Malicious App In Android Market
dumbnose writes to let us know that a fraudulent app that attempts to steal bank information has made it to the Android app store. From the alert: "NOTICE: Users of mobile devices with Android software may have noticed several applications available for download in the Android Marketplace. If you see any applications provided by the user Droid09, please do not download these applications. Android applications provided by Droid09 are fraudulent. Please remove any applications by Droid09 from your mobile device and contact your mobile provider to evaluate whether any other applications or information stored on your mobile device have been compromised." Multiple marketplaces are possible in the open Android ecosystem. Might we see the emergence of a marketplace distinguished by an iPhone-like app vetting process?
One great app I use is DroidWall, which is a simple GUI for iptables.
I set the default outbound policy to DROP, then specifically whitelist the apps that should reasonably have access to the internet.
Since Android apps have to specifically declare the privileges they require before installation (such as ability to read contact data, internet access, etc), then it's easy to make sure that all apps that read personal data are not whitelisted, unless they come from a reputable developer (e.g. Google-made apps). Any app that can read my contacts data, my calendar, my email, etc, is sure as hell not getting internet access for "usage statistics" or whatever other lame excuse they give.
I wish this functionality was built into the OS, rather than having to do it manually (for example, a way to disallow internet access during installation) -- but at least it's doable on Android. I don't think any other phone platforms give this level of permission separation or control. I'm not so sure that app review would really fix the overall problem; it might catch the obviously-malicious phishing apps like in this story, but I bet that the app auditors' opinion on what is a privacy violation differs greatly from my own.
I still wouldn't use my banking info on my phone regardless, since a phone is so easily losable, and locking/unlocking the data every time with a secure passphrase would probably be too inconvenient. At very most, I would only allow read access to transactions from my phone (if banks offered this), thereby limiting the amount of useful information or control a would-be attacker could gain from compromising my phone.
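One way to build the per-app outbound whitelist the comment above describes, written here as an added example rather than DroidWall's own code. It assumes a rooted device with `iptables` and `awk` on the PATH, that each installed app owns its own Linux UID (Android's normal model), and that UIDs can be looked up in `/data/system/packages.list` (an assumption; the path is a parameter). It prints the rules by default and only applies them when `DRY_RUN=0`.

```shell
#!/bin/sh
# Per-app outbound firewall on Android: default OUTPUT policy DROP, then
# ACCEPT only the UIDs of explicitly whitelisted apps (owner match).
# DRY_RUN=1 (default) echoes the iptables commands instead of running them.
DRY_RUN="${DRY_RUN:-1}"

ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# uid_of <package> [packages.list]: print the app's UID, exit 1 if absent.
# Assumes the "package uid ..." line format of /data/system/packages.list.
uid_of() {
    awk -v pkg="$1" '$1 == pkg { print $2; found = 1 } END { exit !found }' \
        "${2:-/data/system/packages.list}"
}

# apply_whitelist <uid>...: install the policy. Order matters: the DROP
# policy goes first so nothing slips out while the chain is being rebuilt.
apply_whitelist() {
    ipt -P OUTPUT DROP
    ipt -F OUTPUT
    # loopback stays open (local IPC over sockets must keep working)
    ipt -A OUTPUT -o lo -j ACCEPT
    # replies on flows that were already allowed in
    ipt -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # every packet generated locally carries its owner's UID; whitelist those
    for uid in "$@"; do
        ipt -A OUTPUT -m owner --uid-owner "$uid" -j ACCEPT
    done
    # anything else (an app with contact/SMS access "phoning home") hits the
    # default DROP policy; no explicit rule is needed.
}

if [ "$DRY_RUN" = "1" ]; then
    # constructed UIDs for the dry-run demonstration
    apply_whitelist 10045 10046
fi
```

On a real device, build the UID list with `uid_of` for the apps you trust (e.g. `apply_whitelist "$(uid_of com.android.browser)"`), then re-run with `DRY_RUN=0`.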
Sandboxing wouldn't help here. The app looks like your bank app. So, it just collects the information from you.
An iPhone-like vetting process would be "we'll reject it if we don't like the look of it". How about "Linux-distro style vetting process"?
Multiple repositories solve part of the problem, but more than just vetting the repository as a whole, we need to score/rank/blacklist/require individual applications and authors. What friends think of an application is much more important than the "average" score of everyone. IT departments need to add/update/remove applications for workers' phones, but also let the end user manage applications. Ban lists need to be available in a form that lets the end user (or their tech support) decide what to trust.
It's amazing that such a big industry has such crappy tools to manage applications. Making things "just work" for the end user does not need to mean a monopoly or tyrant controlling the (only) store.
tomorrow who's gonna fuss
From time immemorial, bazaars have had pickpockets.
This is why we can't have nice things.
And I'm sure US cellphone carriers can't wait for more malicious apps.
One that hath name thou can not otter
Even with vetting, it still won't keep a truly determined and malicious attacker away. Say someone makes an app that is popular and releases to the Android market. The only odd thing is that it asks for a lot of permissions. Lots of people download it, and it gains a cool buzz with nobody having problems with it, except for people who wonder about the huge amount of perms asked. But eventually people get to shrugging and continuing.
Then the app maker releases an update and slings in the malicious code. It copies off the address book to a remote site to sell to targeted phishers. It sends text messages to shady places, subscribing the phone network holder to numerous charge-by-month "services" (akin to the old modem dialers). It spawns a botnet client which can be used for spamming. It intercepts other apps to obtain their stored usernames and passwords, which are used for ID theft attacks (the bogus "hey bud, I'm stuck, could you wire me $500?" which a lot of people on social networks fell for).
So, even though Android has a very good priv model, in theory, it can still be stung by someone who drops in their malware at a later date.
One of the things my bank does for their mobile banking application (which is contracted out to another company) is to give you a special code that is akin to an extra "mobile password." You get this code from the bank's website after putting in your mobile phone number. You then must enter it on your phone and "activate" that phone to access your account. At any time, you can also go into the website and "deactivate" the device. At no time do you ever enter your banking login details into your phone; only this special code, which is tied to your phone number, mobile OS, and carrier (and that you can deactivate at any time), is entered into your phone.
It's not perfect security, but it certainly puts up a few more decent hurdles against phishing.
meep
And that's why certificates can be revoked, and apps can be pulled from the app store after the fact.
If you really want to steal people's info, just throw up a quick Magento site pretending to sell things at unlikely prices and submit a Froogle feed. Soon you'll be getting lots of orders and you can collect credit card numbers, addresses, etc. to your heart's content, and then disappear and repeat the process next week. Lots of people will give you their info without thinking about it.
At what price learning? At what cost wisdom? The price is a man's peace of mind, and the cost is his life.
What I can see is that carriers would have their own Android app stores, similar to how one carrier in the US used to require not just Microsoft code certificates on signed executables, but the carrier's as well. If the app wasn't signed by a certificate either from the carrier, or a key allowed by the carrier, the app wouldn't install on the phone. Of course, the certs can be yanked at a moment's notice.
I think it is natural to make the comparison, one of the only reasons that Apple has an advantage is because of the quality control it offers on its app store. Of course, until recently Apple didn't do any in app checking, to find out what exactly the app was doing.
And of course you are happy, until you get your information stolen. You might not even realise it, and even when you do, it would be hard to link it to a phone application rather than one of the usual methods.
I find your comment very odd; it adds nothing to the conversation, and complains about the obvious comparison that someone made, and that everybody was thinking about. Android army or just moron?
Do the Underhanded C Contest and Obfuscated C Contest ring any bells?
Even review of every line isn't enough. But it's better than what closed source can offer.
APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
The very same argument has been made as to why the XBox online experience is better than the PS3 or Wii. With MS, the control is in place. To participate, you have to accept the control (ask those banned due to hacked boxes). It's also why the PS network is getting some level of premium status to help curtail some of the problems related to that.
Apple's control is great in terms of keeping the store "clean", but the process they put in place didn't anticipate the number of submissions, overwhelming them and resulting in slow acceptance times, bogus rejections, etc. Someone will need to figure out a happy medium in terms of control and flexibility.
I think it is natural to make the comparison, one of the only reasons that Apple has an advantage is because of the quality control it offers on its app store. Of course, until recently Apple didn't do any in app checking, to find out what exactly the app was doing.
"Until recently"? So, in other words, it took them years, while Google has been at this for a lot less time? I am sure they will learn from their mistakes.
Yet it seems apps that Apple think are bad have slipped through from time to time. That was my point. The comparison would be great if it didn't cover the fact that until recently, such protections weren't in place, and things still slip through now and then.
And of course you are happy, until you get your information stolen. You might not even realise it, and even when you do, it would be hard to link it to a phone application rather than one of the usual methods.
I use a very small list of apps, because I am aware of the dangers. The vast majority of those apps are made by Google - thus making their use no more dangerous than my regular online "Google Experience" where they have access to the same exact info.
I find your comment very odd; it adds nothing to the conversation, and complains about the obvious comparison that someone made, and that everybody was thinking about. Android army or just moron?
Really? You cited some reasons why my comment wasn't "very odd" in pointing out that it took a couple years for Apple to make changes to try to prevent such things from occurring.
But that aside... if they had learned from Apple's mistakes and Apple's improvements by instituting an app marketplace where each app is verified to do only what it claims to do, this could have been prevented.
Because, yes, they shoulda learned... this has already been done, and done better... with their experience in the online area, they shouldn't be playing catch-up to Apple or anyone else.
I just found it odd for someone to jump right on the Apple iPhone vs Android soapbox so quickly without much else to contribute.
My take would have been more along the lines above, indicating I hope they've learned from both this experience and Apple's, and that they are making a concerted effort to start checking the 20,000 other apps on the app store.
StarTrekPhase2 - The Five Year Mission Continues!
Open source is another way to stop malware... not every user looks at the source, but enough curious ones will put out the warning should anything not be as it's marked.
Out of curiosity, what's to stop this situation: I build a "custom" version of an open-source application that includes a trojan. Maybe I use the application's original name, or maybe I add a few features/artwork and call it something different? People are just grabbing the exes, after all, and not building their own copy from the source.
My biggest fear is that a malicious app ends up in the fledgling Android modding community. This would bring bad press, just like the ssh password brought a lot of negative press to the iPhone jailbreak scene. Android modders are concerned right now about people who don't know the consequences of rooting a device [1] causing malware infestations. Bad press about rooted phones would give cellphone carriers and phone manufacturers more reason to have more Draconian means of ensuring their phone offerings do not get rooted (TPMs), or just abandoning Android altogether and championing a closed OS.
[1]: For most things, you don't need to root an Android phone. In general, if you want a dedicated feature, such as cooking and testing custom ROMs, running Android apps on the memory card, or enabling swap space, go for it. However, rooting an Android device "just because" is not really needed, and could be dangerous, especially for people who don't know the ramifications of the "#" prompt and why it isn't good to use it 24/7.
Simple. Time delay. Be like a trojan. Wait. Act nice. Then MAUL. Don't do it on all. Do it on 1% of the installs. NO ONE WILL BE THE WISER. Because, after all, you are ALL DUMASSES !! What you do, that's your business.
Suddenly your .exe doesn't match the MD5 hash of the real program. People will notice.
Basically, there's nothing in the app description or screenshots to suggest that the application, which uses only publicly available knowledge, violates any of the terms of Apple's app policy.
What about the "we may reject your application for any reason whatsoever" clause of Apple's policy?
... and then they built the supercollider.
It's prudent to note that Avira anti-virus used to be called "AntiVir"...but I'm pretty certain you're not talking about the same people..
Right. There's a rogue called AntiVir as well.
Nowhere near as annoying as the "heck with it, just backup and OSRI"-worthy "Internet Security 2010", however.
Assuming the app appears to do something 'real' [which I assume it does, as people download and use it], you can have the app access a web page that tells the app if it should harvest data or not. You simply don't enable the harvesting until after Apple has accepted it into the App Store.
And then what do you do about the fact that you have given Apple an address they have verified, and paid for a $99 developer account via some means they can trace back to you, and probably given them your bank account number and routing code?
That's a lot of exposure for a scam that's likely to be shut down in under a day.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
What makes "mobile" so different from the desktop?
I note that searches of Secunia, SANS.org, and CERT don't return any mention of it, which is curious given that the...alert...began spreading on or about the 3rd of December, 2009 according to a date-sorted Google search (who is Jeremy Allexon?). Said search likewise fails to turn up any sources which I would call "authoritative".
Given the nature of corporate competition...
Orwell: "In a Time of Universal Deceit, telling the Truth is a Revolutionary Act"
And applications can be pulled from the Android Market after the fact, which frankly is terrible security.
Apple's security model is still far inferior to Android's. Apple has a gateway-only approach: Apple decides remotely what does and does not run on iPhones and forgoes any local security. Android has a limited gateway and local security approach: Google can revoke malicious applications and make them go through some kind of testing beforehand (probably what Google will end up doing, limited semi/completely automated testing to check for obvious problems), and then you have local security on the device. The idea is that no program is trusted. Now with Apple you have a single point of failure; if a self-replicating virus/trojan gets past Apple then it's over, unless Apple uses the kill switch, if the kill switch works. With Android, if a virus/trojan can replicate you still need each user to authorise the install on each device.
You will also have more people watching Android applications; Google are quite open to security being questioned, whereas it is tantamount to heresy to even suggest that Apple has insecurities (and I'm certain some fanboys are frothing at the mouth reading this and typing an incoherent rant). The false sense of security that surrounds Apple is far more dangerous than the open nature of Android or the Android marketplace.
Calling someone a "hater" only means you can not rationally rebut their argument.
I agree with you, but your analogy is faulty. The Xbox Live experience is better because MS is a software company, and Sony is a hardware company.
A better analogy is why Ubuntu is more n00b-friendly than its parent Debian: the centralized control mechanisms which vet systems before they are implemented come from a small group with a specific purpose in mind, which does not include doing absolutely everything possible. However, I do believe an attack like this is possible, but not probable, on the iPhone due to the nature of the people at Apple. Also, if this did succeed they would just sue them into the ground, and get them and all their associates imprisoned, also due to the nature of the people at Apple.
Would you care to elaborate on PSN vs Live? Live has nothing more to give than PSN except the cost (I don't see the added value to justify that). Frankly, I fail to see a relation between the matter at hand and that.
On Live, if you get banned for violating their ToS (for example, hacking your box, cheating, sufficient complaints of racism) then you are banned from all online play. On the PS3, Sony does not (to my knowledge) participate in the ban process except for their own services. So, if you get banned from Home for racism you can still play all your other games online. Each game needs to ban you individually, thus fewer asshats will be banned for any particular game.
Even the cost itself helps here. If someone gets banned from PSN for cheating, they can just make another free account. If someone gets banned from XBL, they must pony up cash to create a new account, giving a monetary disincentive to cheat.
Write your representatives! Repeal the 2nd Law of Thermodynamics!
You are blaming Sony for a lack of control of their hardware? That should be a first here.
No, control on their network. MS only has control over their hardware in as much as they can limit access to their network capabilities. However, more importantly, they can use this same control to limit any ToS violation, particularly cheating, while any mechanism on PSN can be easily circumvented with a new account.
I think people are missing the point here - this isn't about a malicious app on some random website, with people saying "Well it wouldn't happen with Apple, because you can only run what they allow you", it's about a product on Google's App Store.
AFAIK, they can and do control what goes on here - the problem was they failed to spot it.
So what this shows is that relying on app stores isn't necessarily safe after all - personally I prefer the freedom to download from where I like, as offered by Android, Symbian, Linux, Windows and every OS on the planet except You Know What.
Every app for Android must be signed. It's free to do so, but the only thing missing is a web of trust.