Malicious App In Android Market
dumbnose writes to let us know that a fraudulent app that attempts to steal bank information has made it to the Android app store. From the alert: "NOTICE: Users of mobile devices with Android software may have noticed several applications available for download in the Android Marketplace. If you see any applications provided by the user Droid09, please do not download these applications. Android applications provided by Droid09 are fraudulent. Please remove any applications by Droid09 from your mobile device and contact your mobile provider to evaluate whether any other applications or information stored on your mobile device have been compromised." Multiple marketplaces are possible in the open Android ecosystem. Might we see the emergence of a marketplace distinguished by an iPhone-like app vetting process?
Android has sandboxing, to a degree
Each app has its own user and group ID, and filesystem permissions are used to determine what data an app can access.
Additionally, apps have to declare the special permissions they require before installation, such as internet access, reading contacts data, etc.
Android is way ahead in this department -- this story is simply a case of phishing: the users thought the app was a legit bank app, and they willingly gave their sensitive information to it. It's hard to prevent that without user training, and the success of normal email/website phishing has shown that very few users are "trained" in this sense...
Android already has sandboxing. Every app installs under its own user ID by default, and if it wants more permissions, it will ask the user on install, and the user can deny it.
Even if this app had no permissions whatsoever except to display on the screen and send info back to a server, it would be successful, as it was made for social engineering, as opposed to having compromise of the Android device as its primary function.
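The two comments above make a point worth seeing in code: the install-time permission list tells you what an app *can* do, not what it intends to do. The following is an added example (not code from the thread or from any Android project) that parses the `uses-permission` entries of an AndroidManifest.xml and reports what the declared set lets the app reach. The manifest is constructed for illustration, and the "sensitive" permission table is this example's own assumption, not an Android-defined classification. An app declaring only INTERNET still passes a permission review and can still phish whatever the user types into it.

```python
"""Audit the permissions an Android app declares in its manifest.

Added example for this thread. The manifest below is constructed
for illustration; the SENSITIVE table is an assumption made here,
not an Android-defined risk classification.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed manifest for a hypothetical fake "bank" app that reads
# contacts and talks to the network.
FAKE_BANK_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakebank">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <application android:label="Example Bank">
        <activity android:name=".LoginActivity"/>
    </application>
</manifest>
"""

# Constructed manifest for a pure phishing app: network only, nothing
# else. This is the case the comment above describes.
PHISH_ONLY_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.phishonly">
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Example Bank">
        <activity android:name=".LoginActivity"/>
    </application>
</manifest>
"""

# Assumed buckets: permissions that expose data already on the device.
SENSITIVE = {
    "android.permission.READ_CONTACTS": "reads the contact list",
    "android.permission.READ_SMS": "reads SMS messages",
    "android.permission.ACCESS_FINE_LOCATION": "reads precise location",
}
NETWORK = {"android.permission.INTERNET"}


def declared_permissions(manifest_xml):
    """Return the android:name of every <uses-permission> element."""
    root = ET.fromstring(manifest_xml.encode("utf-8"))
    name_attr = "{%s}name" % ANDROID_NS
    return sorted(el.get(name_attr) for el in root.iter("uses-permission")
                  if el.get(name_attr))


def audit(manifest_xml):
    """Summarise what the declared permission set allows.

    Returns a dict with the permission list, human-readable findings,
    and whether the app can both read sensitive data and send it out.
    """
    perms = set(declared_permissions(manifest_xml))
    sensitive = sorted(p for p in perms if p in SENSITIVE)
    has_net = bool(perms & NETWORK)

    findings = ["%s (%s)" % (SENSITIVE[p], p) for p in sensitive]
    if has_net and sensitive:
        findings.append("network + sensitive data: can exfiltrate what it reads")
    elif has_net:
        # Nothing on the device is exposed, but the app can still ship
        # whatever the user types into it. Permissions cannot catch this.
        findings.append("network only: can still phish what the user types in")

    return {
        "permissions": sorted(perms),
        "findings": findings,
        "exfil_capable": has_net and bool(sensitive),
    }


if __name__ == "__main__":
    for label, manifest in (("fake bank", FAKE_BANK_MANIFEST),
                            ("phish only", PHISH_ONLY_MANIFEST)):
        result = audit(manifest)
        print(label, result["permissions"])
        for line in result["findings"]:
            print("  -", line)
```

Run against a real APK, `declared_permissions` would be fed the decoded manifest (the binary AXML inside the APK has to be decoded first, which this example does not do). The point of the second manifest is the one the comment makes: a permission review flags the first app as able to exfiltrate contacts, but has nothing to say about the second beyond "it uses the network", which describes nearly every legitimate app too.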
How about "Linux-distro style vetting process"?
Impossible, unless all apps are required to be open source ...
Not true. You can have binary only repositories. Ubuntu 9.10 has a "partner" repository from which you can install Flash, and interestingly, you can add it to your sources list by clicking a link in Firefox.
Um, no.
Apple's certification process is unlikely to uncover an app like this. Assuming the app appears to do something 'real' [which I assume it does, as people download and use it], you can have the app access a web page that tells the app if it should harvest data or not. You simply don't enable the harvesting until after Apple has accepted it into the App Store. Black box testing won't uncover it, and static program analysis is unlikely to either [short of the app obviously using restricted APIs]. And apps can poke around the system, and I think even other apps data without even needing to hardcode in paths.
Now, it might be easier for Apple to be able to trace where exactly the app came from than it is for Google...
This is not the case. Apple don't perform in-depth testing in this manner; they don't have access to the source code, and some developers have already successfully bypassed the rules of the App Store by hiding functionality as easter eggs. It is trivial to put malicious code in an iPhone app that won't be triggered until after the application is already in the App Store. The security restrictions on what the iPhone OS lets you do don't save you from this kind of attack either; it sounds like all an equivalent iPhone app would have to do is embed a UIWebView and wait for people to enter their information.
Open source is another way to stop malware... not every user looks at the source, but enough curious ones will put out the warning should anything not be as it's marked.
That's commonly claimed, but there is not much evidence to back it. There just aren't enough people interested in looking at source to cover all the apps if the Android market gets as big as the iPhone market.
Yes, but it's not just that.. it's also that Apple redefines the terms as they go along.
"It's impossible to write a virus for our platform!"
"Ok, here's one I wrote."
"That's not a virus."
"Oh really? How do you figure?"
"It requires user help to move from machine to machine."
"Uhhhh... yes, that's what a virus is."
"No, it has to move from machine to machine without user intervention to be a virus."
"No.. that's a worm.. as has been clearly defined since the Morris worm."
"We call it a virus."
"You're idiots. This is a virus and it is trivial to write them for your platform. In fact, it's easier to write viruses for OS X than any other platform, as there's literally dozens of ways to load code into every running process simultaneously."
"We disagree."
and so on.
Apple, they believe their own hype and they're willing to deny reality to maintain that belief.
http://www.readwriteweb.com/archives/dear_iphone_users_your_apps_are_spying_on_you.php
It's nice to see the other side of the coin though. In the App Store, this would never have made it through.
Malware is only going to grow on Android.
Don't get me wrong, I think Apple are TOO controlling, but as Android phones become more ubiquitous, malware is going to get worse.
This is only the beginning. (Ominous music)