New Android Malware Robs Bandwidth For Fake Searches
adeelarshad82 writes "We've been hearing about various Android malware spreading through the Chinese markets. Well, here's another one to look out for: meet ADRD (aka Trojan:Android/Adrd.A) which is expert in sucking your bandwidth. The malware downloads a list of search URLs and then performs those searches at random in the background, which as the screen shots [in the linked article] show leads to excessive data charges. Similar to other Android malware, this too is distributed through wallpapers which are infected repackaged versions of legit wallpapers."
Adds reader Trailrunner7: "Lookout, a mobile security vendor, said it has identified 14 instances of the malware repackaging itself in various wallpaper apps and specifically in the popular game RoboDefense, made available in alternative application markets. The trojan works by duping an infected app into sending encrypted data containing the device’s IMEI and IMSI to a remote host. HongTouTou then receives a set of search engine target URIs and search keywords to send as queries. It then uses these keywords to emulate search processes, creating searches in the search engine yielding the top results for those keywords and clicking on specific results. To the search engine, the searches appear to be coming from a mobile user using a mobile web browser with User-Agent corresponding to the UCWeb browser."
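The behaviour the summary describes (a device firing off a stream of unrelated search queries in the background) is visible from the server or proxy side as a burst of queries from one client. The following is an added example, not code from the article or from Lookout: it parses a few constructed log lines (the format, the client ids and the User-Agent string are all made up for this example) and flags clients whose query rate in any 60-second window exceeds a threshold. The User-Agent is recorded but not used as the signal, since legitimate UCWeb users send the same header; the rate and the spread of unrelated keywords are what give the automation away.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Log format assumed for this example: "<ISO timestamp> <client id> "<User-Agent>" q=<query>"
LOG_RE = re.compile(r'^(?P<ts>\S+) (?P<client>\S+) "(?P<ua>[^"]*)" q=(?P<q>.*)$')

# Constructed sample (not real traffic): client-A behaves like the trojan, client-B like a person.
SAMPLE_LOG = """\
2011-02-15T10:00:01 client-A "UCWEB/8.0 (Linux; U; Android 2.2)" q=cheap laptops
2011-02-15T10:00:06 client-A "UCWEB/8.0 (Linux; U; Android 2.2)" q=mattress discount
2011-02-15T10:00:11 client-A "UCWEB/8.0 (Linux; U; Android 2.2)" q=ringtone download
2011-02-15T10:00:17 client-A "UCWEB/8.0 (Linux; U; Android 2.2)" q=car insurance
2011-02-15T10:00:22 client-A "UCWEB/8.0 (Linux; U; Android 2.2)" q=free wallpaper
2011-02-15T10:00:29 client-A "UCWEB/8.0 (Linux; U; Android 2.2)" q=weight loss
2011-02-15T10:00:00 client-B "UCWEB/8.0 (Linux; U; Android 2.2)" q=bus timetable
2011-02-15T10:05:00 client-B "UCWEB/8.0 (Linux; U; Android 2.2)" q=weather tomorrow
2011-02-15T10:10:00 client-B "UCWEB/8.0 (Linux; U; Android 2.2)" q=pizza near me
"""


def parse_log(text):
    """Group (timestamp, query) pairs by client id; malformed lines are skipped."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S")
        events[m["client"]].append((ts, m["q"]))
    return events


def busiest_window(timestamps, window):
    """Largest number of events that fall inside any interval of length `window`."""
    times = sorted(timestamps)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def detect_search_bots(text, window=timedelta(seconds=60), threshold=5):
    """Return {client: stats} for clients whose peak query rate reaches the threshold."""
    flagged = {}
    for client, evs in parse_log(text).items():
        peak = busiest_window([t for t, _ in evs], window)
        if peak >= threshold:
            flagged[client] = {
                "peak_queries": peak,
                "distinct_queries": len({q for _, q in evs}),
            }
    return flagged


if __name__ == "__main__":
    for client, stats in detect_search_bots(SAMPLE_LOG).items():
        print(f"{client}: {stats['peak_queries']} queries in 60 s, "
              f"{stats['distinct_queries']} distinct keywords")
```

A threshold of five queries per minute is an arbitrary starting point; on real traffic it would be tuned per population, and the same two-pointer window scan works unchanged on a per-IMEI or per-IP key if that is what the log carries.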
It's not surprising that malware vendors are focusing on the fastest growing segment of the computer market. Android is going to be attacked with malicious intent from all sides. It's all part of the game: Success == Target
I guess it's running fake searches to up the 'autofill' for items on Google? Let's just hope it's not searching for iPhone related items. Man, wouldn't that be embarrassing?
So was this malware put together by, or on the orders of, a mobile company itself, seeking to boost revenues? What other reasons would there be for this malware to exist? Does simply searching for terms do something for SEO?
Curious,
"What in the name of Fats Waller is that?"
"A four-foot prune."
McAfee for Droid... ugh
Not only does God definitely play dice, but He sometimes confuses us by throwing them where they can't be seen. -Hawking
This is PC vs Mac all over again.
Most of the stuff on
The iOS app store can have its fair share of malware too. It's easy to hide snooping software behind a simple game for example. In fact, all apps can access the contacts list, recent youtube searches, email settings and even non-password field keystrokes. When developers submit apps they only submit the binary and not the source code so Apple's app approval monkeys basically only cover what they can see. This "walled garden" argument is stupid for this reason.
Apparently
mkdir android ; cd android ; repo init -u git://android.git.kernel.org/platform/manifest.git ; repo sync ; make
is supposed to shut iPhone users up. Or something.
Don't lead me into temptation... I can find it myself.
...why Apple's "Walled Garden" for the iPhone is such a bad thing?
Because you can't choose not to use it.
The non-story here is that people carelessly installing bad software from ALTERNATIVE android marketplaces got malware.
Newsflash, if you want assurances of software without malware, don't shop at the internet equivalent of the chinatown night markets.
If you want to be as safe as apple's walled garden, stay within the official marketplaces and you get that.
Then what's the difference between Apple's app store and the Official Market Place? If I have one official app store to choose from and hundreds of malware infected stores...how is that a choice?
Sorry about the mess.
They already (sadly) make it: http://blogs.mcafee.com/enterprise/mobile/mcafee-for-android-a-mobile-security-update
Honestly though I'm tired of Lookout Mobile doing this fear mongering. I'll give them credit though, they are smart guys -- and based on their defcon presentation, they know a lot about Android security. But stop with the scare tactic PR news stories. This would be akin to saying "Virus found on The Pirate Bay, news at 11." I know they need PR because they are a startup, but c'mon.
PocketPermissions Android Permission Guide
Because there's nothing preventing another trusted store to open up, as it happened with Palm, Java-capable dumbphones and hell, even desktops PCs. With Apple, it's their way or the highway and if you don't like it too bad so sad, now try to find a security bug to exploit so you can gain control of your own goddamned phone.
No problem is insoluble in all conceivable circumstances.
"It does not affect any apps in their original versions available on the Google Android Market."
So pretty much you stay away from the untrusted markets where they download the app from the trusted market, append virus, rinse, and repeat and you should be pretty good...
... (yet) according to the article. It's affecting users in China who get repackaged apps from alternative-market Chinese sites. There have been reports of suspicious apps on the official Android Market, but they are very few and quickly removed (http://bit.ly/5FOeM3). Does anyone know if there has ever been a confirmed threat? FTA: As of now, Lookout Security is only aware of the HongTouTou Trojan affecting users on Chinese forums. It does not affect any apps in their original versions available on the Google Android Market.
I'd rather have hundreds of alternative malware infected stores than to let someone else tell me what I can or cannot install. That's the choice.
Who need's speling and grammar?
If it's doing searches in bulk like that, it's a search spam program. It's exploiting a vulnerability in Google.
Google Trends lists "hot searches", what's being searched for in Google in recent hours. Google Trends drives Google Suggest, the hinting system for Google. That in turn drives Google Instant. Which, in turn, aims users at the target sites. Which are probably full of ads. Profit!
Spamming of Google Trends has been around for a while. It used to be easier, and you'd see things like the name of some mattress discounter at the top of Google Trends for 15 minutes or so. (I ran a program to follow the trends in Google Trends for a while. It was amusing.) Google seems to now be averaging over more hours, so the spammers have to up their game and use a distributed attack to push their keywords up.
This is the trouble with "crowdsourcing" recommendations. It's too easy to fake a crowd. Yelp, CitySearch, Google Places - they're all choked with recommendation spam. Anonymous recommendations are junk information. And no, requiring a Facebook account won't help. There's an app for that.
Google is now trying a "mark as spam" button in Chrome to identify "content farms". If that starts mattering, it will be spammed. The same applies to Blekko's "slashtags".
The same way you know a software download website is legit: word-of-mouth, user reviews, past experiences, the trust of other websites you already trusted beforehand and so on.
You know, the same way you got to trust Our Holiness Stevie in the first place, as I doubt you were his classmate in high school or such.
No problem is insoluble in all conceivable circumstances.
If you stick to the market for android you would not get these trojans either. The fact that you are not forced to is a good thing.
So how do I do that without paying Mr. Jobs for the privilege of using something I already bought?
If you want to be as safe as apple's walled garden, stay within the official marketplaces and you get that.
The other alternative would be if the OS asked for user permission before an application could access the internet (just one time, not every time). This is what my old Nokia (running Symbian) used to do. It works the same way as how the iPhone prompts to allow programs to use location services.
I am more worried that a program leaks data or uses all my download quota much more than whether it knows where I am.
If you're a registered iOS dev you have a CC on file with Apple.
And surely the large, well-financed criminal organizations behind most modern malware could never possibly obtain a credit card number that's not their own.
Pre-paid Visa cards are available at Wal-Mart for $3.
Becoming an IOS dev costs, what, $99?
So it costs just $102, then, to get a shot at pushing some malware which will hopefully make the author(s) some money. This really isn't a very high bar.
Kid-proof tablet..
The other alternative would be if the OS asked for user permission before an application could access the internet (just one time, not every time).
Not very effective because almost all applications use the internet - at least a little. What would be good is if the application made a request to use the internet and provided an estimated maximum amount used in the dialog. For example, screensaver X requests to use the internet and estimates that it will use under 2MB per month. Now the user knows more about what is happening and the OS can ensure the app does not break its promise. Advanced settings might even allow the user to restrict the application to specific domains.
While this does not offer a complete solution, it would help prevent apps from running up usage charges.
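The proposal above (an app declares an estimated monthly byte budget and, optionally, the hosts it needs, and the OS refuses traffic beyond that) can be modelled in a few lines. The following is an added example written for this thread, not an Android mechanism or anyone's shipped code: `NetworkBudget` is a hypothetical policy object, and `simulate()` plays out the wallpaper-app scenario the thread discusses, including the later objection that the app would simply claim it needs to download wallpapers. Even then the byte cap bounds how much bandwidth a background spambot can burn before the OS cuts it off.

```python
from collections import defaultdict
from urllib.parse import urlsplit


class NetworkBudget:
    """Hypothetical OS-side policy: per-app monthly byte budget plus optional host allow-list.

    This models the commenter's proposal; it is not a real Android API.
    """

    def __init__(self):
        self._declared = {}            # app -> (max_bytes_per_month, allowed_hosts | None)
        self._used = defaultdict(int)  # app -> bytes consumed in the current month

    def declare(self, app, max_bytes_per_month, allowed_hosts=None):
        """Record what the app promised at install time."""
        hosts = frozenset(allowed_hosts) if allowed_hosts else None
        self._declared[app] = (max_bytes_per_month, hosts)

    def request(self, app, url, nbytes):
        """Decide whether a transfer of `nbytes` to `url` is allowed. Returns (allowed, reason)."""
        if app not in self._declared:
            return False, "app never declared network use"
        max_bytes, hosts = self._declared[app]
        host = urlsplit(url).hostname
        if hosts is not None and host not in hosts:
            return False, f"host {host!r} not in the app's allowed list"
        if self._used[app] + nbytes > max_bytes:
            return False, "monthly budget exhausted"
        self._used[app] += nbytes
        return True, "ok"

    def usage(self, app):
        return self._used[app]

    def new_billing_month(self):
        """Reset counters when the billing period rolls over."""
        self._used.clear()


KIB = 1024


def simulate():
    """Constructed scenario: a wallpaper app declares 2 MiB/month and one wallpaper host."""
    budget = NetworkBudget()
    budget.declare("wallpaper-app", 2 * KIB * KIB, allowed_hosts={"wallpapers.example"})
    decisions = []
    # A legitimate wallpaper download fits the declaration.
    decisions.append(budget.request("wallpaper-app", "http://wallpapers.example/img/1.jpg", 500 * KIB)[0])
    # A background search to an undeclared host is refused outright.
    decisions.append(budget.request("wallpaper-app", "http://search.example/?q=cheap+laptops", 10 * KIB)[0])
    # The app can keep downloading wallpapers only until the byte cap is reached.
    for _ in range(4):
        decisions.append(budget.request("wallpaper-app", "http://wallpapers.example/img/2.jpg", 500 * KIB)[0])
    return decisions, budget.usage("wallpaper-app")


if __name__ == "__main__":
    decisions, used = simulate()
    print("decisions:", decisions)
    print("bytes used this month:", used)
```

The allow-list check runs before the byte count so that a refused request never consumes budget; a real implementation would also have to attribute traffic to the right app at the socket layer, which is the hard part this sketch leaves out.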
Yes, because installing third party firmware is EXACTLY like installing applications, which is what the thread has been about.
YES, you need to root most Android phones in order to install third party firmware, such as CyanogenMod. NO, you do not need to root your Android phone in order to install apps that haven't been explicitly allowed by the phone's manufacturer, including alternative app stores.
Protip: Strawman arguments work significantly better when they aren't so bloody obvious.
My sig can beat up your sig.
As I said, it appears to be high enough. Anyone can put together malware for android and get it distributed with no investment other than the time and effort it takes. To put an app in Apple's store is not only not free, it's also not a sure thing your app will be approved. And finally, there is no money in Android, whereas quite a number of people do make a living developing iOS apps.
Of course, the fact that there is very little malware for iOS and tons of it for Android tends to confirm it as well. Personally, I love Linux and think it's a damned shame that Android becomes the first widely-distributed, mainstream version, because it's really a crappy OS security-wise.
Caveat Utilitor
For example, screensaver X requests to use the internet and estimates that it will use under 2MB per month. Now the user knows more about what is happening and the OS can ensure the app does not break its promise.
And you guys wonder why Apple gets such a large marketshare...
And now I see how the UAC got to be the way it was, over many discussions of what is "reasonable" just like that one.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
No, the app would simply bill itself as needing to download new wallpaper occasionally.
Apple's iOS will certainly maintain some reasonable user base, but the market shall never grant dominance to a control freak. Sorry but people go their own way. iPhones are cute, but kinda old hat now, and all identical. Android otoh has an ever growing rainbow of flavors & features that'll seduce most users eventually. And young people are way more familiar with Java than Objective C, meaning Android will see more & more of the regular apps first.
Apple has always been pleasant for a certain type of independent developers, especially the sort that like polishing a fancy facade on a utility program: friendly development environments, users who'll pay up and croon about it, etc. And I'm sure the DOS/Windows utility developers always put in vastly more man hours than Mac utility developers, while simultaneously facing rampant piracy. Yet, Norton & co. all started on the DOS side because corporate IT paid their bills. App stores aren't necessarily great for corporate IT though, well unless you roll your own for Android. As you say, your own interests & sensibilities just don't mesh well with the Android marketplace.
The Christian religion has been and still is the principal enemy of moral progress in the world. -- Bertrand Russell
Good job using 'iOS malware' as the search query. It returns under 1.4 million hits compared to the 7 million some odd for 'android malware'.
Trouble is 'iphone malware' returns 71 million hits.
Android already does this. When installing an app, it displays all the permissions an app can use, and you get to accept or reject the app at that point. After accepting and then installing the application you no longer get prompted. Network Access is one of the permissions that must be requested by the app.
It would be nice to have some granular control. I often install apps, which for some reason or other require internet access to begin with - but don't need it after that for any reason. There isn't an option to block an app from accessing the net once it has been granted/installed.
Perhaps the problem is simply that it isn't widely publicized. Please allow me to attempt to rectify that:
Hey, malware authors! You can pounce on unsuspecting iPhone owners for only $102! All you need to do is get a disposable pre-paid Visa from Wal-Mart, and pay Apple $99 for a disposable dev account! And remember, kids, it takes money to make money! Happy phishing!
There. That should do it.
Kid-proof tablet..
What? Yes you can. Don't buy an iPhone.
OK done. Now how do I make an iPhone app and distribute it to all the iPhone users who want it if Apple doesn't like my app?
So how is restricting yourself to an official marketplace different from having one iOS store? You're arguing in favor of a walled garden!
I love how Slashdot bashed Windows for over a decade about its malware, but when malware happens to a Linux-based OS, it's deemed a "non-story."
One of the big reasons "real" Linux doesn't get malware is that it uses a package manager for most software installation. If you download some random binary from the internet, it doesn't have the execute bit set by default so you double click on it and it doesn't run. But if you know what you're doing you can flip the bit and run it, without breaking any laws or anything. It's like having the garden without the walls.
Now Apple comes in with this "walled garden" approach and I feel like you're conflating the two. Gardens are good. Walls are bad.
The only thing Android has working for it is that the hardware can be grossly underpowered and they will still ship with Android on it for a horrible user experience and sub-$200 price (free with contract).
iPhone has something going for it in that you are "safe" using it because it protects you from yourself, and most users need that. Android assumes competency, and that's why it is open to millions of attacks.
Learn to love Alaska
It seems that this is the first post analysing adrd, from the aegislab blog: http://blog.aegislab.com/index.php?op=ViewArticle&articleId=75&blogId=1 adrd schedules an alarm to wake itself up when first deployed. It acts less frequently than other trojans like GEINIMI found in China, and is thus harder to trace once launched. All transmissions are encrypted by DES, but can be easily decoded using the key found in the DEX file.
As I said, it appears to be high enough. Anyone can put together malware for android and get it distributed with no investment other than the time and effort it takes. To put an app in Apple's store is not only not free, it's also not a sure thing your app will be approved. And finally, there is no money in Android, whereas quite a number of people do make a living developing iOS apps.
Well if we're going to split hairs, it costs $25 to get a licence key to use Google marketplace, although it's free to develop apps if you shove the apks on your own site. Also, you claim there is no money to be made in Android which is strange seeing as an ever increasing number of popular and well known apps are appearing there.
I certainly don't see $99 being ANY barrier to entry if a malware user wished to upload to appstore. If they make more than $99 then it's been a profitable exercise. I expect that malware could be hidden fairly easily too, e.g. within obfuscated / encrypted strings, or data files. Perhaps the malware would even start relatively innocuously doing what it's meant to do until some predetermined event (e.g. number of installs, date / time, remote command) kicks it off.
Of course, the fact that there is very little malware for iOS and tons of it for Android tends to confirm it as well. Personally, I love Linux and think it's a damned shame that Android becomes the first widely-distributed, mainstream version, because it's really a crappy OS security-wise.
I'm only aware of one high publicity case of malware on Marketplace and it was remotely killed. I also assume that Google have automated & manual security audits that they run over apps plus security teams doing analysis based on reports by users flagging apps as malicious. I assume apps are scanned as soon as they are uploaded to the store much as they probably are for the Apple Store. Depending on the threat they could retroactively kill an app, "upgrade" it into oblivion or otherwise neutralize it.
So people are extremely unlikely to get malware. And even if there is a small chance, is the risk outweighed by the benefits of the freedom of choice offered? Just the fact that I can install Opera or Firefox or Flash or a host of other apps that don't see the light of day on iOS makes it worthwhile to use Android to me.
As for security, Android has quite good security. Firstly Android uses Linux style security - processes run with their own user / group ids to stop them interfering with processes / files and there is a fine grained security model built into Dalvik too. I think it could be improved, e.g. UAC style controls of "untrusted" apps would be a huge benefit, and it would be nice if FAT32 SD cards could benefit from some kind of ACL extensions to enforce permissions. But claiming it has crappy security is not understanding what it has in the first place.
The iOS app store can have its fair share of malware too. It's easy to hide snooping software behind a simple game for example. In fact, all apps can access the contacts list, recent youtube searches, email settings and even non-password field keystrokes. When developers submit apps they only submit the binary and not the source code so Apple's app approval monkeys basically only cover what they can see.
And yet we aren't seeing iOS malware like we're seeing Android malware. So why is that?
Well don't underestimate the app store reviewers. They found an app crash bug in my app which neither I nor my partner had found in testing. Could be chance, but it was deep enough down and involved changing settings, that I'm assured they are exercising the app enough to have a good understanding of its functionality.
Then, if you use ANY non-public API calls in your app, it will be rejected. Which means that Apple are running a static analysis of the code, which is looking at what APIs you call. So if they are doing that in order to filter out non-public API calls, it seems likely the tool also highlights potentially abusable API calls. So if you're trying to access the contacts list or send an SMS from a game for example, then they can catch that.
I'm suggesting it's a parallel to the permissions that Android apps ask for upon installing. But it's far better because the API calls are judged by a specialist (an app store reviewer) rather than an average smartphone user who doesn't know squat. And because that one specialist can save the entire userbase from the danger and the waste of time of downloading/reviewing/using the malware.
And of course every time a new kind of threat is thought up or discovered, the processes and tools that the app reviewers use can be improved to be more certain of catching those threats in future.
Again, the proof is in what's happening in the wild. Despite there being many more iOS apps than Android apps, the list of Android malware is ever growing. For non-jailbroken iOS, there isn't any.
And going by the top 10 hits, not a single one affects non-jailbroken iPhones.
Cisco lost the iPhone trademark through non-use before Apple started using it. And Apple licensed the iOS trademark from Cisco.
So in neither case can it be described as stealing. Was that a troll, or are you just ill-informed?
Has it come to this? Needing to have something to look at on your phone even when you aren't using it for something useful? Sheesh!
Just a note is that a large percent of the geek population is trusting ROMs with full root access. Just internet access for some sandbox app is small potatoes. Here's an example of a "good" developer making a simple mistake with their ROM http://www.droidforums.net/forum/liberty-rom-d2/125447-so-who-just-had-their-phone-taken-control-liberty-1-5-a.html Imagine what a malicious developer could accomplish.
The android security model is fairly fine grained, certainly much more so than what we see on conventional desktop OS's, and has a pretty tall wall between apps. Note that the malware was not stealing user data from other apps, it is just a spambot, only stealing CPU cycles and bandwidth.
The main problem I have with the android security model is that the only recourse you have for a questionable app is to not install it in the first place. I'd prefer to see the ability to selectively deny permissions, so you could specify that (for example) an app that requests a network connection be denied access. In this case, that would effectively neuter the spambot while possibly still being able to set wallpapers as the app is advertised to do. Sure, the app might just crash, but that would provide some feedback to the user as well (and cause you to uninstall it).
Unfortunately, a lot of apps probably ask for more permissions than they actually use due to poor Android documentation in describing which SDK functions require which permissions. In my experience, this leads developers to take a scattershot approach of adding permissions semi-randomly in an attempt to debug why their app is crashing with permissions errors (of course, there is little incentive to remove those unnecessary permissions). Also some permissions need to be further split up; a music app that needs to know when a phone call is coming in in order to pause playback should only need permissions to that particular event, it shouldn't have to request full access to make and receive calls. Because there isn't enough information to make an informed decision, this quickly causes even technical users to stop paying attention to the "required permissions" page in the android market.
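Two posts above make related points: Android shows the requested permissions at install time and network access is one of them, and over-requested permissions make that list noisy enough that people stop reading it. One way to get signal back is to compare what a manifest requests against what the app's advertised purpose plausibly needs, and to look for combinations rather than single entries. The example below is added here and is not an Android tool or ADRD's real manifest: the manifest is constructed for a hypothetical repackaged wallpaper app, the permission names are real Android ones, and the "needs" baseline and the risk notes are this example's own judgement, written to match the behaviour the summary describes (reading IMEI/IMSI and sending it out, running without the user opening the app).

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed manifest for a hypothetical wallpaper app (not taken from any real sample).
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.wallpaper">
    <uses-permission android:name="android.permission.SET_WALLPAPER"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
    <application android:label="Wallpapers"/>
</manifest>
"""

# Baseline chosen for this example: what a wallpaper downloader plausibly needs.
WALLPAPER_APP_NEEDS = {
    "android.permission.SET_WALLPAPER",
    "android.permission.INTERNET",
    "android.permission.ACCESS_NETWORK_STATE",
}

# Combinations that matter more than any single permission; the notes are this example's own.
RISKY_COMBOS = [
    ({"android.permission.READ_PHONE_STATE", "android.permission.INTERNET"},
     "can read IMEI/IMSI and send them to a remote host"),
    ({"android.permission.RECEIVE_BOOT_COMPLETED", "android.permission.INTERNET"},
     "can start at boot and use the network without the app being opened"),
    ({"android.permission.READ_CONTACTS", "android.permission.INTERNET"},
     "can read the contact list and send it off the device"),
]


def requested_permissions(manifest_xml):
    """Set of permission names declared in <uses-permission android:name=.../> elements."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}


def audit_manifest(manifest_xml, expected):
    """Compare requested permissions with a purpose-specific baseline and flag risky combos."""
    requested = requested_permissions(manifest_xml)
    return {
        "requested": sorted(requested),
        "unexpected": sorted(requested - expected),
        "findings": [note for combo, note in RISKY_COMBOS if combo <= requested],
    }


if __name__ == "__main__":
    report = audit_manifest(SAMPLE_MANIFEST, WALLPAPER_APP_NEEDS)
    print("unexpected for a wallpaper app:", report["unexpected"])
    for note in report["findings"]:
        print("finding:", note)
```

The baseline is what turns a long permission list into a short list of surprises; a reviewer for a different app category would swap in a different `expected` set, and the combo rules stay the same.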