Slashdot Mirror

← Back to Stories (view on slashdot.org)

App Store-Aided Mobile Attacks

Posted by kdawson on from the so-simple-a-kiddie-could-do-it dept.

Trailrunner7 sends along a ThreatPost.com piece that begins "The pace of innovation on mobile phones and other smart wireless devices has accelerated greatly in the last few years. ... But now the attackers are beginning to outstrip the good guys on mobile platforms, developing innovative new attacks and methods for stealing data that rival anything seen on the desktop, experts say. This particular attack vector — introducing malicious or Trojaned applications into mobile app stores — has the potential to become a very serious problem, researchers say. Tyler Shields, a security researcher at Veracode who developed a proof-of-concept spyware application for the BlackBerry earlier this year, said that the way app stores are set up and their relative lack of safeguards makes them soft targets for attackers. ... 'There are extremely technical approaches like the OS attacks, but that stuff is much harder to do,' Shields said. 'From the attacker's standpoint, it's too much effort when you can just drop something into the app store. It comes down to effort versus reward. The spyware Trojan approach will be the future of crime. Why spend time popping boxes when you can get the users to own the boxes themselves? If you couple that with custom Trojans and the research I've done, it's super scary.'"

39 of 186 comments (clear)

  1. I like the yum "app store" by FranTaylor · · Score: 3, Interesting

    All the packages are signed and I can rebuild anything I want from scratch.

    Adobe uses it to update Flash and Reader on my systems, they don't need to support an update installer.

    I have no doubt that the same type of system can serve palmtop systems well.

    1. Re:I like the yum "app store" by mrsteveman1 · · Score: 3, Insightful

      They already sign the code, some of the app stores even require business documents before you're allowed to put anything up.

      Having source is a plus but this is commercial software we're talking about, you don't have the source for the 2 things you mentioned, Reader and Flash. Besides that, having the source isn't guaranteed to protect you, companies have been obfuscating the hell out of source code for a while now. All they really need to do is get users to install the binary first, and then it's a waiting game to see if anyone actually reads the source and finds the evil lines, if they ever do. By then, millions of users have installed the app or the updated app (the first version doesn't need to be malicious) and had their info stolen, etc.

    2. Re:I like the yum "app store" by Anonymous Coward · · Score: 4, Funny

      companies have been obfuscating the hell out of source code for a while now

      I believe it's called outsourcing.

    3. Re:I like the yum "app store" by tsm_sf · · Score: 3, Funny

      Since Apple has an apparently arduous approval process for their app store, I'm assuming that they guarantee everything against this sort of foolishness. I didn't bother to read the 92 page EULA that went along with it, but they're an honorable company, right?

      --
      Literalism isn't a form of humor, it's you being irritating.
    4. Re:I like the yum "app store" by eggnoglatte · · Score: 4, Insightful

      Well, FWIW, it is kind of hard to do much damage if the app can't run in the background due to lack of multithreading.

      No, I don't have an iPhone, iPod, or iPad. I am just getting tired of the same old tirades from both sides.

  2. I've always wondered by norpy · · Score: 2, Insightful

    I've always wondered why deliberate exploits hadn't been included in seemingly safe app store apps that allowed access to forbidden api's and did naughty things always sorta amazed me.

    I guess I wasn't the only person who thought of that.

    1. Re:I've always wondered by s73v3r · · Score: 2, Interesting

      Maybe the screening process has been working?

    2. Re:I've always wondered by norpy · · Score: 2, Interesting

      The screening process is on the binary, it is very hard to detect some crappy code that is intended to cause a buffer overflow.

      That would still limit you to userland exploits, but it would definately allow some malicious code to be injected through a server request that could access phonebook/etc and then send it back home all without the naughty code ever existing in the application that was submitted to Apple.
      This code would be all but invisible since the timebomb and malicious payload are controlled remotely.

      It would be nice for someone in the know to weigh in about apple's code execution security for appstore apps.

  3. iPhone Banker Trojan? by Graff · · Score: 5, Informative

    From the article:

    Banker Trojans targeting platforms such as the iPhone

    [citation needed]

    I poked around the internets a bit and only found a mention or two for iPhone trojans. These trojans were ONLY on jailbroken iPhones, not un-jailbroken ones that are using the iPhone App Store. As far as I know there have never been any "banker" trojans in the iPhone App Store.

    This article seems to be riding the coattails of the iPhone's popularity by throwing it in the mix with other platforms that have had "banker" trojans. If they have evidence of an iPhone App Store trojan I'd love for them to directly mention it rather than being vague and doing a lot of hand-waving.

    --
    Sapere aude!
    1. Re:iPhone Banker Trojan? by s73v3r · · Score: 3, Informative

      There have been some for Android. At least 2, which posed as fake banking apps. They have been removed for a while now, however.

    2. Re:iPhone Banker Trojan? by R3d+M3rcury · · Score: 2, Interesting

      Well, this isn't quite as serious as Bank Trojans, but Storm8 is infamous for stealing phone numbers from their customers. And this is with the all-mighty App Store in place.

    3. Re:iPhone Banker Trojan? by MidnightBrewer · · Score: 3, Insightful

      Yeah, this entire story is kind of supporting Steve Jobs' obsessive control of the closed App Store. My iPhone has no viruses.

      It does have Plants vs. Zombies, though.

      --
      "Give a man fire, and he'll be warm for a day; set a man on fire, and he'll be warm for the rest of his life
    4. Re:iPhone Banker Trojan? by Graff · · Score: 2, Insightful

      Yeah, there has been some poaching of the bit of info that apps can tap into. I know Apple tightened up on that though and there's a lot less that an app can get at.

      There's no doubt that the App Store gatekeepers are a necessary evil. Hopefully they do just enough and not a bit more in keeping bad apps out and still allowing good apps in.

      --
      Sapere aude!
    5. Re:iPhone Banker Trojan? by nahdude812 · · Score: 2, Informative

      Android's Market tells you exactly what an app can and can't access before you install it. In order to access certain classes of API, the app has to include this access in its manifest file or the API's aren't available. Examples include location (there are two tiers: rough network-based, and precise GPS based), phone (again, two tiers: phone state [usually to do things like pause music when the phone rings], and the ability to place/receive calls), network access, storage (read or modify SD card contents), SMS, camera access, contact data, calendar, email, phone sleep functions, and so forth.

      Those access levels are detailed here:
      http://developer.android.com/reference/android/Manifest.permission.html

      Certain accesses are considered sensitive, and will be specifically brought to the user's attention before they install the app. Other controls (such as access to the phone's vibrate function) aren't, and although you can look to see if the app uses those functions, you're not bothered to verify that this is ok first.

      So if an app wanted to poach your phone number, etc. on Android, it would basically have to advertise to you that it's doing so or it wouldn't have that level of access.

      That said, I do wish there was a way to *block* those accesses.

      --
      Slay a dragon... over lunch!
    6. Re:iPhone Banker Trojan? by netsavior · · Score: 2, Interesting

      yeah something combining android's manifest and blackberry's application permissions screen would be really nice... They each have half of the puzzle. BB lets you block permissions by application to certain functions (like gps, phone, etc) but it is not smart enough to know which of those things the app might try to do.

    7. Re:iPhone Banker Trojan? by Bakkster · · Score: 2, Informative

      Even though I've already abandoned Apple, it's their belief that enough people won't do this that they can retain their clout. The industry as a whole is damaged as a result. Further it sets the precedent that a software company can dictate what other software you run on the same device for business reasons rather than for technical ones (i.e. we're not talking software incompatibility, we're talking rejection because they say so). Apple is the first, if they succeed, you can guarantee that other companies will be looking to shut out their competition simply by refusing to let you run the competition's software. The entire thing is creating an atmosphere of anti-competitiveness.

      You're actually 2 decades late. Nintendo did this on the NES back in the 80's, with a lock-out chip. Only Nintendo approved (and licensed) software could be loaded and run, at least without 'jailbreaking' the cartridge to circumvent this. Note: the world of open environments has not collapsed yet.

      That said, we're talking about a cell phone, which never had the ability to run user software before anyway. If they want to do the same thing on a PC, then I would begin to worry.

      --
      Write your representatives! Repeal the 2nd Law of Thermodynamics!
  4. Open Store, Open Door... by LostCluster · · Score: 4, Insightful

    As much as we hate Apple's walled-garden approach to an app store, having a central authority with a kill switch for any app, plus limited multitasking ability, plus developers tied to using the app store's preferred programming language and tools are all things that stand in the way of a would be trojan spyware author. As Apple claims, jailbreaking your iPhone could all "the enemy" to do what they want with it, and that could crush poor little American Telegraph and Telephone Co.'s network.

    Google touts openness, and Microsoft touts the power of a free-market of commercial software, both of which provide nice benefits to the consumer, but also to the hacker who wants to compromise user privacy. Has anybody looked into the Facebook apps on these platforms?

    1. Re:Open Store, Open Door... by grcumb · · Score: 3, Interesting

      As much as we hate Apple's walled-garden approach to an app store, having a central authority with a kill switch for any app, [etc....] are all things that stand in the way of a would be trojan spyware author.

      Perhaps, but if you cast your net a little wider, you'll realise that the main thing required is a viable process. Autocratic centralised control is just one of a number of different and equally effective means of managing security for end users. Debian, Ubuntu, Fedora and countless other community-maintained repositories have historically sustained a commendable level of security in their vast software collections. They've built up so much trust, in fact, that the trust itself has become a peculiar kind of strength.

      --
      Crumb's Corollary: Never bring a knife to a bun fight.
    2. Re:Open Store, Open Door... by Anonymous Coward · · Score: 3, Insightful

      The only way the three systems you mentioned would detect a rogue package update, would be from open-source coders reviewing the original codebase. Maintainers don't often examine code -- often, they are even incapable of it.

      So what do you get when that update comes from (A) a closed-source application, or (B) a solo-programmed OSS project? You get hell, that's what you get.

      Also, a bit of perspective. The last I heard (years ago), Debian had 17,000 packages. How many do you think the iPhone has?

      On the App Store, Wikipedia says: As of April 8, 2010, there are at least 185,000 third-party applications officially available on the App Store, with over 4 billion total downloads.

      It's not nearly as simple a situation as you make it to be.

    3. Re:Open Store, Open Door... by mjwx · · Score: 4, Interesting

      Google touts openness,

      Android has on-device security which let the user know, in simple English what the application will do ("can access your contacts", "uses services that cost you money (SMS, makes phone calls)", "will access the internet") so when you download a fart application that wants access to your contacts and to the internet you have to figure out something isn't right.

      As much as we hate Apple's walled-garden approach to an app store, having a central authority with a kill switch for any app,

      But that isn't so useful as Apple's walled garden approach has forgone local security in favour of gateway only security, once you've gotten past the censors you have a free reign. Enterprises have known for some time that gateway only security is a complete and utter failure. You need both gateway and local security, which Android provides both although the gateway security is entirely voluntary (but enabled by default).

      There have already been data miners for the Iphone that have gotten past Apple's ever watchful censors including at least one fake banking application (BOA, IIRC). This isn't including data miners like Arsebook.

      Ultimately gateway and local security is preferred for end users, one should have a choice whether to use the gateway or not but local security is an absolute must, especially on a mobile device. Despite how good you think your gateway is it is fundamentally flawed.

      --
      Calling someone a "hater" only means you can not rationally rebut their argument.
    4. Re:Open Store, Open Door... by Wovel · · Score: 3, Informative

      This link and this one

      Did you read the articles you linked? Clearly state the apps only targeted jailbroken iPhones. This means they were not distributed through the app store and not in any way relevant.

  5. That was a close call by Gadget_Guy · · Score: 4, Insightful

    Wow. I was going to download some apps from one of those app stores. I can't believe I nearly exposed my phone to something even more dangerous than anything on my PC. In future, I am going to just limit myself to downloading whacky screensavers for my Windows system, because that is totally unlike downloading an app for my phone.

    Seriously, I can't believe the gall of those attention-seeking media whores who call themselves security experts. Years after we have been able to download applications for phones, some nitwit finally realises that one of those apps could be harmful. All they have to do is blow the danger out of all proportion and wait for the stupid media to lap up the story.

    "But this time it is different - instead of downloading the app from a website, you get them from an app store!" Yeah, right.

    1. Re:That was a close call by Anonymous Coward · · Score: 2, Insightful

      The real power behind the Apple vetting process has nothing to do with what Apple does, it's what Apple has: Your bank routing #, social, full name, address...and yes, they have all this of mine.

      So if a fly by night app store that lets anyone submit apps without any process and may not collect this information for all app submitters has an app with a virus - they remove it. Apple could quite possibly notify the authorities of your location.

      I'm not saying Apple vetting process is foolproof, or that this would stop all attacks, but by collecting this information you're a lot more likely to be able to hold people accountable for crap they do than otherwise.

      Just my $0.02.

    2. Re:That was a close call by Techman83 · · Score: 2, Funny

      "does it crash? does it look like it does what it says?"

      Guess that's why Flash is denied.

      --
      # cat /dev/mem | strings | grep -i cat
      Damn, my RAM is full of cats. MEOW!!
    3. Re:That was a close call by phantomfive · · Score: 2, Insightful

      I don't know if it's that bad. If Bank of America creates an App that lets me access their bank, I might use it (assuming I had an iPhone). I think it is reasonable to assume that Apple would not let anyone but Bank of America create the Bank of America app. If there is another app that asks for my bank account info, I'm going to be really suspicious. So there is some security built into the app store, even if they don't verify every line of code.

      --
      Qxe4
    4. Re:That was a close call by gig · · Score: 4, Insightful

      That is bullshit. They not only check for malware, they even check for privacy violations and use of unfinished API's that may break in a future OS release. The whole app platform was designed for approvals.

      You can't say iPhone is doing it wrong because it's not open on one day and then say it's just as vulnerable to malware as Android the next. We know Apple is not as vulnerable because they have not had any malware through 2 years of a billion downloads and over 200,000 apps, while Android Market has served malware with significantly fewer apps and downloads. And most of Apple's users do not know WTF "malware" is, which is why they do it this way.

  6. Starting at $59.99 by Anonymous Coward · · Score: 2, Insightful

    Norton AntiVirus: iPhone edition.

    1. Re:Starting at $59.99 by Culture20 · · Score: 2, Interesting

      Norton AntiVirus: iPhone edition.

      Symantec Endpoint Protection, iPhone Edition has scanned its own jail space and found no viruses. Would you like to enable real-time protection (until you close the SEP iPhone Edition App)?

  7. On blackberry? Not so much by Jeffrey+Baker · · Score: 4, Informative

    Any app on the blackberry requires user intervention before it's allowed to fetch URLs, open raw sockets, read email, dial the phone, get your location, manipulate the address book, or do any other damned thing. And 90% of the APIs require the developer to be vetted through the app signing process. It actually seems much less vulnerable to trojans and spyware than a PC.

  8. Re:This is why Android could take over the market. by Jeremi · · Score: 3, Insightful

    It comes down to if you cannot see the source don't trust it.

    ... and even if you can see the source, you still can't trust it. Unless you are an expert in the source's programming language, AND you are willing to spend several dozen hours doing a line-by-line review of all of the source code, most exploits are still going to walk right by you. A "mistake" that opens up a security hole can be very subtle; indeed that's why so many honest developers end up releasing security holes by mistake.

    And that's not even counting the second issue: how do you verify that the source code you are reading actually corresponds with the executable your computer is going to run? If you download both source and executable, it could be that the source is clean, but the executable contains a back door. Even if you compile the source code yourself, it could be that the code exploits a bug (or backdoor) in your compiler to implement behavior different from what the source code indicates.

    --


    I don't care if it's 90,000 hectares. That lake was not my doing.
  9. Re:This is why Android could take over the market. by Culture20 · · Score: 2, Funny

    Sounds like what you want is Gentoo: phone edition. Plug in your phone, type emerge --sync && emerge phone-image on the PC, wait overnight while the image compiles, then dd onto /dev/phone. If it crashes, do another emerge --sync and see if emerge phone-image compiles something new, then dd that. Call^W Email work and tell them you'll be late because you're compiling your phone OS again. They'll understand.

  10. Perhaps this will evolve into something beneficial by Dr_Marvin_Monroe · · Score: 4, Insightful

    I agree with the poster that the economics of attacks is definitely in favor of the Trojan vs. the technical attack. It's scary how many people install junk on their computers, and it's not getting any better. Even I do it sometimes without knowing 100% who's behind some utility or patch that I want. This is the approach that pays off easy too. Why bother trying to sneek into their box when the user's will install your bug for you?

    In nature though, some of these parasites actually evolve into beneficial bugs. The take their little bit, but they also do some extra bit for the host. Both sides win, this is symbiosis. Imagine that the SETI@home also defragmented your disks or optimized performance some how in exchange for running on your system, same thing.

    Now consider for a second that Conficker patched some security holes after entering the host system....Isn't it doing some little bit of good? Not wanting it on my box, just showing how Conficker's security is also beneficial to the host machine. Their goals align... Consider also, how does Google's goals align with mine when I use online Docs?

    I think there will be a real blending here. Trojans will get more beneficial and less intrusive, people will tolerate them because they do something useful, and a new class of free (as in beer) software will evolve.

  11. Clearly unfair to Apple by gig · · Score: 5, Insightful

    You can't tell me how wrong Apple is for having a closed store with strict app approvals and how other mobile makers will outdo Apple with their open stores and then wrote a malware-scare article about how app stores are too open and lump Apple in with everyone else. It's one or the other. Everyone else has Jas apps you can install from the Web and Apple has C apps you can't.

    Apple has an actual record here. They've been malware-free 100% for 2 years, 200,000 apps, over 1 billion downloads, with consumer users who don't know what malware is, doing 1-click installs.

    How you can write an article like this saying "app stores should be more closed" and not mention Apple's is closed is beyond me.

    And there has been no native malware on iPhone. Also bullshit.

    And although Apple may not strictly guarantee zero malware, they are actively policing every app. To pretend that's like having no cops, as on the other platforms, is ridiculous.

    Awful article. Just fucking awful. Do some fucking research!

    1. Re:Clearly unfair to Apple by Rocketship+Underpant · · Score: 4, Insightful

      My guess: there's a rather popular hate-the-leader bandwagon among certain geeks. You see this on Reddit a lot, where anything critical of the iPhone or iPad gets modded up immediately whether it's insightful or not.

      This author is probably part of that bandwagon, desperately trying to stitch together a premise (open app stores are an opportunity for trojans) and an incorrect conclusion (fear the iPhone!) with no logical connection. Why else use App Store like a proper noun in the title, knowing full-well that most people will immediately assume the iPhone/iPad App Store?

      Anyone who's owned a Mac a long time and constantly been lectured by their PC-using friends that "Macs are just as susceptible to viruses" even though no one gets viruses on their Macs while PCs are like leper colonies for malware knows this full well.

      --
      He who lights his taper at mine, receives light without darkening me.
  12. Bad apps that don't work are in the store... by seifried · · Score: 2, Informative

    I was testing SSH clients for the iPhone so I bought about a half dozen, one of them flat out didn't work (filled out the problem form, no response). One didn't allow you to change the port to something other than 22. Only one app allowed you to import a key. Only one (a different one) allowed you to have more than one key. In other words one was completely broken, one was arguably missing basic functionality and all were missing common functionality. In other words the quality was abysmal.

    I also tried to contact them, one had a website listed that was several years out of date and had no contact info (no names, emails, phone numbers, nothing). Not exactly inspiring of trust.

    Based on this I can simply say I will not use them, for one thing they don't work terribly well. But mostly because who knows what they do in the background. Perhaps every 50th connection, assuming it is a Tuesday they send your connection details (user name, password, IP, etc.) in an outgoing packet to the bad guy that wrote the app.

    I actually regret going with the iPhone (not that the android is much better in this respect). I'm so used to Open Source software having to use a closed source application from a basically unknown source (as opposed to someone who is at least known and ideally has a decent reputation they want to protect) is foreign to me and to be honest a deal breaker.

  13. Re:This is why Android could take over the market. by migla · · Score: 2, Interesting

    As was all ready mentioned, it's about having a security process. This can be implemented regardless of openness.

    If more open "stores", such as Android or Maemo/MeeGo or Debian or whatever don't yet have as rigorous a process as Apple, they should get busy of course.

    Regarding any discrepancy between source and binary, you should obviously just upload the source to the store and have the store build the binary.

    --
    Some of my favourite people are from th US; Vonnegut, Chomsky, Bill Hicks.
  14. Re:This is why Android could take over the market. by Graff · · Score: 2, Insightful

    It comes down to if you cannot see the source don't trust it.

    And when is the last time you looked at every single line of code for a major open-source application and made sure that it was totally and completely safe? Do you just use them, assuming that someone else did it for you?

    The fact is that we all trust the developers at some point, it doesn't matter if it is open or closed source. At least with a major author they have a physical presence, buildings, investors, publicly traded, cash in the bank. If they do something underhanded you have stuff you can go after. In open source yeah you have code that people can look at but you also have the possibility of some anonymous person who works a sneaky backdoor into the code. Then when it all goes kablooey there's no one whose feet can be held to the fire.

    I'm not saying that either closed or open source is better than the other, just that both have many good and bad points. You can't automatically assume that open source is better. Either way it helps to have safeguards in place, like an app review process and the ability to quickly remove malware from devices.

    --
    Sapere aude!
  15. iPhone has local security too by EMB+Numbers · · Score: 2, Informative

    From http://developer.apple.com/iphone/library/documentation/iPhone/Conceptual/iPhoneOSProgrammingGuide/ApplicationEnvironment/ApplicationEnvironment.html

    The Application Sandbox
    For security reasons, iPhone OS restricts an application (including its preferences and data) to a unique location in the file system. This restriction is part of the security feature known as the application’s “sandbox.” The sandbox is a set of fine-grained controls limiting an application’s access to files, preferences, network resources, hardware, and so on. In iPhone OS, an application and its data reside in a secure location that no other application can access. When an application is installed, the system computes a unique opaque identifier for the application. Using a root application directory and this identifier, the system constructs a path to the application’s home directory. Thus an application’s home directory could be depicted as having the following structure: /ApplicationRoot/ApplicationID/
    During the installation process, the system creates the application’s home directory and several key subdirectories, configures the application sandbox, and copies the application bundle to the home directory. The use of a unique location for each application and its data simplifies backup-and-restore operations, application updates, and uninstallation. For more information about the application-specific directories created for each application and about application updates and backup-and-restore operations, see “File and Data Management.”

    Important: The sandbox limits the damage an attacker can cause to other applications and to the system, but it cannot prevent attacks from happening. In other words, the sandbox does not protect your application from direct attacks by malicious entities. For example, if there is an exploitable buffer overflow in your input-handling code and you fail to validate user input, an attacker might still be able to crash your program or use it to execute the attacker’s code.

    See also protections around location, camera, microphone, address book access, and network interfaces that "let users know in simple words what an application will do"

  16. Re:This is why Android could take over the market. by Graff · · Score: 2, Informative

    It doesn't matter if I do it; if it's an important enough piece of software, somebody has. And if it's really important, more than a few somebodies. And if it's really really important, I can pay somebody to do it.

    I'd like to introduce you to an important, relevant psychological effect known as the bystander effect. The more important that something public is, the GREATER the chance that no one will take care of it because they all just assume "It's so important that someone must have taken care of it."

    I'm not saying that open source is insecure, just that you can't automatically assume that it IS secure. Unless you personally look at the code or pay someone trusted to do so, you have to assume that it isn't secure.

    The "noob" here is the person that blindly trusts other people to make sure everything is secure.

    --
    Sapere aude!