More on Olympics malware

Summary: What's the real story on that London Olympics widget - is it malware or just adware? Dig deeper here.


The story so far: On Monday, security vendor Webroot posted a note on their threat blog warning of possible malware programs masquerading as London Olympics applications. ZDNet's Rachel King followed up with an article based on Webroot's report which made the threat seem larger than it actually is, so after consulting with Rachel and our editor, I wrote an article of my own Wednesday pointing out any FUD (fear, uncertainty, and doubt) being spread by both postings.

I thought that would be the end of it, but since then there have been 2 updates to Rachel's article and 4 to mine. In addition, the vendor's PR company contacted ZDNet to complain that my article was "unfair and inaccurate," adding that they wanted us to correct the "factual errors".

First, I want to say that I stand by what I wrote in the article, and I consider it to be factually accurate. The origin of the misleading cropped image was unclear, so I did add this update from Rachel:

Rachel contacted me to say that the vendor supplied the full image and that she inadvertently cropped it while uploading the article.

Second, Webroot asked for an opportunity to respond to the article. Here's what they have to say:

"The purpose of Webroot’s blog post is to make users more aware of the permissions they grant any application they install, on any device, before they click 'OK.' The London Olympics Widget shows the user aggregated 2012 Olympics news while also harvesting contact lists, device id and SMS messages. While not specifically malicious, an app for Olympic news does not need all of the above functionality to show who won the latest gold medal. We want to make sure users exercise caution and make informed decisions when downloading apps to whatever device they may use."

Actually, that sounds like good advice. An NC State study [PDF] showed that malicious apps asked for Messaging and Contacts permissions far more often than was normal in most apps. Do not install an app that asks for those permissions unless you trust the developer not to abuse them.

Finally, Webroot posted a follow-up article on their blog about the London Olympics App. After all this fuss, it turns out the app is only "potentially unwanted":

"The reason we have classified this as a Potentially Unwanted Application is because it is using the Olympics to draw people into installing their apps so they can make money on multiple aggressive advertisement SDK add-ons. It is the aggressive advertisement SDK add-ons that are requesting permissions to read contacts, look up device ids, and read SMS messages."

Personally, I don't consider apps with ads to be true "malware", even if the ads are aggressive. Apps that escalate their privilege through root exploits (security holes) are the real threat. Luckily, malware of this type isn't very common, and it's usually found by scanners before being put on the official Google Play Store. If such apps slip through and manage to get in the store, then Google removes them as soon as possible. In two cases I recall, the apps were pulled within 2 hours of discovery.

Amazon has a good track record for scanning and removing bad apples too, so I would consider the Amazon app store to be just as safe as Google's. However, unofficial stores (especially in Asia) and random web sites are not scanned as vigorously, if at all.

Android gives you the tools to take charge of your own security: an explicit security model that asks your permission before installing, and official app stores that scan for harmful programs and track developer reputations. Use them wisely.
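
The pre-install permission check recommended above can be scripted. This is an added example, not code from this article or from Webroot: it reads an AndroidManifest.xml that has already been decoded to text and flags requests for the three data types Webroot named (contact list, device id, SMS). The sample manifest, its package name, and the set of permissions treated as expected for a news app are constructed assumptions.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions gating the three data types Webroot named for the widget.
SENSITIVE = {
    "android.permission.READ_CONTACTS": "contact list",
    "android.permission.READ_PHONE_STATE": "device id",
    "android.permission.READ_SMS": "SMS messages",
    "android.permission.RECEIVE_SMS": "SMS messages",
    "android.permission.SEND_SMS": "SMS messages",
}
# Assumption: what a news widget needs to fetch and show headlines.
EXPECTED_FOR_NEWS = {"android.permission.INTERNET",
                     "android.permission.ACCESS_NETWORK_STATE"}

# Constructed sample manifest (not the real widget's).
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.olympicswidget">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.VIBRATE"/>
  <application android:label="Olympics News"/>
</manifest>"""

def requested_permissions(manifest_xml):
    """Return the sorted, de-duplicated permission names a manifest requests."""
    root = ET.fromstring(manifest_xml)
    names = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for el in root.iter(tag):
            name = el.get(ANDROID_NS + "name")
            if name:
                names.add(name)
    return sorted(names)

def review(manifest_xml, expected=EXPECTED_FOR_NEWS):
    """Split requested permissions into sensitive / expected / unexpected."""
    report = {"sensitive": {}, "expected": [], "unexpected": []}
    for perm in requested_permissions(manifest_xml):
        if perm in SENSITIVE:
            report["sensitive"].setdefault(SENSITIVE[perm], []).append(perm)
        elif perm in expected:
            report["expected"].append(perm)
        else:
            report["unexpected"].append(perm)
    return report

if __name__ == "__main__":
    for data, perms in review(SAMPLE_MANIFEST)["sensitive"].items():
        print(f"review before install: {data} <- {', '.join(perms)}")
```

A flagged permission is a prompt to ask whether the app's stated purpose needs that data, not a malware verdict; ad SDKs bundled into an app request permissions through the same manifest as the app itself.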

Topics: Security, Android, Apps, Malware, Mobile OS

Ed Burnette

About Ed Burnette

Ed Burnette is a software industry veteran with more than 25 years of experience as a programmer, author, and speaker. He has written numerous technical articles and books, most recently "Hello, Android: Introducing Google's Mobile Development Platform" from the Pragmatic Programmers.



1 comment
  • right

    Comparing Rachel's post and Webroot's original blog, I'd say that the former had more Android and open source FUD than the latter. Webroot's suggestion was pretty innocent for an antivirus company.

    IMHO, here's another example of FUD that links a self-referenced "study" of a Kaspersky officer.