Slashdot Mirror


Android Malware Pretends To Be WhatsApp, Uber and Google Play (fireeye.com)

Reader itwbennett writes: Security vendor FireEye said on Tuesday that malware that can spoof the user interfaces of Uber, WhatsApp and Google Play has been spreading through a phishing campaign over SMS. Once downloaded, the malware, which has struck Android users in Denmark, Italy and Germany, will create fake user interfaces on the phone as an 'overlay' on top of real apps. These interfaces ask for credit card information and then send the entered data to the hacker.

6 of 57 comments

  1. Outstanding by nehumanuscrede · Score: 2

    It's the App version of an ATM skimmer :|

  2. Easy fix by wbr1 · Score: 3, Insightful
    Allow apps from unknown sources should always be off, unless you know what you are doing. Period. That should stop this, and is the default on most mainstream devices. It gets turned off when people want hacked versions of games, etc, then the malware creeps in. That setting should be on a use count timer. Use it once, then have to go set it again (manually, not a simple yes like UAC), for a fresh sideload install.

    Make the user think!

    --
    Silence is a state of mime.
    1. Re:Easy fix by LichtSpektren · Score: 2

      There are legit reasons for turning on unknown sources. Humble Bundle is one that comes to mind.

      And Adguard. But if you're going to install a third-party program, it's very wise to only turn on "Install from unknown sources" during the installation/update, and then immediately turn it back off.

  3. Re:Not so easy... by swillden · Score: 2
    --
    Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
  4. Re:Not so easy... by swillden · Score: 2

    That all sounds really good but sandboxes can be broken

    Sure, they can, but putting code into them that tries to break out of the sandbox will get caught by the Play store review systems. Oh, I suspect that we'll occasionally see a clever 0day that can do it and sneak by the review systems, just as there are occasional apps that can break out of the sandbox and obtain root. Such techniques are quickly understood and apps that use them removed from the Play store. In the case of instant apps, there are some additional levers of control: the sandbox can be updated whenever problems are discovered, and sandbox updates can potentially even remove or restrict APIs.

    where did you get "Google will be vetting them more closely"

    I work with the people who do the vetting.

    and will they be vetting them so closely after many updates?

    I expect that will depend on how many vulnerabilities are found and how much abuse occurs. It's certainly safe to assume that instant apps will always be at least as safe as the Play store in general... and that's quite safe.

    Fundamentally the fact remains that going to a web page will download some executable code onto your device without consent or explicit installation action.

    Like, say, Javascript?

    How difficult that is to secure depends on what the sandbox allows the code to do. How quickly you can update the sandbox to remove discovered vulnerabilities is also very important.

    --
    Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
  5. FUD! Pay us cash! by chill · Score: 3, Insightful

    This is a 24-page report that can be summed up as "An amazing number of people are stupid enough to click links embedded in SMS messages. However, since this sort of attack is blocked by anyone with the default 'do not allow third-party apps' setting in Android, we only saw 38 actual instances of infected devices contacting the C2 systems. Please take the other 23 1/2 pages of the report as proof we are highly technically skilled, but in general spreading FUD so you pay us lots of money to protect against a threat that has an almost insignificant likelihood of affecting you."

    --
    Learning HOW to think is more important than learning WHAT to think.
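The summary describes an overlay attack, and comments 2 and 5 point at sideloading as the way it gets onto a device; a quick triage that combines both is to list packages that request the overlay permission (SYSTEM_ALERT_WINDOW) but were not installed by the Play store. This is an added example, not from the FireEye report or any commenter: it parses a constructed, simplified dump in the style of `adb shell dumpsys package` (the real output carries many more fields), and the package names and installer values are made up.

```python
# Constructed, simplified excerpt in the style of `adb shell dumpsys package`
# (not a real capture): two Play-installed apps and one sideloaded app that
# requests the overlay permission. Package names are invented.
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.whatsapp] (1a2b3c):
    installerPackageName=com.android.vending
    requested permissions:
      android.permission.INTERNET
      android.permission.READ_CONTACTS
  Package [com.example.flashplayer_update] (4d5e6f):
    installerPackageName=null
    requested permissions:
      android.permission.INTERNET
      android.permission.SYSTEM_ALERT_WINDOW
      android.permission.RECEIVE_SMS
  Package [com.ubercab] (7a8b9c):
    installerPackageName=com.android.vending
    requested permissions:
      android.permission.INTERNET
      android.permission.SYSTEM_ALERT_WINDOW
"""

TRUSTED_INSTALLERS = {"com.android.vending"}  # Play store installer id
OVERLAY_PERM = "android.permission.SYSTEM_ALERT_WINDOW"

def parse_packages(dump):
    """Return {package: {"installer": str|None, "perms": set}} from a dumpsys-style dump."""
    pkgs, current = {}, None
    for line in dump.splitlines():
        line = line.strip()
        if line.startswith("Package ["):              # new package section
            current = line[len("Package ["):line.index("]")]
            pkgs[current] = {"installer": None, "perms": set()}
        elif current and line.startswith("installerPackageName="):
            value = line.split("=", 1)[1]             # "null" means sideloaded/unknown
            pkgs[current]["installer"] = None if value == "null" else value
        elif current and line.startswith("android.permission."):
            pkgs[current]["perms"].add(line)          # requested permission entry
    return pkgs

def overlay_suspects(dump, trusted=TRUSTED_INSTALLERS):
    """Packages requesting the overlay permission that did not come from a trusted store."""
    return sorted(
        name for name, info in parse_packages(dump).items()
        if OVERLAY_PERM in info["perms"] and info["installer"] not in trusted
    )

if __name__ == "__main__":
    for pkg in overlay_suspects(SAMPLE_DUMPSYS):
        print("review:", pkg)
```

A Play-installed app that legitimately uses overlays (the ride-hailing entry above) is not flagged; only the sideloaded one is, which is the population worth a closer look rather than proof of infection.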