So what exactly did this malware do most of the time?
In the original kaspersky report it says "For example, an app with this malicious code may show intrusive ads and sign users up for paid subscriptions.".
So how/did it sign up users for paid subscriptions without user interaction? Does android allow something like that? Aren't all apps sandboxed?
In general how is the android sandboxing and permission system nowadays? I'm considering switching back to it from iOS, but reports like this are kinda discouraging.
This. As an iOS user / developer who isn't too familiar with Android, I also don't get it. Either these reports are lacking, and there is in fact a vulnerability being exploited down the line, or Android is completely broken. I find it odd that this important detail is being ignored in the reports/discussion.
> So how/did it sign up users for paid subscriptions without user interaction? Does android allow something like that? Aren't all apps sandboxed?
This sandbox isn't a VM per-se in that the apps can view and interact with other apps via various api-interfaces, sometimes with devastating consequence (like apps with storage permission scraping location information from EXIF, or apps with SMS permission scraping inbox for your financial transactions).
> In general how is the android sandboxing and permission system nowadays?
There's lot of confusion and most users simply grant all access. Ask-on-first-use doesn't really help with privacy, at all. iOS, I think, has it better: Grant permission only when app is in the foreground.
That said, I am working on an app that'd help revoke and grant permissions automatically to apps depending on whether they're in the foreground or background; firewall apps from internet; block trackers. This isn't something you can't not do on Android today. And if you choose to root your device, there are apps like AF+ Wall, Privacy Guard (on LineageOS), XPrivacyLua (with XposedMod), NoRoot Firewall, NetGuard that are excellent offerings but sometimes feel like they're built for the power-user.
I don't know this particular case, but "malware" seems to be used to describe "adware" these days by some blogs to generate more clicks.
Android is just as secure/unsecure as iOS. Some recent "malware" campaigns targeted both platforms but in general Apple silently removes them while Android gets scrutinized to death.
Edit: to answer your questions, these apps still operate within the limits of the sandbox. Which is maybe a reason the term "malware" should not be used.
This is clearly not the case. Not only is Android’s permission system more permissive, most Android phones don’t get updates as frequently and definitely not as far long as iOS.
In modern Android phones, the core system is updated one a month [if needed - which is often the case during the first year]. Android applications (including things like mail and browser) and a large part of the OS is updated immediately via the store.
The permission system is being updated and apps are being rejected for bad user of permissions (check Reddit for the SMS permission stories)
> most Android phones don’t get updates as frequently and definitely not as far long as iOS.
This is irrelevant. Most phones period don't get updates frequently. Does that mean you shouldn't buy any phone? No, you should buy a phone that does get updated, and there are plenty of Android options.
> How many Android devices get support that far back?
Also irrelevant. Most people don't use phones that old. If they upgrade devices on a normal schedule, there are plenty of Android devices that will get updated during that time. Even better, their system apps will also get updated at an even higher frequency during that time transparently, while iOS users have to wait for an OS update and reboot their devices. This is an issue with highly vulnerable apps like iMessage and Safari.
Also irrelevant. Most people don't use phones that old.
There is a vibrant official second hand market for iPhones where people sell their phones and the hand me down market. It really helps when you can still use an older device with the newest operating system. Anecdotally, my son is still using my circa 2015 iPhone 6s with the latest OS. According to many benchmarks, it was faster than high end Android phones up until 2018 and is still faster than mid tier Android phones.
Even better, their system apps will also get updated at an even higher frequency during that time transparently, while iOS users have to wait for an OS update and reboot their devices. This is an issue with highly vulnerable apps like iMessage and Safari.
Well fortunately we have statistics about how many iOS users are running the latest OS compared to Android users from the prospective companies. We know that your conjecture is probably false.
> There is a vibrant official second hand market for iPhones where people sell their phones and the hand me down market.
Irrelevant. I'm not buying from the second hand market. If you want to push that benefit, push it on somebody who will.
> We know that your conjecture is probably false.
We know I'm right. It takes weeks for iOS users to update their phones if iMessage or Safari has an update. On Android, the SMS and browser apps updates automatically without the user noticing. For the phones that receive system updates, the statistics show they update just as quickly on Android as on iOS. For users who upgrade devices frequently like me, these Android devices are strictly better than iOS devices in security.
> I had to rely on information I could find on the internet....
Which is? I pointed out why it is that these new Android devices are better from a security update perspective than iOS devices. Your response is to point to non-existent statistics. No amount of wishful thinking is going to make statistics appear that violate common sense.
> It might come as a surprise, but the world doesn’t revolve around you and this is a general discussion forum...
Users who don't upgrade phones frequently have no good options. Users who upgrade frequently have Android devices that fit the bill. I don't consider iOS's security updates reasonable, as I have already explained.
Irrelevant. I'm not buying from the second hand market. If you want to push that benefit, push it on somebody who will.
Because you upgrade frequently
Users who don't upgrade phones frequently have no good options. Users who upgrade frequently have Android devices that fit the bill. I don't consider iOS's security updates reasonable, as I have already explained.
Well your “explanation” that iOS security is not acceptable because you have to reboot. Compared to not getting a full update at all is laughable.
I already pointed out why lumping all Android devices together is nonsensical in my very first comment. The rest of your points crumble after you remove this nonsensical foundation.
Right because every part of the OS consist of the apps. First you said that there weren’t any statistics and now that I post statistics from Google they are “nonsensical”.
Do you have any more reliable numbers or just more conjecture?
Because in your world, it is more secure to not be able to update the entire OS than to have to do a reboot.....
> now that I post statistics from Google they are “nonsensical”.
Your statistics are for a nonsensical metric as I have repeatedly pointed out. The correct statistic is how quickly Android devices that are known to get updates get updates because those are the only devices that anybody who cares about security updates should buy.
> Because in your world, it is more secure to not be able to update the entire OS than to have to do a reboot.....
Once again, you are completely ignoring the point. It is more secure to have a device that updates the base system quickly and updates the apps instantly without the user noticing. There are devices that do that, and there are devices that don't. The devices that don't are so inferior to the devices that do that they shouldn't be used.
Do I need to draw a Venn diagram for you, or do you finally understand?
The correct statistic is how quickly Android devices that are known to get updates get updates because those are the only devices that anybody who cares about security updates should buy.
So that’s “the correct statistic” as long as you ignore the literally billion Android phones that don’t get updates compared to the 0% of iPhones that were introduced since 2011 that haven’t gotten an update in the last 3 months.
In other news, everyone in the US is rich as long as you ignore all of the poor people....
It is more secure to have a device that updates the base system quickly and updates the apps instantly without the user noticing. ^
So the “base system” consists of applications* not the underlying operating system....
In 30+ years of being in the computer industry professionally and as a hobbyist, I’ve never heard anyone consider applications as the “base system”.
It is more secure to have a device that updates the base system quickly and updates the apps instantly without the user noticing. There are devices that do that, and there are devices that don't. The devices that don't are so inferior to the devices that do that they shouldn't be used.
So the vast majority of Android phones shouldn’t be used and none should be used considering the average amount of time people are keeping their phones is longer than the time that any manufacturer is supporting them?
So 90%+ of all Android phones “shouldn’t be used” even if you’re charitable and ignore the phones that only get updated for a couple of years....
Btw, to get a clue about how an ecosystem should work where one company is responsible for the operating system and other companies sell the hardware, look no further than Microsoft. Not only are one of my computers that is used as a Plex server over 10 years old and still running the latest version of Windows (a Dell Core 2 Duo circa 2009), my mom is still using my old Mac Mini circa 2006 running a supported version of Windows 7.
> So that’s “the correct statistic” as long as you ignore the literally billion Android phones that don’t get updates compared to the 0% of iPhones that were introduced since 2011 that haven’t gotten an update in the last 3 months
How many times do I have to repeat that it doesn't make sense to group all Android devices together just like it doesn't make any sense to group all phones together?
> So 90%+ of all Android phones “shouldn’t be used”
Yes! That's what I've been trying to tell you! 90% of Android phones shouldn't be used, and 100% of iOS phones shouldn't be used. How is it that you still do not understand this?
> So the “base system” consists of applications* not the underlying operating system....
That explains it. I specifically separated base system, which gets updated quickly with reboots, from applications, which get updated transparently without reboots, and through some incredibly poor reading comprehension, you understood this as saying both are the same.
Yes! That's what I've been trying to tell you! 90% of Android phones shouldn't be used, and 100% of iOS phones shouldn't be used. How is it that you still do not understand this?
So no personal computer should ever be used since you have to reboot to receive security patches. But I guess in that case even Windows 95 was secure since you could update applications without rebooting....
> So no personal computer should ever be used since you have to reboot to receive security patches.
Nope. Try reading my comments again. The base system has to be rebooted when receiving updates. Personal computers, just like Android devices, do not need to reboot when updating the web browser or a messaging app. iOS is so poorly architected that it cannot do this.
In the original kaspersky report it says "For example, an app with this malicious code may show intrusive ads and sign users up for paid subscriptions.".
So how/did it sign up users for paid subscriptions without user interaction? Does android allow something like that? Aren't all apps sandboxed?
In general how is the android sandboxing and permission system nowadays? I'm considering switching back to it from iOS, but reports like this are kinda discouraging.