
Android permissions explained, security tips, and avoiding malware

An app with full internet access does not mean it can log what you type. Only keyboards can do that.

That's why I NEVER use a keyboard with full internet permissions - that's the combination to avoid.

But I used to get confused when I saw the standard message that comes up when first enabling any new keyboard - it says the app can get my passwords, credit card info, etc. But that is a standard Google message for all keyboards. Only worry if it's combined with internet permission - otherwise it can't send it anywhere even if it did log my keystrokes.

Thank you for your response. I wish these weren't things people had to worry about with their phone.
 
Upvote 0
Interesting article by Android Police:

The Mother Of All Android Malware Has Arrived: Stolen Apps Released To The Market That Root Your Phone, Steal Your Data, And Open Backdoor (Android Police)


I'm going to update this guide with a few "what not to download" recommendations I think.
Something like:

"beware apps that promise..."
-pictures of girls
-pictures of celebrities
-free music, especially single songs
-wallpaper apps that request internet permissions


If anyone has other suggestions let me know too. I'm going to take a look in the "just in" sections of the market and see if I can identify traits of the apps to watch out for.
 
Upvote 0
Rooting is almost always accomplished via an exploit in the Linux kernel, some Linux library, the Dalvik VM, or some binary driver. The last one usually being the most likely target (AFAIK).

Only developer phones come "unlocked" so that you can root via just asking the phone to give you root.


This is why official OTA updates almost invariably break root for most roms/kernels/whatever. And also why the AOSP patches the exploits.

It is also why ROM devs really need good reputations for you to trust them. But 99% of them are great guys from what I have seen. (Though I think the community thinks they are superstars even though they are just recompiling other people's work most of the time, but that's another subject for another day).

But ya, this looks to be the worst malware I have yet seen on Android.
 
Upvote 0
I've seen the same thing with other programs. The program "silent toggle widget" by droidmania says it requires NO special permissions when you look at it in the Market.

But if you install it and check Settings>Applications you'll see that it too has a "Modify SD card contents." This makes me uncomfortable.

In response to this and my own question earlier in the thread, I have since found this helpful post:

http://androidforums.com/android-ap...ge-phone-call-permissions-without-asking.html
 
Upvote 0
In response to this and my own question earlier in the thread, I have since found this helpful post:

http://androidforums.com/android-ap...ge-phone-call-permissions-without-asking.html


Yep, this is a long-known problem and some of it is working as intended, but other parts are bugs Google has only addressed partially.

You can see source code demonstrating this issue here:

http://androidforums.com/android-applications/119690-can-app-permissions-hidden.html#post2376273

That whole thread actually has some good info on the matter too.
 
Upvote 0
Made some major edits tonight.

- Several new sections
- Updated information about malware that was in the wild
- Permissions that you can't see
- Added image to show what version of Android an app targets
- Warez warnings
- Why devs use IMEI
- How to be a good citizen/user in the Android Community
- A bunch more I'm likely forgetting
- Cleaned up a lot of old typos
- Probably made twice as many new typozzzz :)
 
Upvote 0
Hi All... I'm new to Android (just switched from iPhone) and I came across this post while searching for 'official' ways to stay safe. Very useful post, and a big thanks to alostpacket and the rest who have contributed.

Ok, so off to my question:
added the following permission:

Development Tools read logs
This permission is of very high importance. This allows the application to read what any other applications have written as debugging/logging code. This can reveal some very sensitive information. There are almost no reasons an application needs this permission. The only apps I might grant this permission to would be Google apps.


Source:
Vimeo, Video Sharing For You

Thanks to a Slashdot reader R- for pointing me to the info

After reading this post in its entirety, I went to check the apps on my Android 2.3.3 Nexus S and found that Evernote (a quite popular note-taking app) requires the "Your personal information: read sensitive log data" permission. This may be a dumb question, but is this the same permission as the one in the above quote? If not, then great... but if it is the same, why would Evernote need access to it?

Thanks.
 
Upvote 0
None that I know of, the recent episode of a virus on Android was widely reported on tech blogs that listed those apps though.

You might also try some of the AV app writers sites. They tend to publish some information like that, esp for PC virus, not sure about Android.

If you find anything please feel free to post back -- it would be helpful info for this thread.
 
Upvote 0
Lookout Mobile Security recently posted a list of reported malware that has been removed from the Android Market (but says some may still be there due to android markets still investigating some of these).....

This list was published in an article dated March 1/2011 (fairly recent)
Who is affected?
Anyone who has downloaded the apps listed above may be affected. If you have downloaded these apps, contact us at support-at-mylookout.com.




Full list of infected applications published by “Myournet”:
  • Falling Down
  • Super Guitar Solo
  • Super History Eraser
  • Photo Editor
  • Super Ringtone Maker
  • Super Sex Positions
  • Hot Sexy Videos
  • Chess
  • 下坠滚球_Falldown
  • Hilton Sex Sound
  • Screaming Sexy Japanese Girls
  • Falling Ball Dodge
  • Scientific Calculator
  • Dice Roller
  • 躲避弹球
  • Advanced Currency Converter
  • App Uninstaller
  • 几何战机_PewPew
  • Funny Paint
  • Spider Man
  • 蜘蛛侠

Full list of infected applications published by “Kingmall2010”:
  • Bowling Time
  • Advanced Barcode Scanner
  • Supre Bluetooth Transfer
  • Task Killer Pro
  • Music Box
  • Sexy Girls: Japanese
  • Sexy Legs
  • Advanced File Manager
  • Magic Strobe Light
  • 致命绝色美腿
  • 墨水坦克Panzer Panic
  • 裸奔先生Mr. Runner
  • 软件强力卸载
  • Advanced App to SD
  • Super Stopwatch & Timer
  • Advanced Compass Leveler
  • Best password safe
  • 掷骰子
  • 多彩绘画

Full list of infected apps under the developer name “we20090202”:
  • Finger Race
  • Piano
  • Bubble Shoot
  • Advanced Sound Manager
  • Magic Hypnotic Spiral
  • Funny Face
  • Color Blindness Test
  • Tie a Tie
  • Quick Notes
  • Basketball Shot Now
  • Quick Delete Contacts
  • Omok Five in a Row
  • Super Sexy Ringtones
  • 大家来找茬
  • 桌上曲棍球
  • 投篮高手
 
Upvote 0
Phone calls
read phone state and identity
This permission is of moderate to high importance. Unfortunately this permission seems to be a bit of a mixed bag. While it's perfectly normal for an application to want to know if you are on the phone or getting a call, this permission also gives an application access to unique numbers that can identify your phone such as the IMEI and/or IMSI. Many software developers legitimately use these numbers as a means of preventing piracy though.
Thinking about this permission, I wonder why can't Google separate them? One permission is Phone state, which I'll gladly give the developers. The other 'phone identity', which I do not prefer the developer to have :(
The sad thing is, most apps need to know the phone state to really work efficiently, so we really have no say and accept this permission if we want the app. I guess it's all about how much do you trust the developer right? *sigh* The funny thing is, that in the manifest.permission, Google explains phone_state but there's nothing on phone_identity, which I find very misleading.

READ_PHONE_STATE: Allows read only access to phone state.

At least the Permission description on the Market is more detailed now:
Phone calls: read phone state and identity
Allows the application to access the phone features of the device. An application with this permission can determine the phone number and serial number of this phone, whether a call is active, the number that call is connected to and the like.
 
Upvote 0
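Added example (not code from any poster in this thread or from Android itself): a small audit of a decoded, text-form AndroidManifest.xml that checks for the combinations discussed above, namely a keyboard that also holds internet access, READ_LOGS, READ_PHONE_STATE, and the two permissions that are granted without being listed when an app targets API level 3 or lower. The sample manifest, the package name and the function name `audit_manifest` are constructed for illustration, and detecting a keyboard by its BIND_INPUT_METHOD-protected service is a heuristic.

```python
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"
P = "android.permission."

# Constructed sample: decoded manifest of a made-up keyboard app.
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fancykeyboard">
  <uses-sdk android:minSdkVersion="3" android:targetSdkVersion="3"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_LOGS"/>
  <application>
    <service android:name=".Ime"
        android:permission="android.permission.BIND_INPUT_METHOD"/>
  </application>
</manifest>"""

def audit_manifest(xml_text):
    root = ET.fromstring(xml_text)
    declared = {e.get(NS + "name") for e in root.iter("uses-permission")}
    # targetSdkVersion falls back to minSdkVersion, which defaults to 1.
    sdk = root.find("uses-sdk")
    attrs = sdk.attrib if sdk is not None else {}
    target = int(attrs.get(NS + "targetSdkVersion")
                 or attrs.get(NS + "minSdkVersion") or 1)
    # Apps targeting API level 3 or lower are granted these two permissions
    # even when the manifest does not list them.
    implicit = set()
    if target <= 3:
        implicit = {P + "WRITE_EXTERNAL_STORAGE", P + "READ_PHONE_STATE"} - declared
    effective = declared | implicit
    # Heuristic: an input method service is protected by BIND_INPUT_METHOD.
    is_keyboard = any(s.get(NS + "permission") == P + "BIND_INPUT_METHOD"
                      for s in root.iter("service"))
    findings = []
    if is_keyboard and P + "INTERNET" in effective:
        findings.append("keyboard + INTERNET: typed text could leave the device")
    if P + "READ_LOGS" in effective:
        findings.append("READ_LOGS: can read what other apps write to the log")
    if P + "READ_PHONE_STATE" in effective:
        findings.append("READ_PHONE_STATE: call state plus IMEI/IMSI")
    findings += ["not listed, granted for targetSdkVersion %d: %s" % (target, p)
                 for p in sorted(implicit)]
    return {"target_sdk": target, "implicit": implicit, "findings": findings}

if __name__ == "__main__":
    for line in audit_manifest(SAMPLE_MANIFEST)["findings"]:
        print(line)
```

The manifest inside an APK is stored as binary XML, so it has to be decoded to text before this audit can read it.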
