Malicious App In Android Market
dumbnose writes to let us know that a fraudulent app that attempts to steal bank information has made it to the Android app store. From the alert: "NOTICE: Users of mobile devices with Android software may have noticed several applications available for download in the Android Marketplace. If you see any applications provided by the user Droid09, please do not download these applications. Android applications provided by Droid09 are fraudulent. Please remove any applications by Droid09 from your mobile device and contact your mobile provider to evaluate whether any other applications or information stored on your mobile device have been compromised." Multiple marketplaces are possible in the open Android ecosystem. Might we see the emergence of a marketplace distinguished by an iPhone-like app vetting process?
This is something that is far more unlikely to happen on the iPhone because of Apple's strict control and testing of all apps. Even the "jailbreak" stores will reject things that aren't as advertised.
Allow open development, and you've basically got a platform that the bad guys can target. There are already standards for signing code to prove that an app came from who you thought it did.
Why have a certification process, when you can have sandboxing? It's not a new concept even.
I'm sure Google could figure out how to do it with say, SELinux.
One great app I use is DroidWall, which is a simple GUI for iptables.
I set the default outbound policy to DROP, then specifically whitelist the apps that should reasonably have access to the internet.
Since Android apps have to specifically declare the privileges they require before installation (such as the ability to read contact data, internet access, etc.), it's easy to make sure that all apps that read personal data are not whitelisted, unless they come from a reputable developer (e.g. Google-made apps). Any app that can read my contacts data, my calendar, my email, etc., is sure as hell not getting internet access for "usage statistics" or whatever other lame excuse they give.
I wish this functionality were built into the OS, rather than having to do it manually (for example, a way to disallow internet access during installation) -- but at least it's doable on Android. I don't think any other phone platforms give this level of permission separation or control. I'm not so sure that app review would really fix the overall problem; it might catch the obviously-malicious phishing apps like in this story, but I bet that the app auditors' opinion on what is a privacy violation differs greatly from my own.
I still wouldn't use my banking info on my phone regardless, since a phone is so easily losable, and locking/unlocking the data every time with a secure passphrase would probably be too inconvenient. At the very most, I would only allow read access to transactions from my phone (if banks offered this), thereby limiting the amount of useful information or control a would-be attacker could gain from compromising my phone.
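The default-DROP-plus-whitelist policy the comment describes, as an added example (this is not DroidWall's code or the commenter's own script). It relies on the fact that Android runs each installed package under its own Linux UID, so iptables' owner match can grant outbound access per app; it assumes a rooted device whose kernel has the owner and state matches, and the UIDs 10042 and 10077 are constructed placeholders for "apps I trust with the network". With DRY_RUN=1 (the default) the rules are printed instead of applied.

```shell
#!/bin/sh
# Added example: egress whitelist by app UID, in the style of the DroidWall setup
# described above. Assumes root and an iptables with the owner and state matches.

# Emit the iptables commands for a default-DROP OUTPUT chain with per-UID
# exceptions. Arguments: numeric app UIDs allowed to reach the network.
# All arguments are validated before any rule is emitted, so a typo cannot
# leave the chain half-configured.
gen_rules() {
    for uid in "$@"; do
        case "$uid" in
            ''|*[!0-9]*)
                echo "gen_rules: '$uid' is not a numeric uid" >&2
                return 1 ;;
        esac
    done
    echo "iptables -F OUTPUT"
    echo "iptables -P OUTPUT DROP"
    # Loopback stays open: many apps talk to local services.
    echo "iptables -A OUTPUT -o lo -j ACCEPT"
    # Let packets of already-established connections continue. Caveat: an app
    # that accepts an INCOMING connection would also pass this rule, so keep
    # the INPUT chain restrictive as well.
    echo "iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    for uid in "$@"; do
        echo "iptables -A OUTPUT -m owner --uid-owner $uid -j ACCEPT"
    done
    # Log everything that is about to be dropped, tagged with the sending UID,
    # so an app trying to "call home" shows up in the kernel log.
    echo "iptables -A OUTPUT -j LOG --log-prefix \"OUTBOUND-DENY: \""
}

# Print the rules (DRY_RUN=1, the default) or execute them one by one.
apply_rules() {
    if [ "${DRY_RUN:-1}" = "1" ]; then
        gen_rules "$@"
    else
        gen_rules "$@" | while IFS= read -r cmd; do eval "$cmd"; done
    fi
}

# Constructed UIDs: say 10042 is a mail client and 10077 a browser;
# every other app is blocked from initiating outbound connections.
apply_rules 10042 10077
```

The rule order matters: the ACCEPT rules for trusted UIDs come before the LOG rule, so only blocked attempts are logged, and the validation loop runs before anything is emitted so a bad argument fails closed.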
An iPhone-like vetting process would be "we'll reject it if we don't like the look of it". How about "Linux-distro style vetting process"?
# cat
Damn, my RAM is full of llamas.
Apple's policy ain't foolproof either. I found an app designed for validating stolen credit cards, marketed to Romanian hackers:
http://rationalitate.blogspot.com/2009/12/credit-card-stealing-app-in-apples.html
More details here: http://zwadia.com/?p=125
It's the new buzzwords. Everybody who's got data now seems to have an API which stands for Applications Programming Interface. Programmers use the interface to make... applications. And there's where that word comes from.
From time immemorial, bazaars have had pickpockets.
Application, you mean an Apple program for the iPhone... right? And API is Apple Program Interface, duh. You should keep up with the worldz you old fossil.
Apple's app store is already full of apps that require the creation of an account with a username and password. That's part of the value proposition of the technology platform: always-on synchronization between device and cloud.
In a significant portion of cases I imagine this means that users have a single username/password pair that they have used to create dozens of accounts with services around the web. The fact that the app has been vetted and functions exactly as promised does not mean that there is not also someone on the "service provider" end of things collecting all of those username/password pairs for more nefarious purposes.
It doesn't even have to be a phish for it to be a security issue. But so long as we do the username/password pair thing, this will remain a vulnerability for the general public, and no amount of "app vetting" can fix it.
STOP . AMERICA . NOW
Holy fuck. These days, whenever the topic of software security arises, some idiot chimes in with "sandboxing" as the cure.
Sandboxing HAS NO EFFECT against what is basically automated social manipulation. You can sandbox your goddamn sandboxes, and that still won't do a damn thing to change the fact that the human user is voluntarily giving away what should be very private data.
Even when sandboxing might be somewhat useful, it often just ends up interfering with normal, legitimate use. So holes are intentionally poked in the sandbox walls, so the sandboxed app can access data or perform actions that are necessary.
So take your sandboxing idea, and fuck right off.
If you want to be free, be free. But then get checked every three months and you probably shouldn't give out your real address and phone number to anyone you're being free with.
The question needs to be asked. Would a shill for Apple create tainted Droid applications to discredit Google? First Post! Please go easy on me, I have been reading /. for over 5 years and this is my first post!
What if the Android market would reserve a few words for only legitimate organizations? For example, apps would need to be certified to appear in an online banking part of the store, and there would be no certification other than Google contacting the company and making sure this is the app they made. For example, if someone submits an app with "Bank of America" in the description (or something) the Android market puts a big red heading saying This app was not developed by Bank of America, do not give out sensitive financial details over the app? It isn't restrictive because it still is open development yet it weeds out phishing apps.
Taxation is legalized theft, no more, no less.
One of the things my bank does for their mobile banking application (which is contracted out to another company) is to give you a special code that is akin to an extra "mobile password." You get this code from the bank's website after putting in your mobile phone number. You then must enter it on your phone and "activate" that phone to access your account. At any time also, you can go into the website and "deactivate" the device. At no time do you ever enter your banking login details into your phone; only this special code, which is tied to your phone number, mobile OS, and carrier (and that you can deactivate at any time), is entered into your phone.
It's not perfect security, but it certainly puts up a few more decent hurdles against phishing.
meep
It wouldn't be unprecedented, as the Internet has places like SnapFiles and CNET for multiple operating system verified-OK application download hosting.
If you really want to steal people's info just throw up a quick Magento site pretending to sell things at unlikely prices and submit a Froogle feed. Soon you'll be getting lots of orders and you can collect credit card numbers, addresses, etc. to your heart's content and then disappear and repeat the process next week. Lots of people will give you their info without thinking about it.
At what price learning? At what cost wisdom? The price is a man's peace of mind, and the cost is his life.
When I saw "android market" I had visions of Star Wars and little Anakin. Turned out to be about some stupid phone. Yawn.
With Droid marketplace(s) just starting to gain traction I don't feel this is a big deal. I'm sure the handset manufacturers and Google have a roll out plan for "validating" Droid apps. The real question will be the "how" they do this as opposed to "if" or "when".
The entire Droid program is a great success and I'm positive that Google will have an innovative approach to vetting applications that will both protect users and yet give developers the free rein they need to continue to innovate.
I would also argue that most Droid users are more tech savvy and would be harder to fool with malware or fakeware. In contrast, I would argue that the average iPhone user is less aware of the threats that abound and simply trusts that Apple will somehow protect their user experience.
Don't eat the brown liquorice either. Garth told me.
Home of The Suki Series
This is just the same old phishing attack moved to a new platform. This is no different than directing web users to a fraudulent banking site.
The fault here lies primarily with the user, but seeing as we can't force the users to be smarter, the onus for defeating this attack relies on the bank. Banks can do a variety of things to prevent such phishing attacks from working, such as using 2 factor authentication and One Time Passwords. OTP works best when being used for transactions rather than logins; my bank will SMS me a code when I want to make a transaction to another account, so even if a phisher has my password, they need my phone to do anything (plus this is a dead give-away that a phisher has gained my password). Banks could also issue a private key to official applications and block any application that does not have the key (granted this is less useful and may be easily defeated).
iPhone style lock downs will not work as they do not address the real problem of phishing and only serve to limit the platform. This isn't a fault with Android: it requires the user to initiate the attack, and it isn't self-replicating.
Calling someone a "hater" only means you can not rationally rebut their argument.
Why on Earth would you download a 'bank' app from anyone other than *YOUR BANK*? I'm only gonna do online banking from the website or apps provided to me directly from my bank. I'm not gonna download anything from the Android market, from some random user, and do banking with it. Who thinks that it's a good idea to do 'banking' with an app by a random developer? I mean, *maybe*, maybe if it was someone large and established, like IBM, Google, Microsoft, or Apple, I *might* consider using third party software, but certainly not anyone I've never heard of before.
http://slashdot.org/submission/1146708/mobile-phone-banking-apps-for-fun-and-profit?art_pos=2 ...writes "While checking out Google's Android app store I searched for a banking app to use with my bank. I was surprised to see three mobile apps listed and none of them released from the bank itself. I cannot say what any of these apps are doing behind the scenes for sure but the mobile app could certainly swipe your credentials and connect you to the bank at the same time a lot more convincingly than any phishing site could. Is this the beginning of mobile app phishing? It's hard to believe nobody at the app store end is checking to see if the app has been legitimately released/signed from the actual bank it's representing. It makes me wonder what other apps are out there mining people's personal data, phishing, etc. and what can be done about this potential risk to safeguard the general public? Has anyone else run into similar situations? Anti-phishing software like Nokia's Free Anti-Phishing app or mobile Safari's similar feature wouldn't protect the mobile user from an application doing something in via code behind the scenes. Perhaps only a code walk-through or a legit certificate would remedy this situation. Any thoughts?"
Somewhere in Redmond someone is sighing a long sigh of relief. Finally they say - finally - they stopped picking on us!
On any other platform, you wouldn't need to remove software from "Droid09"; your overlord would remove it for you, along with any other subversive material that might be on the device that you're borrowing from them.
--
Stay tuned for some shock and awe coming right up after this message!
That's not how the world works; probably the "validation" that Apple does serves Apple's benefit, and is not made for the safety of the users or other romantic notion, maybe with the addition of safety theater.
Simple. Time delay. Be like a trojan. Wait. Act nice. Then MAUL. Don't do it on all. Do it on 1% of the installs. NO ONE WILL BE THE WISER. Because, after all, you are ALL DUMASSES !! What you do, that's your business.
It's prudent to note that Avira anti-virus used to be called "AntiVir"...but I'm pretty certain you're not talking about the same people..
0x09F911029D74E35BD84156C5635688C0
Each application can be reported on the market (malicious is one of the options), which will be sent straight to Google. On top of that, each application shows its average rating (out of 5 stars) - apps that are below 3 stars are lucky to even get a view from me, and if they do it always merits an investigation as to why their rating is so low (by reading the comments, all of which are actually quite useful).
fuck you android lamers. this is why apple created a vetting process. welcome to the real world.
Could not agree with you more in the overall scheme of things. If I could 'friend' people and accept their average judgements on the legitimacy and quality of an App it would be of great worth to me. Even with old PCs it was difficult to find quality software behind the countless crappy products. gdgt.com should add the ability to rate Apps and provide API access to 'friends'.
uh... waitasec....
I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
I'd settle for a feature in Applications > Manage Applications that allowed me to search for apps created by Droid09
It's prudent to note that Avira anti-virus used to be called "AntiVir"...but I'm pretty certain you're not talking about the same people..
Right. There's a rogue called AntiVir as well.
Nowhere near as annoying as the "heck with it, just backup and OSRI"-worthy "Internet Security 2010", however.
Allow open development, and you've basically got a platform that the bad guys can target. There are already standards for signing code to prove that an app came from who you thought it did.
Steve? Is that you?
-B. Gates
Google could make some money here, I think. This is a chance to implement a "Google Verified" or "Google Trusted" program where any developer can submit their application to Google, along with a processing fee, for the vetting process that would check their application; if it passes, they could get a small badge and a searchable tag. People would then have the option to either download only verified applications or whatever they wanted. I imagine that financial applications or those that handle serious amounts of personal data would want to go for the vetting process.
http://www.tenjou.net/
This is not the case. Apple don't perform in-depth testing in this manner; they don't have access to the source code and some developers have already successfully bypassed the rules of the App Store by hiding functionality as easter eggs. It is trivial to put malicious code in an iPhone app that won't be triggered until after the application is already in the App Store.
Hey, what was that old saw about Macs not having any viruses? Wasn't it something like, the platform is not popular and that's why they do not have viruses?
Well here we have a wildly popular mobile platform. Yet the most egregious exploit in an app to date is something that sent your address book somewhere without permission (something that's explicitly allowed by the API).
So given the number of apps there are, perhaps the lack of problems like this is an indicator it is not as "trivial" as you claim to put a malicious app in the store.
What would a malicious app really do anyway? It couldn't delete user data. It can't send passwords not entered in the app (passwords are not stored in the keystroke cache). And what makes you think Apple would not give extra scrutiny to an application that asked for something like your banking details? What makes you think they don't roll the date forward a month or two when testing apps just to see what kind of extra activity might be triggered?
Furthermore, because you have to go through some paperwork to be a registered developer in the first place, you have a lot more exposure to liability if you try something. Apple then has valid bank account details for you (if you registered to sell paid apps), along with your address and other things. So if something like this exploit were found, you'd be pretty screwed.
There are more aspects of protection in a closed system than just the review cycle...
"There is more worth loving than we have strength to love." - Brian Jay Stanley
Assuming the app appears to do something 'real' [which I assume it does, as people download and use it], you can have the app access a web page that tells the app if it should harvest data or not. You simply don't enable the harvesting until after Apple has accepted it into the App Store.
And then what do you do about the fact that you have given Apple an address they have verified, and paid for a $99 developer account via some means they can trace back to you, and probably given them your bank account number and routing code?
That's a lot of exposure for a scam that's likely to be shut down in under a day.
I said writing viruses for OS X is trivial.
Oh really - the base system comes with no open external ports. Write a virus that infects it with no user interaction.
Hmm...
Seems like you are the one re-defining "trivial".
Why on Earth would you download a 'bank' app from anyone other than *YOUR BANK*?
Actually there's a very good reason (for the user) - banks cannot write user interfaces to save their lives.
In fact they are so horrible at it that Mint.com flourished with tens (hundreds?) of thousands of users, despite you needing to give Mint the passwords to EVERY SINGLE BANK you do business with.
Would you or I ever, ever do that? Nope. No reasonable person would, you would think. Yet many have (and continue to), just because the experience of using bank websites and mobile platforms was so horrific, and honestly I cannot blame them - in fact I envy them the peaceful bliss of ignorance and nice software.
The whole point of using mobile applications is to make your life simpler, something that lots of developers are good at but not banks. So it's no shock someone would be willing to try an app not written by the bank they use.
I found an app designed for validating stolen credit cards
Come on, an app that simply validates credit cards and you can see NO VALID USE?
What if you are a merchant at an art festival collecting credit card numbers for payment and you use this just to validate that a CC card you are being presented is good?
If you thought even a little about it, the app is terrible for hackers who deal with number lists running into hundreds of thousands of CC numbers. You don't think they have a batch operation to check those in bulk already instead of typing EVERY SINGLE ONE into the iPhone keyboard? Come on!
You must be a basketball player, because that's quite a reach you have there.
I'm running Windows.
Do you seriously think that Apple is capable of performing security audits on every app they approve? The primary criteria in their approval process are going to be whether the app might be offensive to someone and whether it competes with Apple's core business.
I note that searches of Secunia, SANS.org, and CERT don't return any mention of it, which is curious given that the...alert...began spreading on or about the 3rd of December, 2009 according to a date-sorted Google search (who is Jeremy Allexon?). Said search likewise fails to turn up any sources which I would call "authoritative".
Given the nature of corporate competition...
Orwell: "In a Time of Universal Deceit, telling the Truth is a Revolutionary Act"
I hate to break it to you, but Android Market has a remote kill switch which operates at Google's discretion. If they decide you shouldn't have that app, they have (and you've agreed to give them) the ability to remove it from your device regardless of what you'd like.
"Might we see the emergence of a marketplace distinguished by an iPhone-like app vetting process?" Let's hope not. The best thing about Android is that you don't have to wait 876576532457865412347 gazillion weeks for some hired student rejecting your app and sending you a rejection email that doesn't even get the name of your app right.
Apple's model with their App Store is a very stable and profitable solution; look at Nokia's "OVI" that they recently started to advertise. Nokia goes after Apple's success... the only difference is that Apple checks each and every application and Nokia doesn't... If Android will be opened, and it seems like it is, it will have some "bad guys" in it...
That could work quite well, if the testers can't see the source. You could put a timebomb in an app that activates its malicious payload. This would also work better because it could allow the app to become popular and spread before it turns nasty. A datamining app that collects everything into an encrypted file (just very simple encryption in a file with a large initial size would be enough to keep people from "grepping" the contents or getting suspicious...say it's a cache file or something) and sends it off on a specific date and time could do a lot of damage.
"When information is power, privacy is freedom" - Jah-Wren Ryel
The App Store, this would never have made it through.
On what basis do you make that claim? The problem is that this made it to the Android app store without them noticing it. The same could plausibly happen with Apple's app store too.
Whether or not one can run applications from somewhere else is irrelevant, as this is a case where the product made it to the official app store for that platform.
One can equally claim for Nokia, "The Ovi Store, this would never have made it through", and similarly for all other stores.
Malware is only going to grow on Android.
Evidence please?
I think people are missing the point here - this isn't about a malicious app on some random website, with people saying "Well it wouldn't happen with Apple, because you can only run what they allow you", it's about a product on Google's App Store.
AFAIK, they can and do control what goes on here - the problem was they failed to spot it.
So what this shows is that relying on app stores isn't necessarily safe after all - personally I prefer the freedom to download from where I like, as offered by Android, Symbian, Linux, Windows and every OS on the planet except You Know What.
Has the last 20 years of computing taught us nothing?
I have excellent Karma and I am not afraid to Troll it.
The vetting process is only as good as the time and effort and competence you're able to provide.
Case in point: I have an iPhone 3GS. Just 2 days after downloading and accessing the PayPal App on my iPhone, some jerk broke in to my PayPal account and stole money. We traced the relay to a server in the Netherlands, and we suspect one of the seemingly harmless apps (Emoticons) had an obscured/obfuscated key logger.
Needless to say, I will not be doing any sensitive operations on my mobile devices. I was particularly alarmed at Apple's apparent apathy toward it, after calling them and with a very well-documented complaint.
My point is that these are new platforms and it may be a while before we're really able to truly secure them -- at least to the point where we can a computer system that we operate (without restrictions). The Android market is probably more dangerous to this effect as there is no real official vetting process -- anyone can write an app.
Caveat Emptor.
If anyone has reverse engineered the Droid09 apps to show the code - post them somewhere publicly. I'd be interested in seeing these, possibly making comparisons to what was found hiding on the iPhone.
So let the testers see the source.
It's also a bit riskier for the person writing the app if he has to have verified bank accounts before he's allowed to post an app to the marketplace. Which, of course, is the case with the App Store. You'd be crazy to send a malicious app in for review because A.) they do check the source, or at least a list of all methods called and B.) your bank account is verified with them so they should be able to find you without too much trouble.
In light of the fact that you can fake an address (happens all the time- part of how one commits credit fraud...), and can create a throwaway bank account through varying means...
Again, if it's so easy why has someone not done this?
You are still underestimating the amount of research Apple does on signup, and on app review. And I think on the ease of creating a "throwaway banking account" which is not easy at all, given what I had to do to get a bank account for my business.
You don't look at the code, but check for unusual behaviour.
Any application trying to call home will show up in my logs, the behaviour will be reported (or if I have the skills the code will be examined) and the problem spotted and fixed.
This simply will not happen with closed source software, where the companies decide what is deemed necessary to fix and the rest be damned (I have seen companies with serious production issues having to continue using broken software because the provider could not be arsed to fix a problem; with open source you have options if your provider is trying to hang you out to dry).
IANAL but write like a drunk one.
Companies and people that know what they are doing will spot unusual behaviour and trigger an alert, following the problem up until it gets fixed.
Or some of my former colleagues.
That is what we are paid to do (admin, security).
Application calls home? It shows in firewall logs.
Application is running? Is it authorized? No? It shows in log files.
Application is changing files? Changed files show in log files, situation is investigated until culprit is found.
And so on and so forth.
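The "application calls home? It shows in firewall logs" check from the comment above, as an added example (not the commenter's own tooling). It assumes outbound attempts are being logged by an iptables LOG rule, which tags locally generated packets with the sending UID= and GID=; the log lines below are constructed in that style, not captured from a real device, and the UIDs are placeholders. The first function flags connections from any UID not on the approved list, the second gives a per-UID count so a chatty newcomer stands out.

```shell
#!/bin/sh
# Added example: spotting unexpected "call home" attempts in iptables LOG output.
# SAMPLE_LOG is constructed to mimic the kernel's LOG target format; the UIDs,
# addresses and times are made up.
SAMPLE_LOG='Dec  5 10:01:12 kernel: OUTBOUND: IN= OUT=wlan0 SRC=10.0.0.5 DST=203.0.113.7 PROTO=TCP SPT=41234 DPT=443 UID=10042 GID=10042
Dec  5 10:01:13 kernel: OUTBOUND: IN= OUT=wlan0 SRC=10.0.0.5 DST=198.51.100.9 PROTO=TCP SPT=41235 DPT=80 UID=10077 GID=10077
Dec  5 10:02:40 kernel: OUTBOUND: IN= OUT=wlan0 SRC=10.0.0.5 DST=192.0.2.44 PROTO=UDP SPT=5353 DPT=5353 UID=10042 GID=10042
Dec  5 10:03:01 kernel: OUTBOUND: IN= OUT=rmnet0 SRC=10.0.0.5 DST=203.0.113.7 PROTO=TCP SPT=41240 DPT=443 UID=10099 GID=10099'

# Read log lines on stdin and print "UID DST:DPT" for every connection whose
# sending UID is not in the space-separated approved list given as $1.
# Fields are located by their KEY= prefix rather than by position, because
# the LOG target's field set varies between TCP, UDP and ICMP entries.
unexpected_callers() {
    approved="$1"
    awk -v approved="$approved" '
        BEGIN { n = split(approved, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        {
            uid = ""; dst = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^UID=/) uid = substr($i, 5)
                else if ($i ~ /^DST=/) dst = substr($i, 5)
                else if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            # Lines without a UID= are forwarded/incoming packets; ignore them here.
            if (uid != "" && !(uid in ok)) print uid, dst ":" dpt
        }'
}

# Read log lines on stdin and print "UID count", sorted by UID, so a newly
# installed app that suddenly talks a lot is easy to see.
calls_per_uid() {
    awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^UID=/) c[substr($i, 5)]++ }
         END { for (u in c) print u, c[u] }' | sort -k1,1n
}

# Usage with the constructed sample: 10042 and 10077 are the apps we
# whitelisted; 10099 is an app that was never approved.
printf '%s\n' "$SAMPLE_LOG" | unexpected_callers "10042 10077"
printf '%s\n' "$SAMPLE_LOG" | calls_per_uid
```

On a real device you would feed `dmesg` or `logcat -b kernel` into the same functions and keep the approved list in sync with the firewall whitelist; the UID can be mapped back to a package name with `pm list packages -U` on newer Android releases, or by reading the package's entry in /data/system/packages.list.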
Any company well organized will have procedures to install software, part of it would be to do due diligence checks about the software being installed.
It's prudent to note that Avira anti-virus used to be called "AntiVir"...but I'm pretty certain you're not talking about the same people..
Right. There's a rogue called AntiVir as well.
Nowhere near as annoying as the "heck with it, just backup and OSRI"-worthy "Internet Security 2010", however.
Internet Security 2010 is not OSRI-worthy. It can be removed in as little as 15 minutes, with the right tools, but usually other malware is on the PC when this or other fake security software is present, which does mean it is sometimes more cost-effective to do a wipe (backup first!) and reinstall.
And yes, IAAPCT.
"used to"? It still is: http://www.free-av.com/en/products/1/avira_antivir_personal__free_antivirus.html - and the premium version, clearly labeled, "Avira AntiVir Premium", is sold in the shop I work.
Go figure, I thought they'd fully changed their name. Learn something new every day.