still allowing such an ability to customize, then perhaps they need to go a different route (which apparently they may be already).

Perhaps by moving the responsibility of customizing the device to the user like it should be.


RE: Googles done decently
By Kurz on 3/7/2011 12:12:35 PM , Rating: 2
You would think since Android is based on Linux that the UI/software packages should have its own mem space and the guts of the OS should be able to update seperately while not messing up what the manufactures do to the phone.


RE: Googles done decently
By Alexstarfire on 3/7/2011 1:31:58 PM , Rating: 5
In this case it's mostly the carriers fault seeing as how this flaw has actually already been fixed. Carriers just haven't pushed/made the update. If this flaw was in all versions or at least the current version then I see it being much more Google's fault.

It sucks either way, don't get me wrong, but it's rather unfair to blame Google for something that's already been fixed. Might as well get mad at Apple, or any company for that matter, when someone gets iOS 4.1 hacked into on their iPhone 3GS. Flaw shouldn't have been their to begin with but no one makes perfect software. It's already been fixed however so it's a moot point from Apple's, in this case Google's, perspective.


RE: Googles done decently
By dubldwn on 3/7/2011 1:58:37 PM , Rating: 3
I feel old fashioned reading these comments. I blame the creators of the malicious apps.


By SublimeSimplicity on 3/7/2011 2:05:06 PM , Rating: 2
It can't be their fault, because they don't have any money to sue for.


RE: Googles done decently
By Alexstarfire on 3/7/2011 10:47:35 PM , Rating: 2
I thought that was a given. :P There are usually, and certainly in this case, more than 1 person/company/etc. to blame.


RE: Googles done decently
By SPOOFE on 3/8/2011 12:37:47 AM , Rating: 2
Just goes to show that there's multiple levels of blame.

Blaming the guys that made the malware is one of those "goes without saying" things.

However, it similarly goes without saying that hackers and crackers and the just plain mischievous are sort of a constant: They're out there, looking for most any opportunity to mess around with other hardware. It's an inherent aspect of the ecosystem, and there are better and worse ways to deal with it. A judgment of quality may be made based on how well a given vendor deals with it.


"Spreading the rumors, it's very easy because the people who write about Apple want that story, and you can claim its credible because you spoke to someone at Apple." -- Investment guru Jim Cramer

Related Articles













botimage
Copyright 2014 DailyTech LLC. - RSS Feed | Advertise | About Us | Ethics | FAQ | Terms, Conditions & Privacy Information | Kristopher Kubicki