That is correct, but you do lose out on all investments that have generated the wealth to make people wealthy these days.
So let's say inflation was 4 percent for the year and you could have made 10 percent invested in stocks for the year, you would have made 6% profit on your money for the year. Instead you lost 4% that year.
That difference could make or break someone long term, completely different retirement options.
How though. Over here cash isn't accepted anymore at most places. I only use cash for buying drugs. Most stores and groceries only accept card. Same with bars and clubs. I honestly have no idea besides drugs what to use cash for.
Am I just missing it, or is there no list of these infected apps on the posted article or the reference the article links to?
To me, that is the most important information.
As somebody who occasionally had to develop for android: the churn of improvements to app security was a huge pita. And as a user I know many of the abandoned apps that I liked that lost compatibility was for that reason.
So the fact that in spite of this pain, Android security still allows apps to do horrible crap like that is infuriating.
That's not what I mean. I'm not thinking about Play Store security, but Android OS security. Like, your app physically has to ask for permission (or even require the user manually change settings) to do most unsafe things.
So I could write an app that is okay on the Google store, then change it to steal people's information? Hmmm 🤔 that gives me an idea....hahh! Too many projects at the moment.
If you read the original report, it says that it basically just displays a fake banking login page. It also says that it requested accessibility service permissions, which makes me think maybe it brought up the fake login pages "in the right moment" (as in as users opened their banking apps) to make it more convincing, even though the article doesn't specify that.
Either way, IMO the problem here is clearly with the Play Store allowing this app in, and not with Android's security itself. These apps are misusing the accessibility service system, which is obviously necessary for a ton of important use cases (and of course also requires the user to grant very explicit permission). The fact that the accessibility services are a thing doesn't delegitimize Android's security improvements over the years.
If a user can open their banking app, and this app can sense that and open instead, then that is 100% an Android issue. That behaviour shouldn’t be possible.
"Accessibility service permissions" is a higher level of permissions than most apps get and Android will be all like "bro, are you sure you want to grant this app that kind of access and control? You really sure?" I've got a few apps on my phone with that level of permissions including one written by Google. They'd simply be unable to do their job without that level of access, jobs which have been straight-up good for my physical health. Ultimately there's a balance between security and letting the user do what they want.
"Over the past few months, we identified and analyzed more than 90 malicious applications uploaded to the Google Play store. These malware-infected applications have collectively garnered over 5.5 million installs.
Recently, we noticed an increase in instances of the Anatsa malware (a.k.a. TeaBot). "
So not 5.5M installs of this specific malware, FWIW
He's being condescending because he believes as a developer nothing is actually fully secure. If I spend 100 hours building and securing something, that's not going to stack up very favorably vs the 1,000's or even 1,000,000's of hours attackers and communities can spend trying to break my security layers.
Basically, he's a dick in how he answered the question, but the truth every software engineer learns, is that there is no fully secure system. There's always an angle/attack vector you didn't think of and secure.
It looks like they are doing it after app install with a malicious patch. This patch asks for SMS and accessibility access to gain privileges necessary to get into the banking apps. I haven't thoroughly read it but just looking at the attack chain that's what I gleaned.
Since the other reply was unhelpful: apps are supposed to have limited privileges and isolation from each other, yes... But the whole point of malware like this is that they figure out ways to break those restrictions and get escalated privileges.
You can get more technical detail from reading the report, in this case it looks like the app does not contain malware, but instead requests an update after install that contains the bad code and then breaks the app limitations and scans for the target banking applications and copies the security certificates.
Because tech journalism is trash on the best days, and these android malapps articles only ever amount to blogspam to make you nervous. I don't think I've seen more than a handful of these articles that actually warn you about the actual apps instead of just talking about the problem without relevant specifics.
I think I may know a few of those. But not through play store. They usually scam someone by saying they got a packet on their way and their tracking number must be opened on an app that they send via messaging apps.
This only would work if you check every line of source code, even the dependencies and build chain, and then build it yourself. See xz utils backdoor or Heartbleed, etc.
There is no guarantee that the released app is exactly the same as the source code when getting it on Google Play. You'd have to decompile or compile from source and try to compare.
If we are talking about bigger projects with hundreds of thousands or millions of downloads, then this may be true. But small scale projects have so few people actively looking through them that even the automatic scan done by the playstore has a higher chance of catching malware. It doesn't even have to be bad intent, two years ago there was a virus propagating through the Java class files in Minecraft mods which reached the PCs of quite a few devs before it was caught.
I don't dislike FOSS, a lot of the apps I use come straight from github, but all this talk about them being constantly monitored by third parties is just wishful thinking.
My whole point is that you can not point to a 3rd party checking for you and claim that it is secure because someone else already checked. And I brought two examples which contradict this claim.
I'm not sure you're understanding the argument: you cannot monitor closed source, therefore, you have at least as many eyes looking at my random crap on github as you do on the random crap some companies are doing.
And you didn't understand what I said. While you can not monitor closed source at the code level, you definitely can monitor their behavior. Even the automatic threat protection from the playstore protect function is worth more than the measly amount of people looking through smaller projects' codebases.
I hate Google with a passion, but with all their control over android devices, they are more than capable of scanning apps for malicious behaviour and automatically remove them. These few apps in the article are the 0.01% of malicious apps that their algorithm didn't detect.
Exactly. Neckbeards love to pretend open source magically has no security vulnerabilities, and that the ability to inspect the source means you'll never install anything nefarious.
I expect all of them to have read the source for every single package they've ever installed. Oh and the Linux source too, of course
Yes, open source doesn't magically fix all vulnerabilities. But it is for sure way better than closed source, where you don't have a way of auditing the code.
Another classic lie. 'Open source' misses the point of libre software. Anti-libre software [malware] bans us [everyone else] from removing malicious source code.
The thing is we only know about these vulnerabilities in such great detail because the projects are open source. God knows what kind of vulnerabilities are hidden in closed source software.
Yes, of course. However, when it's open source, at least somebody is capable of checking those things, even if it is not you. Somebody in the community is capable of doing so.
Yes, that is true, but let's not pretend that just because someone is theoretically able to, that all source code is constantly monitored by 3rd parties.
Oh, absolutely, that's true. Definitely smaller projects have less audited code, and even bigger projects can have bugs. Heartbleed ring a bell, LOL. However, when open source software has a bug and it is discovered, it is fixed by somebody in record time, whereas in closed source software, you don't know that there is a bug that can be exploited and it definitely won't be fixed until it's reverse engineered or something or exploited.
If you download apps from fdroid, at the very least you can be sure that the binary is 100% generated from the provided source code, the devs can't pull a switcheroo like submitting an altered version of app (e.g. inserting malware) that doesn't match the published source code.
A very classic lie, disinformation, used to spread anti-libre software. Anti-libre software bans us, not only me but everyone else, from removing malicious source code.
Very disingenuous of you to fight a strawman and proclaim victory by claiming that I said things which I never did. But if that's what floats your boat. But for everyone else, try to find any mention of anti-libre software in the original claim.
What are you talking about? You are digging yourself in a trench against me for some reason and you dig deeper every time. I have no idea what your agenda is, but I am stopping participation in it.
I don't know about you but I have always been a free software advocate, see
You're right, I should clarify better. When I say open source, what I mean is totally open and totally free to contribute to, like the MIT or Apache licenses. Source viewable is a whole different can of worms and not what I mean, so I should be more specific in future.
Given I’ve been described as a right-wing conspiracy theorist for saying that capitalist countries experience less starvation than socialist ones, I’m going to have to take this assessment with a grain of salt.
Maybe it’s more like right wingers in general are coming back in droves after finding an online community that won’t ban them for their political affiliation.
Given I’ve been described as a right-wing conspiracy theorist for saying that capitalist countries experience less starvation than socialist ones, I’m going to have to take this assessment with a grain of salt.
That's not the methodology used, unless your description of starvation literally includes QAnon hashtags:
Tracking commonly used QAnon phrases like "QSentMe," "TheGreatAwakening," and "WWG1WGA" (which stands for "Where We Go One, We Go All"), Newsguard found that these QAnon-related slogans and hashtags have increased a whopping 1,283 percent on X under Musk.
And if not, then I'm not sure what your observations add to the discussion.
"i reflexively identify with the openly-fascist right-wing base that has found its home on elon's twitter, and since i'm a reasonable person, the evidence that they're flagrantly conspiracy-minded and/or are CSAM posters simply must be fabricated"
I think a large part of this is that X is the only major social media which has no dedicated team for detecting and banning the propaganda bots / troll farms.
I have no idea how much of the Q / antivax / conspiracy material on social media is deliberate campaigns to destabilize American politics in general (as opposed to perfectly organic homegrown nuttiness which the US has always had plenty of anyway), but I know it's not 0.
It's not just to destabilize "American" politics, it's a series of worldwide campaigns to destabilize all information flow, to sow doubt and confusion among everyone, then out of the blue present an aligned front to push a certain narrative.
If people are kept in a "flux state of distrust", they're easier to convince when suddenly a bunch of their sources agree on some point, "it must be true if conflicting sources suddenly say the same".
then out of the blue present an aligned front to push a certain narrative.
This is a good point. I see this a lot with Ukraine. There are many famous shills (e.g. Max Blumenthal) who have been promoting the fascist invasion of Ukraine. Now these same shills are supporting Palestine. This would be good except they are just using the issue to lure people in. Then once they're hooked on all these shady accounts, they start talking about how Ukrainians are nazis, how Stalin was awesome, etc. It's so transparent but so dangerous. I imagine this happens on many fronts.
edit: Just remembered these podcasts about this: Part 2 and Part 3
The biggest problem with Ukraine... is that they aren't fully detached from Nazis:
During WW2, Ukraine was allied with Nazis and fascists, helping them exterminate Poles
21st century Ukraine, still uses Nazi symbology, the fascist salute, a fascist hymn, has set national support for WW2 Nazi combatants, and even their national shield is a fascist remnant.
All of that has nothing to do with the Russian invasion... but it does give Russia's propaganda machine an awesome excuse. It's just too easy to get people hooked up with some actual facts, then get them to do a leap of faith and fall straight into full propaganda... and Russia knows it.
Israel and Palestine is a particularly juicy case, where there are really shitty groups coming from both sides, ending up like an "all you can eat" buffet for every propaganda machine out there. No matter what narrative one wants to spin, chances are they'll find a latch point in the Israel vs. Palestine conflict, even contradictory ones for different audiences.