SoylentNews is people

posted by martyb on Friday January 05 2018, @03:50PM
from the the-play's-the-thing-where-I'll-capture... dept.

TrendMicro has discovered 36 apps in Google Play that execute unwanted behavior:

These apps posed as useful security tools under the names Security Defender, Security Keeper, Smart Security, Advanced Boost, and more. They also advertised a variety of capabilities: scanning, cleaning junk, saving battery, cooling the CPU, locking apps, as well as message security, WiFi security, and so on.

The apps were actually able to perform these simple tasks, but they also secretly harvested user data, tracked user location, and aggressively pushed advertisements.

The apps in question have been removed from Google Play.

Related: Google Pauses Crackdown on Apps That Use Accessibility Features



 
This discussion has been archived. No new comments can be posted.
  • (Score: 0) by Anonymous Coward on Friday January 05 2018, @04:53PM (29 children)

    by Anonymous Coward on Friday January 05 2018, @04:53PM (#618384)

    Why is the android platform so popular when they constantly have these security issues? You don't see this problem with apps on the "other" platform, but it's not correct to like them for some weird reason.

  • (Score: 5, Insightful) by requerdanos on Friday January 05 2018, @05:19PM (16 children)

    by requerdanos (5997) Subscriber Badge on Friday January 05 2018, @05:19PM (#618395) Journal

    > but it's not correct to like them for some weird reason.

    I don't know about generally, but in my case, I am a dues-paying associate member of the Free Software Foundation, and the other platform outright forbids GPL software [fsf.org] in their app store by requiring anti-copy DRM and copyleft-incompatible license terms for all apps. They chose to dislike me, not the other way around.

    I encourage world+dog to also join the FSF [fsf.org]. Members make the Free Software Foundation's work possible. Plus when you join you can choose to receive a cool membership card that's a fold-out bootable USB to use as a rescue disc (or whatever).

    • (Score: -1, Troll) by Anonymous Coward on Friday January 05 2018, @05:41PM (15 children)

      by Anonymous Coward on Friday January 05 2018, @05:41PM (#618408)

      Their website is shitty, and their development model discourages contributors.

      It is literally a waste of resources to support the FSF.

      • (Score: 1, Insightful) by Anonymous Coward on Friday January 05 2018, @06:20PM (14 children)

        by Anonymous Coward on Friday January 05 2018, @06:20PM (#618423)

        Thank you for that detailed and comprehensive criticism of the FSF! You've completely changed my mind! I'd mod you up, but I'm an AC right now.

        • (Score: 0) by Anonymous Coward on Friday January 05 2018, @06:23PM (13 children)

          by Anonymous Coward on Friday January 05 2018, @06:23PM (#618426)

          Unless you sign away all legal rights to the FSF, it rapidly becomes very difficult to participate in the production of their software.

          That's why there are so many alternatives; the FSF throws out technical excellence in favor of philosophical and political masturbation.

          • (Score: 1, Insightful) by Anonymous Coward on Friday January 05 2018, @07:16PM (7 children)

            by Anonymous Coward on Friday January 05 2018, @07:16PM (#618447)

            I don't think I'm aware of this license. I typically release my programs under either GPL or LGPL. What is this FSF license called and where may I read about it?

            • (Score: 1, Informative) by Anonymous Coward on Friday January 05 2018, @07:45PM (6 children)

              by Anonymous Coward on Friday January 05 2018, @07:45PM (#618478)

              You'll have to sign a special form, and assign your copyrights to the FSF.

              Seriously, you people are talking out of your asses. I've at least got experience.

              • (Score: 3, Informative) by lentilla on Friday January 05 2018, @10:29PM (5 children)

                by lentilla (1770) on Friday January 05 2018, @10:29PM (#618543)

                > assign your copyrights to the FSF

                This is to prevent issues arising in the future like we see with the Linux kernel - forever stuck on GPLv2. With the copyright assigned to a single; trusted; project sponsor, they don't have to seek consensus to move the project forward (or enforce the licence). As you might imagine, obtaining permission from now-deceased contributors can be challenging.

                Nothing here takes away your moral rights to what you contribute. You wrote the code, you contributed the code, everyone in the world can see that. The copyright assignment is simply thinking ahead, anticipating the implications of a changing legal landscape.

                • (Score: 0) by Anonymous Coward on Friday January 05 2018, @10:45PM (1 child)

                  by Anonymous Coward on Friday January 05 2018, @10:45PM (#618545)

                  *Is* it a problem to be stuck on GPLv2?

                  • (Score: 2) by lentilla on Saturday January 06 2018, @12:56AM

                    by lentilla (1770) on Saturday January 06 2018, @12:56AM (#618571)

                    Yes and no - rather depends on your goals and values. The main difference between v2 and v3 are the anti-Tivoization clauses. Others will be able to explain this much more eloquently than I am able in a short post.

                • (Score: 0) by Anonymous Coward on Saturday January 06 2018, @12:48AM (2 children)

                  by Anonymous Coward on Saturday January 06 2018, @12:48AM (#618568)

                  So... try again.

                  • (Score: 2) by lentilla on Saturday January 06 2018, @01:05AM

                    by lentilla (1770) on Saturday January 06 2018, @01:05AM (#618573)

                    > Linus Torvalds promoted sticking with GPLv2

                    Quite. Linus is the ultimate pragmatist. His goal is; well; let's call it "market penetration", and from that perspective, GPLv2 suits his goals admirably.

                    > So... try again.

                    Fair call. Linux is; however; a good example of a project where it is impossible to update the licence. Not even Linus himself could do this. This may; or may not; be a "good thing" - only time will tell.

                  • (Score: 3, Touché) by lentilla on Saturday January 06 2018, @01:15AM

                    by lentilla (1770) on Saturday January 06 2018, @01:15AM (#618574)

                    > So... try again.

                    Actually (and at the risk of starting a flamewar), I will take you up on the challenge: had Linux been an FSF project, we would not have had to put up with that ridiculous SCO debacle [wikipedia.org].

                    Now I'm not stating a position on whether Linux should have been an FSF project... but I am saying we would have avoided years of damage and millions of dollars of legal fees.

          • (Score: 2) by HiThere on Friday January 05 2018, @07:43PM (4 children)

            by HiThere (866) Subscriber Badge on Friday January 05 2018, @07:43PM (#618477) Journal

            What you say is true IFF you want the FSF to distribute your software. That's not one of my requirements.

            --
            Javascript is what you use to allow unknown third parties to run software you have no idea about on your computer.
            • (Score: 1, Insightful) by Anonymous Coward on Friday January 05 2018, @08:10PM (3 children)

              by Anonymous Coward on Friday January 05 2018, @08:10PM (#618489)

              If you want to contribute anything more than a few typo corrections, they'll start hounding you to sign a document which transfers to FSF rights to patents and copyrights. Nobody else does that sort of thing, and the result is that people would rather work on other projects than associate with the FSF.

              So, go ahead. Signal your virtues with a check to the FSF; the rest of us are going to spend our resources actually working on useful FOSS.

              • (Score: 0) by Anonymous Coward on Friday January 05 2018, @10:49PM

                by Anonymous Coward on Friday January 05 2018, @10:49PM (#618546)

                Apache does too. Projects there have to think about how much code they can accept from the community before a copyright assignment is needed.
                What's wrong with just answering "fuck off"? Either they take your contribution, reimplement it themselves, or you can post the patch on your website.

              • (Score: 0) by Anonymous Coward on Friday January 05 2018, @11:18PM (1 child)

                by Anonymous Coward on Friday January 05 2018, @11:18PM (#618550)

                So they try to make you sign away the copyrights and patents for your patch to them, or is it more broad than that?

                • (Score: 0) by Anonymous Coward on Saturday January 06 2018, @12:54AM

                  by Anonymous Coward on Saturday January 06 2018, @12:54AM (#618569)

                  The legal statement you're supposed to sign conveys to the FSF any future rights and patents that might in some way be connected back to your patch; on paper, you're basically giving up participation in the patent/copyright system, which is exactly what the FSF wants.

                  The FSF only likes copyright law insofar as it can be hacked into supporting the copyleft philosophy.

  • (Score: 3, Insightful) by Freeman on Friday January 05 2018, @07:06PM (9 children)

    by Freeman (732) on Friday January 05 2018, @07:06PM (#618440) Journal

    Apple == "Curated" content. I.E. We'll kick you out, if we don't like you. Mind you, they've been just fine with In-App Purchases and games that are designed to get kids to spend exorbitant amounts of money on fake money. They may have cleaned their act up some, they may not have, but the games are still there. Google also has plenty of that, but at least they're more open to developers. I'm also less likely to get trapped in the Google Ecosystem than the Apple Ecosystem. I would say, Android is plentiful, for the same reason Windows is plentiful. Ability to run on generic hardware.

    --
    Joshua 1:9 "Be strong and of a good courage; be not afraid, neither be thou dismayed: for the Lord thy God is with thee"
    • (Score: 3, Informative) by frojack on Friday January 05 2018, @07:51PM (2 children)

      by frojack (1554) on Friday January 05 2018, @07:51PM (#618482) Journal

      You don't HAVE TO provide a credit card for any of the various App Stores, and you would be silly to do so for your kids. Give them app-store gift cards, but never a credit card. That puts a stop to all this in-app purchases nonsense.

      Apple's Curation hasn't been all that perfect either.
      https://www.wired.com/2015/09/apple-removes-300-infected-apps-app-store/ [wired.com]
      https://arstechnica.com/information-technology/2015/09/apple-scrambles-after-40-malicious-xcodeghost-apps-haunt-app-store/ [arstechnica.com]

      And on top of that, they are currently running a sale on battery replacements rather than just tweaking their OS to stop surreptitiously slowing the processor as your battery ages.

      --
      No, you are mistaken. I've always had this sig.
      • (Score: 1) by anubi on Saturday January 06 2018, @06:06AM (1 child)

        by anubi (2828) on Saturday January 06 2018, @06:06AM (#618646) Journal

        > You don't HAVE TO provide a credit card for any of the various App Stores

        I was under the conception I *had* to surrender my credit card info to get onto Google Play.

        For that reason, I get all my android phone stuff, anonymously, from Aptoide.

        However, one website in particular, YELP, keeps linking back to Google Play every time I click a link on their site if I am using the phone. I can't even do a "read more" without YELP checking back with Google Play, so I simply can't interact with YELP unless I am at the PC.

        YELP keeps sending me more stuff about wanting me to write more stuff on their site... then they have some script tell me I am hung up at Google Play. Makes me wonder just what business school their executives attended to place impediments in the way of their customers... about the same sense to have store doors that are difficult to open to persuade old ladies to shop elsewhere.

        Believe me, if S/N treated me this way, you guys would very rarely hear from me.

        --
        "Prove all things; hold fast that which is good." [KJV: I Thessalonians 5:21]
        • (Score: 1, Insightful) by Anonymous Coward on Saturday January 06 2018, @09:38PM

          by Anonymous Coward on Saturday January 06 2018, @09:38PM (#618892)

          > I was under the conception I *had* to surrender my credit card info to get onto Google Play.

          I go to a local store and buy a £20 card for the Play store for those occasions where I feel the need to pass some money back to the developers of the small number of bits of software on the Play store that I actually find of use, ditto wrt the Apple store.
          In both cases, no credit cards involved at any point.

          (but thanks for the pointer to aptoide...I don't keep up with these sites.)

    • (Score: 2) by KiloByte on Friday January 05 2018, @08:10PM (3 children)

      by KiloByte (375) on Friday January 05 2018, @08:10PM (#618490)

      Here, let me show you a program ecosystem [debian.org] with curated content. Every program has a vetted and verified license, no advertisements or spyware, and so on. Some good phones [indiegogo.com] ship with it, and you can use the very same software on your server, laptop, desktop or SoC if you wish. Attractive price ($0). More open to developers.

      --
      Ceterum censeo systemd esse delendam.
      • (Score: 2) by Freeman on Friday January 05 2018, @08:47PM

        by Freeman (732) on Friday January 05 2018, @08:47PM (#618506) Journal

        That's one phone, that's also, still in the prototype phase. I've used Debian and their package management system quite a bit. I was also looking forward to a Non-Vaporware Ubuntu Phone, but alas that never panned out. While I've seen some rather successful kickstarter / indiegogo campaigns. Not many have become a real business or even offered their product to anyone, but those that backed the campaign.

        --
        Joshua 1:9 "Be strong and of a good courage; be not afraid, neither be thou dismayed: for the Lord thy God is with thee"
      • (Score: 3, Funny) by Bot on Saturday January 06 2018, @02:28AM (1 child)

        by Bot (3902) on Saturday January 06 2018, @02:28AM (#618589) Journal

        > with curated content

        why am I thinking about systemd all of a sudden?

        --
        Account abandoned.
        • (Score: 2) by Freeman on Monday January 08 2018, @03:32PM

          by Freeman (732) on Monday January 08 2018, @03:32PM (#619531) Journal

          In all fairness systemd has "quality control". It's just one giant heaping pile of dinosaur droppings. It's like on Jurassic Park, when the girl sticks her hands into the humongous pile of dinosaur droppings. Someone's gotta look at it, but one doesn't have to like it. It's not like, there couldn't be a different system. It's just no one cares enough to make something better. Those that do care enough to make it better, put on the gloves and hold their nose.

          --
          Joshua 1:9 "Be strong and of a good courage; be not afraid, neither be thou dismayed: for the Lord thy God is with thee"
    • (Score: 0) by Anonymous Coward on Friday January 05 2018, @09:06PM (1 child)

      by Anonymous Coward on Friday January 05 2018, @09:06PM (#618515)

      You're also more likely to get dangerous software from the google side, I'm sorry to say. I like google and some of what they stand for and do, but their app store is full of crap.

      • (Score: 0) by Anonymous Coward on Friday January 05 2018, @10:29PM

        by Anonymous Coward on Friday January 05 2018, @10:29PM (#618544)

        Freedom can be dangerous. Don't accept locked-down pieces of garbage just because it's 'safer'. In any case, the best thing to do is to always use Free Software, since it's extremely unlikely for Free Software to abuse you in the ways you're talking about.

        Also, why would you like Google? They built a massive surveillance engine and actively use it to violate people's privacy en masse. They are an intolerable company, just like Apple, Microsoft, Amazon, Facebook, etc. I'd like to see them all go out of business and never be replaced with similar companies.

  • (Score: 3, Informative) by Nerdfest on Friday January 05 2018, @07:37PM (1 child)

    by Nerdfest (80) on Friday January 05 2018, @07:37PM (#618466)

    > constantly have these security issues

    Well, the security issues are for the most part vastly, vastly hyped. They have almost exclusively been centered around Asian alternative app stores that tend to specialize in 'warez', etc. This one isn't, which is unusual, but I'm pretty sure that it has happened before, on both Android *and* iOS platforms. Yeah, it'll tend to happen less frequently under iOS because it's more strictly reviewed, and because the OS itself is more limited. Simply put, with Android, you control what you install, and with iOS Apple decides what you're allowed to install. Mistakes will happen both ways.

    I've always advocated the same idea as presented above, a curated store on Android. Charge developers for the review, and perhaps take a bigger cut. It's nice to have options.

    • (Score: 2) by frojack on Friday January 05 2018, @09:04PM

      by frojack (1554) on Friday January 05 2018, @09:04PM (#618513) Journal

      > Charge developers for the review, and perhaps take a bigger cut. It's nice to have options.

      Do it the other way around.

      Charge those that don't choose the extensive review.

      The automated reviews are getting better, and when a vulnerability is found in one of the packages the developer incorporated (uses in his build) the automated reviews can quickly track down all of the apps using those packages.

      --
      No, you are mistaken. I've always had this sig.