- From: John Lyle <john.lyle@cs.ox.ac.uk>
- Date: Tue, 26 Feb 2013 11:57:27 +0000
- To: public-sysapps@w3.org
On 25/02/13 17:33, Mounir Lamouri wrote:
> The other side of that is things like sending an SMS. Even if we make it
> very hard to send an SMS without user consent, the harm to the user is
> so high (less money) and the benefit for the attacker is so high
> (sending SMS to premium number) that we will have a hard time to allow
> SMS to be sent by any application. The Android Marketplace is full of
> malware like that. Someone in France has recently been arrested; he was
> able to get 500'000€ with such a malware.

I agree that the SMS case is certainly a threat, and one of the more significant ones. I also agree that mitigations involving active user consent are almost certainly appropriate.

But to nit-pick: the Google Play store isn't "full" of malware like that. There has been some, and there will be more, but it's hardly an epidemic. The presence of the malware is also not necessarily a good indicator of impact, as many users are unaffected even if the malware is available. A notable case in the UK was RuFraud [1], and in this case the malware author didn't earn any money and all UK users were refunded [2]. There is other SMS malware, but the impact on users is very difficult to assess [5,6].

The majority of mobile malware misusing premium rate services is not on the Android marketplace, but is pushed through third-party stores (often offering free versions of otherwise expensive apps) or malicious websites. There are very few examples in the survey by researchers at Berkeley of malware that is both present on Google Play and misuses premium rate services [3].

In the French case you are referring to, the malware author never actually received any money. He created €500,000 of 'damage' but didn't earn anything himself [4].

That's not to ignore the threat, of course. Furthermore, the impact of malware that uses premium rate SMS is very different in different countries and regulatory areas, as Janusz alluded to in a previous email.

As such, I would be interested to hear more about malware threats outside of the UK / Western Europe. It seems unlikely that one rule will fit all.

Best wishes,
John

[1] http://www.bbc.co.uk/news/technology-16177013
[2] http://www.phonepayplus.org.uk/News-And-Events/News/2012/5/Regulator-cuts-off-worldwide-mobile-malware-attack-in-the-UK.aspx
[3] http://www.cs.berkeley.edu/~afelt/malware.html
[4] http://www.europe1.fr/Faits-divers/Un-hacker-de-20-ans-arrete-a-Amiens-1279555/
[5] http://www.hotforsecurity.com/blog/sms-malware-in-google-play-marketplace-2710.html
[6] http://www.symantec.com/security_response/writeup.jsp?docid=2012-070909-0726-99
Received on Tuesday, 26 February 2013 11:57:38 UTC