'Godless' Apps, Some Found In Google Play, Root 90% Of Android Phones (arstechnica.com)
Dan Goodin, reporting for ArsTechnica: Researchers have detected a family of malicious apps, some that were available in Google Play, that contain malicious code capable of secretly rooting an estimated 90 percent of all Android phones. In a recently published blog post, antivirus provider Trend Micro said that Godless, as the malware family has been dubbed, contains a collection of rooting exploits that works against virtually any device running Android 5.1 or earlier. That accounts for an estimated 90 percent of all Android devices. Members of the family have been found in a variety of app stores, including Google Play, and have been installed on more than 850,000 devices worldwide. Godless has struck hardest at users in India, Indonesia, and Thailand, but so far less than 2 percent of those infected are in the US. Once an app with the malicious code is installed, it has the ability to pull from a vast repository of exploits to root the particular device it's running on. In that respect, the app functions something like the many available exploit kits that cause hacked websites to identify specific vulnerabilities in individual visitors' browsers and serve drive-by exploits. Affected apps that have been spotted in Google Play, Android's marquee app store, are largely flashlight, Wi-Fi apps, as well as copies of popular games.
I'm not an Apple fanboi or anything, but I'm pretty sure that there are not a bevy of apps in the App Store that can contain malware which can root 90% of iPhones.
Say what you will about the virtues of Android and iOS, that's just silly.
I think this falls under the "victim of their own success" category.
The thing is, once you install an app, that's it, it can then do whatever it wants within the limitations that Google has defined. One of those things is "access the Internet" which means that the app, once installed, can then go out to the web and grab whatever it needs to exploit your device.
I am sure that there are thousands of legit apps that have the same exact "signature" as these malware apps. As in, they do normal stuff like access the Internet, turn on your camera's LED, etc.
If you start blocking apps that access particular URLs, that's all well and good, but what if the malicious party creates an ad that is only malicious when used in conjunction with their app? Will Google block apps that access the ad networks? Nope.
The real fix is to get these devices updated so that they are no longer vulnerable to root kits.
My eyes reflect the stars and a smile lights up my face.
I see. Verizon and Samsung won't let me root my phone, but Russian and Chinese hackers can. Thanks Verizon and Samsung.
Came here to say just this. "Rooting" your phone should be a setting in a menu somewhere saying "Allow me to access my own device"; it shouldn't require searching the internet for the least-sketchy app to flip a bit somewhere.
Actually the thing with iOS is that it's virtually impossible for anybody but Apple to mass audit apps for malware. There are without a doubt malware apps on Apple's app store, but nobody has found them yet. In fact, in at least a few cases, some malware apps on iOS were only discovered after somebody found it on the Android version and decided to check the iOS version on a hunch.
This wouldn't have happened if Android had been more intelligently designed.
The only thing necessary for evil to triumph is for it to be pitted against a slightly greater evil.
I'd also add that I'd be fine with this being turned off by default (i.e. your device isn't rooted by default). Most people won't need root access for what they use their phones/tablets for. But if I want to root my phone/tablet, I can turn this on (perhaps click OK on a "this can wreak havoc with your device if you don't know what you're doing" warning) and then have root access.
Want to make it a little less likely that someone would turn on root by mistake? Do what they did with USB debugging. To turn this on, you need to go to Settings, About Phone, and tap the Build number 7 times just to get the option to display. Make it so "Enable Root Access" doesn't display unless you tap some other section like this. It would prevent casual users from accidentally getting root access while making it much easier for the rest of us to do this.
My sci-fi novel, Ghost Thief, is now available from Amazon.com.
stop being a cheap-ass and buy a new phone.
And put the old phone to what use? Adding to the growing e-waste problem?
I didn't mean to imply that the onus is on the user to update their device.
I am saying that Google and the carriers need to find some way to get along and keep these devices updated.
At the end of life, when Google no longer wants to support these devices, I think it would be appropriate to block access to the Play Store for those devices.
You don't have to wait for Google, because Cyanogen will have you covered too http://www.cyanogenmod.org/
My HTC Evo 4g
That gives me nightmares, that was my first smartphone. I've upgraded twice since then, you should really consider it. When I booted that up to wipe it back to defaults it felt like I had discovered some relic of a bygone era.
"Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
Victim of their own success? Or a predictable outcome of the security model?
The Android security model is what I call "blame the user". Although things have shifted slightly, the original intent was pretty simple: an application could only do things that it was pre-approved to do. This was handled by having declarations, and the user would have to agree to those declarations. There are several problems with this model.
1. Users are not generally equipped to properly discriminate and thus are not able to make an actual informed decision.
2. Permissions are not granular. You even mention one of the most glaringly ungranular permissions, "access the Internet".
3. Permissions are an all-or-nothing proposition. They only have any meaning when there is no adversary. That is, they provide no security whatsoever, merely at best providing limited information as to whether or not you might want to install an app. Kind of like a ratings system.
4. Applications can (and do) declare permissions that they don't need. This can be attributed to laziness (why bother worrying about what the app needs, just select them all) but in the end allows an app to do things that it never needed to do which can be leveraged maliciously.
I call this "blame the user" because when someone's device ends up with malware on it the response was (especially initially) "but you knowingly installed it, accepting that it would 'access the Internet'".
With a few exceptions (such as a web browser), the user doesn't really intend to give an app unlimited access to the Internet. Instead, they are thinking that a game app will send and receive leader board information, or that an advertising supported app will connect to an advertising network, or that a drawing app will check for updates, or whatever. They are *not* expecting that the app will use this global "access the Internet" permission for command-and-control traffic for the botnet it just joined.
The entire model is flawed. Anyone who has dealt with "normal" users on any long term basis is well acquainted with how unsolvable #1 is. And, while making permissions more granular and separable would address #2 and #3, it does so at the expense of #1. Addressing #4 is more difficult, but should be achievable by making them inherent to function usage.
But, in the end, the user is no more equipped to make security decisions based on a declaration of access requirements on a mobile device than they are to make security decisions based on a Windows security alert. If it goes any deeper than confirming an action (because of the possibility of non-interactive triggers) then it is not a good use-case for a user decision.
For example, prompting before allowing first-time execution of something that was downloaded by a browser -- if the user just downloaded and attempted to run the installer they can confirm this -- but if a malicious site managed to trick the browser into downloading and executing then a user has a chance of realizing they should say "no" when prompted by the operating system.
In short, the Android model of permissions/capabilities does not provide security. At best, it provides a framework for an educated user to possibly make an informed decision about installing an application. This isn't a *bad* thing as there is nothing wrong with enabling better management of a device -- unless it is mistaken for security.
Security is difficult. There is no silver bullet. It cannot be automated. While some sort of automatic scanning can be *part* of an overall security approach, it will always fail if it is all there is to the approach. Google (or Apple) scanning apps in their stores can gain *something* but does not provide a good endgame. Increasingly, the only time malicious applications are first detected is by actual analysis. That this is a high cost to perform that users are not willing to pay doesn't help matters any. It remains to be seen how well relying on voluntary third-party audits of applications will work. I just don't see it scaling very well.
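The points above about coarse (#2) and over-declared (#4) permissions can be checked mechanically against an app's manifest. The following is an added example, not code from the thread or from any project it mentions: it parses a constructed AndroidManifest.xml for a hypothetical flashlight app and reports every declared permission that goes beyond what such an app plausibly needs, singling out the all-or-nothing "access the Internet" permission the commenter names. The expected-permission set and the sample manifest are assumptions made for the example.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample manifest for a hypothetical flashlight app (assumption,
# not taken from the article); the permission names themselves are real ones.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
    <application android:label="Flashlight"/>
</manifest>
"""

# What a flashlight app plausibly needs (assumption): on pre-6.0 Android the
# LED is driven through the camera API, so CAMERA is the one expected entry.
EXPECTED_FLASHLIGHT = {"android.permission.CAMERA"}

# Coarse, non-granular permissions: granting INTERNET on the install-time
# model means unrestricted network access to any host, for any purpose.
COARSE = {"android.permission.INTERNET"}


def declared_permissions(manifest_xml):
    """Return the android:name of every <uses-permission> element, in order."""
    root = ET.fromstring(manifest_xml)
    return [el.get("{%s}name" % ANDROID_NS) for el in root.iter("uses-permission")]


def audit(manifest_xml, expected):
    """Flag permissions declared beyond `expected`, and coarse ones regardless.

    On Android 5.1 and earlier every declared permission is granted at install
    time, so anything in `over_declared` is usable by the app from day one.
    """
    declared = set(declared_permissions(manifest_xml))
    return {
        "over_declared": sorted(declared - expected),
        "coarse": sorted(declared & COARSE),
    }


if __name__ == "__main__":
    for key, perms in audit(SAMPLE_MANIFEST, EXPECTED_FLASHLIGHT).items():
        print(key + ":", ", ".join(perms) or "(none)")
```

A real audit would derive the expected set from the app's advertised purpose and the APIs it actually calls, rather than from a hand-written set as here.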
Oh yes, protect against 3rd party exploits by installing a third party OS. Sounds like a GREAT solution!
It used to work very well.
I did it when I installed OS/2 in the nineties, and now when I install OpenSUSE.
Lisias@Earth.SolarSystem.OrionArm.MilkyWay.Local.Virgo.Universe.org