1. skstrials's Avatar
    As the Google report shows, while Android as a whole has a lot of malware, close to zero of it is on Google Play. The overwhelming vast majority of Android malware comes from third-party app stores such as 1mobile, Aptoide, etc. or random websites offering pirated paid apps. To get any of those, you have to manually enable third-party apps, which includes reading and agreeing to a warning.

    In other words, it's more-or-less like Windows, where illegal (pirate) porn sites and pirate sites were the primary vectors for malware infections, and where, in most cases, users had to intentionally participate in high-risk activity. Ironically, people here on CB encourage BB users to do exactly this on a regular basis - encouraging the use of third-party app stores like 1mobile and Aptoide...

    Of course, this part of the story doesn't get page clicks or sell ads, so the headlines are only going to talk about the total amount of malware, not how most official users will never encounter it.
    Snap is safe. I do not think people really recommend 1mobile or any other app stores on here.

    I have heard many bad things about 1mobile in the forum.

    Posted via CB10
    07-07-15 02:50 AM
  2. SunshineStateFlyer's Avatar
    One thing we have to realize is that Android brings a lot of choice when it comes to settings and customization. Basically all apps run in boxed environments with no access to other parts of the system. However, users can give access.

    Also, Android can be rooted, which is the point when users have full control and face full risk at the same time. Installing pirated apps from third party stores is obviously a bad idea.

    Generally speaking, Android is not built to be 100% secure, but it is pretty safe for users who use common sense. The same goes for lots of security problems in IT infrastructures. Many times it is the user acting irresponsibly rather than a true technical security issue.

    Posted via CB10
    07-07-15 03:09 AM
  3. paulwallace1234's Avatar

    Afraid not, here's a good ol' privilege escalation exploit from way back in 2008: Vulnerability found in the latest Symbian operating system

    And a touch of malicious code execution via MMS, from 2009: https://cxsecurity.com/issue/WLB-2009070014

    Hacking Team, the surveillance contractor that was hacked yesterday, offers ways to monitor targets using Symbian as well - and that's something that will likely never be fixed, since the platform no longer receives updates.
    I'll give you the second one, but the first one can't be classed as a threat, it was a modification of the OS's InstallServer, removing the certificate checks, not something you could do without knowing exactly what you were doing and wanted to do.

    Also, due to the hash checks for all executable files on Symbian (they will not execute unless they have a valid hash and are located in the sys/bin folder) the attacker would not be able to send another process to be executed.
    The exploit explained gained access to that process only which would only have limited capabilities on its own.
    07-07-15 04:27 AM
  4. The Big Picture's Avatar
    Look at all the defenders of all things Google here. Do no evil gents ;-)

    Android has 94 percent but their global market share is less than that. That shows once again that it is an insecure platform.

    Downloading malware from unofficial sites? That in itself is an Android problem and not a problem anywhere else. On iOS, Windows phones and to a certain extent BlackBerry, a clueless smartphone user would not even know where to begin to download unofficial apps.

    Most mobile OSes' ecosystems and policies protect their less security/privacy-conscious users.

    Also there is a rule in hacking, and it's the cost vs benefit factor.

    So obviously Android phones are just too easy to hack.

    And so what if people are going to install dodgy apps. Are you gonna stop them? It's the system that needs to be fixed not the users.

    Posted via CB10
    07-07-15 05:59 AM
  5. asherN's Avatar
    Cool, BB should block all side loading then.
    07-07-15 06:30 AM
  6. Soulstream's Avatar
    Look at all the defenders of all things Google here. Do no evil gents ;-)

    Android has 94 percent but their global market share is less than that. That shows once again that it is an insecure platform.

    Downloading malware from unofficial sites? That in itself is an Android problem and not a problem anywhere else. On iOS, Windows phones and to a certain extent BlackBerry, a clueless smartphone user would not even know where to begin to download unofficial apps.

    Most mobile OSes' ecosystems and policies protect their less security/privacy-conscious users.

    Also there is a rule in hacking, and it's the cost vs benefit factor.

    So obviously Android phones are just too easy to hack.

    And so what if people are going to install dodgy apps. Are you gonna stop them? It's the system that needs to be fixed not the users.

    Posted via CB10
    The user is warned that installing apps outside the Google Play Store may be harmful. This is not Google's fault for users not caring about security. Google does its job pretty well in protecting their own app store. The user has to be protected, but if he just ignores all warnings then the harmful results are all on him, not Google.

    The same could be said about Microsoft's Windows and has been true for 20 years now and it hasn't been changed.
    pantlesspenguin likes this.
    07-07-15 07:33 AM
  7. Dunt Dunt Dunt's Avatar
    Look at all the defenders of all things Google here. Do no evil gents ;-)

    Android has 94 percent but their global market share is less than that. That shows once again that it is an insecure platform.

    Downloading malware from unofficial sites? That in itself is an Android problem and not a problem anywhere else. On iOS, Windows phones and to a certain extent BlackBerry, a clueless smartphone user would not even know where to begin to download unofficial apps.

    Most mobile OSes' ecosystems and policies protect their less security/privacy-conscious users.

    Also there is a rule in hacking, and it's the cost vs benefit factor.

    So obviously Android phones are just too easy to hack.

    And so what if people are going to install dodgy apps. Are you gonna stop them? It's the system that needs to be fixed not the users.

    Posted via CB10
    You are right....

    Best way to really fix Android is to make it a Closed OS and prevent anyone from installing Android unless it is installed on Google approved hardware. And lock the Boot Rom, and make it so apps installed from the Google Play Store would run, with all apps required to use Google Services for validation. Of course if that were to happen, BB10 would be dead in the water... No Runtime, No Android Apps... so watch out what you wish for. But that goes against what Google wanted for their OS... and make them too much like the Apple ecosystem.

    But then that would help BlackBerry's security also as many of the malicious apps can be installed on a BlackBerry device... and there really isn't some magical sandbox that keeps those apps from accessing info on your device or accessing the network. If a user installs a malicious app they are giving it permission to do whatever it wants as we have no control over Android App Permissions (without using a 3rd Party App).
    07-07-15 07:36 AM
  8. SunshineStateFlyer's Avatar
    Look at all the defenders of all things Google here. Do no evil gents ;-)

    Android has 94 percent but their global market share is less than that. That shows once again that it is an insecure platform.

    Downloading malware from unofficial sites? That in itself is an Android problem and not a problem anywhere else. On iOS, Windows phones and to a certain extent BlackBerry, a clueless smartphone user would not even know where to begin to download unofficial apps.

    Most mobile OSes' ecosystems and policies protect their less security/privacy-conscious users.

    Also there is a rule in hacking, and it's the cost vs benefit factor.

    So obviously Android phones are just too easy to hack.

    And so what if people are going to install dodgy apps. Are you gonna stop them? It's the system that needs to be fixed not the users.

    Posted via CB10
    You're basically saying that limiting the users will make Android more secure. That's true to a certain extent but it is the question whether this is really the way to go, especially for an open source OS. The fact that we're talking about open source in combination with a huge user base cannot be neglected, and giving more freedom to the user always comes with certain risks.

    There's no need for defending here, it's just about analyzing and comparing different platforms. BlackBerry is superior to Android in terms of security, I think that is unquestioned. However, the current way they're going, with letting people install apk files from unknown sources of course bears some risks. That users don't know how to do it or that there just aren't enough users to make it a real problem doesn't mean it is a safe practice.

    Installing a third party store through a sideloaded file and giving them all your Google credentials isn't safe at all, yet many are choosing to do it in order to improve their app choice.

    To conclude a statement out of this I would probably agree to the fact that Android bears more risks to the common user but it is mainly because of their less controlled environment. Architectural problems might be added but I'd say they account for way less security breaches with consequences than users do on their own.



    Posted via CB10
    07-07-15 07:39 AM
  9. tollfeeder's Avatar
    Regarding sideloaded APKs - nothing new, but it is very well possible to 'hack' the ART http://www.security-sleuth.com/sleut...-android-phone (at least with 10.3.1, maybe BB fixed it but I doubt it). I tried it myself and it's certainly fun to remotely be able to access the camera etc.

    Via Pasta CB10
    07-07-15 08:10 AM
  10. Soulstream's Avatar
    Regarding sideloaded APKs - nothing new, but it is very well possible to 'hack' the ART Using Metasploit to Hack an android phone - The Security Sleuth (at least with 10.3.1, maybe BB fixed it but I doubt it). I tried it myself and it's certainly fun to remotely be able to access the camera etc.

    Via Pasta CB10
    Hacks that require physical access to the phone are really hard to pull off. So first you must have access to the device and bypass the lock-screen in order to install the APK. And the exploit only works as long as the phone is on the same network as you.

    This is not something that will happen in real-life. It's more of a proof-of-concept exploit.
    07-07-15 08:40 AM
  11. tollfeeder's Avatar
    Hacks that require physical access to the phone are really hard to pull off. So first you must have access to the device and bypass the lock-screen in order to install the APK. And the exploit only works as long as the phone is on the same network as you.

    This is not something that will happen in real-life. It's more of a proof-of-concept exploit.
    The logic could be implemented in other malicious APKs as well and distributed through 1Mobile for example. So physical access is not really needed. The exploit can be pulled off over the internet as well. Btw - it's not even the only exploit available.

    Via Pasta CB10
    07-07-15 08:47 AM
  12. Soulstream's Avatar
    The logic could be implemented in other malicious APKs as well and distributed through 1Mobile for example. So physical access is not really needed. The exploit can be pulled off over the internet as well. Btw - it's not even the only exploit available.

    Via Pasta CB10
    From the article you provided: Ensure that the android phone is connected to a local area network and make sure you know its IP address

    And again, the moment you allow your phone to install non-Google-Play APKs, you are responsible for any loss of security. It's like me telling you my Gmail username and password, you accessing my account and then me blaming it on Google and not myself.

    Also most Android exploits usually presented on this site as a means to show how insecure Android is usually have at least 1 or 2 unreasonable requirements that make it hard to pull off in real-life. I think Google balances pretty well the openness of Android with security requirements: you can install any app you want but you do so at your own risk.
    07-07-15 08:54 AM
  13. LazyEvul's Avatar
    I'll give you the second one, but the first one can't be classed as a threat, it was a modification of the OS's InstallServer, removing the certificate checks, not something you could do without knowing exactly what you were doing and wanted to do.

    Also, due to the hash checks for all executable files on Symbian (they will not execute unless they have a valid hash and are located in the sys/bin folder) the attacker would not be able to send another process to be executed.
    The exploit explained gained access to that process only which would only have limited capabilities on its own.
    Fair point, I should've taken a closer look - but there are plenty more where those came from, those were the first two I found. And that's before we look at the Hacking Team kit, which seemed to provide some pretty impressive surveillance capabilities (though the source code has been taken down since I last saw it). Saying Symbian is entirely free of threats is definitely a stretch.
    07-07-15 09:16 AM
  14. Witmen's Avatar
    This is scary stuff people! It is really harming everyday users as well. Something should be done about all of these threats.

    Here is a link to a post from a real user whose phone was recently infected with one of these threats -

    http://forums.crackberry.com/android...rning-1026786/

    That poor guy was just downloading and installing random things from the internet to his Passport from who-knows-what-sources and look what happened to him! His Android apps got held hostage. Surely there must be some way to prevent things like that from happening.

    It is a crazy and scary world we live in. What happened to the days of being able to install any random, suspicious thing we came across on the internet? Now we have to use common sense and only stick to installing stuff from trusted sources? That's just too hard for some people.
    07-07-15 09:17 AM
  15. tollfeeder's Avatar
    From the article you provided: Ensure that the android phone is connected to a local area network and make sure you know its IP address

    And again, the moment you allow your phone to install non-Google-Play APKs, you are responsible for any loss of security. It's like me telling you my Gmail username and password, you accessing my account and then me blaming it on Google and not myself.

    Also most Android exploits usually presented on this site as a means to show how insecure Android is usually have at least 1 or 2 unreasonable requirements that make it hard to pull off in real-life. I think Google balances pretty well the openness of Android with security requirements: you can install any app you want but you do so at your own risk.
    Sure, the linked article is only about local attacks, still it is possible through WAN as well. Just some googling required. Let's say you managed to put the Malware on device, then you can secretly start a web server as well. While I agree it's a very bad idea to install APKs from untrusted sources, it's really not the same as giving out your Google login data. There is/was a Webview vulnerability which affected browsers downloaded from Play Store (and not patched in older versions) too, so 'normal' users were fracked as well.

    Dunno about 'unreasonable' or maybe I just don't see Google as 'balanced' as you do.

    Via Pasta CB10
    07-07-15 09:37 AM
  16. Soulstream's Avatar
    Sure, the linked article is only about local attacks, still it is possible through WAN as well. Just some googling required. Let's say you managed to put the Malware on device, then you can secretly start a web server as well. While I agree it's a very bad idea to install APKs from untrusted sources, it's really not the same as giving out your Google login data. There is/was a Webview vulnerability which affected browsers downloaded from Play Store (and not patched in older versions) too, so 'normal' users were fracked as well.

    Dunno about 'unreasonable' or maybe I just don't see Google as 'balanced' as you do.

    Via Pasta CB10
    That has always been the case for software, not just Android. Windows has had that problem for ages now, with users installing programs from untrusted sources, and yet its popularity didn't decrease. I am for giving users options, but that power must be used with care.

    Android is like Windows on PC. With a little bit of common sense you will be fine in 99% of cases.
    07-07-15 09:53 AM
  17. tollfeeder's Avatar
    Android is like Windows on PC. With a little bit of common sense you will be fine in 99% of cases.
    Is this supposed to mean it's as bad? Because I think it is. Did you ever have a look at the average user's Windows machine? From my experience there is a lot of common sense missing there.

    Via Pasta CB10
    07-07-15 10:01 AM
  18. Soulstream's Avatar
    Is this supposed to mean it's as bad? Because I think it is. Did you ever have a look at the average user's Windows machine? From my experience there is a lot of common sense missing there.

    Via Pasta CB10
    True, I have seen such machines as well. My point is that the ability to install untrusted apps being disabled by default and giving users a warning about potential security risks is a good balance between security and accessibility. The best way to solve this would be to block all sideloading from Android altogether. I don't see another way for Google to protect users against such rogue apps.
    07-07-15 10:31 AM
  19. Prem WatsApp's Avatar
    CryptoLocker for Android...

    Now available for your device!

    8-o

    Chendroid or not? - QNoX powered ftw...?
    07-07-15 03:38 PM
  20. Prem WatsApp's Avatar
    True, I have seen such machines as well. My point is that the ability to install untrusted apps being disabled by default and giving users a warning about potential security risks is a good balance between security and accessibility. The best way to solve this would be to block all sideloading from Android altogether. I don't see another way for Google to protect users against such rogue apps.
    Yeah, it goes like

    "Just google some program so I can watch this video or download from youtube, click, click, click, Next, Next, Express Install, Agree, Next, Finish..."

    If you ask, "I don't know how that got on there..."

    And that's how the junk, ad-ware and spyware end up on the PCs and are causing a horrible mess. Why should it be different on Android? "Permissions, ok, done... "

    :-D

    Chendroid or not? - QNoX powered ftw...?
    07-07-15 03:44 PM
  21. Troy Tiscareno's Avatar
    Snap is safe. I do not think people really recommend 1mobile or any other app stores on here.

    I have heard many bad things about 1mobile in the forum.
    On the contrary - I see people recommending 1mobile and other "alternative" app stores here almost daily, and I cringe each time. It's kind of like shopping for used car parts in Tijuana...
    Soulstream and Blacklatino like this.
    07-07-15 07:22 PM