
Google Play has been spreading advanced Android malware for years - elsewhen
https://arstechnica.com/information-technology/2020/04/sophisticated-android-backdoors-have-been-populating-google-play-for-years/
======
AnthonyMouse
Let this be another nail in the coffin of the "walled garden" farce.

We learn this lesson again and again. People want someone to trust, but a
bureaucracy isn't trustworthy. It has its own agenda and values inconsistent
with yours. They take 30% from everybody whether they approve malware or not,
and whether they reject legitimate apps or not.

Trust doesn't come from size. If you want someone to vet your apps, it has to
be someone whose interests are actually aligned with yours, not just whoever
is big enough to force everybody through the tollgate into their store.

~~~
Razengan
I would still prefer to have to trust just one authority for my platform than
a multitude of random developers.

> _Let this be another nail in the coffin of the "walled garden" farce._

There is no coffin, the walled gardens are not dying, and have long since
become the norm, which happened because the people found them to be better
than the alternative: getting apps (and manually updating them) from many
different sources of varying quality and convenience.

~~~
realusername
> which happened because the people found them to be better than the
> alternative

Walled gardens only exist because mobile devices make self-install
alternatives very difficult or impossible to get on purpose, otherwise they
would not be able to compete in any way.

Case in point, the Mac App Store and the Windows Store are both moderate
failures despite a lot of technical & marketing push.

~~~
ycombi3
I'd say that they are more than moderate failures. I've heard from many
acquaintances who aren't as tech literate as myself that one of the major
reasons they got rid of their iPhone was not being able to install
applications from outside sources.

Myself, I would never want to trust anything centralized.

~~~
tinus_hn
Clearly the iPhone is a massive failure and everyone is getting rid of theirs.
In what country are you seeing this?

~~~
ycombi3
I never said it was a massive failure, but many people have switched over the
years to some form of Android after getting fed up.

~~~
jtbayly
> I'd say that they are more than moderate failures.

So... major failure? Is that what's in between moderate and massive?

If so, I'd love to have a major failure. :)

~~~
ycombi3
Meaning the central stores they attempt to force on us, not the devices
themselves.

------
WrtCdEvrydy
Oh yeah, they can spread malware for months, but I submit one fucking app that
allows you to create signs for your business for COVID-19 and all of a sudden I
get a 'Sensitive Events Violation Suspension' and get a ding on my Google Play
account.

Google has become Apple except worse because at least Apple is reachable.

~~~
realusername
Apple is pretty much the same, I've been trying to create a developer account
for three entire weeks and it still shows as "pending" without info. I saw on
the forums that for some people it can take months. It looks like some
bureaucratic government body from the 90s.

I now advise my friends to switch to Android if they want to see the app,
there's a limit on what I can put up with. These companies should just be broken
up in pieces.

~~~
armitron
At least Apple doesn’t serve you malware or harvest your personal data for
profit.

~~~
lern_too_spel
On the contrary, Apple has served malware to far more users than Google
despite having far fewer total users.
[https://blog.lookout.com/xcodeghost-apps](https://blog.lookout.com/xcodeghost-apps)

Apple also uses your GPS data to update its location service (for profit), and
unlike Android offers no way to opt out — if you want to get your location on
an iDevice, Apple will get it, too. If you want to do something crazy like
write apps for your own device without having to reinstall weekly, you have to
deanonymize yourself with payment.

~~~
dTal
> unlike Android offers no way to opt out — if you want to get your location on
> an iDevice, Apple will get it, too.

As far as I know there is _not_ a way to opt out of this in (Googlified)
Android. If you have Play Services installed (which you do, unless you've
taken unreasonable steps to avoid it such as rooting and installing a 3rd
party ROM), you get a dialog box popup whenever you enable location services
which informs you that Google will be watching (it's framed as a consent
dialog, but if you decline then location services will not be enabled). And
you need location services even to use the GPS.

~~~
literallycancer
If you don't like Google, installing a community ROM that doesn't violate your
privacy would be perfectly reasonable. If you want a megacorp service but not
from a megacorp, I think you won't find that anywhere.

~~~
dathinab
But then all banking apps stop working (including the 2FA apps "required" for
using credit cards from some EU Banks; for EC cards you luckily still can use
ChipTAN).

Also mobile payment will stop working, normally I wouldn't care about that but
currently paying without touching anything is nice.

Then some apps you need for work might stop working.

Not even speaking about hundreds of other apps.

The problem is too many apps depend strongly on Google services which are not
part of Android itself but shipped with every Google Android phone.

And too many institutions expect you to either have a Google Android phone or an
iPhone.

I could get away most of the time with a non Google Android phone but I
would need a second Google Android phone like 5 times a month or so.

~~~
BenjiWiebe
Not true. With things like Magisk and systemless root, the banking apps
continue to work. At least my 4-5 banking/payment/credit card apps all work,
with LineageOS and Magisk.

~~~
dathinab
Thanks, I will look into it.

But how do you replace FCM? I mean most apps which were not intentionally
distributed over alternate app stores will just try to send notifications
through it.

Also I'm not so sure how legal it is to sideload an app which is only meant to
be distributed over Google Play.

------
izacus
The wording of the title is interesting - how it puts all the responsibility
onto Play store and none of it onto the people actually developing the
software.

We truly live in an age where the mass media demands that corporations censor
and police everything we see and use.

I wonder when they'll start targeting Linux and Windows for allowing you to
download and run malicious programs without any corporation approving them.

~~~
dunnevens
Google advertises their store has "Google Play Protect" which promises to
ensure no malware in the apps you download from them. Of course Google is
going to get the blame when they make promises like that.

~~~
bzb3
It doesn't say anywhere that it's infallible.
[https://support.google.com/android/answer/2812853?hl=en](https://support.google.com/android/answer/2812853?hl=en)

~~~
bathtub365
Do you really expect it to say “Google Play Protect is infallible”? It’s
obviously pitched as anti-malware and the fact that it’s not working is an
issue despite them not saying it’s perfect.

~~~
bzb3
The fact that it's failed to stop this particular attack does not mean this
anti-malware solution is "not working".

~~~
ship_it
Except this isn't the first time it's happening; Google Store was filled with
malware forever. The techies will of course say it doesn't mean anti-malware
solution, while the greater masses will say it's definitely an anti-virus of
some sort by looking at it.

------
javajosh
It's emotionally difficult to find out about flaws in something you trust. I
think humans really like black and white thinking, and crave association with
people and institutions with blemish-free reputations. But the truth is that
nothing and no-one is blemish free, especially if you zoom in on them enough.
If you let it, then this truth can make you feel like you can't trust anything
or anyone.

But it's not true. You can trust. Although blemishes are universal, the scale
of the blemishes is not. The key to trusting again in a world of flaws and
faults is perspective. Is the flaw large or small? Does the agent accept it
and want to fix it, or do they deny it exists (a much worse problem!)?

Everything has flaws, everyone makes mistakes, often people behave badly. That
is never going to change. The thing we have to judge is whether the self-
corrective systems in place are doing their jobs to acknowledge and repair the
damage. IOW, making a mistake shouldn't determine trust, but failing to
address the mistake should. One might call it "second-order trust". If you
accept that, then the missing piece of this story is Google's response --
although they removed the offending malware from the Play Store, the
journalist didn't apparently contact Google for anything else, like what steps
they are taking (if any) to prevent this sort of thing from happening again.
Ars didn't say anything about contacting Google, so I'd say that is an
indication of lazy journalism, itself a sad but endemic problem in a world
where we all have another false belief, that useful screens should be free (as
in beer).

------
xorfish
Why haven't antitrust lawsuits made it mandatory that you can choose your app
store after first use like it happened with browsers?

~~~
jedimastert
I currently have F-Droid installed on my stock phone and Google did nothing to
stop me other than a single "unknown app" warning.

Also, that's not how it works with browsers. You have one browser installed. I
don't think I've ever seen Windows or Mac (or any Linux distro I've tried) ask
which browser should be installed. There's just the default one and the choice
to install anything else.

------
innagadadavida
Does Google know which apps were infected and does it plan on letting folks
who installed them know? It’s unfortunate their own Project Zero didn’t catch this.

~~~
notRobot
The article lists the package names of the infected apps.

------
KingOfCoders
Tin foil hat on. We had these iOS zero days and now conveniently we get
something about Android security.

~~~
wccrawford
There's no tinfoil hat needed. It's pretty common for people who get their
feelings hurt to lash out against "the enemy" with whatever they have. It
doesn't matter how old the news is when they can just post it again and people
will upvote it like it's new.

And it doesn't even necessarily have anything to do with Apple themselves.
They don't need to spearhead this movement because fanatics will defend them
like this anyhow.

The same goes for Google fanatics, and every other kind out there.

