Android users give malware apps permission to rob them, express shock at the results

Summary: Is it really malware if it asks permission first? A new threat sneaks past Google's automated Bouncer, but is easily defeated with a little common sense.

From the "don't give your keys to criminals" department...

Alert, alert! Security researchers (i.e., people who sell virus scanners) warn of a dread new threat: Android malware posing as Super Mario or Grand Theft Auto wallpaper can get on your phone and, gasp, send SMS messages to a premium-rate number. Oh no, what will we ever do?

Try reading the permissions first. It turns out that in order to activate the software you have to agree to install a program that will "cost you money":

Imagine you're walking down the street and a panhandler approaches you and asks, "Excuse me sir, may I have your wallet for a moment so I can take some money out of it?" And you say, "Sure, go ahead."

"What, you took my money? How dare you?"

Thank you, security research guys, for saving us from this terrible menace.

Ed Burnette

About Ed Burnette

Ed Burnette is a software industry veteran with more than 25 years of experience as a programmer, author, and speaker. He has written numerous technical articles and books, most recently "Hello, Android: Introducing Google's Mobile Development Platform" from the Pragmatic Programmers.

Talkback

12 comments
  • Are fandroids going to deny ...

    ... that Android users are some of the dumbest people in the world??

    - Completely ignore basic security 101 and download/install crap from questionable sources.
    - Think that "ROMS" created by anonymous developers and posted on random forums are safe.
    - NOW, click "yes" to install an app even after it explicitly told them that it was going to use services that will cost them money.
    wackoae
    • windows habits

      The point of the article is that unlike on Windows where users have the same lot of downloading and installing from unverifiable sources, Android has an advantage of presenting all permissions of an app prior to installation.
      BTW, where do these silly Android users get such a poor education from? Yes, it's Windows, indeed.
      eulampius
      • windows habits - who mentioned windows ?!?

        Think someone is a little sensitive, and missed the real point of the article.
        Try reading the links, 100000 people downloaded and installed despite Activator warnings. And then Google failed to remove/clean-up ... the point is "many people are stupid" (which perhaps also relates to how you got all "Windows" out of the same articles - lol)
        CallMeCynical
        • Maybe you should also read the link

          Obviously you didn't read the link yourself.

          20.000 up to 100.000 people downloaded these two games which can NOT send any SMS messages. These games afterwards try to download the "Activator" application which is the dangerous part. There's no way to tell how many users installed this package, and even if they did, no way to tell how many of their devices are capable of sending messages (due to wifi-only tablets, blocked premium messages, etc).
          segroove
      • This doesn't have to be a Windows habit.

        If you are id8 enough, you could install from anyone, it doesn't have to be a Windows user. If you think Windows users are dumb then look at the mirror and you will realize who is the dumbest person on the earth. :D
        Ram U
    • Nope

      Are you dumb enough to say that Android users are dumbest people in the world and so on as dumb users don't exist at iOS or other userbase?

      I thought so....
      Fri13
    • The Future: good branding based on minimal permissions

      People are beginning to realise that nothing is free - either you pay cash for an app or you pay by giving your data. The tide is turning and the paid-for app with minimal permissions will increase. Developers with a good brand based on minimal permissions like StringFree (http://stringfree.co.uk) will become more in demand.
      cuttymarks
  • If you have missed checking permissions

    If you have missed checking permissions on the apps that you install, you can use Anti Spy Mobile scanner or Permission Dog from Google Play. They will list your apps' excessive permissions!
    Terry Porter
  • Priceless

    Offer a thirsty man/woman a drink clearly marked 'POISON' and they drown themselves!

    Google : We give you the experience of a lifetime. It will mirror everything that life has to offer...EVERYTHING.

    in small print - Google INC, its partners and personnel accept no responsibility for acts committed by third parties using said Google services, that may impair or impact the user's experience or........yada yada yada
    frogspaw
  • How many read complete terms and conditions

    before signing up for credit cards? I think it would be in single digit percentage. Here also the same, majority of users, including the highly enlightened ones at least once in a while, don't pay time to read T&C, EULA, NDA etc. completely before doing something, this includes the smallest warnings like the one you showed in the picture, that just goes past their heads while they were in that trance. And the provider of that particular "piece" the users are interested in cashes in immediately. The compulsion of using that resource will override the associated "tariff", something similar to compulsion buying. They realize once the penalty part comes into picture at a later stage.
    Ram U
  • So Ed - how long before criminals figure this out?

    So here we have criminals that found a way to fool just enough users to get them to download trojans from the Google Play store.

    How long before they figure out a way to "fool" Android into hiding the features of the application's abilities/permissions, so that this pesky warning doesn't display when trying to install an application?

    Think the developers have thought of everything? Think the permissions/installation system is flawless?

    Honestly, I understand the need for fanatics to blame victims of malware episodes such as this - it's comforting to be able to say to yourself "I'm safe - I would never make this mistake" - until you make some "other" mistake that lands you in the same boat.
    daftkey
    • You can be sure, many, many, many criminals already tried, but just failed

      "How long before they figure out a way to "fool" Android into hiding the features of the application's abilities/permissions, so that this pesky warning doesn't display when trying to install an application? Think the developers have thought of everything? Think the permissions/installation system is flawless?"

      In contrast to Apple's iOS, Android does NOT provide any "closed API", hiding (but not preventing) functions which should not be used by application developers. Hence, installing on a non-rooted Android device HAS to be done using Android's built-in package manager, which requires user input.

      Sure, you can never be completely safe, but it has the same security as the package installer of MacOS X or the "permission screen" of Windows Vista/7. For both I didn't see any major security threats until now.

      "Honestly, I understand the need for fanatics to blame victims of malware episodes [..]"

      People are funny. They complain if the government/a company tells them what they may or may not do, but they'll also complain about the government/company if it allows a child to run with a scissor and hurt itself.
      segroove