Slashdot Mirror

← Back to Stories (view on slashdot.org)

Malicious App In Android Market

Posted by kdawson on from the can't-take-it-to-the-bank dept.

dumbnose writes to let us know that a fraudulent app that attempts to steal bank information has made it to the Android app store. From the alert: "NOTICE: Users of mobile devices with Android software may have noticed several applications available for download in the Android Marketplace. If you see any applications provided by the user Droid09, please do not download these applications. Android applications provided by Droid09 are fraudulent. Please remove any applications by Droid09 from your mobile device and contact your mobile provider to evaluate whether any other applications or information stored on your mobile device have been compromised." Multiple marketplaces are possible in the open Android ecosystem. Might we see the emergence of a marketplace distinguished by an iPhone-like app vetting process?

12 of 340 comments (clear)

  1. Check for the signed label! by LostCluster · · Score: 5, Insightful

    This is something that is far more unlikely to happen on the iPhone because of Apple's strict control and testing of all apps. Even the "jailbreak" stores will reject things that aren't as advertised.

    Allow open development, and you've basically got a platform that the bad guys can target. There's already standards for signing code to prove that an app came from who you thought it did.

    1. Re:Check for the signed label! by Darkness404 · · Score: 5, Insightful

      However, there is balance. Look at Ubuntu's repositories, they rarely really "reject" any applications and everything in there is more or less malware free. I can see there being a market for trusted repositories in Android also.

      --
      Taxation is legalized theft, no more, no less.
    2. Re:Check for the signed label! by davester666 · · Score: 5, Informative

      Um, no.

      Apple's certification process is unlikely to uncover an app like this. Assuming the app appears to do something 'real' [which I assume it does, as people download and use it], you can have the app access a web page that tells the app if it should harvest data or not. You simply don't enable the harvesting until after Apple has accepted it into the App Store. Black box testing won't uncover it, and static program analysis is unlikely to either [short of the app obviously using restricted APIs]. And apps can poke around the system, and I think even other apps data without even needing to hardcode in paths.

      Now, it might be easier to Apple to be able to trace where exactly the app came from than it is for Google...

      --
      Sleep your way to a whiter smile...date a dentist!
    3. Re:Check for the signed label! by Bogtha · · Score: 5, Informative

      This is not the case. Apple don't perform in-depth testing in this manner; they don't have access to the source code and some developers have already successfully bypassed the rules of the App Store by hiding functionality as easter eggs. It is trivial to put malicious code in an iPhone app that won't be triggered until after the application is already in the App Store. The security restrictions on what the iPhone OS lets you do doesn't save you from this kind of attack either; it sounds like all an equivalent iPhone app would have to do is embed a UIWebView and wait for people to enter their information.

      --
      Bogtha Bogtha Bogtha
    4. Re:Check for the signed label! by BronsCon · · Score: 5, Interesting

      Do the Underhanded C Contest and Obfuscated C Contest ring any bells?

      Even review of every line isn't enough. But it's better than what closed source can offer.

      --
      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
    5. Re:Check for the signed label! by dotgain · · Score: 5, Insightful

      Um, which people will notice?

    6. Re:Check for the signed label! by mjwx · · Score: 5, Interesting

      And that's why certificates can be revoked, and apps can be pulled from the app store after the fact.

      And applications can be pulled from the Android Market after the fact, which frankly is terrible security.

      Apple's security model is still far inferior to Androids. Apple have a gateway only approach, Apples decides what does and does not run on Iphones remotely and forgo any local security, Android has a limited gateway and local security approach, Google can revoke malicious applications and make them go through some kind of testing before hand (probably what Google will end up doing, limited semi/completely automated testing to check for obvious problems) and then you have local security on the device. The idea is that no program is trusted. Now with Apple you have a single point of failure, if a self replicating virus/trojan gets past apple then its over unless apple uses the kill switch, if the kill switch works. With Android if a virus/trojan can replicate you still need each user to authorise install on each device.

      You will also have more people watching android applications, Google are quite open to security being questioned where as it is tantamount to heresy to even suggest that Apple has insecurities (and I'm certain some fanboys are frothing at the mouth reading this and typing an incoherent rant). The false sense of security that surrounds Apple is far more dangerous then the open nature of Android or the Android marketplace.

      --
      Calling someone a "hater" only means you can not rationally rebut their argument.
  2. Use an Outbound Firewall by slifox · · Score: 5, Interesting

    One great app I use is DroidWall, which is a simple GUI for iptables.
    I set the default outbound policy to DROP, then specifically whitelist the apps that should reasonably have access to the internet.

    Since Android apps have to specifically declare the privileges they require before installation (such as ability to read contact data, internet access, etc), then it's easy to make sure that all apps that read personal data are not whitelisted, unless they come from a reputable developer (e.g. Google-made apps). Any app that can read my contacts data, my calendar, my email, etc, is sure as hell not getting internet access for "usage statistics" or whatever other lame excuse they give.

    I wish this functionality was built into the OS, rather than having to do it manually (for example, a way to disallow internet access during installation) -- but at least it's doable on Android. I don't think any other phone platforms give this level of permission separation or control. I'm not so sure that app review would really fix the overall problem; it might catch the obviously-malicious phishing apps like in this story, but I bet that the app auditors' opinion on what is a privacy violation differs greatly from my own.

    I still wouldn't use my banking info on my phone regardless, since a phone is so easily losable, and locking/unlocking the data everytime with a secure passphrase would probably be too inconvenient. At very most, I would only allow read access to transactions from my phone (if banks offered this), thereby limiting the amount of useful information or control a would-be attacker could gain from compromising my phone.

    1. Re:Use an Outbound Firewall by dumbnose · · Score: 5, Insightful

      Sounds like a really easy way for your standard user to administer their phone. My mom would totally get that....no wait....I think I meant the opposite of that. Yeah.

      Seriously, though, how do you communicate this to your standard, non-techie user?

  3. Re:No sandboxing? by LostCluster · · Score: 5, Insightful

    Sandboxing is an "always deny" tech that keeps legit applications from working easily. Effective, yes. Going to catch on with the average user, no.

  4. Re:No sandboxing? by slifox · · Score: 5, Informative

    Android has sandboxing, to a degree

    Each app has its own user and group ID, and filesystem permissions are used to determine what data an app can access.

    Additionally, apps have to declare the special permissions they require before installation, such as internet access, read contacts data, etc...

    Android is way ahead in this department -- this story is simply a case of phishing: the users thought the app was a legit bank app, and they willingly gave their sensitive information to it. It's hard to prevent against that without user training, and the success of normal email/website phishing has shown that very few users are "trained" in this sense...

  5. Re:Then the developer is screwed by mjwx · · Score: 5, Insightful

    And then what do you do about the fact that you have given Apple and address they have verified

    Quite easy to give and verify a fake address, especially if it's in a foreign country.

    and paid for a $99 developer account via some means they can tract back to you

    Once again, easy to do with a foreign bank.

    There are plenty of easy ways to prove addresses that can be easily faked, bank statements, utility bills. Plus there is the idea of using someone else's identity entirely.

    Let me put it this way, anyone smart enough to develop a scheme like this is smart enough to defeat Apple's rudimentary address/credit checks.

    That's a lot of exposure for a scam that's likely to be shut down in under a day.

    You seem to have a lot of faith in Apple's ability to detect a hidden scam once it has already penetrated their security (the app store). It's entirely plausible that this kind of phishing go on for weeks or months without anyone noticing, especially seeing as Apple are the only watchman and considering what the average iphone user understands about information security.

    --
    Calling someone a "hater" only means you can not rationally rebut their argument.