
Google puts malware in the Trending page in the Play Store - over half a million downloads as a result

GoodBytes

Whoops! I am sure that this won't happen often and humans are clearly not clever creatures capable of cheating the Google algorithms to promote malicious content (which is pretty much the basis upon which YouTube has been built today).


Wish folks would stop equivocating by trying to claim the iOS App Store is just as insecure as Google Play.  I'm sorry, but it's just not.

 

The issue, and it persists to this day, is that Google both has looser restrictions on what's allowed and has a more automated, laissez-faire approach to screening than Apple.  Yes, it's possible for malware to slip into the App Store, but it's much less likely because of both iOS' tighter limits (like them or not, they have a positive effect on security) and because humans approve the apps before they become available.

 

This doesn't mean that Google should necessarily follow Apple, but it should be smarter about the approach it does take.  It has to stop assuming that automation solves everything and that it can somehow eliminate all major malware outbreaks if it can just write a better algorithm.


I feel bad but when I read this headline I just started laughing. This feels like a move Microsoft would support I'm sure, anyone say October Update?


3 hours ago, James Evens said:

Android has permissions and devices which have not seen an update in years.

Not secure at all.

What's your point?

The claim was that Android wasn't sandboxed. It is. What you're saying does not refute that.

 

Having permissions is how things should be so why would permissions make it less secure?

 

Devices without updates is a device specific problem and not inherent to Android so how does that make Android less secure?


33 minutes ago, Trixanity said:

Devices without updates is a device specific problem and not inherent to Android so how does that make Android less secure?

I'd disagree that this is a device-specific problem.  To some extent, it is inherent to Android.

 

Security updates shouldn't be optional, but Google has treated them that way until very recently, when it started requiring a minimum number of updates for popular devices over the space of two years.  Think about it: companies could go months between security updates, or even skip them entirely, and leave you vulnerable simply because they didn't feel like implementing a patch.  That's a terrible policy, and you know it.  The ideal would be Apple's approach, where every compatible device gets every security update almost immediately, but Google isn't there yet.

 

There's also how long Google decides to support Android.  The three-year window for security updates is an improvement over how it used to be, but that's as far as it goes.  This still increases the chances that someone will have an active device with unpatched security flaws, especially since some vendors will sell brand new devices using outdated versions of Android.  (Lenovo has been selling brand new tablets with Nougat on them, for example).  Shouldn't the update period extend to four or five years, like Apple does, to make sure that very few in-use devices are vulnerable?


On 11/26/2018 at 11:19 PM, RejZoR said:

So, "Play Protect" doesn't seem to do anything apparently... Use a proper antivirus. They are not CPU or battery intensive anyway.

https://www.av-comparatives.org/tests/mobile-security-review-2018/ 

https://www.av-test.org/en/antivirus/mobile-devices/android/september-2018/google-play-protect-11.4-183611/


2 hours ago, James Evens said:

A sandbox where you could just straight up ask to leave it and everybody says yes (permissions), or straight up don't need to ask and just use one of the thousands of security vulnerabilities, makes the sandbox a joke.

It is Android specific. Other OSes manage to get the update out to the devices. With Android you might get one or two major updates and security patches are still not standard. The problem is that manufacturers have to roll out the updates and they might need the suppliers to update their software.

I have not heard of any permission or API to leave the sandbox, nor have I heard of any user prompt to do so as you suggest. Unless you mean standard user permissions which require user interaction to access specific functions or data on the phone, in which case: really? Giving permission to retrieve one thing is not the same as breaking the sandbox, e.g. location permission does not give access to make phone calls or to interact with data in another app (which is why autofill required some funky workarounds to work prior to Oreo). As for any vulnerabilities: that goes for any piece of software, doesn't it? If there are any they can be exploited.

Either way: some sources needed on that.

 

It's Android specific in the sense of device manufacturers using the OS, but not specific to the OS itself. So if you want to use that terminology you should qualify your statement. In other words it's a cultural or a policy issue, not an OS issue as you implied.

Major OS updates and security updates are not the same. Many devices receive regular security updates. Solution: buy a device that receives updates. 

2 hours ago, Commodus said:

I'd disagree that this is a device-specific problem.  To some extent, it is inherent to Android.

 

Security updates shouldn't be optional, but Google has treated them that way until very recently, when it started requiring a minimum number of updates for popular devices over the space of two years.  Think about it: companies could go months between security updates, or even skip them entirely, and leave you vulnerable simply because they didn't feel like implementing a patch.  That's a terrible policy, and you know it.  The ideal would be Apple's approach, where every compatible device gets every security update almost immediately, but Google isn't there yet.

 

There's also how long Google decides to support Android.  The three-year window for security updates is an improvement over how it used to be, but that's as far as it goes.  This still increases the chances that someone will have an active device with unpatched security flaws, especially since some vendors will sell brand new devices using outdated versions of Android.  (Lenovo has been selling brand new tablets with Nougat on them, for example).  Shouldn't the update period extend to four or five years, like Apple does, to make sure that very few in-use devices are vulnerable?

There are problems with the update model on Android and it's clear that the OS design had some major flaws in its foundation that are hard to fix, but that doesn't mean that it's not entirely the fault of the device manufacturer. It's only inherent in the sense that manufacturers avoid their responsibility to their customers and that Google's policies and enforcement of them aren't strict enough. Essentially the complaint is that Google aren't locking it down enough, which would be against the wishes of its partners. Locking it down would mean reduced ability to modify Android, which many manufacturers take advantage of.

 

Ideally Google shouldn't have to police the ecosystem when it's no longer their product (to a certain extent).

 

Ideally the support window would be 10 years.

 

Ideally there would be timely monthly updates and timely feature updates.

 

One of the problems with security updates is hardware vendors not patching vulnerabilities and making them available (likewise not releasing new BSPs for feature updates).

 

Similarly another issue on both fronts was Linux kernel support being only two years before it was discontinued. Google took it upon themselves to extend that window to six years. It takes time to test and validate a new kernel version so sticking to one and patching it helps that. Don't know why Google haven't increased their update window accordingly unless it's hardware vendors making it impossible.

 

I'm quite sure you only have a window of like six months to release a device when a new Android version is launched before certification fails. Certainly not more than a year. While vendors know Google's schedule, it takes time to bring a product to market and delaying to validate a new feature update could be costly.

 

It's difficult to compare Android to iOS or even Windows. Very different ecosystems. Apple has to support devices made entirely in-house and quite deep vertical integration and otherwise very controlling of their partners. They have like 30 devices and many with a shared platform to update.

You have thousands of Android devices from many different vendors with many different platforms with many different modifications to core systems. I don't think I need to say much more on the topic. It's a lot more complex than people think. It was a business decision to make it so open. Both consumers and developers are paying for that today. However it's a double edged sword. The very same are arguing that they like for device manufacturers to modify the OS.


25 minutes ago, Trixanity said:

There are problems with the update model on Android and it's clear that the OS design had some major flaws in its foundation that are hard to fix, but that doesn't mean that it's not entirely the fault of the device manufacturer. It's only inherent in the sense that manufacturers avoid their responsibility to their customers and that Google's policies and enforcement of them aren't strict enough. Essentially the complaint is that Google aren't locking it down enough, which would be against the wishes of its partners. Locking it down would mean reduced ability to modify Android, which many manufacturers take advantage of.

 

Ideally Google shouldn't have to police the ecosystem when it's no longer their product (to a certain extent).

 

Ideally the support window would be 10 years.

 

Ideally there would be timely monthly updates and timely feature updates.

 

One of the problems with security updates is hardware vendors not patching vulnerabilities and making them available (likewise not releasing new BSPs for feature updates).

 

Similarly another issue on both fronts was Linux kernel support being only two years before it was discontinued. Google took it upon themselves to extend that window to six years. It takes time to test and validate a new kernel version so sticking to one and patching it helps that. Don't know why Google haven't increased their update window accordingly unless it's hardware vendors making it impossible.

 

I'm quite sure you only have a window of like six months to release a device when a new Android version is launched before certification fails. Certainly not more than a year. While vendors know Google's schedule, it takes time to bring a product to market and delaying to validate a new feature update could be costly.

 

It's difficult to compare Android to iOS or even Windows. Very different ecosystems. Apple has to support devices made entirely in-house and quite deep vertical integration and otherwise very controlling of their partners. They have like 30 devices and many with a shared platform to update.

You have thousands of Android devices from many different vendors with many different platforms with many different modifications to core systems. I don't think I need to say much more on the topic. It's a lot more complex than people think. It was a business decision to make it so open. Both consumers and developers are paying for that today. However it's a double edged sword. The very same are arguing that they like for device manufacturers to modify the OS.

Your opening paragraph really illustrates my point -- you say it's solely the Android vendors' fault, but promptly cite "major flaws" in Android's roots and point out that Google decided against locking things down.  Those are both choices Google made.  So yes, Google does play a role in this; it's just a question of how easy it is for Google to correct things.

 

Besides, think about it: Google may let companies customize Android, but in the end it's still Google's operating system, and vendors are still held to certain requirements if they want to use the platform.  If it cares about security, it should put its foot down even if it inconveniences partners.  If there were a Blaster-style malware epidemic that affected Android phones, the blame wouldn't just go to Samsung, or LG, or Sony, it'd go to Google as well.

 

Android doesn't compare directly to iOS, but that doesn't mean there aren't better ideas on one side or the other.  And let's face it, iOS has the unquestionably better security model.  It's a matter of whether or not Google can emulate enough of that model to make a difference, and without causing too much pain for OEMs... though frankly, I think they've been slacking.


Is this malware that Google knowingly put on by themselves, or some other business?

I wouldn't be surprised one bit, knowing the Google business model of selling every little piece of info they can get their hands on, whether it be from your searches, whatever is in your email, in your cloud.

I still don't understand why they make the Android ecosystem garbage and don't vet the apps; you pay a freaking 30% of income to them.

Stopped playing mobile games a long time ago. I have been using the same set of apps for a long time.


3 hours ago, James Evens said:

I still hope to see a new Nokia 1020. The space required for three bad cameras is large enough to fit one awesome sensor which will have a slight depth of field. 

This is probably one of Nokia’s well made ads. I like the part where it shows the light passing through the six element lenses as well as the OIS system with ball bearings. 

 


11 hours ago, captain_to_fire said:

So, this just confirms it doesn't seem to do anything for a fact.

 

I don't know why people don't use reputable Android AVs, since the majority of them are actually free and they don't affect phone resources much at all. BitDefender Free, Dr. Safety (Trend Micro), DrWeb Light, avast! Free, AVIRA Free, NOD32 etc.

12 hours ago, James Evens said:

The entire idea of permissions is to allow you to leave your sandbox and access system resources like files, WLAN or gyroscope, and nobody cares what permission you ask for when installing the app.

For security issues just google them; the worst you can find are privilege escalations. The least worst just crash your app.

The Nokia 930 was a gorgeous phone before the display started "malfunctioning". I still hope to see a new Nokia 1020. The space required for three bad cameras is large enough to fit one awesome sensor which will have a slight depth of field. Just check the original Nokia 1020 pictures.

Modern phones (and apps) don't ask for permissions during install but as you go when required. That nobody cares isn't the same as apps suddenly having root access at will or even just having access to files. That apps can get permissions is essential to functionality. How would a file manager work if it couldn't access local storage outside of its own domain? How would a navigation app work without access to location? How would a video chat app work without access to camera and microphone?

 

There's some sort of disconnect here. Unless you imply that apps should have a very limited scope by its very nature. Many apps don't require any permissions at all precisely because they don't need anything but what it can do within its sandbox. Conversely malicious or lazy app developers can make an app that requires all permissions available to function. However you can't even make an app now to abuse old target APIs like was previously possible because any developer making a new app needs to target Oreo as minimum (current version - 1 in essence).

 

I wasn't aware that software bugs or privilege escalations were unique to Android? Got a source?

 

If I'm reading this right your points boil down to: user error = insecure = unique to Android. Also, apps can have advanced functionality = bad.

Finally: security issues exist on Android period. No context. That leaves the implication that it's unique to Android or at least that Android is plagued by it to a degree not seen elsewhere.

11 hours ago, Commodus said:

Your opening paragraph really illustrates my point -- you say it's solely the Android vendors' fault, but promptly cite "major flaws" in Android's roots and point out that Google decided against locking things down.  Those are both choices Google made.  So yes, Google does play a role in this; it's just a question of how easy it is for Google to correct things.

 

Besides, think about it: Google may let companies customize Android, but in the end it's still Google's operating system, and vendors are still held to certain requirements if they want to use the platform.  If it cares about security, it should put its foot down even if it inconveniences partners.  If there were a Blaster-style malware epidemic that affected Android phones, the blame wouldn't just go to Samsung, or LG, or Sony, it'd go to Google as well.

 

Android doesn't compare directly to iOS, but that doesn't mean there aren't better ideas on one side or the other.  And let's face it, iOS has the unquestionably better security model.  It's a matter of whether or not Google can emulate enough of that model to make a difference, and without causing too much pain for OEMs... though frankly, I think they've been slacking.

My opening point implies I'm well aware of how things work. It indicates that I'm not being disingenuous in my argument. The flaw is Android was designed to be open and to run on anything you can imagine because you can modify it to your heart's content (within reason, if you want to pass Google's CTS for Play Services). That doesn't mean devices can't be updated if the ecosystem wanted to, the ecosystem being the various parties involved in each device. Locking things down limits what Google's partners can do. That limits what can be accomplished outside of Google's influence. That would make it supremely difficult for partners to add things to it and Android wouldn't have evolved the way it has. It's quite evident how much the likes of Samsung and Sony (as examples) have contributed to Android. The same would not be possible at all with a closed ecosystem. At best they could develop within the parameters of whatever APIs Google would allow.

 

The only way for Google to correct things would be dropping Android. Modifying Android itself would be a huge undertaking and takes a long time, to the point where you'd risk breaking things before you actually fixed anything. In fact Fuchsia seems to be a potential contender to supplant Android, but I suspect they'd have to have some form of Android framework as a compatibility layer in a transition phase. You can't just abandon one million apps and the ecosystem behind it overnight.

 

Ultimately the lack of support is separate from Google. Google continues to give better, more comprehensive and easier tools to make updating a device easy. It's just a matter of throwing a few resources at the problem, but OEMs would rather sell you a new phone than sink money into a device not netting them money anymore. They don't make money off existing devices. At best their incentive is to have customer retention, but I don't think the likes of Samsung has much of an issue despite the lack of timely OS updates. They do however do monthly security updates because they have enterprise customers to appease. Funnily enough the very same enterprise customers properly hate the feature updates. Maybe that's your answer. Just look at Microsoft to see how enterprise likes that.

 

Google have some clout but not entirely. This isn't a zero sum game. They have to give partners some leeway or they'll start questioning the soundness of continuing the relationship. The Pixels aren't a success story by any means. They rely on Samsung and Huawei to secure their business model. You don't bite off the hand that feeds you. Google does slowly improve things through various initiatives but you can't do sweeping changes without pushback.

 

I don't think anyone wants Android turning into iOS. Yes, the model you desire would pretty much put Google most of the way there. They'd have to ban a lot of stuff that makes Android good. Could Android continue to improve? Yes, and it does that. Over the last 4 years a ton of changes have been made both to policies, app development and security models (and more).

 

Just out of curiosity: was it Microsoft's fault that Lenovo, Dell and Sony installed rootkits on Windows PCs? Or was it perhaps the vendors in question? That's the crux of the problem.


12 hours ago, Canada EH said:

Is this malware that Google knowingly put on by themselves, or some other business?

I wouldn't be surprised one bit, knowing the Google business model of selling every little piece of info they can get their hands on, whether it be from your searches, whatever is in your email, in your cloud.

I am sorry but you would have to be a moron to think that Google purposely injected a malware app.

On 11/29/2018 at 12:49 AM, mynameisjuan said:

I am sorry but you would have to be a moron to think that Google purposely injected a malware app.

Yeah, I think, purposefully serving malware-ridden apps to their consumers would push these users off the platform and would be a worse outcome than the benefits of any data they could potentially receive.


On 11/25/2018 at 9:33 PM, James Evens said:

Why is this news? An app managed to get enough attention and optimization that an algorithm/AI decided to promote it.

Oh wait, it was again one of those antivirus-selling company blogs, and media love these stories. Just like the random warning for malware attacks on refrigerators by the BSI president (Germany).

Oh it's not a big deal on Android but if it was on the Apple App Store all hell would break loose...

3 hours ago, ZacoAttaco said:

Yeah, I think, purposefully serving malware-ridden apps to their consumers would push these users off the platform and would be a worse outcome than the benefits of any data they could potentially receive.

It's not just that, but why would they? You are already on THEIR OS and they can push any app to your phone already. They are open about how much they track you; this malware doesn't come close to their typical model.

1 hour ago, corrado33 said:

Oh it's not a big deal on Android but if it was on the Apple app store all hell would break loose...

If it happened on the 'App Store,' it'd be more news worthy because of how much more secure the 'App Store' is claimed to be.
