Slashdot Mirror


Malicious App In Android Market

dumbnose writes to let us know that a fraudulent app that attempts to steal bank information has made it to the Android app store. From the alert: "NOTICE: Users of mobile devices with Android software may have noticed several applications available for download in the Android Marketplace. If you see any applications provided by the user Droid09, please do not download these applications. Android applications provided by Droid09 are fraudulent. Please remove any applications by Droid09 from your mobile device and contact your mobile provider to evaluate whether any other applications or information stored on your mobile device have been compromised." Multiple marketplaces are possible in the open Android ecosystem. Might we see the emergence of a marketplace distinguished by an iPhone-like app vetting process?

3 of 340 comments

  1. Re:No sandboxing? by slifox · Score: 5, Informative

    Android has sandboxing, to a degree

    Each app has its own user and group ID, and filesystem permissions are used to determine what data an app can access.

    Additionally, apps have to declare the special permissions they require before installation, such as internet access, read contacts data, etc...

    Android is way ahead in this department -- this story is simply a case of phishing: the users thought the app was a legit bank app, and they willingly gave their sensitive information to it. It's hard to prevent that without user training, and the success of normal email/website phishing has shown that very few users are "trained" in this sense...

  2. Re:Check for the signed label! by davester666 · Score: 5, Informative

    Um, no.

    Apple's certification process is unlikely to uncover an app like this. Assuming the app appears to do something 'real' [which I assume it does, as people download and use it], you can have the app access a web page that tells the app if it should harvest data or not. You simply don't enable the harvesting until after Apple has accepted it into the App Store. Black box testing won't uncover it, and static program analysis is unlikely to either [short of the app obviously using restricted APIs]. And apps can poke around the system, and I think even other apps' data, without even needing to hardcode in paths.

    Now, it might be easier for Apple to be able to trace where exactly the app came from than it is for Google...

    --
    Sleep your way to a whiter smile...date a dentist!
  3. Re:Check for the signed label! by Bogtha · Score: 5, Informative

    This is not the case. Apple don't perform in-depth testing in this manner; they don't have access to the source code and some developers have already successfully bypassed the rules of the App Store by hiding functionality as easter eggs. It is trivial to put malicious code in an iPhone app that won't be triggered until after the application is already in the App Store. The security restrictions on what the iPhone OS lets you do don't save you from this kind of attack either; it sounds like all an equivalent iPhone app would have to do is embed a UIWebView and wait for people to enter their information.

    --
    Bogtha Bogtha Bogtha
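
An added example (not part of the thread and not any poster's code) illustrating the point in comment 1 that install-time permission declarations do not flag a phishing app: it reads the declared permissions from constructed text-form manifests and shows that a look-alike app needs nothing beyond network access. The package names, the `SENSITIVE` shortlist and the `manifest`/`review` helpers are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Attribute key for android:name in the Android manifest XML namespace.
NAME = "{http://schemas.android.com/apk/res/android}name"
INTERNET = "android.permission.INTERNET"
# Reviewer's shortlist of data-exposing permissions (an assumption, not exhaustive).
SENSITIVE = {"android.permission.READ_CONTACTS", "android.permission.READ_SMS",
             "android.permission.ACCESS_FINE_LOCATION"}

def manifest(package, *perms):
    """Build a constructed text-form manifest for the demo (not a real app)."""
    uses = "".join(f'<uses-permission android:name="{p}"/>' for p in perms)
    return ('<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
            f'package="{package}">{uses}<application/></manifest>')

def review(manifest_xml):
    """Return what an install-time permission prompt would reveal about an app."""
    root = ET.fromstring(manifest_xml)
    # De-duplicate repeated entries and skip elements with no android:name.
    declared = sorted({el.get(NAME) for el in root.iter("uses-permission") if el.get(NAME)})
    return {
        "package": root.get("package"),
        "declared": declared,
        "sensitive": [p for p in declared if p in SENSITIVE],
        # With network access, anything the user types into the app can leave the device.
        "typed_input_can_leave_device": INTERNET in declared,
    }

# Constructed samples: a look-alike "bank" app and a contacts backup app.
LOOKALIKE = manifest("com.example.lookalikebank", INTERNET)
BACKUP = manifest("com.example.contactsbackup", INTERNET,
                  "android.permission.READ_CONTACTS", "android.permission.READ_CONTACTS")

if __name__ == "__main__":
    for sample in (LOOKALIKE, BACKUP):
        r = review(sample)
        print(r["package"], r["declared"], "sensitive:", r["sensitive"],
              "network:", r["typed_input_can_leave_device"])
```

The look-alike sample comes back with an empty `sensitive` list, so a permission-based check rates it as lower risk than the backup app even though credentials typed into it can still be sent off the device.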