Slashdot Mirror


Malicious App In Android Market

dumbnose writes to let us know that a fraudulent app that attempts to steal bank information has made it to the Android app store. From the alert: "NOTICE: Users of mobile devices with Android software may have noticed several applications available for download in the Android Marketplace. If you see any applications provided by the user Droid09, please do not download these applications. Android applications provided by Droid09 are fraudulent. Please remove any applications by Droid09 from your mobile device and contact your mobile provider to evaluate whether any other applications or information stored on your mobile device have been compromised." Multiple marketplaces are possible in the open Android ecosystem. Might we see the emergence of a marketplace distinguished by an iPhone-like app vetting process?

29 of 340 comments

  1. Check for the signed label! by LostCluster · · Score: 5, Insightful

    This is something that is far more unlikely to happen on the iPhone because of Apple's strict control and testing of all apps. Even the "jailbreak" stores will reject things that aren't as advertised.

    Allow open development, and you've basically got a platform that the bad guys can target. There are already standards for signing code to prove that an app came from who you thought it did.

    1. Re:Check for the signed label! by Darkness404 · · Score: 5, Insightful

      However, there is balance. Look at Ubuntu's repositories: they rarely really "reject" any applications, and everything in there is more or less malware-free. I can see there being a market for trusted repositories in Android also.

      --
      Taxation is legalized theft, no more, no less.
    2. Re:Check for the signed label! by davester666 · · Score: 5, Informative

      Um, no.

      Apple's certification process is unlikely to uncover an app like this. Assuming the app appears to do something 'real' [which I assume it does, as people download and use it], you can have the app access a web page that tells the app if it should harvest data or not. You simply don't enable the harvesting until after Apple has accepted it into the App Store. Black box testing won't uncover it, and static program analysis is unlikely to either [short of the app obviously using restricted APIs]. And apps can poke around the system, and I think even other apps' data, without even needing to hardcode in paths.

      Now, it might be easier for Apple to be able to trace where exactly the app came from than it is for Google...

      --
      Sleep your way to a whiter smile...date a dentist!
    3. Re:Check for the signed label! by Bogtha · · Score: 5, Informative

      This is not the case. Apple don't perform in-depth testing in this manner; they don't have access to the source code, and some developers have already successfully bypassed the rules of the App Store by hiding functionality as easter eggs. It is trivial to put malicious code in an iPhone app that won't be triggered until after the application is already in the App Store. The security restrictions on what the iPhone OS lets you do don't save you from this kind of attack either; it sounds like all an equivalent iPhone app would have to do is embed a UIWebView and wait for people to enter their information.

      --
      Bogtha Bogtha Bogtha
    4. Re:Check for the signed label! by harlows_monkeys · · Score: 4, Informative

      Open source is another way to stop malware... not every user looks at the source, but enough curious ones will put out the warning should anything not be as it's marked.

      That's commonly claimed, but there is not much evidence to back it. There just aren't enough people interested in looking at source to cover all the apps if the Android market gets as big as the iPhone market.

    5. Re:Check for the signed label! by BronsCon · · Score: 5, Interesting

      Do the Underhanded C Contest and Obfuscated C Contest ring any bells?

      Even review of every line isn't enough. But it's better than what closed source can offer.

      --
      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
    6. Re:Check for the signed label! by SQLGuru · · Score: 4, Interesting

      The very same argument has been made as to why the Xbox online experience is better than the PS3 or Wii. With MS, the control is in place. To participate, you have to accept the control (ask those banned due to hacked boxes). It's also why the PS network is getting some level of premium status to help curtail some of the problems related to that.

      Apple's control is great in terms of keeping the store "clean", but the process they put in place didn't anticipate the number of submissions, overwhelming them and resulting in slow acceptance times, bogus rejections, etc. Someone will need to figure out a happy medium in terms of control and flexibility.

    7. Re:Check for the signed label! by brit74 · · Score: 4, Interesting

      Open source is another way to stop malware... not every user looks at the source, but enough curious ones will put out the warning should anything not be as it's marked.

      Out of curiosity, what's to stop this situation: I build a "custom" version of an open-source application that includes a trojan. Maybe I use the application's original name, or maybe I add a few features/artwork and call it something different? People are just grabbing the .exes, after all, and not building their own copy from the source.

    8. Re:Check for the signed label! by LostCluster · · Score: 4, Interesting

      Suddenly your .exe doesn't match the MD5 hash of the real program. People will notice.

    9. Re:Check for the signed label! by dotgain · · Score: 5, Insightful

      Um, which people will notice?

    10. Re:Check for the signed label! by mjwx · · Score: 5, Interesting

      And that's why certificates can be revoked, and apps can be pulled from the app store after the fact.

      And applications can be pulled from the Android Market after the fact, which frankly is terrible security.

      Apple's security model is still far inferior to Android's. Apple have a gateway-only approach: Apple decides what does and does not run on iPhones remotely and forgoes any local security. Android has a limited gateway and local security approach: Google can revoke malicious applications and make them go through some kind of testing beforehand (probably what Google will end up doing, limited semi/completely automated testing to check for obvious problems), and then you have local security on the device. The idea is that no program is trusted. Now with Apple you have a single point of failure: if a self-replicating virus/trojan gets past Apple then it's over unless Apple uses the kill switch, if the kill switch works. With Android, if a virus/trojan can replicate you still need each user to authorise install on each device.

      You will also have more people watching Android applications. Google are quite open to security being questioned, whereas it is tantamount to heresy to even suggest that Apple has insecurities (and I'm certain some fanboys are frothing at the mouth reading this and typing an incoherent rant). The false sense of security that surrounds Apple is far more dangerous than the open nature of Android or the Android marketplace.

      --
      Calling someone a "hater" only means you can not rationally rebut their argument.
  2. Use an Outbound Firewall by slifox · · Score: 5, Interesting

    One great app I use is DroidWall, which is a simple GUI for iptables.
    I set the default outbound policy to DROP, then specifically whitelist the apps that should reasonably have access to the internet.

    Since Android apps have to specifically declare the privileges they require before installation (such as the ability to read contact data, internet access, etc), it's easy to make sure that all apps that read personal data are not whitelisted, unless they come from a reputable developer (e.g. Google-made apps). Any app that can read my contacts data, my calendar, my email, etc, is sure as hell not getting internet access for "usage statistics" or whatever other lame excuse they give.

    I wish this functionality was built into the OS, rather than having to do it manually (for example, a way to disallow internet access during installation) -- but at least it's doable on Android. I don't think any other phone platforms give this level of permission separation or control. I'm not so sure that app review would really fix the overall problem; it might catch the obviously-malicious phishing apps like in this story, but I bet that the app auditors' opinion on what is a privacy violation differs greatly from my own.

    I still wouldn't use my banking info on my phone regardless, since a phone is so easily losable, and locking/unlocking the data every time with a secure passphrase would probably be too inconvenient. At the very most, I would only allow read access to transactions from my phone (if banks offered this), thereby limiting the amount of useful information or control a would-be attacker could gain from compromising my phone.

    1. Re:Use an Outbound Firewall by dumbnose · · Score: 5, Insightful

      Sounds like a really easy way for your standard user to administer their phone. My mom would totally get that....no wait....I think I meant the opposite of that. Yeah.

      Seriously, though, how do you communicate this to your standard, non-techie user?

    2. Re:Use an Outbound Firewall by slifox · · Score: 4, Insightful

      This app is just another vector in the long history of internet phishing attacks

      The problem isn't technical, but rather lack of user training

      The internet is not a safe place. If you want to use it openly, you better not be gullible and hand out your info to anyone who asks.

      One solution would be to set up the phone for your non-techie friend, and whitelist all the apps that they'll need that should have internet access. Yes, this means they'll have limited use of new apps, but if they can't figure out when not to give out their bank details, they aren't sufficiently trained to safely use the internet.

    3. Re:Use an Outbound Firewall by Anonymous Coward · · Score: 4, Interesting

      Any app that can read my contacts data, my calendar, my email, etc, is sure as hell not getting internet access for "usage statistics" or whatever other lame excuse they give.

      Usage statistics are the only reliable way to get real feedback about how actual users interact with the software (short of having a horde of QA testers that we can't afford). Some of the more useful things that my apps track (anonymized and with the terms stated clearly on install with an opt-out):

      (1) Which settings are most often changed, and to what. This helps us put the most-changed settings near the top and set better defaults. If a setting is changed back and forth a lot, that usually tells us that the UI needs a widget to control that behavior.

      (2) Which functions are used most or used most together. This helps organize the UI in accord with the most common usage patterns. Many times, we will see that users do the same clusters of things over and over and that lets us combine those into a single task in some fashion.

      (3) What functions/options are almost never used, especially ones we had imagined would be useful. This is usually a sign that we have either totally dropped the ball on implementation or interface or that we don't understand the user's workflow.

      I will admit that this is largely a matter of trust between the developer and the user -- I really can't blame users that opt-out or firewall us because they really don't have a reason to trust us. That said, such distrust does deprive us of very important data that we use to improve our products. I just want to express my deep appreciation for all the users that have let us have their usage statistics -- we really do read and act on them!

    4. Re:Use an Outbound Firewall by QuantumG · · Score: 4, Informative

      Yes, but it's not just that.. it's also that Apple redefines the terms as they go along.

      "It's impossible to write a virus for our platform!"
      "Ok, here's one I wrote."
      "That's not a virus."
      "Oh really? How do you figure?"
      "It requires user help to move from machine to machine."
      "Uhhhh... yes, that's what a virus is."
      "No, it has to move from machine to machine without user intervention to be a virus."
      "No.. that's a worm.. as has been clearly defined since the Morris worm."
      "We call it a virus."
      "You're idiots. This is a virus and it is trivial to write them for your platform. In fact, it's easier to write viruses for OS X than any other platform, as there's literally dozens of ways to load code into every running process simultaneously."
      "We disagree."

      and so on.

      Apple, they believe their own hype and they're willing to deny reality to maintain that belief.

      --
      How we know is more important than what we know.
  3. Re:No sandboxing? by dumbnose · · Score: 4, Interesting

    Sandboxing wouldn't help here. The app looks like your bank app. So, it just collects the information from you.

  4. Re:No sandboxing? by LostCluster · · Score: 5, Insightful

    Sandboxing is an "always deny" tech that keeps legit applications from working easily. Effective, yes. Going to catch on with the average user, no.

  5. Re:No sandboxing? by slifox · · Score: 5, Informative

    Android has sandboxing, to a degree

    Each app has its own user and group ID, and filesystem permissions are used to determine what data an app can access.

    Additionally, apps have to declare the special permissions they require before installation, such as internet access, read contacts data, etc...

    Android is way ahead in this department -- this story is simply a case of phishing: the users thought the app was a legit bank app, and they willingly gave their sensitive information to it. It's hard to protect against that without user training, and the success of normal email/website phishing has shown that very few users are "trained" in this sense...
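    The two slifox comments above (the DroidWall default-DROP whitelist and the per-app UID sandbox) describe one mechanism from two sides; here is an added example tying them together, not DroidWall's own code. It assumes each app runs as its own Linux UID and that iptables' owner match can filter on that UID; the app names, UIDs, publishers, permission sets and the TRUSTED_PUBLISHERS choice are constructed for the example.

```python
"""Default-deny outbound policy derived from declared Android permissions.

Added example, not DroidWall's code. It assumes two things the thread states:
every Android app runs under its own Linux UID, and iptables can match traffic
by that UID (the owner match). App names, UIDs, publishers and permission sets
are constructed sample data; TRUSTED_PUBLISHERS is this example's choice.
"""
from dataclasses import dataclass, field

INTERNET = "android.permission.INTERNET"
# An app holding any of these gets no network unless its publisher is trusted.
SENSITIVE = {
    "android.permission.READ_CONTACTS",
    "android.permission.READ_CALENDAR",
    "android.permission.READ_SMS",
}
TRUSTED_PUBLISHERS = {"Google"}  # assumption: publishers the phone's owner trusts


@dataclass
class App:
    name: str
    uid: int
    publisher: str
    permissions: set = field(default_factory=set)


def allow_outbound(app: App) -> bool:
    """Whitelist only apps that declare INTERNET and either touch no private
    data or come from a trusted publisher."""
    if INTERNET not in app.permissions:
        return False  # never asked for the network; nothing to whitelist
    touches_private_data = bool(app.permissions & SENSITIVE)
    return not touches_private_data or app.publisher in TRUSTED_PUBLISHERS


def iptables_rules(apps) -> list:
    """Return iptables commands for a whitelist-only OUTPUT chain.

    Whitelist rules come before the DROP policy so switching the policy never
    interrupts an approved app. Loopback stays open for local services. DNS is
    not handled: early Android resolved names inside the app's own process
    (covered by its UID rule); later versions use a system resolver daemon,
    which would need a rule of its own.
    """
    rules = ["iptables -A OUTPUT -o lo -j ACCEPT"]
    for app in apps:
        if allow_outbound(app):
            rules.append(f"iptables -A OUTPUT -m owner --uid-owner {app.uid} -j ACCEPT")
    rules.append("iptables -P OUTPUT DROP")
    return rules


# Constructed sample inventory: the kind of mix a phone might hold.
SAMPLE_APPS = [
    App("weather", 10005, "Unknown", {INTERNET}),
    App("battery-widget", 10006, "Unknown", {INTERNET, "android.permission.READ_CONTACTS"}),
    App("contacts-sync", 10007, "Google", {INTERNET, "android.permission.READ_CONTACTS"}),
    App("notepad", 10008, "Unknown", set()),
]

if __name__ == "__main__":
    print("\n".join(iptables_rules(SAMPLE_APPS)))
```

    The battery widget in the sample is exactly the case slifox rules out: it declares INTERNET but also reads contacts and has no trusted publisher, so it gets no ACCEPT rule and falls through to the DROP policy.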

  6. Re:An iPhone-like process? by LostCluster · · Score: 4, Insightful

    iPhone's vetting process has an "AT&T doesn't like it, so Apple will deny" clause that the jailbreak stores don't. Apple then claims that jailbroken apps could be trojans that will overload AT&T's network.

    Google seems to be taking a "we'll do what we want and carriers can't stop us" attitude. Good luck with that.

  7. Re:An iPhone-like process? by mounthood · · Score: 4, Interesting

    An iPhone-like vetting process would be "we'll reject it if we don't like the look of it". How about "Linux-distro style vetting process"?

    Multiple repositories solve part of the problem, but more than just vetting the repository as a whole, we need to score/rank/blacklist/require individual applications and authors. What friends think of an application is much more important than the "average" score of everyone. IT departments need to add/update/remove applications for workers' phones, but also let the end user manage applications. Ban lists need to be available in a form that lets the end user (or their tech. support) decide what to trust.

    It's amazing that such a big industry has such crappy tools to manage applications. Making things "just work" for the end user does not need to mean a monopoly or tyrant controlling the (only) store.

    --
    tomorrow who's gonna fuss
  8. Re:An iPhone-like process? by mounthood · · Score: 4, Informative

    How about "Linux-distro style vetting process"?

    Impossible, unless all apps are required to be open source ...

    Not true. You can have binary only repositories. Ubuntu 9.10 has a "partner" repository from which you can install Flash, and interestingly, you can add it to your sources list by clicking a link in Firefox.

    --
    tomorrow who's gonna fuss
  9. Re:If you want to be free by ducomputergeek · · Score: 4, Insightful

    Tragedy of the Commons comes to mind here. People around here like to bitch about Apple's policies with their app store, but I understood the reasoning behind it from the beginning. The average consumer doesn't know better. A cute app that is malicious can spread to millions of users before someone wises up. And it only takes one or two to make people fearful of the platform.

    It will be fun to see if the carriers take advantage of this and try to get control over the handsets back in their court as opposed to that of Google. If it happens a couple more times, I can see the Verizon App store popping up and a Verizon UI required on all Android phones that only allows users to use their store. And I'm sure a lot of the apps will require extra "monthly" fees.

    --
    "The problem with socialism is eventually you run out of other people's money" - Thatcher.
  10. Separate passcode locked to a verified device by beakerMeep · · Score: 4, Interesting

    One of the things my bank does for their mobile banking application (which is contracted out to another company) is to give you a special code that is akin to an extra "mobile password." You get this code from the bank's website after putting in your mobile phone number. You then must enter it on your phone and "activate" that phone to access your account. At any time also, you can go into the website and "deactivate" the device. At no time do you ever enter your banking login details into your phone; only this special code, which is tied to your phone number, mobile OS, and carrier (and that you can deactivate at any time), is entered into your phone.

    It's not perfect security, but it certainly puts up a few more decent hurdles against phishing.

    --
    meep
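    The activation flow beakerMeep describes, as an added example of how the bank's side of it can be modelled; this is not any bank's code. The class and method names, the 10-minute code lifetime and the sample account, phone and carrier values are this example's own assumptions.

```python
"""Device activation codes for mobile banking, modelled on beakerMeep's bank.

Added example, not any bank's code. Flow: the user logs in on the bank's
website and requests a code for a phone number; the phone redeems the code and
receives a device token bound to phone number, OS and carrier; the website can
deactivate the device at any time. The bank password is never entered on the
phone. Names, the code lifetime and the sample values are assumptions.
"""
import hashlib
import hmac
import os
import secrets
import time

CODE_TTL = 600  # seconds an unredeemed activation code stays valid (assumption)


class ActivationServer:
    def __init__(self):
        self.pending = {}  # activation code -> (account, phone, expiry time)
        self.devices = {}  # HMAC(token) -> device record; raw tokens never stored
        self._pepper = os.urandom(32)  # server secret keyed into the token hash

    def _hash(self, token: str) -> str:
        return hmac.new(self._pepper, token.encode(), hashlib.sha256).hexdigest()

    def issue_code(self, account: str, phone: str, now: float = None) -> str:
        """Website step: after a full login, issue a short-lived one-time code."""
        now = time.time() if now is None else now
        code = f"{secrets.randbelow(10**8):08d}"
        self.pending[code] = (account, phone, now + CODE_TTL)
        return code

    def activate(self, code, phone, os_name, carrier, now: float = None):
        """Phone step: redeem the code once; get a token bound to this device."""
        now = time.time() if now is None else now
        entry = self.pending.pop(code, None)  # pop makes the code single-use
        if entry is None:
            return None
        account, expected_phone, expires = entry
        if now > expires or phone != expected_phone:
            return None
        token = secrets.token_urlsafe(32)
        self.devices[self._hash(token)] = {"account": account, "phone": phone,
                                           "os": os_name, "carrier": carrier,
                                           "active": True}
        return token

    def authorize(self, token, phone, os_name, carrier):
        """Per-request check: token must be known, active and match the device."""
        rec = self.devices.get(self._hash(token))
        if rec is None or not rec["active"]:
            return None
        if (rec["phone"], rec["os"], rec["carrier"]) != (phone, os_name, carrier):
            return None
        return rec["account"]

    def deactivate(self, account: str, phone: str) -> int:
        """Website step: revoke every active token for this account and phone."""
        hits = [r for r in self.devices.values()
                if r["account"] == account and r["phone"] == phone and r["active"]]
        for rec in hits:
            rec["active"] = False
        return len(hits)
```

    The phone number, OS and carrier are self-reported by the device, so the real protection is the unguessable token plus the website's deactivate switch; the attributes only narrow what a copied token is good for.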
  11. Re:An iPhone-like process? by A1rmanCha1rman · · Score: 4, Insightful

    An iPhone-like vetting process would be "we'll reject it if we don't like the look of it". How about "Linux-distro style vetting process"?

    The iPhone vetting process is closer to Slifox's "err on the side of caution" method on his outbound firewall, with the default being set to DROP (deny the app), followed by a specific whitelist (approved apps subject to continuous monitoring for "good behaviour").

    Quite a number of approved apps in the iPhone App Store have been caught out doing naughty things like accessing and sending "home" users' Contacts - email addresses, phone numbers and home/work addresses - where they really had no business requiring such information for their function (battery charge display apps, games etc) and have promptly been expelled from the app store - quite rightly in my opinion.

    The price of true freedom is eternal vigilance, not laissez-faire do-what-you-please laxity...

    --
    I get up, I get down...
  12. Why bother? by MikeFM · · Score: 4, Interesting

    If you really want to steal people's info just throw up a quick Magento site pretending to sell things at unlikely prices and submit a Froogle feed. Soon you'll be getting lots of orders and you can collect credit card numbers, addresses, etc to your heart's content and then disappear and repeat the process next week. Lots of people will give you their info without thinking about it.

    --
    At what price learning? At what cost wisdom? The price is a man's peace of mind, and the cost is his life.
  13. My vetting process is simple. . . by JSBiff · · Score: 4, Insightful

    Why on Earth would you download a 'bank' app from anyone other than *YOUR BANK*? I'm only gonna do online banking from the website or apps provided to me directly from my bank. I'm not gonna download anything from the Android market, from some random user, and do banking with it. Who thinks that it's a good idea to do 'banking' with an app by a random developer? I mean, *maybe*, maybe if it was someone large and established, like IBM, Google, Microsoft, or Apple, I *might* consider using third party software, but certainly not anyone I've never heard of before.

  14. Re:Then the developer is screwed by mjwx · · Score: 5, Insightful

    And then what do you do about the fact that you have given Apple an address they have verified

    Quite easy to give and verify a fake address, especially if it's in a foreign country.

    and paid for a $99 developer account via some means they can trace back to you

    Once again, easy to do with a foreign bank.

    There are plenty of easy ways to prove addresses that can be easily faked, bank statements, utility bills. Plus there is the idea of using someone else's identity entirely.

    Let me put it this way, anyone smart enough to develop a scheme like this is smart enough to defeat Apple's rudimentary address/credit checks.

    That's a lot of exposure for a scam that's likely to be shut down in under a day.

    You seem to have a lot of faith in Apple's ability to detect a hidden scam once it has already penetrated their security (the app store). It's entirely plausible that this kind of phishing could go on for weeks or months without anyone noticing, especially seeing as Apple are the only watchman and considering what the average iPhone user understands about information security.

    --
    Calling someone a "hater" only means you can not rationally rebut their argument.
  15. Re:HERE'S HOW ANYONE CAN BEAT ANY Vetting !! by GameboyRMH · · Score: 4, Insightful

    That could work quite well, if the testers can't see the source. You could put a timebomb in an app that activates its malicious payload. This would also work better because it could allow the app to become popular and spread before it turns nasty. A datamining app that collects everything into an encrypted file (just very simple encryption in a file with a large initial size would be enough to keep people from "grepping" the contents or getting suspicious...say it's a cache file or something) and sends it off on a specific date and time could do a lot of damage.

    --
    "When information is power, privacy is freedom" - Jah-Wren Ryel