1. Dimitrios Kirkos's Avatar
    Hi,

    If you have untrusted sources set to "off", is it possible to get android malware just by visiting a certain website?

    Theoretically, this can't happen, because the only way to get android malware is to download a "bad" apk from said website, turn untrusted sources on, and open it.

    But practically, every browser has those things called "exploits" which can allow "arbitrary code execution". In other words, code can be run and/or be installed in your system, without having to open an app package file.

    I was wondering if that is possible on Android.

    Has it ever happened? (aka, is there a documented case of it happening?) That's the question.



    PS: I also understand malware can get in from "trusted sources" such as the Play Store, but if you only download from a handful of well-known devs (Vector Unit, EA, Gameloft etc) it's not a problem, and it's not relevant to the topic anyway.

    PS: Also, I am not referring to the "man-in-the-middle" vulnerability that can be used to target ad frameworks of certain apps. Let's assume the internet link is trusted and the only bad guy is the website. Unless the aforementioned vulnerability can be used by bad ad agencies to exploit the browser app (stock or chrome).
    11-09-2014 08:24 AM
  2. srkmagnus's Avatar
    Is it possible? Certainly. Be cautious with the sites you visit and what content you are downloading from those sites.
    11-09-2014 08:54 AM
  3. Rukbat's Avatar
    Malware is almost never an app (which is what an apk file is). Having untrusted sources off has nothing to do with malware.

    The two most common ways of getting malware are from sites that send it (usually as Javascript, which your browser then runs, because that's how browsers work) or from opening emails with malware loads. That's true for any computer connected to the internet, not just phones.

    Using exploits in the OS is a totally different thing.

    Has it ever happened on Android? I've gotten a few hits from my protection apps when I check out sites that people post about here. (Since my entire phone is backed up off-site, it's a bother of 5 minutes at worst to get rid of anything.) If I hadn't had the protection apps running, I would have gotten malware in the phone. So yes, it's happened. ("Has anyone ever been shot at?" and "Has anyone ever been shot at while standing behind 16 inches of armorplate?" are different, but someone was shot at in either case. With protection it just didn't cause a problem.)
    11-09-2014 10:10 AM
  4. Dimitrios Kirkos's Avatar
    The two most common ways of getting malware are from sites that send it (usually as Javascript, which your browser then runs, because that's how browsers work)
    Javascript in itself cannot cause malware installation or arbitrary code execution. It runs in a protected environment where it can't mess with the OS or even other websites (same origin).

    In order for a javascript piece of code to be able to cause malware installation or arbitrary code execution, an exploit needs to exist.

    Has such an exploit ever existed for Android?

    The only thing that pops to mind is an XSS vulnerability, which allows for javascript to snoop on the contents of other tabs (which is a problem only if you have another tab with sensitive info open).

    But I haven't heard of javascript in Android causing malware installation or arbitrary code execution. Has any of you guys? If you know, please post.

    I am trying to come up with an answer to the question: Do average users who have untrusted sources off but may visit a "bad" site once in a while need an antivirus? Some of my friends ask this, and so far I've always answered "no". Was I right?

    PS: Your protection app may be triggered by attempts to download apks, which does happen. Are you sure it's from javascript?
    11-09-2014 11:25 AM
  5. Rukbat's Avatar
    I am trying to come up with an answer to the question: Do average users who have untrusted sources off but may visit a "bad" site once in a while need an antivirus? Some of my friends ask this, and so far I've always answered "no". Was I right?
    No. A computer that's connected to the internet needs malware protection. Even assuming that there's not a single way to do anything bad to an Android phone, someone could come up with a way in the next 5 minutes (and the good AV companies would have it in their databases within 24 hours or less).

    PS: Your protection app may be triggered by attempts to download apks, which does happen. Are you sure it's from javascript?
    I've written enough Javascript to know the difference between Javascript and an apk. (And when I see the Javascript in Firebug [I usually use the desktop for this site when I'm home], I'm pretty sure it's Javascript. I just no longer have the patience to trace through 500 function calls to figure out what the problem is. Nor do I really care any more. If it triggers a few AV programs, it's probably not a false positive, and that's good enough for me.)
    11-09-2014 03:15 PM
