Android malware, FUD, and the FBI


Summary: A badly written FBI warning about Android malware has been taken to be about Android's security, when it's really about idiot users.


The Internet Crime Complaint Center (IC3), a U.S. government task force made up of the FBI and the National White Collar Crime Center, recently issued an Android malware warning. This has been taken by some to be yet more proof of how insecure Android is compared to Apple's iOS. Please. Give me a break.

All the IC3's badly written, vague release really said was that: "The IC3 has been made aware of various malware attacking Android operating systems for mobile devices. Some of the latest known versions of this type of malware are Loozfon and FinFisher." And, what are these?

Loozfon is a Trojan horse that Symantec reports as having fewer than 50 reported instances. FinFisher is a much more serious spyware program.

FinFisher has been around for years on Macs and Windows PCs as "legal" spyware from Gamma International, a UK security company. Recently it's been ported to all the major mobile devices, including Android, Blackberry, and, yes, the iPhone. It is in no way, shape, or form purely an Android problem.

In any case, neither program is a classic computer virus. They require users to go above and beyond the call of stupidity to catch them.

With both, you typically need to open a suspicious-looking email, then follow a link, and then agree, in Android's case, to download the unknown Android application package (APK). After that, you have to tell your smartphone or tablet to install it even though it's not in Google's Play Store, ignore the malware warning, and then you finally get to infect your device.

In short, these malicious programs don't really infect devices. Maliciously stupid users do. Or, in the case of FinFisher, it might be your employer or your government.

The real problem with Android security though isn't malware that requires a fool's active co-operation. No, the true trouble is that Google still doesn't do anything like enough checking of applications for security risks before it lets them go on the Google Play Store. This is one thing that Apple does do better with its app store than Google does.

The good news is that Google finally seems to be getting its act together in stopping these real threats. According to a report, Google will soon be integrating a malware scanner in the Google Play application store. Neither Google, nor anyone else, can stop fools from being fools, but the search giant is finally working more seriously on solving Android's real security problems.

  • Nicely said

    I've noticed that all of the Android scare articles that have been written in recent months all unravel into FUD propaganda when you actually take the time to do a small amount of research. Thank you for not just taking part in the typical media echo-chamber approach and actually calling this out for what it is.
    • Yep the show has started, Got the popcorn

      Look at all the supposed IT folks making fools of themselves.

      These people make IT decisions, LOL... :)
      • Yep - those idiot IT folks...

        Completely foolish, these IT folks thinking that a trojan could be a security threat. I mean, it's only stupid people who'll download and install this, right?

        And good IT people know not to let stupid people bring their smartphones and tablets into the workplace, right?

        And even if the CEO of the company isn't all that tech savvy, but absolutely needs his email on his Android phone, the smart IT people have enough clout to tell the CEO to pound sand, right?

        Yep.. IT people are complete idiots.. because they think about the human factor of IT before the technical factor. Complete. Fools.
        • Why the heck your CEO would need to

          Open email.
          Follow link.
          Download APK.
          Install it with warning.
          Ignore another warning.

          He should be fired for breach of security, and utter stupidity and/or ignorance. As CEO he has access to all resources of the company. HE WILL BE A TARGET. If he cannot learn how to behave, then CEO is not the position for him.
          • CEO Fired?????

            The only people that can fire a CEO are the Board. Since they are likely his/her friends and golf/drinking/yachting buddies, who would they believe, the CEO or some lowly IT peon (even a Director is a peon by their standards) who says the CEO did something stupid?

            Even the people choosing the CEO of a nation can be bamboozled into choosing one with poor judgement. I have my own partisan idea of who that would be, but either way, the principle stands. Them that has the gold, makes the rules.
          • There are many answers to this...

            The short answer would agree with you - he wouldn't need to do this.

            Having said that - very few CEOs (including those of otherwise hi-tech firms, such as pharmaceutical and other R&D firms) have expertise elsewhere in their fields than in IT and security. The CEO is probably the last person who should be expected to be an IT guru - that's why they hire IT people.

            Thinking you're going to get a CEO fired for downloading a trojan on a company device is pretty wishful thinking. Even ignoring the likelihood that you have to get past the close personal relationships that CEOs have with board members, the truth is most CEOs simply have skill sets that are hard to replace.

            The situation above is very real - any executive these days likely has their corporate email accessible on their phones or other devices that they use personally. They need to be connected. It is likely some of them will make the mistake of installing a trojan on their device. We can educate them all we want (and if we're lucky, they will actually listen), but in the end, we still have to prepare for the inevitable mistake such as this one that will be made.

            SJVN and other fanbois would love to sweep this under the rug and say "nothing to see here", and pretend that security issues are still just an "everything but Linux" problem. Those of us in the real world, however, know that this is just one more security threat that needs to be mitigated, and it doesn't matter what system, device, or OS you own - if it connects to something else, it can be broken.
        • Tech Savvy?

          If your CEO even gets these emails, then the IT department is failing. Email like this, containing attachments of any kind of installers (EXE, ZIP, APK, and others) should be marked as spam and not even be delivered. THAT'S what a good IT department does to protect its network and its users.

          You can harp all you want about educating users, but as a former educator and now a sysadmin, I know exactly how much is retained by the non-savvy users.
          • So in your world security ends at the inbox?

            "If your CEO even gets these emails, then the IT department is failing. Email like this, containing attachments of any kind of installers (EXE, ZIP, APK, and others) should be marked as spam and not even be delivered. THAT'S what a good IT department does to protect its network and its users."

            And what about poisoned websites? What about non-vetted applications on the Google Play store? What about internal emails from other users which may include other documents?

            I get your meaning, but as a sysadmin and a former educator, you surely know that both education and IT security is a constantly moving target.
        • Good email app to prevent such vulnerabilities

          As the author mentions, I also had concerns about my private data like emails, files and other stuff.
          Since most of my communication, especially that which must be encrypted, is done by email, I’ve looked for a secure email app for my Android device.
          I must say that the default email app in Android is definitely not secure, so I've looked around for a good email app with robust security features.
          I found several business apps, but after doing some benchmarks I decided to use Emoze to secure my Android device.
          The OTA protocol has two layers of encryption, AES bundled with SSL, which is pretty much immune to MITM attacks.
          Emoze security features allow you to find the device location by SMS or email, remote wipe or block by SMS, as well as to encrypt your files and private data. This is cool because you don’t need a PC connected to the internet to get the job done; you can simply send an SMS to your phone number to activate the security process.
          Moris Kahan
    • Get real SJVN. 99.99% of android users are idiot users.

      That's what happens when your OS is the one used on all the phones that are sold to people who don't know what an OS is. This is just like the days of Windows being bashed for the "must dismiss dialog to proceed to porn" people getting used to clicking through its warning popups without reading and understanding them.
      Johnny Vegas
      • You must have taken a survey

        Or were you relying on someone else's? Or were you just spouting partisan drivel?
        John L. Ries
        • Perhaps a minor change in Johnny Vegas title makes it more accurate

          Instead of, "Get real SJVN. 99.99% of android users are idiot users" it should be, "Get real SJVN. 99.99% of all users are idiot users"

          As such, all operating systems are open to these kinds of threats as the common thread is the user.

          As Steven spent so much time in the past bashing other operating systems for these issues, to see Linux targeted in the same way, when the Linux proponents had so strenuously claimed it couldn't happen because Linux was modular and so secure, well, it just shows what a moron Steven really is.
      • Wow

        And you are the reason people can't stand iFans.
    • That doesn't affect the general denial...

      ... of many android users....
      Android is generally less secure than Apple iOS devices.
      NSA is working on Android security to get it to a consumer acceptable level though.
      Some Android versions support encryption but it is still less secure than the iPhone's hardware-enhanced AES.
      Then there's the fact that Android is created as a spyware product to begin with. Google distributes devices at cost just to get their spyware in your hands. Many apps, even simple video players get access to "sensitive log data".
      So on an iPhone some apps can access your contacts, and you can see what accesses what. On Android, and don't lie because I've used it, a fair share of google market apps have access to "sensitive log data" among other things.
      Also some android devices have NFC, which is a proven security risk allowing anyone the opportunity to hack your phone just by putting instructions to do so in the scan. That's how they hacked the S3 at the root control level at the latest pwn2own.
      I'm not saying it's impossible to be safe, but just get over the fact that android is generally less secure. The constant denial doesn't help, recognizing this and addressing it does.
      Or you can wait until the NSA fixes it... Google already incorporated some of their fixes earlier this year.
  • Just too funny

    Windows malware is the fault of Microsoft. Any OS that needs AV is flawed by design. Users shouldn't be expected to know how to protect themselves online. The OS should take care of security. etc. etc. etc.

    Google malware is the fault of the user. Just because Android (which is Linux) needs AV doesn't mean that it is flawed by design (Google is adding AV to Android devices). Users should be expected to know how to protect themselves online when using Android. Android users should take care of their own security.

    You can't make this stuff up.
    • Apparently, you can make this stuff up

      at least SJVN does...
      William Farrel
    • Funny if you're uneducated

      I actually created an account to reply to this stupidity.

      There is no OS - whether it's a PC, a Mac or a mobile device - that is completely bullet proof to any form of malware. Honestly, any form of malware infection happens because the user is being stupid.

      These days, a "secure" OS really is the one that makes it the most difficult for stupid users from breaking your own machine. The most secure OS in the world will be infected by a virus if a stupid user - like you - answers Yes to things without reading/thinking.

      I don't know where you read average users shouldn't be expected to know how to protect themselves online, but THEY SHOULD. Do you drive around with your car without expecting the basic problems you might encounter by doing so? The web is so vast and everyone is using it almost daily. It's about f***ing time average users also educate themselves how to use the damn thing.
      • If you want to preach "education"..

        You probably shouldn't start a post on a site like ZDnet with "I actually created an account to reply to this stupidity"..

        The rest of your post is nothing but either stating the obvious ("The most secure OS in the world will be infected by a virus if a stupid user - like you - answers Yes to things without reading/thinking.") and the elitist "It's about f***ing time average users also educate themselves how to use the damn thing."

        The rest of us live in the real world where we realize that not all people are tech-heads and have other interesting talents and hobbies that aren't focused on computers. Those of us who are tech-savvy and realize this spend more time educating the less-savvy on how to protect themselves against these threats and mitigate damage when the "unedumacated" make a mistake, rather than just belittling those who are below us.

        Some of us have had an account for a while. The fact you created a new one yourself just to rant about how stupid some people can be tells a pretty sad story about your personality.
      • I agree with most of what you said...

        "These days, a "secure" OS really is the one that makes it the most difficult for stupid users from breaking your own machine. The most secure OS in the world will be infected by a virus if a stupid user - like you - answers Yes to things without reading/thinking."

        Why do you think they added UAC to Windows Vista? In essence, Windows 7 is LESS secure because the default is to allow users total control of their computer, which is a mistake IMO. It may only be a prompt, but at least the onus is on the user for clicking past it for not understanding the ramifications of changing a system setting. Some people just don't read what is right in front of them.

        "I don't know where you read average users shouldn't be expected to know how to protect themselves online, but THEY SHOULD"

        Agreed. There are some people that should need a license to operate a computer. And anybody that downloads pirated music and such "because their neighbour does without getting viruses" deserves what's coming to them. Chances are, I've already had to fix their neighbour's computer anyway.

        That said, sometimes even the most advanced user gets bit by a drive-by download like those that poison ad networks - including CBSi, which has had more than their fair share over the last couple of years. It's nice to know that you have some kind of antivirus watching your back. Even when you do keep your OS security up-to-date, there are 0-day threats that can attack it and sometimes security vendors can update their AV signatures faster than the OS vendors. Most viruses are just variants of existing classifications anyway.
      • Then there's seeded web sites

        The S3 was recently rooted, hackers gaining full root control just by waving an NFC tag, with no user interaction at all.
        Although they were showing off with NFC, they really just used NFC to open a poisoned link. A similar attack was used on last year's iPhone, allowing the hackers to get some contact and video info, while the same type gave hackers absolute root control of the S3 with no user interaction required. How does one educate themselves against that? Don't use NFC or browse the web? Websites can be hacked and poisoned, even popular ones like google.
        I do find it interesting, how at the same contest, the iPhone gave up partial info, and the S3 was rooted completely by waving a tag, how zdnet seemed to completely ignore the android security risk and focused on the more partial hack of last year's iPhone....