Android Malware Pretends To Be WhatsApp, Uber and Google Play (fireeye.com)

← Back to Stories (view on slashdot.org)

Android Malware Pretends To Be WhatsApp, Uber and Google Play (fireeye.com)

Posted by msmash on Wednesday June 29, 2016 @05:20AM from the security-woes dept.

Reader itwbennett writes: Security vendor FireEye said on Tuesday that malware that can spoof the user interfaces of Uber, WhatsApp and Google Play has been spreading through a phishing campaign over SMS. Once downloaded, the malware, which has struck Android users in Denmark, Italy and Germany, will create fake user interfaces on the phone as an 'overlay 's top of real apps. These interfaces ask for credit card information and then send the entered data to the hacker.

37 of 57 comments (clear)

Min score:

Reason:

Sort:

Outstanding by nehumanuscrede · 2016-06-29 05:23 · Score: 2

It's the App version of an ATM skimmer :|
Easy fix by wbr1 · 2016-06-29 05:32 · Score: 3, Insightful

Allow apps from unknown sources should always be off, unless you know what you are doing. Period. That should stop this, and is the default on most mainstream devices. It gets turned off when people want hacked versions of games, etc, then the malware creeps in. That setting should be on a use count timer. Use it once, then have to go set it again (manually, not a simple yes like UAC), for a fresh sideload install.
Make the user think!

--
Silence is a state of mime.
1. Re:Easy fix by LichtSpektren · 2016-06-29 06:16 · Score: 2
  
  There are legit reasons for turning on unknown sources. Humble Bundle is one that comes to mind.
  And Adguard. But if you're going to install a third-party program, it's very wise to only turn on "Install from unknown sources" during the installation/update, and then immediately turn it back off.
2. Re:Easy fix by mlts · 2016-06-29 06:27 · Score: 1
  
  F-Droid as well.
3. Re:Easy fix by LichtSpektren · 2016-06-29 06:28 · Score: 1
  
  Use iOS.
  Great plan. Because as we all know, iOS is 100% secure and never has to receive security patches.
4. Re:Easy fix by macs4all · 2016-06-29 09:20 · Score: 1
  
  Allow apps from unknown sources should always be off, unless you know what you are doing. Period. That should stop this, and is the default on most mainstream devices. It gets turned off when people want hacked versions of games, etc, then the malware creeps in. That setting should be on a use count timer. Use it once, then have to go set it again (manually, not a simple yes like UAC), for a fresh sideload install.
  Make the user think!
  This is exactly how Apple implemented the "Allow Apps from Anywhere" setting in their "Gatekeeper" feature in OS X/macOS.
  
  If you set it to that level, after a time (I think it is 30 days) it will revert to the next-more-secure-level (Allow Apps from Registered Developers; which, BTW, does NOT mean "only from the App Store"). I think it should be shorter; but it's the right idea for most people, and the timeout strikes a fairly decent balance between "too naggy" and "too dangerous", IMHO.
  
  And since Apple will now issue Registered Developer certs for FREE (no $99/yr fee), there isn't any reasonable reason why any legit. Dev. shouldn't take advantage of that, if for no other reason than for the sake of peace-of-mind for its customers/downloaders.
5. Re:Easy fix by macs4all · 2016-06-29 09:35 · Score: 1
  
  Use iOS.
  Great plan. Because as we all know, iOS is 100% secure and never has to receive security patches.
  At least iOS GETS Security Patches, right? Now where's the same page for your non-Nexus Android phone?
  
  Thought so.
6. Re:Easy fix by invictusvoyd · 2016-06-29 13:37 · Score: 1
  
  Make the user think!
  
  Product fail
7. Re:Easy fix by LichtSpektren · 2016-06-30 01:21 · Score: 1
  
  Use iOS.
  Great plan. Because as we all know, iOS is 100% secure and never has to receive security patches.
  At least iOS GETS Security Patches, right? Now where's the same page for your non-Nexus Android phone? Thought so.
  I happen to have a Nexus 5X and I don't recommend anything other than the Nexus phones, thanks.
  
  While it's true that iPhones have a longer support life than most Android phones, what you're failing to mention is that Apple quickly dumps support for the major iOS versions, so to get security updates, you have to bump up a major version. Since each newer version uses more resources than the older ones, the older iPhones slow to a crawl and become generally unusable.
8. Re:Easy fix by macs4all · 2016-06-30 03:59 · Score: 1
  
  Use iOS.
  Great plan. Because as we all know, iOS is 100% secure and never has to receive security patches.
  At least iOS GETS Security Patches, right? Now where's the same page for your non-Nexus Android phone? Thought so.
  I happen to have a Nexus 5X and I don't recommend anything other than the Nexus phones, thanks. While it's true that iPhones have a longer support life than most Android phones, what you're failing to mention is that Apple quickly dumps support for the major iOS versions, so to get security updates, you have to bump up a major version. Since each newer version uses more resources than the older ones, the older iPhones slow to a crawl and become generally unusable.
  That's why Apple sometimes releases sub-versions ("point" releases) that have changes specifically designed to address performance issues in older hardware. The most recent that comes to mind was, IIRC, the iOS 9.3.1 Update (later replaced with the more-stable (and slightly faster overall) iOS 9.3.2, both of which were specifically designed to improve performance on the iPad 2 and (IIRC) the iPhone 4s. Speaking of which, this site conducted an informal performance comparison between iOS 9.3.1 and 9.3.2 on iPhones from the iPhone 6 back to the 4s. If you think that the performance on the iPhone 4s for either 9.3.1 or 9.3.2 could be described as "slow[ed] to a crawl", then you are simply a liar.
  
  I assume what mostly happens on those revisions is the re-nice-ing of interrupt priorities; but I am certainly not privvy to iOS internal development details.
Another Win For Brexit! by Anonymous Coward · 2016-06-29 05:41 · Score: 1, Funny

Once downloaded, the malware, which has struck Android users in Denmark, Italy and Germany
Denmark, Italy and Germany are all in the EU. The UK is unaffected!
Not so easy... by SuperKendall · 2016-06-29 05:51 · Score: 1

Allow apps from unknown sources should always be off, unless you know what you are doing. Period. That should stop this
And when app fragments are downloaded and installed automatically over web pages as the latest version of Android does?

--
"There is more worth loving than we have strength to love." - Brian Jay Stanley
1. Re:Not so easy... by wbr1 · 2016-06-29 06:02 · Score: 1
  
  Never heard of this.. app fragments?? Some linkage is in order.
  
  --
  Silence is a state of mime.
2. Re:Not so easy... by swillden · 2016-06-29 07:11 · Score: 1
  
  Allow apps from unknown sources should always be off, unless you know what you are doing. Period. That should stop this
  And when app fragments are downloaded and installed automatically over web pages as the latest version of Android does?
  Not just the latest version of Android. "Instant apps" will be available on every platform version from 4.1 up.
  However, instant apps can *only* be downloaded from the Play store -- there is no equivalent of "allow untrusted sources". They'll run inside a sandbox which is part of Google Play services, so it can be updated at any time if any abuse is detected -- including the ability to remove APIs, disable specific abused instant apps, or even shut the whole system off if needed. In addition, Google will be vetting them even more closely than normal Play apps.
  
  --
  Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
3. Re:Not so easy... by swillden · 2016-06-29 07:11 · Score: 2
  
  https://developer.android.com/...
  
  --
  Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
4. Re:Not so easy... by SuperKendall · 2016-06-29 07:19 · Score: 1
  
  That all sounds really good but sandboxes can be broken, and where did you get "Google will be vetting them more closely" - that sounds like a hope, I didn't hear them say that... and will they be vetting them so closely after many updates?
  Fundamentally the fact remains that going to a web page will download some executable code onto your device without consent or explicit installation action. Then from there it's just a matter of how it escapes.
  
  --
  "There is more worth loving than we have strength to love." - Brian Jay Stanley
5. Re:Not so easy... by swillden · 2016-06-29 07:32 · Score: 2
  
  That all sounds really good but sandboxes can be broken
  Sure, they can, but putting code into them that tries to break out of the Sandbox will get caught by the Play store review systems. Oh, I suspect that we'll occasionally see a clever 0day that can do it and sneak by the review systems, just as there are occasional apps that can break out of the sandbox and obtain root. Such techniques are quickly understood and apps that use them removed from the Play store. In the case of instant apps, there are some additional levers of control: the sandbox can be updated whenever problems are discovered, and sandbox updates can potentially even remove or restrict APIs.
  
  where did you get "Google will be vetting them more closely"
  I work with the people who do the vetting.
  
  and will they be vetting them so closely after many updates?
  I expect that will depend on how many vulnerabilities are found and how much abuse occurs. It's certainly safe to assume that instant apps will always be at least as safe as the Play store in general... and that's quite safe.
  
  Fundamentally the fact remains that going to a web page will download some executable code onto your device without consent or explicit installation action.
  Like, say, Javascript?
  How difficult that is to secure depends on what the sandbox allows the code to do. How quickly you can update the sandbox to remove discovered vulnerabilities is also very important.
  
  --
  Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
6. Re:Not so easy... by SuperKendall · 2016-06-29 08:15 · Score: 1
  
  There is a BIG difference between Javascript and native code (though admittedly the difference is somewhat less since everyone started adding native Javascript acceleration engines).
  It is good to hear such apps are more strongly vetted, but I'm still not sure how well that will work out over time...
  How quickly you can update the sandbox to remove discovered vulnerabilities is also very important.
  I agree but a newer sandbox like this is bound to be more vulnerable than an established sandbox for something like JavaScript.
  
  --
  "There is more worth loving than we have strength to love." - Brian Jay Stanley
7. Re:Not so easy... by swillden · 2016-06-29 08:24 · Score: 1
  
  Instant apps aren't native code.
  
  --
  Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
8. Re:Not so easy... by swillden · 2016-06-29 08:28 · Score: 1
  
  Also, I should mention that there are some powerful techniques for effectively sandboxing native code as well, when/if instant apps can use native code. NaCl's history of safely sandboxing x86 code has been outstanding.
  http://static.googleusercontent.com/media/research.google.com/en//pubs/archive/34913.pdf
  
  --
  Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
9. Re:Not so easy... by macs4all · 2016-06-29 09:25 · Score: 1
  
  It's certainly safe to assume that instant apps will always be at least as safe as the Play store in general... and that's quite safe.
  ORLY?
10. Re:Not so easy... by swillden · 2016-06-29 10:05 · Score: 1
  
  Yep. You should look at those links. Or if you want quantitative measurements, check out http://static.googleuserconten...
  
  --
  Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
11. Re:Not so easy... by wbr1 · 2016-06-29 10:10 · Score: 1
  
  Read.... the parts still download from Google play when needed. Still vetted by the Google, and does not require sideline settings.
  
  --
  Silence is a state of mime.
12. Re:Not so easy... by swillden · 2016-06-29 10:21 · Score: 1
  
  https://slashdot.org/comments....
  
  --
  Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
13. Re:Not so easy... by wbr1 · 2016-06-29 11:43 · Score: 1
  
  Thanks.. I had not gone back to read the entire thread my view was limited by the link I followed to reply and did not think to.. Also, thanks for being a voice of reason amongst the FUD.
  
  --
  Silence is a state of mime.
14. Re:Not so easy... by swillden · 2016-06-29 13:17 · Score: 1
  
  I figured :-)
  
  --
  Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
15. Re:Not so easy... by dwillden · 2016-06-29 21:34 · Score: 1
  
  Question: is Google planning on doing anything about the new trend in browser redirects that take you to the store? Can they do anything about it?
  
  Combine that very annoying trick with this fake GooglePlay malware and I see a glaring vulnerability, in addition to the major annoyance of trying to read a website only to suddenly be yanked into the play store to install some dumb game.
  
  --
  I'm too lazy to compose a creative sig.
16. Re:Not so easy... by swillden · 2016-06-30 01:42 · Score: 1
  
  I see the annoyance, though that's the web site's decision. I don't see the vulnerability. If you install this sort of malware, there are all sorts of things it can do and such redirects don't make things worse. If you don't, then there's no vulnerability.
  
  --
  Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
17. Re:Not so easy... by dwillden · 2016-06-30 03:26 · Score: 1
  
  It should not be any website's decision to redirect ME from the page I'm trying to read to the play store. That alone is a gaping vulnerability, if any web page can just call another app without my approval that is a vulnerability, not just an annoyance. Add in this malware and it becomes a potentially critical vulnerability.
  
  --
  I'm too lazy to compose a creative sig.
18. Re:Not so easy... by swillden · 2016-06-30 04:58 · Score: 1
  
  That's how hyperlinks and Android intents work.
  
  --
  Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
Re:More loonix flaws by LichtSpektren · 2016-06-29 06:15 · Score: 1

Can you provide even a single example of somebody running a web server on Android?

Linux servers don't get "constantly rooted and defaced". But, regardless, nobody is saying Linux is invulnerable. We'll have to settle on merely being orders of magnitude more secure than Windows, which is the point of the comparison.
If you're gonna make a malware app . . . by DickBreath · 2016-06-29 07:27 · Score: 1

If you're gonna make a malware app, and if you're gonna make it pretend to be three things, then why not change what three things it pretends to, and simply call your app GooFaceTwit.

--

I'll see your senator, and I'll raise you two judges.
FUD! Pay us cash! by chill · 2016-06-29 08:25 · Score: 3, Insightful

This is a 24 page report that can be summed up as "An amazing number of people are stupid enough to click links embedded in SMS messages. However, since this sort of attack is blocked by anyone with the default 'do not allow third-party apps' setting in Android, we only saw 38 actual instances of infected devices contacting the C2 systems. Please take the other 23 1/2 pages of the report as proof we are highly technically skilled, but in general spreading FUD so you pay us lots of money to protect against a threat that has an almost insignificant likelihood of affecting you."

--
Learning HOW to think is more important than learning WHAT to think.
1. Re:FUD! Pay us cash! by macs4all · 2016-06-29 09:54 · Score: 1
  
  This is a 24 page report that can be summed up as "An amazing number of people are stupid enough to click links embedded in SMS messages. However, since this sort of attack is blocked by anyone with the default 'do not allow third-party apps' setting in Android, we only saw 38 actual instances of infected devices contacting the C2 systems. Please take the other 23 1/2 pages of the report as proof we are highly technically skilled, but in general spreading FUD so you pay us lots of money to protect against a threat that has an almost insignificant likelihood of affecting you."
  I wonder if your comment would be different if the article was about the iOS App Store?
2. Re:FUD! Pay us cash! by chill · 2016-06-29 10:17 · Score: 1
  
  It wouldn't, as my criticism was directed at the 3rd party security tool vendor, not the OS vendor. I would have been equally derisive if the malware was for iOS and only was effected on jail broken devices.
  Thought, to correct your assertion, you actually wonder if my comment would be different if the target of the malware was iOS.
  I personally prefer Google's model because it gives me the choice whereas Apple's does not. Android says "you should" whereas iOS says "you must".
  
  --
  Learning HOW to think is more important than learning WHAT to think.
Re:More loonix flaws by macs4all · 2016-06-29 09:32 · Score: 1

We'll have to settle on merely being orders of magnitude more secure than Windows, which is the point of the comparison.
Is that actually true anymore?

I am absolutely the farthest thing from being a WIndows fanboi; but it has been QUITE a while since I heard of a new IIS exploit being discovered. In fact, the newest search result on Google for "IIS vulnerability" is from over a year ago.
Re:More loonix flaws by seksi-seppo · 2016-06-29 19:04 · Score: 1

Linux servers don't get "constantly rooted and defaced". But, regardless, nobody is saying Linux is invulnerable. We'll have to settle on merely being orders of magnitude more secure than Windows, which is the point of the comparison.
AFAIK most of the security issues around lunix installations are related to false sensation of security under which the user installs bit too liberally things on their server and "once it works, don't touch it" is sadly common practice encouraging neglecting security updates. Also, more things installed in luserspace, more things requiring potential security updates. Some distributions, especially certain infamous South African one, makes it far too easy to install a lot of crap.
All self-developed things on top of common stack coming from a distribution is yet another story...