Does malware only come from Apps?

[BlueEyesNotADragon]

Hello! I browse the web alot using the androids browser. So my question is does malware only come from installed apps? The only instance I know of for the internet is drive by downloads and I thought you had to install the apk it gave you to even do any harm. Currently have a Samsung Galaxy s3 with side loading disabled and only install apps from the Google Play Store.

Posted via Android Central App

 

[UJ95x]

Welcome to Android Central
You can get malware from side-loading app, downloading APKs, and browsing sketchy sites. The latter is the least likely though, so if you just stick to apps from the Play Store you should be fine.

Sent from my Galaxy S4 running SlimKat 4.4.2

 

[BlueEyesNotADragon]

Thanks for the response! How do sketchy sites infect you?

Posted via Android Central App

 

[zkSharks]

Thanks for the response! How do sketchy sites infect you?

As UJ95 said, it's much less likely for a website to infect your mobile device these days. Most vulnerabilities would rely on you opening a file that was downloaded from said site (whether intentionally or otherwise), and in the case of Android that's pretty much just APKs. Even then, it's still unlikely. It also depends on how you define "infect" — there are some pretty undesirably tracking cookies out there. Many past browser vulnerabilities relate to file or plugin issues, such as with PNG file and Java plugin vulnerabilities. These work in ways that don't usually translate to mobile environments and browsers, meaning you're fairly safe. That's not to say there aren't problems, though:

Making sense of the latest Android 'Master Key' security scare | Android Central
Multiple vulnerabilities in Google's Android | CORE Security

The second link mentions vulnerabilities that were triggered by opening image files in the browser. The good news is that Google is experienced with software security and is typically on top of their game. Keep an eye on our Security section (and this forum) to stay up to date... Android Security | Android Central

 

[BlueEyesNotADragon]

Thanks so much that's extremely relieving. Just a few last points im worried about if you wouldn't mind; when you refer to opening images in the browser is that loading up a page that has images on it? Such as 9gag or 4chan. And the browser has a retrieve running apps permission. Could a hacker or malware take advantage of that and use it to see pictures or anything else that's still running?

Posted via Android Central App

 

[zkSharks]

Thanks so much that's extremely relieving. Just a few last points im worried about if you wouldn't mind; when you refer to opening images in the browser is that loading up a page that has images on it? Such as 9gag or 4chan. And the browser has a retrieve running apps permission. Could a hacker or malware take advantage of that and use it to see pictures or anything else that's still running?

Posted via Android Central App

Yes, that's correct — any images loaded in web pages were susceptible, though it's important to note that these specific problems have long since been addressed. I don't know of any current major security vulnerabilities in mobile browsers, and the fact that these problems existed at some point isn't cause for concern, only awareness. And, for comparison, these "vulnerabilities" aren't always used with malicious intent. JailbreakMe, an early jailbreak solution for iOS devices, used a vulnerability in Safari's PDF file parser.

Any permissions granted to Android apps specifically relate to components of Android and your phone that the app in question is able to access or use. In the case of web browsers, it's not possible for these permissions to simply "pass through" to any web content; web content is rendered and executed by the web browser, but not at the same level. In the case of other apps, there's no question. The permissions don't extend beyond that application. Web scripts (typically JavaScript) have limited access to information about the client device they're being run on, as well as the ability to do things like tell the web browser to open custom dialog boxes (like text inputs, etc). Though these tools can be used to mislead the user, beyond that they are relatively harmless. Plus, without JavaScript, much of the web just wouldn't work.

Android effectively limits how much information is available to applications, and the primary user-facing mechanism behind this is the permissions system. Pay attention while browsing and downloading, pay attention when installing apps, and keep an eye out for security news, and you should be good.

 

[BlueEyesNotADragon]

Your so helpful! Thank you so much! My primary concern was having the web up, then starting up an app, then going back to the web. Didn't want anything floating around : ) Also never knew alot about Android so now I know something : P

Posted via Android Central App