Discussion on:

33
Comments

... by security firms trying to sell something.

I've still yet to see anybody quoting actual infections of real malware from any of the "official" apps stores.

Reminds me of the "sky is falling" approach taken by many so-called security experts when 1 (that's right, 1) infection made it onto OSX machines.

I'll take all of these reports with a large grain of salt until I hear about actual infections of real malware. But I'm not holding my breath.
7 Votes
+ -
Contributr
Malware today is not designed to be damaging. It sits in the background, quietly sending your information to some remote site. And, your phone's security measures do not consider it malware as you willfully loaded it.
-1 Votes
+ -
I guess THAT is the problem then. On my PC, if I "willfully" click "OK" and allow malware to be installed my malware detection software will still detect it as such.
2 Votes
+ -
Contributr
Not really, Andrew
Michael Kassner Updated - 29th Jan
You have the option to test it yourself. Pick an app Zscaler has marked as one that sends your information to the developer's server. Load it, scan it using Zscaler's tool. See what the tool says. Finally, see if your phone's antimalware app finds it.

I have done this with apps known to leak information and antimalware apps did not recognize them as malware.
And no, I didn't miss the point, but apparently you missed mine.
I was commenting on the data manipulation and exaggerated malware claims coming from those trying to profit from stirred-up malware hysteria.
1 Vote
+ -
Contributr
I agree with you that there is some theater, that is why I wrote this article. This tool allows you "yourself" to determine what the app is doing. I have been researching this for over a year and the only other method I know is to reverse-engineer the code. In the near future, a research team from Germany that I interviewed will have another tool:

http://www.techrepublic.com/blog/security/android-apps-and-ssl-wheres-the-padlock/8836?tag=content;blog-list-river
0 Votes
+ -
Got lost in the nesting for a moment there.
But yes, I was referring to your reply to my reply to yours.
0 Votes
+ -
I would certainly classify sending my information to a remote site as "damaging".
0 Votes
+ -
Contributr
I should have been more clear. Earlier malware clearly signaled its presence, usually by doing harm. Today's mobile malware does not.
to your previous article Michael. I'm sure all of us in the TR community feel obliged to you! check
1 Vote
+ -
Contributr
I hope it helps people as it is the only way many of us can tell what's going on.
2 Votes
+ -
First of all - great article. Very informative both from a "what's wrong?" aspect and from a "what you can do" aspect.

Your article cites Android applications as the major offenders. What about iOS apps?
It is my understanding that they do as well. If you have a particular app in mind, enter it in the search function and see what comes up. Or you could try the app in ZAP's scan function and "for sure" see if it is leaking any information.
0 Votes
+ -
Does anyone know where I can get one of those Giant Cell Phones with a huge battery pack from the 1980's that only made voice calls? Until the Android store does a better job at reviewing the software that it allows to be distributed on their network I think one of those old phones will be safer.
I used to have one of those phones, and I will keep my SIII. I think we can stay ahead of the game as long as we stay alert and reading TechRepublic (shameless plug).
0 Votes
+ -
From my understanding...
JCitizen Updated - 30th Jan
those old phones don't work on the cellular standard anymore - even out here in the desert, they ditched the old infrastructure equipment years ago.
0 Votes
+ -
The Zack Morris phone
viProCon Updated - 31st Jan
Just FYI, the original mobile phone cell network in the US was called AMPS (Advanced Mobile Phone System). You might be surprised to find out that the FCC only required the discontinuation of AMPS in 2008 so up to that point you could in fact have used this old phone.

Speaking of which, this phone in particular was the Motorola Dynatac 8000X, which interestingly, now belongs to Google as part of their acquisition of Motorola. So, Android users out there, voila! there's a lineage to be proud of. The 8000X weighed 8 pounds by the way and had a 30 minute talk time battery life.

And one thing about Android platform and why they're so more highly prone to malware is that it's an open market, many many apps are not piped through the Google service but can be grabbed from bittorrents and the like. I realize anybody can put apps on their iOS device and get around the Apple Store but that's nowhere near the level of Android's open...ness. Whatever the word is.
0 Votes
+ -
If the FCC made it a requirement to change; I always figured they did. I am surprised anyone was still using it as late as 2008. My old phone went dead way before then, in fact about at the turn of the century, or thereabouts. I got my 1st phone in 1998 or so.
I recall recently reading the account of an iOS app dev, explaining how trivial a matter it is to get around Apple's cursory scan of newly submitted apps.
0 Votes
+ -
Contributr
I have been getting reports about each version. I suspect it's security versus convenience again.
I was replying to SgtPappy above.
At present the 'reply' and indeed even the 'edit' links are unresponsive here.
Well, I'm not a mobile app developer but it would seem to me that code is code essentially so while in the PC world, malware has evolved greatly, I don't see why that would be very different in the mobile world, yet, the mobile security products seem to be only in their infancy thus it will be easy for malware developers to overcome it. For example, does ZAP have solid tamper protection? But how can it, when other Android apps are given full privileges on the device, thus malware can remove ZAP before it even gets to be involved. Don't get me wrong I applaud that we are starting to see security at some level for mobile, because mobile is a security hole the size of Jupiter, but I fear it's not evolved enough. And the problem is that, for example, a rootkit in the PC world often never goes away even if you've run updated scans that "clean" the latest file running in ..\local settings\temp or what not, so you have to wipe the machine and re-install the OS. Not something people know to do on a mobile, so we'll have millions of rooted mobile devices out there, and by the time robust security is available those devices will already be owned and part of a botnet or whatever.

I do plead ignorance about ZAP though and have no idea what other things are out there. Example: I know Symantec has a Mobile security platform but no idea what it does.
0 Votes
+ -
Contributr
ZAP is a web tool on a Zscaler server that intercepts traffic from the application on your phone on its way to the application's home server. It then looks to see if traffic is sent in the clear and what traffic is being sent.
1 Vote
+ -
Geez, even after reading the article it seems I got it stuck in my head that it's an app when I posted. My mistake. But perhaps the idea still stands. Malware developers can code their app to look for traffic sent to ZAP and redirect it into oblivion, or I would assume there is some form of code installed on the phone itself that acts as the front-end forwarder to this back-end server, which could also be compromised.

Btw if I'm confused yet again, I'll just re-read the dang article so I can get my facts straight :) I read so many things in a day, sometimes with a pause between reading an article and posting about it, that I am prone to my own personal version of EMI I think.
0 Votes
+ -
It seems like my brain gets packed with too many interesting subjects, and just can't handle it all! silly
1 Vote
+ -
Contributr
If you use the scan feature, you provide what information is sent. And if the traffic is supposed to be encrypted (SSL) no one will be able to learn what you provided. The problem is that developers are doing a poor job of SSL and/or not using SSL, sending your provided information in the clear, which ZAP looks for.
1 Vote
+ -
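The check described in the comment above (see whether the information you typed into an app leaves the phone in the clear) can be sketched as follows. This is an added example, not part of the original comments and not Zscaler's code; the capture, hostnames and seeded values are constructed, and it covers only plain-HTTP traffic, not badly implemented SSL.

```python
import json
from urllib.parse import urlsplit, parse_qsl

# Values the tester typed into the app during the scan (constructed samples).
SEEDED = {"email": "tester@example.com", "password": "Tr0ub4dor&3",
          "device_id": "356938035643809"}

# Constructed capture: (method, URL, content type, body) per outbound request.
CAPTURE = [
    ("GET", "http://ads.example.net/track?imei=356938035643809&os=android", "", ""),
    ("POST", "http://api.example.org/login", "application/x-www-form-urlencoded",
     "user=tester%40example.com&pw=Tr0ub4dor%263"),
    ("POST", "https://api.example.com/login", "application/json",
     '{"user": "tester@example.com", "pw": "Tr0ub4dor&3"}'),
    ("POST", "http://stats.example.org/v1", "application/json",
     '{"profile": {"contact": "tester@example.com"}, "lang": "en"}'),
]

def _fields(url, ctype, body):
    """Yield (name, value) pairs from the query string and the request body."""
    yield from parse_qsl(urlsplit(url).query, keep_blank_values=True)
    if "x-www-form-urlencoded" in ctype:
        yield from parse_qsl(body, keep_blank_values=True)
    elif "json" in ctype and body:
        try:
            stack = [("", json.loads(body))]
        except ValueError:
            return
        while stack:  # walk nested objects and arrays
            name, node = stack.pop()
            if isinstance(node, dict):
                stack.extend(node.items())
            elif isinstance(node, list):
                stack.extend((name, item) for item in node)
            else:
                yield name, str(node)

def find_cleartext_leaks(capture, seeded):
    """Return sorted (host, field, label) for seeded values sent over plain HTTP."""
    leaks = set()
    for _method, url, ctype, body in capture:
        parts = urlsplit(url)
        if parts.scheme != "http":  # TLS traffic is not readable on the wire
            continue
        for name, value in _fields(url, ctype, body):
            for label, secret in seeded.items():
                if secret and secret in value:
                    leaks.add((parts.hostname, name, label))
    return sorted(leaks)

if __name__ == "__main__":
    for host, field, label in find_cleartext_leaks(CAPTURE, SEEDED):
        print(f"{host}: {label} sent unencrypted in field '{field}'")
```

Matching on the value rather than the parameter name is what catches the device ID sent as `imei` and the e-mail address nested inside a JSON profile object.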
Gotcha, BUT!! :)
viProCon Updated - 1st Feb
If the malware has full admin rights on the same device as is using SSL to send to the server, couldn't they compromise the root certificate store on the device? Or somehow intercept the data on the device before it tunnels into the encryption engine? I don't know, I just remember reading about SSL architecture a bit once and basically it's good security unless either of the two endpoints in the session is compromised.

Speaking of stupid apps sending cleartext, I think it was even on TR I saw this but WhatsApp got a slap by the Canadian and Dutch authorities for collecting unauthorized address book info and sending that in the clear to their server(s). The fact that anybody, anywhere, thinks it's ok to code an app to send data in the clear is not a good sign.

JCitizen: You're right, but the object-oriented nature of Quirbles makes it difficult to adjust the magnometer curve. Oops sorry, wrong thread. wink Ok ok....viProCon ----- Lame.
Just something that occurred to me, but it's quite common as I'm sure you know, that when somebody hears that a website or a content provider of some kind has some kind of scanning of said content on their server, that everything is safe. As we all know, you can lump 15 malware scanners running all on the same system and there will still be rootkits they can't find and so on. So what makes people think these scans done by app stores are any better? Of course apps are less complex than full applications found on PC's, generally speaking that is, so there are maybe less behavioral traits or signatures to look for but again I defer to my own ignorance of app development so who knows. After all if it's got a network stack it's exploitable, one way or another.
Most people get into trouble when using other than the main-stream stores or have their phones unlocked.
Sorry to be all over the place on this thread, sometimes at TR I click the latest Reply just to keep things sequential, then sometimes I end up replying directly to earlier posts.
0 Votes
+ -
We value your input regardless! happy
1 Vote
+ -
Contributr
I am just appreciative that you are commenting.
1 Vote
+ -
Thanks
viProCon 1st Feb
.
happy