How Secure Are Playstore Apps?

[DroidFOSS]

I really believe that Android as an OS is almost as safe as Linux and one needs common sense and not anti-malware to keep your data safe. Having said that, I do not install from 3rd party websites, I do not visit dubious sites, I do not play games and I only download needed, not wanted, apps.

Hardening my browsers is a priority.

I do run AVL PRO on my phone and it had found various riskware in apps downloaded from Playstore. These are mostly adware that can allow unknown third party apps to access data on one's Android device. The ONLY anti-malware that could find these, is AVL PRO. I have tried 360, AVG, Bitdefender, all the major brands.


AVL PRO discovered this in Avira just now.

What do the techsperts say about this, what is really at risk and how can it affect me?

Why are so many apps "infected" with these adwares? Maildroid, BusinessCalendar, BusinessTasks, Avira.....many, many others.

 

[chanchan05]

Adware on Android phones aren't an infection. That's how the developers of free apps on Android earn, through ads. Also unlike adware on PCs which take over certain aspects and slows the computer down, ad software inside apps don't affect the overall performance of the phone.

 

[DroidFOSS]

Adware on Android phones aren't an infection. That's how the developers of free apps on Android earn, through ads. Also unlike adware on PCs which take over certain aspects and slows the computer down, ad software inside apps don't affect the overall performance of the phone.

I have always thought so myself, but Symantec reports that some of these adware can and do install third party apps in the background and these can access your personal info, contacts, even banking info. If Symantec is right, then we could have a problem?

Maildroid had adware in it and it used my contacts to send unsolicited emails, such as sending Whatsapp chats to my contacts via email. I am also not the only Maildroid user who had experienced this. This reminds of the Windows-based Melissa virus of around 2001.

One cannot have apps acting independently and compromising safety, security, privacy, etc.

 

[chanchan05]

I doubt the install without consent. If you have install verifier active in the Google Settings, any installation needs your consent to prove that.

However, the MailDroid thing does raise concern. However, it's something the developers designed their ads to do. Which is not exsctly a malware as opposed to a specific ad distribution scheme. The best thing to do in such a case would be to report to the developers that you do not want this ad scheme. However, you should also be wary. Any email app would have access to your contacts because the very nature of the app needs it to work. If you have sensitive information, then do not use a third party to access them. Maildroid is a third party email app. Stick to Gmail, Outlook, Yahoo or whatever email service you use.

 

[DroidFOSS]

Background installations are nothing new, it sits within existing apps and therefore cannot even be seen by App Manager. This is nothing new and I am aware that Apple users are also at risk for the same reason. Windows Phone is much stricter with app developers and therefore they have much less apps. That is why they sell much less phones, but it actually is a very safe system, second only to BBOS.

Many apps also pass Google's scrutiny and insert malware when you respond to the nag for updating. Android is very secure but the apps are all riskware until proven to be clean. Using something as efficient as AVL PRO does help as well.

I do not consider Google, Yahoo or Outlook as safe either, nor Apple, as we had seen enough security breaches over the past few years. Perhaps trusting app developers and service providers could be an error of judgment.

 

[zuben el genub]

Read the TOS. If Play doesn't tell you, sometimes Appbrain will have permissions broken down.

You can run a VPN on Android so I've heard. There are some people that have run computers for years with no AV. They have other means and use them, including all safety practices.

Don't automatically upgrade - read the change first. I've had a couple of apps change on upgrading and didn't say - improved UI isn't much of a description.

I use Eset. Have for years since it never required IE to run. It's been very reliable.
If push comes to shove, I will buy their version for Android.

I wouldn't be interested in Maildroid - but, does it only work with Google contacts?
What about those who prefer Outlook? My contacts are phone only, and no email addresses attached. Someone could send spam text I suppose.

 

[DroidFOSS]

The point is that someone with bad intent isn't going to tell you just as a car hijacker won't tell you he is waiting for you at the crossroads by 3pm, asking you to be in time.

It is really nothing new that malware gets into systems in this way and it has been documented and debated to the point of exhaustion by now. Apple takes on average six seconds to approve apps, I am not sure how well Playstore is checking either.

Eset - I swore by that brand for years but it did not detect a few riskware in Android, so I ditched it. So far, only AVL PRO had found riskware that were reported by Symantec, Kaspersky, etc., to be dangerous potentially. In each and every of these adware found by AVL PRO, it were the kind that will do background installations and harvest sensitive data.

PC wise, I have migrated to the more secure world of Linux and I use Thunderbird for email. It should be safe and I so wish there was a T-bird for Android as well.

 

[Rxpert83]

I don't have and (in my opinion at least) don't need AV.

Google regularly scans the playstore for malicious apps. Anything google doesn't pick up (zero day) likely isnt going to be picked up by an antivirus app either.

Android also runs apps in a sandbox, the antivirus app is also in that sandbox, effectively negating any real use.

Finally, google already verifies apps as they are installed on your device. This is essentially doing the same thing an antivirus app is doing.

IMO the bottom line is only download from the play store, from reputable developers, and check app permissions. IE - A flashlight shouldnt need access to your contacts. Thats about as safe as can be.

Spoiler

The Android operating system deals with software packages by sandboxing them; this does not allow applications to list the directory contents of other apps to keep the system safe. By not allowing the antivirus to list the directories of other apps after installation, applications that show no inherent suspicious behavior when downloaded are cleared as safe. If then later on parts of the app are activated that turn out to be malicious, the antivirus will have no way to know since it is inside the app and out of the antivirus’ jurisdiction. Due to the sandboxed nature of Android’s app ecosystem, according to the AISEC’s report, “Android antivirus cannot monitor dynamic behavior of other apps and working directories’ contents, antivirus software is completely oblivious to such activities.” Therefore, it is very difficult for antiviruses to get the full coverage that is typically needed to be truly effective.

http://www.androidauthority.com/state-antivirus-android-523684/

So right away, the potential for trouble from a single app is fairly limited. But it also means that there's not much an antivirus could do either. Any antivirus software you install on a phone would not be able to scan any other app, or any data used by those apps.

http://www.techrepublic.com/blog/it-security/how-effective-is-antivirus-software-on-smartphones/

Antivirus software on your smartphone works just about the same way as Google’s verification software. According to Google, “if you attempt to install an app from any source while app verification is turned on, your device may send information identifying the app to Google”.
This verification will walk through the whole process in the background, all without getting in the way (unless there’s a major red flag). Google’s anti-malware detector, Bouncer, also regularly scans for any app misbehavior or any activity that should be brought to your attention.
Having both antivirus software and the Play Services app installed is like having two of the same app on your phone. Both essentially doing redundant tasks.
So Antiviruses are totally useless? Not always. They do have number of other security features like lost phone location detection, reporting malicious websites, block call/sms, firewall (rooted inly) etc. But all of these are mostly done by Android and various other app. Android device manager locates your lost Android phone, lets you erase it and more. Similarly, Chrome (default browser) can detect malicious sites. And there are other dedicated app which can do other tasks better than these feature-rich antiviruses.


Read more: http://geeknizer.com/mythbuster-do-you-need-antivirus-on-android/#ixzz3JQz6Rwk9

http://geeknizer.com/mythbuster-do-you-need-antivirus-on-android/

 

[zuben el genub]

I use Linux myself. I get mail through Tbird or Clawsmail depending on which computer. I'm a tad annoyed with Mozilla, but Pale Moon has a TAR file.

I really want NoScript on Android - however with stuff moving to HTML5, I haven't seen any reports of what nasties are doing and how to combat.

I had to use Eset. I was running a shell on W98SE that hid Internet Exploder totally.
I hate that browser. Therefore I had to find an AV that didn't use it.

I agree with Rxpert83. If all you see is free and download everything that looks interesting willy-nilly, you will have trouble.

If there is a real bad apple, someone will ask here or there will be posts on other forums that deal with phones and/or security. Read! There are plenty of stickies here.

 

[DroidFOSS]

Does Google also actively scan subsequent updates?

 

[DroidFOSS]

Adware on Android phones aren't an infection. That's how the developers of free apps on Android earn, through ads. Also unlike adware on PCs which take over certain aspects and slows the computer down, ad software inside apps don't affect the overall performance of the phone.

Android.AdMob | Symantec


This is not a nasty but one found in Maildroid and also in a VPN programme were the same - both would install spyware in the background while you surf along happily in la-la-land.

 

[Rxpert83]

Does Google also actively scan subsequent updates?

From my understanding the playstore gets scanned on a regular basis. Whether thats each time an apk gets uploaded or every "x" days/weeks/months I don't know, since its probably information best not made public.

 

[Rxpert83]

Android.AdMob | Symantec

There are certainly less than ideal advertisers out there. Google banned IMO one of the worst - airpush ads.

There are no viruses in the traditional sense on android. The more common scenario is an app downloaded from a 3rd party stealing device data, but that is only possible when the user grants the application permission to do so.

 

[Hadron]

One annoyance is that Google constantly "simplify" the permissions info, giving you less information or making you dig further to find it. And they present this as a good thing...

 

[Hadron]

There are no viruses in the traditional sense on android. The more common scenario is an app downloaded from a 3rd party stealing device data, but that is only possible when the user grants the application permission to do so.

Which is why you should check permissions make sense when installing apps, and be particularly careful when installing apps which do need intrusive permissions to do their job.

Ironically this makes security apps the category to be most careful about, as they really do need every permission a malware author could dream of

 

[mikedt]

Which is why you should check permissions make sense when installing apps, and be particularly careful when installing apps which do need intrusive permissions to do their job.

Ironically this makes security apps the category to be most careful about, as they really do need every permission a malware author could dream of

I've never heard of "AVL Pro", how do I know that the anti-malware isn't malware itself, i.e. a trojan.

How secure are "security apps"? I don't use them myself. Careful about what I install, and look at the permissions carefully when installing stuff.

 

[DroidFOSS]

I've never heard of "AVL Pro", how do I know that the anti-malware isn't malware itself, i.e. a trojan.

How secure are "security apps*? I don't use them myself. Careful about what I install, and look at the permissions carefully when installing stuff.

AVL PRO was recommended by this industry's top security experts.

Even on Windows, Avast! had been "exposed" as containing spyware, maybe 2-5 years ago. Kaspersky is worse than any other malware and impossible to even remove on S60. I also have my doubts about anti-malware apps.

Even though an app passes all scrutiny, it could still access information and anonymously communicate this with a server somewhere out there. Too many Android apps ask for permissions well beyond its need to be functional. That should be a red light of warning to the user,

 

[Hadron]

Android.AdMob | Symantec

You do know that AdMob is Google's mobile advertising platform?

If that's the thing that AVL are reporting as "malware" then they still need to do a bit of work on their classifications. If, like Symantec, they are reporting it as "potentially unwanted" then IMO that's fair, but not the same as malware (the images you posted are too small to see what they actually say).

 

[chanchan05]

If AVL is reporting Google's product as malware on an OS that Google made, I'd say I'll doubt the word of your so called experts on the quality of AVL, which I also have never heard of before. Even when I scour the net and forums for reviews before every AV and AntiMalware purchase.

Also background INSTALLATIONS aren't going to happen on Android due to sandboxing. It's more likely that the malware was already built into the app itself, rather than a background installation. This is how malware on Android works. It's not a background installation as much as it is an embedded process in the app itself.

 

[mikedt]

I'd be suspicious about AVL myself, and who are these "experts"? Links and citations please.

My own brief research tells me it comes from a "Harbin Antiy Technology Co.,Ltd.", who are in China.

You know the proverb..."Don't look a gift horse in the mouth, no matter how questionable its pedigree might be."

 

[maildroiddev]

This is all very interesting with the comments here from people. One person said we have sent out emails to contacts etc. Someone else said VPN. Well, this is all false. We have always been open on permissions and ads. We have ads in the ad version. They are from respectable ad companies (Yahoo, AOL, Google, Amazon, Opera and a few more). If one of them was an issue, we would have been told and they would have been removed. There is nothing in the code that runs to do malicious things, it makes no sense for us to do that (it's our company, why would we want to do that). Now, having said that, there are cracked versions of our app out there on the web. It hurts our business, but to the point that people are willing to download an app that has been cracked and available on hacker sites is beyond us. It could very well be that some of those are infected and I would not be surprised if they are.

MD has been around for 5 years on the play store with almost a million active users, we have no reason to do anything malicious. We are always available to speak via email if you have concerns or questions. However, I felt the need to respond to this old thread as I was shocked to see blatant lies.

 

[lee kennard]

Background installations are nothing new, it sits within existing apps and therefore cannot even be seen by App Manager. This is nothing new and I am aware that Apple users are also at risk for the same reason. Windows Phone is much stricter with app developers and therefore they have much less apps. That is why they sell much less phones, but it actually is a very safe system, second only to BBOS.

Many apps also pass Google's scrutiny and insert malware when you respond to the nag for updating. Android is very secure but the apps are all riskware until proven to be clean. Using something as efficient as AVL PRO does help as well.

I do not consider Google, Yahoo or Outlook as safe either, nor Apple, as we had seen enough security breaches over the past few years. Perhaps trusting app developers and service providers could be an error of judgment.

Hi, where do you get AVL PRO?

 

[EarlyMon]

Wow.

OK - so the OP has 9 posts over 2 days. His introduction said he had here to talk about the product and that's exactly all he's done.

Despite most not ok with AV, I do see a valid place for it in our ecosystem.

However, there's a tremendous difference between valid anti-malware and snakes oil just as there's a tremendous difference between normal members here and trolls and shills.

It comes as no surprise to me that the blog listed as the OP's homepage has been removed and that he hasn't come back.

As I am on record recommending MailDroid in the past (as in - well before this thread came to be) and as I don't get paid by anyone for saying it, how about I just say it again?

Check out "MailDroid - Email Application"

https://play.google.com/store/apps/details?id=com.maildroid

How about another one that got singled out?

Check out "Business Calendar 2"

https://play.google.com/store/apps/details?id=com.appgenix.bizcal

And how about we address the misinformation?

As Hadron pointed out - even the link provided as proof did not say that there was malware here.

All it said was most people are too lazy to follow a link when there's a good argument to be had and that the practice of extrapolating how things are on Windows to Android is alive and well and bickering about it is becoming a grand tradition.

I am not providing a link to the to the nonsense listed in the OP but I am closing the thread.

Anyone have a problem with that, tap my name, drop me a line.

Otherwise let's stick a fork in it.

/thread closed