More on Olympics malware

What's the real story on that London Olympics widget - is it malware or just adware? Dig deeper here.

The story so far: On Monday, security vendor Webroot posted a note on their threat blog warning of possible malware programs masquerading as London Olympics applications. ZDNet's Rachel King followed up with an article based on Webroot's report which made the threat seem larger than it actually is, so after consulting with Rachel and our editor, I wrote an article of my own Wednesday pointing out any FUD (fear, uncertainty, and doubt) being spread by both postings.

I thought that would be the end of it, but since then there have been 2 updates to Rachel's article and 4 to mine. In addition, the vendor's PR company contacted ZDNet to complain that my article was "unfair and inaccurate," adding that they wanted us to correct the "factual errors".

First, I want to say that I stand by what I wrote in the article, and I consider it to be factually accurate. The origin of the misleading cropped image was unclear, so I did add this update from Rachel:

Rachel contacted me to say that the vendor supplied the full image and that she inadvertently cropped it while uploading the article.

Second, Webroot asked for an opportunity to respond to the article. Here's what they have to say: 

"The purpose of Webroot’s blog post is to make users more aware of the permissions they grant any application they install, on any device, before they click 'OK.' The London Olympics Widget shows the user aggregated 2012 Olympics news while also harvesting contact lists, device id and SMS messages. While not specifically malicious, an app for Olympic news does not need all of the above functionality to show who won the latest gold medal. We want to make sure users exercise caution and make informed decisions when downloading apps to whatever device they may use."

Actually, that sounds like good advice. An NC State study [PDF] showed that malicious apps asked for Messaging and Contacts permissions far more often than was normal in most apps. Do not install an app that asks for those permissions unless you trust the developer not to abuse them.

Finally, Webroot posted a follow-up article on their blog about the London Olympics App. After all this fuss, it turns out the app is only "potentially unwanted":

"The reason we have classified this as a Potentially Unwanted Application is because it is using the Olympics to draw people into installing their apps so they can make money on multiple aggressive advertisement SDK add-ons. It is the aggressive advertisement SDK add-ons that are requesting permissions to read contacts, look up device ids, and read SMS messages."

Personally, I don't consider apps with ads to be true "malware", even if the ads are aggressive. Apps that escalate their privilege through root exploits (security holes) are the real threat. Luckily, malware of this type isn't very common, and such apps are usually found by scanners before being put on the official Google Play Store. If they slip through and manage to get in the store, then Google removes them as soon as possible. In two cases I recall, the apps were pulled within 2 hours of discovery.

Amazon has a good track record for scanning and removing bad apples too, so I would consider the Amazon app store to be just as safe as Google's. However, unofficial stores (especially in Asia) and random web sites are not scanned as vigorously, if at all.

Android gives you the tools to take charge of your own security: an explicit security model that asks your permission before installing, and official app stores that scan for harmful programs and track developer reputations. Use them wisely.