Maybe it's the jet lag talking but it seems like the tenses are all messed up in this article, for example "was now" is used in places where they're speaking about the present status of the malware.
Are there any current methods of detection? What about this warning of "any app that required a security update to be installed before it was run" - what is that going to look like? A standard Android warning/request dialog?
No, Android does not have standard dialog that requests do make security updates.
There is a notification/activity, that alerts you, when system update is available.
In some rare cases, there may be messagebox telling you, that Google Play Services need to be updated (and after tapping OK, it opens Play Store for you).
What the article describes, is more like drive-by-installation malware. You need to enable unknown app sources (and acknowledge the warning dialog), as well as verify apps. Then you need to download apk and install it.
To make comparison with PCs, it is similar to some random web site persuading you to download random binary and run it as root.
> No, Android does not have standard dialog that requests do make security updates.
OTA updates are in all modern Android devices and it does ask you to update when new versions come out. They aren't security patches necessarily or communicated that way though, they are OS updates, that reflash your phone.
> Mobile security firm Lookout said the bug, called NotCompatible, was the most sophisticated it had seen.
> The cyberthieves behind the bug had recently rewritten its core code to make it harder to defeat, it said.
> The bug first appeared in 2012 and was now on its third iteration
Am I misinterpreting this, or is it common to refer to malware as "bug"? What a nice source of confusion for a programmer! It almost seems as if it is done on purpose to coin a new term.
I assume they're using the other definition of the term "bug" as in "you caught the cold bug." It might be local (UK specific) slang though that catching a "bug" is akin to catching a disease or virus.
Well ... it is pretty commonly used in the UK to mean disease/virus etc. such as 'a stomach bug', but I still don't think that excuses or explains its usage in this article. To me that just reads like a poor use of technical terminology.
But yeah as another commenter noted this article is aimed at a non-technical audience.
Not sure if it's related, but when browsing sites on my phone I have noticed a lot of ads on websites that redirect you either to a page with an Android download on it, or to a specific game in the Play store. You leave the page you wanted to look at entirely.
I've gone to Firefox+AdBlockPlus on my Android phones, after getting one too many Play Store popups. It makes browsing a lot less aggravating. No, I don't want to play Candy Crush.
On PCs, I prefer using NoScript instead, but NoScript could get kind of bothersome on a phone.
Hm, I don't see any reference to an exploit that's being used. What versions of Android does this affect? It says 2012, so this could very well have been eradicated.
It also does not mention whether Play Services can detect it or not, which is a crucial piece of information.
Not including it makes it sound a lot like a FUD piece in order to raise sales for LookOut
I noticed this has the smell of press-release-as-a-news-report, with Lookout being an Android security company, and them being pretty much the only source in the article. Makes me a little skeptical on how big of an issue this really is. I wonder if there's any solid estimates on what percent of devices are in these phone botnets, and in what regions.
I would be interested in knowing more about how they actually compromise individual devices, but the article, and the linked Lookout blog post, seem light on those details.
18 comments
[ 4.2 ms ] story [ 45.3 ms ] threadNo, Android does not have standard dialog that requests do make security updates.
There is a notification/activity, that alerts you, when system update is available.
In some rare cases, there may be messagebox telling you, that Google Play Services need to be updated (and after tapping OK, it opens Play Store for you).
What the article describes, is more like drive-by-installation malware. You need to enable unknown app sources (and acknowledge the warning dialog), as well as verify apps. Then you need to download apk and install it.
To make comparison with PCs, it is similar to some random web site persuading you to download random binary and run it as root.
OTA updates are in all modern Android devices and it does ask you to update when new versions come out. They aren't security patches necessarily or communicated that way though, they are OS updates, that reflash your phone.
> Mobile security firm Lookout said the bug, called NotCompatible, was the most sophisticated it had seen.
> The cyberthieves behind the bug had recently rewritten its core code to make it harder to defeat, it said.
> The bug first appeared in 2012 and was now on its third iteration
Am I misinterpreting this, or is it common to refer to malware as "bug"? What a nice source of confusion for a programmer! It almost seems as if it is done on purpose to coin a new term.
Regards,
A Brit.
Regards,
A Dutchman.
But yeah as another commenter noted this article is aimed at a non-technical audience.
This blogpost delivers both technical details AND better writing.
On PCs, I prefer using NoScript instead, but NoScript could get kind of bothersome on a phone.
Probably the most frustrating thing. Rooted phone, with adblock installed, using Chrome.
"NotCompatible is being spread via spam and websites seeded with booby-trapped downloads"
I would be interested in knowing more about how they actually compromise individual devices, but the article, and the linked Lookout blog post, seem light on those details.