05 Nov

In my continuous hunt for new apps, I sometimes run into such obvious malware/crapware that it causes an immediate virtual gag reflex. Sometimes, however, this malware is cleverly disguised and to an unsuspecting user it may seem legitimate.

Here, have a look at what I found today:


If you briefly scanned this page, you may have missed the fact that the publisher's name is MicrosDft Corporation (in all caps), or that it's requesting a permission to directly dial phone numbers without your intervention, or that the website in the listing is msM.com.

Thankfully, the number of 1-star user reviews is now starting to look alarming, but that wouldn't have been the case if you saw it right as it came out. What's even more worrisome is the 10,000+ downloads and the number of 5-star ratings, all of them undoubtedly either fake or created by unsuspecting victims.

So remember - always pay close attention to the details, do your due diligence, and be suspicious - otherwise you may end up giving away your personal information straight to rogue databases or find a few hundred dollars worth of premium calls on your next phone bill.
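The warning signs above (a near-miss publisher name in all capitals, a lookalike website, a permission to dial numbers on its own, and a ratings histogram split between 5-star and 1-star) can be checked mechanically before you install anything. The following is an added example, not code from Android Police; the brand table and the two sample listings are constructed for illustration.

```python
import re
from dataclasses import dataclass

# Assumed lookup table of brands an impostor would imitate and the domain each
# legitimately uses (constructed for this example, not a real reference list).
KNOWN_BRANDS = {"microsoft": "msn.com", "google": "google.com", "skype": "skype.com"}
# Permissions the post singles out as a red flag for a messaging app.
HIGH_RISK_PERMISSIONS = {
    "android.permission.CALL_PHONE": "directly call phone numbers",
    "android.permission.SEND_SMS": "send SMS messages",
}

@dataclass
class Listing:
    publisher: str
    website: str
    permissions: list
    ratings: dict  # star value (1-5) -> number of ratings at that value

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a small non-zero value means a near-miss spelling."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def near_miss(word: str, candidates, max_distance: int = 2):
    """Return the candidate that `word` imitates (1-2 edits away), else None."""
    word = word.lower()
    for cand in candidates:
        if 0 < edit_distance(word, cand) <= max_distance:
            return cand
    return None

def host_of(url: str) -> str:
    """Lower-cased host name of a listing's website, without scheme or 'www.'."""
    host = url.lower().split("://", 1)[-1].split("/", 1)[0]
    return host[4:] if host.startswith("www.") else host

def triage(listing: Listing) -> list:
    """Collect the warning signs present in a listing as readable findings."""
    findings = []
    if listing.publisher.isupper():
        findings.append("publisher name is in all capitals")
    for word in re.split(r"\W+", listing.publisher):
        brand = near_miss(word, KNOWN_BRANDS) if len(word) >= 4 else None
        if brand:
            findings.append(f"publisher word {word!r} imitates {brand!r}")
    host = host_of(listing.website)
    domain = near_miss(host, KNOWN_BRANDS.values())
    if domain:
        findings.append(f"website {host!r} imitates {domain!r}")
    for perm in listing.permissions:
        if perm in HIGH_RISK_PERMISSIONS:
            findings.append(f"may {HIGH_RISK_PERMISSIONS[perm]} without user action")
    total = sum(listing.ratings.values())
    five, one = listing.ratings.get(5, 0), listing.ratings.get(1, 0)
    if total >= 20 and (five + one) / total >= 0.8 and min(five, one) / total >= 0.2:
        findings.append("ratings split between 5-star and 1-star (fake praise plus victims)")
    return findings

def verdict(listing: Listing) -> str:
    """Two or more independent signs together are treated as suspicious."""
    return "suspicious" if len(triage(listing)) >= 2 else "ok"

# Constructed sample listings: the first mirrors the fake "MSN" app described in
# the post, the second a plausible legitimate listing for comparison.
FAKE_LISTING = Listing("MICROSDFT CORPORATION", "http://www.msM.com",
                       ["android.permission.INTERNET", "android.permission.CALL_PHONE"],
                       {5: 310, 4: 12, 3: 8, 2: 15, 1: 140})
CLEAN_LISTING = Listing("Microsoft Corporation", "http://www.msn.com",
                        ["android.permission.INTERNET"], {5: 300, 4: 100, 3: 40, 2: 20, 1: 25})
```

Run `triage(FAKE_LISTING)` to see every sign listed individually; the verdict only fires on two or more of them so that a single all-caps name or one unusual permission does not condemn an honest developer.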

What You Can Do

So, what can you do when you spot a shady app like that?

Call [Android] Police

We'll try to bring it to Google's and the public's attention, and the app should get removed shortly after. Tweet at us, email us, send us a pigeon (email usually works best though).

Flag As Inappropriate In The Device Market

Flag the app as harmful by pulling up the on-device Market and marking it as inappropriate (the Market then asks for a more detailed reason). Why Google doesn't build this functionality into the web Market is beyond me.

Note: The "Harmful to phone or data" option only shows up if you install the app first.


Report It On The Web

You can report apps on the web via this form buried somewhere deep inside Market support pages. Be prepared to fill out a bunch of info the Market should already know about you - come on, Google, do you really want to discourage your users like this?

Thanks to John Cassero for this tip!


Leave A 1-Star Review

Unfortunately (in this case), in order to leave a 1-star review, you need to actually install the app, quickly leave the review without starting it, and then quickly uninstall it. Do so if you feel especially adventurous today - your brethren will be forever grateful, but note that very theoretically the app could get triggered by something and run in the background after installation, so know the risks and be quick.

Note: Be sure you're leaving a 1-star review for an app you truly think is malicious. Don't hit an innocent dev by accident.

This PSA is brought to you by your local Android PD. Stay alert, folks.

Artem Russakovskii
Artem is a die-hard Android fan, passionate tech blogger, obsessive-compulsive editor, bug hunting programmer, and the founder of Android Police.
Most of the time, you will find Artem either hacking away at code or thinking of the next 15 blog posts.

  • http://twitter.com/aslack12 Austin

    AP, why would we email you and have you bring more attention to these kinds of apps?

    Doing that just makes the Android Market and Android itself look bad.

    You should have just written about this and told everyone else to just report the bad stuff they find, which most people do already.

    • http://www.AndroidPolice.com Artem Russakovskii

      Because if you find a malicious app and report it once, chances are Google will not see it among all the noise. If you tell us about it, we'll get more eyes on the matter which will likely result in the appropriate action sooner.

      We'll do what needs to be done - we're not in the business of watching from the sidelines.

      • http://twitter.com/aslack12 Austin

        Right, but this is exactly what shouldn't be done.

        One of the big things Apple, and others tout is that the App Store is much safer than the Market because of its vetting process.

        Why bring attention to what is probably one of the Market's biggest downsides?

        • http://www.AndroidPolice.com Artem Russakovskii

          Why call police when you see a robbery taking place? It'll raise crime stats in your neighborhood and your house may go down in value.

        • SK

          Good response Artem. This guy is obviously an Android fanatic and idiot. There is a fine line between fanatic and fan -- Austin seems to have crossed it.

        • tony

          One reports the issue so that it stops *being* an issue.

          If we never bring to light this problem, it's going to keep affecting more and more people and it will eventually get known anyway. It's more preferable to have it be known when it's not as big a deal and kill it then than have it become known when it is a huge problem and thus looks even worse.

        • http://TheAndroidSource.com Chris Gustafson

          Tony, Exactly, look at Penn State. Lol

        • Jamie

          His point is much more valid than yours, and I fail to see why you are more worried about image than protecting yourself from possible identity theft etc.

          The fact that we are a dev/tight community is what I thought distinguished Android from iOS, but apparently not. This is just one way the Android community can protect itself, because like it or not popular platforms are always going to be a target of viruses.

        • Jerry Mancini

          @Austin... you are an idiot. Buy an iPhone then stupid.

  • http://www.mikeymushi.info mikeymushi

    Good one, smart bustard he is, but for one flaw in his/her master plan: who the hell still uses MSN??? Anyway I think you guys should have a page dedicated to malware, viruses, sneaky apps etc.

    • Rob

      "Who the hell still uses MSN???"

      Me and everyone I know...

      • http://www.mikeymushi.info mikeymushi

        lol, my bad :), I guess I was meaning that it's not as popular as it was a few years ago.

        • Rob

          I know there's a lot of talk these days about "I don't use an IM client anymore, I just use Facebook Chat". But I've yet to find anyone who has actually given up IM clients for Facebook. I actually have friends who never sign in to Facebook Chat, yet use MSN all the time.

      • http://sketaful.se Sketaful

        What I am more curious about is who still uses msn.com :P

        • Zomby2D

          Surprisingly I know quite a few people who still use it as their homepage.

  • Andrew

    @Austin
    This way if AP is tipped about a malicious application they can blog about it, thus instantly getting that information out to ~35,590 followers on twitter and ~23,598 people who liked it on facebook. After people read about it they can all report it as malicious and it will get it taken off the market faster.

    • http://twitter.com/aslack12 Austin

      Yup, and a whole bunch of Apple followers, who will have just one more reason to act high and mighty...

      It's like giving your opponent the bullets to shoot you.

      • Mike

        If Google isn't going to screen apps, then they need to act quickly when they receive reports like this. If they don't do so, then it IS a major weakness of the Android ecosystem.

        What do you care what Apple fanbois think?

        • http://twitter.com/aslack12 Austin

          I care because they can influence people away from Android.

          In response to "SK" above. I'm neither a fanatic nor an idiot.

          I guess I just don't enjoy shooting myself in the foot.

        • http://unitedtechguys.com/ Brad Merrill

          @Austin

          You shouldn't care what iOS people think. They're obviously not going to steer YOU away from Android (since you're already there), so why are you so worried about it?

      • Danijel

        Why is Apple an opponent, I didn't know Android is at war with iOS. Fanboyism, really?

        Everything has a downside but this is an okay way of taking care.

      • Robert

        The absence of logic in your argument is mind-numbing. Whatever this "Apple v Google" thing is of yours, set it aside for a second and think about what you're recommending. You're essentially saying that users shouldn't have the benefit of the power of the Android Police community behind them whenever rogue or malicious software is found in the Market. It almost sounds like you are a proponent of such software, which I trust you are not. It makes much more sense to report malicious software and risk a bruised eye in the public arena than to sit back and let tens of thousands more folks download crap like this and fall victim. Stop for a moment in your "OccupyApple" campaign and think about the argument you SHOULDN'T be waging.

      • http://sketaful.se Sketaful

        Seriously? No one can be this ******?

        Are you by any chance a politician? :P

      • Manny

        If you like Apple so much why don't u just get an iPhone then haha

      • copolii

        Are you afraid of the Apple fanboys? Who cares! This is our platform and we do everything we can to keep it clean. I don't care how Android looks to a bunch of sheep. If some douchebag is putting malicious software on the market, we should all do what we can to get the sucker banned.

  • http://rootzwiki.com Joshua

    Regardless of how much we like Android and would hate to bring bad light to the Android market, we still have to be aware that the nasties can still get through. That's the thing about our awesome community. If we find something we think is harmful, we are very quick to bring it up. In turn it usually gets dealt with quickly. I think that is one tiny thing that helps keep Android fun and enjoyable. This shouldn't be looked at in a bad way. It just shows how much we actually care.

    Thanks AP for helping us keep our market policed.

  • Bunie

    If you "briefly scan" that page, you'd see it says MSN, which is no longer what the messenger is called.

    • Dandmcd

      Most people I know still call it MSN. Especially people from China where MSN is still popular.

  • SK

    Artem, the suggestion to install the app to be able to report it as malicious or to give it a 1-star rating is a very bad suggestion.

    Once installed, an app can auto run without the user starting it for the first time. I believe this has been fixed since Honeycomb or ICS, but it's certainly not true for older Android versions. So, your suggestion might actually help a malicious app to do bad things.

    You could argue that "hit the Uninstall button immediately". But with how slow the Market app and Android can be at times, there is no surefire way to make sure the malicious app doesn't get to run.

    Thanks for the PSA though.

    • http://www.AndroidPolice.com Artem Russakovskii
      • http://www.mylookout.com David Richardson

        Plan B developer here. Google Analytics referrer tracking can be used to have any app start automatically upon install.

        Source: https://www.defcon.org/images/defcon-18/dc-18-presentations/Lineberry/DEFCON-18-Lineberry-Not-The-Permissions-You-Are-Looking-For.pdf (Search for "Start on Install")

        • http://www.AndroidPolice.com Artem Russakovskii

          So many hacks and tricks in there, thanks David. Fascinating read. So it's safe to say that this is fixed in Gingerbread then, as long as the url didn't have that parameter?

        • SK

          Interesting read. The saddest part is that Google could easily fix this by making permissions more granular and describing it to the end user clearly. Also allowing users to pick and choose what permissions requested by the app are honored would help.

          If I don't care for bug reporting/feedback, I should be able to disallow an App from looking at the logs.

          In the current state, security in Android is just security theater, not real security. Not even an attempt at real security! It drives me mad that Google is so apathetic about this.

        • http://www.AndroidPolice.com Artem Russakovskii

          Still miles above iOS, right? As for permissions, it's not as simple. There are many ways I can see users abusing this as well - denying Internet permissions to all offline apps so that no ads could be served, for instance. It would also complicate logic for developers, who wouldn't be able to rely on functions the app thinks it has access to.

          If you want to secure yourself and see what happens, there are apps out there that will let you disallow certain permissions on a case-by-case basis, if you're rooted.

        • Christopher

          [Can't reply to Artem's post directly, for some reason]

          Even without using the Analytics route, there are plenty of broadcasts that occur regularly enough that you can start an app relatively quickly after install: listen for connectivity events (loss of coverage etc), connectivity changes (switch from EDGE to 3G etc), wifi events (wifi on/off, scan results), screen unlock, incoming SMS, battery events...

      • SK

        Wait, how does Plan B send itself a SMS to activate if it's not already running? I guess it's triggered by the user doing something in their website? I would think that can't be used here. Either way, looks like there is still a way to get your App to run after install.

        Thanks for updating the PSA with the risk. I would just not recommend it at all since "being quick" is mostly useless when the CPU can run millions of instructions per second. But, hey, if people feel adventurous, I guess they could do it.

        • http://www.AndroidPolice.com Artem Russakovskii

          Well, since apps react to Intents, if an SMS intent were to fire, it would trigger any apps subscribed to them. I believe, that was the workaround Plan B used to start itself sooner, but David can correct me if I'm wrong.

      • http://schpydurx.livejournal.com ProfessorTom

        On iOS devices, ALL applications are sandboxed - meaning that they can only get to their own quarantined section of the file system and have to go through the OS framework to get at any other data - Android leaves the file system wide open. This leads to an infinitely wider attack surface on Android.

        In addition, because Apple curates apps that are in the App Store, the probability that an app will have permissions to various data that it doesn't need is rather low, thanks to entitlements. I know that Android has some kind of permission declaration, but it seems to be a shotgun approach rather than well-defined and enforced. Leaving it to the user to sort out programmatic permissions means that users are likely going to leave settings in their default state or simply approve everything as was seen with Windows Vista. This too causes Android to be infinitely more insecure than iOS.

        Android users, therefore, are now required to run anti-virus software, spyware and malware detection tools on their mobile devices, else run the risk of having phones that are riddled with viruses, Trojans, spyware, malware, etc. The war that was fought in the decade between 1995 and 2005 on the desktop has moved battlegrounds to the phone.

        So I would argue that security on iOS is much greater than on Android.
        And we haven't even gotten to encryption.

        • http://sketaful.se Sketaful

          The strange thing is that I've never ever encountered any malware or virus on Android and I'm an app junky that has to install 200+ apps a month and then do a reset on the phone and begin installing apps again.

          (This on the other hand has given me quite some insight into what apps are useful or not :P)

    • GraveUypo

      Hit airplane mode right after downloading it. That should help.

  • Fernando

    Google needs to step the F up with this crap.. No wonder iPhone is selling like crazy. People don't want this crap on their phones.

  • hibilliegreg

    Anyone downloading an app associated with Microsoft, whether real or fake, deserves a virus.

    • http://sketaful.se Sketaful

      You deserve a +1

  • http://denh.am DrMacinyasha

    This kind of stuff is also a good reason to have apps like LBE Privacy Guard v2. At the very least, it'll highlight the permissions that the app is requesting, and give you a chance to stop them.

  • lance misner

    Android Police should become Google's "Back Door" if you know what I mean!!! I think a good strong connection between a very user friendly site, such as this, and major developers, e.g. Google, would make things run a lot smoother, and get these issues handled in a much quicker and discreet way.. just my opinion.

  • http://camsvirtualrealityreality.blogspot.com Vectrex

    Here's my solution. Community vetted apps.
    This is from a blog post which has other Market ideas to help fix stuff like this. http://camsvirtualrealityreality.blogspot.com

    *** Problems ***
    - Actual malicious apps which steal your info, make expensive calls or are just simply viruses get released immediately on the marketplace. These seem to take AGES to be removed. A ridiculous amount of time in fact. I've seen fake famous games actually in the top lists for multiple days.
    - Google don't want to/can't hand vet every app.

    *** Solutions ***
    Community vetting: Like a jury.

    - You should be able to set yourself as a vetter in your profile (ties into the beta tester idea below).

    - You get sent a few random new apps a day
    - They would show up in the same place as app update notifications and/or as a special column in the market app.
    - Regardless of what they cost, if you rate them or object to them you get to keep it as encouragement.
    - You don't get to choose which app to vet. To discourage only vetting cool looking apps to get them free. No new apps appear until you finish vetting the existing ones.

    - The number of vetters is automatically calculated based on a previous rating numbers/new app demands/number of registered vetters metric.

    - You can rate/object them BEFORE you install if it's obvious. If you rate low or object it's automatically removed/not installed.

    - If Google receive even a few 'this is harmful' or very low ratings from vetters it's taken down automatically for a Google employee to hand vet, regardless of the positive rating from vetters (to avoid gaming the system). Which would hopefully also quickly ban the entire developer and their other, probably crap apps.

    - The app would not go live on the market until a certain number of vetters vote.
    - This should happen almost immediately due to the massive number of Android nerds like us :)
    - A cool down period of a day would allow the app to go live even if no-one vetted it.

    - New, unvetted apps that make it anywhere near the top lists should get priority and be sent to many vetters immediately.

    - If Google hand vet the app and it is deemed good, ANYONE who objected gets banned from ever being able to vet or beta test again.
    - All apps previously vetted get deleted.
    - Their account can be monitored for any more suspicious activity. Just rating an app low wouldn't do this (as it may not work).
    - A BIG warning comes up when a vetter sets a harsh objection. It should describe the type of things that objection is for. NOT that you just think the app is stupid. Some objections might be exempt, like 'crashes' and would not popup a warning.

    - Vetters tagging the app as broken could have their handset stored in a database so the developer could fix the issue. New users could be warned until the app stops breaking on their particular handset (see 'beta tester' idea below to avoid this)

    - New vetters are warned apps may be malicious! So Google doesn't get in trouble :) Still, this is better than the general public getting it.
    New objection categories! I presume 'spam, malware, virus' aren't categories so it doesn't scare 'normal' people. Ok, only show these if you are a vetter.
    - New categories could be 'pirated app, fake, spam, crashes, forces user to skip 15 minute refund period, unreasonable permissions' (BIG WARNING HERE, as most people don't understand why apps need certain permissions (like AdMob stuff)).

    - Should updates need to be vetted? It would be reasonably easy to submit a non-spam app, get it approved and update it with crap. Even without vetting updates it'd still be vastly better than now since to pass the app would actually have to do something useful and would stop all the fakes which is most of the problem.

    Popup warning
    - The marketplace should automatically warn the user on purchase/install when the app has a high number of low scores (NOT the average), plus multiple objections logged, plus that it hasn't been vetted by anyone yet.
    And finally..

    - Allow the general public to set 'only show vetted apps' in their market app. This is especially good for anyone giving a phone to their kids/mum (a filter for apps with a high 1 star ratio would be nice for the same reasons). If anything I think the default should be to only show vetted apps.

  • someone

    If I wanted a garden type application store, I'd just go download Amazon or GetJar. Problem solved

    • Funkey Pancake

      getjar? you gotta be kiddin, 90% of their apps are actually malware

  • Andy

    I think Vectrex's idea above seems like a good one. It's the community that drives a lot of the Android power we all love so his idea seems like a good community solution. It might need more refining though, certainly:
    If Google hand vet the app and it is deemed good, ANYONE who objected gets banned from ever being able to vet or beta test again.
    We'd have no vetters available after a year lol, maybe make it 3 strikes and your account is investigated? But overall seems like a good idea

    Top marks to Android Police for showing this, I believe it's better to act than bury your head in the sand

  • http://rockthatmobile.com Dana Rock

    The MSN app is timely because I've had a few ten years+ old hotmail accounts get hacked recently and start sending mass spam to old contacts.

    It kind of scares me that Microsoft's solution to this in their support menu is only to change your password (no reporting option or anything). I'm sure apps like the one in the article are contributing to this wave of hackings - it is the number one support topic in the support area of hotmail.....eeeek.

  • http://droidsamurai.blogspot.com PixelSlave

    You know, Google may not want to pre-screen an app before it's posted, but it definitely should find a way to verify a well-known organization. Today, it's MICROSDFT, what if it's GDDGLE, RDVID tomorrow? If Google verifies celebrities' Google+ account, they should do the same to verify developers' Android account.

  • Falconator

    For situations like this, I still have my Original Droid w/ a custom rom and nothing else on it using wifi only to download from the market and report as necessary.

  • http://camsvirtualrealityreality.blogspot.com Vectrex

    My 'Community vetting' request got denied by Google :(
    http://code.google.com/p/android/issues/detail?id=21582

  • Thomas

    The whole "don't report it or it gives Android a black eye" thought process is flawed. It's like saying "Chevy has a safety issue in the car, but we can't recall it or we might look bad".
    If the security issue is there, report it, and get it fixed. By not broadcasting it and taking action, we look more and more like Apple - with their "Gotta hold it this way" method of fixing their problems.
    By taking action, we show we are a proactive community, not trying to hide from the problems. No, it's not easy, but then, you have to take the lumps in order to knock down the existing king of the hill.

  • NuLL.n.VoiD

    Hey, has anyone noticed that the links are no longer valid? I tried a search in the market and it doesn't show up that way either. So it would appear that this app has been obliterated. Artem, thanks for your diligence.

  • Dennis

    @Rob: I actually don't use any IM clients anymore, except when I happen to be on Facebook. If I could get more people to shift to google+, I would use theirs and drop FB altogether, but for now...

  • uin

    Call the Android Police...I like that

  • Mjroberts22

    I sent you guys 2 tweets about some bad apps on Monday or Tuesday of this week. Android Central jumped all over it, nothing from you guys. I realized it was probably because you were running a contest that involved Twitter at the time, so my tweet probably got lost in the mix. Maybe you need another Twitter account for reporting bad apps. The more people that report bad apps the quicker these things get kicked to the curb. I don't think it hurts the Android ecosystem when we do this, I think it hurts Android when innocent people get burned on bad apps.
