Slashdot Mirror


Stealthy Google Play Apps Recorded Calls and Stole Emails (arstechnica.com)

An anonymous reader quotes Ars Technica: Google has expelled 20 Android apps from its Play marketplace after finding they contained code for monitoring and extracting users' e-mail, text messages, locations, voice calls, and other sensitive data. The apps, which made their way onto about 100 phones, exploited known vulnerabilities to root devices running older versions of Android.... As a result, the apps were capable of surreptitiously accessing sensitive data stored, sent, or received by at least a dozen other apps, including Gmail, Hangouts, LinkedIn, and Messenger. The now-ejected apps also collected messages sent and received by WhatsApp, Telegram, and Viber, which all encrypt data in an attempt to make it harder for attackers to intercept messages while in transit... To conceal their surveillance capabilities, the apps posed as utilities for cleaning unwanted files or backing up data.
Google reports that the malicious apps also had these functions:
  • Call recording
  • VOIP recording
  • Recording from the device microphone
  • Location monitoring
  • Taking screenshots
  • Taking photos with the device camera(s)
  • Fetching device information and files
  • Fetching user information (contacts, call logs, SMS, application-specific data)

12 hours later an antivirus provider reported two more Google Play apps could surreptitiously steal text messages by downloading a malicious plugin -- and that the apps had already been downloaded at least 100,000 times.


55 comments

  1. Not surprised by Anonymous Coward · · Score: 0

    Another false sense of security that walled-gardens try to trick people into believing they provide (it's purely a money grab for the store providers). Sure, they can remove the apps, but the deed was already done and you can't take that back.

    1. Re:Not surprised by Anonymous Coward · · Score: 0

      Yeah but only on Android. What a shitty operating system. What a shitty company. What a whiny ass user base.

    2. Re: Not surprised by Anonymous Coward · · Score: 0

      And these apps will probably remain on the phones that they are installed on.

  2. Re: Has this happened with IOS? by Anonymous Coward · · Score: 0

    This has virtually nothing to do with Linux. If/when Google switches their kernel to something different (it's in the works now), the Play Store will still have this wild Wild West model. Torvalds has 0 control over this because he doesn't work on the Android user space, just the kernel. And this has happened in the iOS App Store, just in much much smaller quantities and less often.

  3. Shitty article and summary by Anonymous Coward · · Score: 0

    Whatever you do don't provide a list of the apps...

    1. Re:Shitty article and summary by SeaFox · · Score: 1

      Looks like someone might have in the comments.

  4. Re:Safe spaces. by cunina · · Score: 1

    That's not sad at all. "Safe spaces" have their appropriate uses. I consider the iOS walled garden to be a valuable feature. Since I don't have the time or inclination to mess around with my phone's internals, I don't care that I'm forbidden from doing so. I just want it to work, and it does, in a mostly secure way.

  5. Why is this possible? by Gravis+Zero · · Score: 3, Interesting

    Honest question: Why is it possible for application A from company X to access information from application B from company Y? I could understand if they were both from company X and were signed with the same certificate but it's nothing like that! No application should EVER have full system access.

    --
    Anons need not reply. Questions end with a question mark.
    1. Re:Why is this possible? by Anonymous Coward · · Score: 0

      Android is designed to create a gap between Google Play and the outside apps. They merged harmless and abusive permissions together. That way users are helpless and they need to rely on people checking that apps don't "abuse" the permissions they were granted, which is the added-value of the walled garden. With this strategy Google is totally playing with fire, and this story illustrates what can happen when things go wrong.

    2. Re:Why is this possible? by FrankHaynes · · Score: 1

      My phone runs the very latest version of Android which now asks for permissions each time the app is run, rather than once at installation time. Each time I start the MLB app it demands to know my location, which I deny, yet it still runs just fine.

      The best defense is to run the minimum assortment of apps to get the job done. And delete apps that you no longer use for whatever reason.

      --
      slashdot: A failed experiment.
    3. Re:Why is this possible? by Anonymous Coward · · Score: 1

      Why is it possible for application A from company X to access information from application B from company Y?

      Because Android's permissions system is complete BS. It's designed to make collecting data about the user as easy as possible while giving them the smallest amount of control over it so they can avoid lawsuits.

      "Take it or leave it" is their motto. In official Android versions you can't say I don't want to grant this permission or disable access after installation. Heck, some apps will crash if this happens on AOSP releases that allow you to do so, because they *expect* to be able to ravage your personal data.

      Most people realize this, and most accept it without question. (Heck, most won't even read the permissions request when they hit the install button anymore.) Either because they were required to use that specific app for external reasons, or because they don't want to spend the time and effort to find another app that does what they want without the abuse. In short, they are sheep. So when the sheep get bit, they get bit hard because they've been trained to ignore threats to themselves. (They have no choice to make anyway from their perspective.) They also show apathy to others who try to get them to change. (They don't want the hassle, and they've been told constantly not to install something they don't understand.)

      No application should EVER have full system access.

      Wrong again. There is one user that should have full system access and that's the device owner. If for nothing else but to restrict and clean up after these kinds of apps that abuse their access to personal data.

      People have been trained to reject the idea of having full control over something. Heck, in this comment section alone we already have Apple fanbois championing their lack of control over their iPhones like it's the greatest thing ever. This is the single greatest mistake you could ever make as a device owner. There will *always* be an app or some such out there dying for the chance to take advantage of you. That's human nature. Giving up the ability to control your devices just makes their job that much easier, because you've removed the single greatest objector and obstacle for those apps to overcome if they want to do their dirty work: You. You are the single greatest protector of your own data. No-one else is going to do that for you. If anything they will pay lip service to it, but they are not the person who will face the consequences of having their data taken from them. You are. Not to mention the possibility for state sponsored attacks being made that much easier if they don't have to have the user assist with their own subversion. That's the whole reason for the FBI vs. Apple debate. That's the reason China has to have the police check their dissidents' phones for the spying app's installation. Whether it's at home or abroad, there's plenty of reasons to keep your devices under your control, and they just can't seem to stop giving you new examples.

      People need to remember this and not fall for the "I'm locked out, so it's safe." trick. It cannot be said enough: Just because you are locked out, doesn't mean your adversaries are. It means you can't do anything to stop it, if and when they do break in.

    4. Re:Why is this possible? by Kjella · · Score: 1

      Why don't you RTFSummary?

      The apps, which made their way onto about 100 phones, exploited known vulnerabilities to root devices running older versions of Android....

      --
      Live today, because you never know what tomorrow brings
    5. Re: Why is this possible? by cyber-vandal · · Score: 1

      That's great if your manufacturer and carrier can be bothered to update your phone to the latest version. Otherwise you're stuck with what was preinstalled. You can install a third party ROM but then you run the risk of bricking your phone and in any case you can't expect non-technical people to do that.

    6. Re:Why is this possible? by Anonymous Coward · · Score: 0

      Why is it possible? Because Android is a piece of shit.

  6. Jealousy by Anonymous Coward · · Score: 0

    As a result, the apps were capable of surreptitiously accessing sensitive data stored, sent, or received by at least a dozen other apps, including Gmail, Hangouts, LinkedIn, and Messenger.

    "Hey! That's our business model!" was proclaimed inside Google HQ.

  7. Finger nail polish by Trax3001BBS · · Score: 1

    Just how often does one take a selfie? I don't trust any forward facing camera.

    I use fingernail polish to cover it as it's almost permanent - used to use electrical tape.

    1. Re:Finger nail polish by Ogive17 · · Score: 2

      I'm not really into the selfie movement but I do use my front facing camera at least once a month. When my wife or I is traveling, we use it to video chat. And if our travels have one of us somewhere the time zone difference doesn't allow the evening video call, sending a quick "selfie" with our 4 year old is a good way to send a note of affection.

      --
      "Action without philosophy is a lethal weapon; philosophy without action is worthless."
    2. Re:Finger nail polish by tlhIngan · · Score: 1

      Just how often does one take a selfie?

      Me? Never. I had to ask someone for assistance when I had an occasion where I needed to

      But for other people, you obviously don't go out very much - they take selfies so often, you wonder why they don't just use video mode. Or why front facing cameras continue to take a back seat to the rear facing one, because people seem to take photos only using the front facing one.

  8. Look at the permissions Android apps ask for. by Anonymous Coward · · Score: 0

    Most apps ask for complete access to the phone. For example, why does a guitar tuner need access to my contacts? Or my camera? Or my location?

    And I see it for MOST of the apps on Google Play. Therefore, I don't use many apps from Google Play. And we're not even talking about what Google slips into the base system.

    There is no justifiable reason or excuse for this behavior.

    When I download apps for my iPad, I don't have any such issues. And it's not a take it or leave it proposition, either. iOS apps put up a popup and ask explicitly for access.

    iOS is superior. I only use Android because the phones are much cheaper - and I only use a smartphone because people prefer texting over calling these days.

  9. Utility software lol by FunkSoulBrother · · Score: 1

    I mean I guess they could have hid this in a game app, but it would have been more questionable why it wanted all of those permissions.

    They should just ban cleanup/AV/nonsense utility scumware as a category from their stores, these things aren't really needed on such locked down mobile OS. They might have had some value in the day of like Windows 95 but now they are just the computer equivalent of a scummy mechanic charging an old lady for 'turn signal fluid'.

    1. Re:Utility software lol by Anonymous Coward · · Score: 0

      The game apps already require all sorts of blatant malware permissions. I just opened up play store, looked at the first random app it showed me in the 'games' category and here is what it wants:

      google play billing service
      approximate location
      precise location
      read, modify, delete files on SD card
      view wifi connections
      read phone status & identity
      full network access
      prevent phone from sleeping
      change audio settings
      control vibration
      view network connections

      (I gave up on play store long ago, would have been willing to purchase things, but it was full of trash and had no means to filter out the trash - not even a basic search function that can be used to exclude apps on the basis of their required permissions)

      An even more extreme case was some game that I had which required no special permissions when I installed it, then later was updated to require a huge list which included even the ability to make calls. (that app was immediately uninstalled instead of updated)

    2. Re:Utility software lol by Dutch+Gun · · Score: 1

      One trick scummy app authors use is to copy a legitimate game's marketing material and art, then create an app that does nothing but "hang" on the loading screen, in the meantime trying to game the ad system to earn some free money.

      Unfortunately, this hurts the reputation of the legitimate game and its developers, as often the malware authors simply steal the name along with the art assets.

      --
      Irony: Agile development has too much inertia to be abandoned now.
  10. So many who've never heard of flurry.com by Trax3001BBS · · Score: 1

    You too can obtain this ability, just sign up and pay the cost.

    I can't view the site as it's in my router's block file, but it used to be Google, now appears to have been taken over by Yahoo.com.

    You need to opt out of flurry.com, twice Google flurry.com requires a number only your phone has. Yahoo a opt out google will take you to a selection you can turn off.

    1. Re:So many who've never heard of flurry.com by Trax3001BBS · · Score: 1

      A Yahoo opt out requires you to do this with your phone.

  11. This is why I don't install apps on my phone. by Kargan · · Score: 1

    Okay fine, I have two: Rocket Player and one for local highway traffic provided by the city.

    That's it, though. All the other apps that are installed came with the phone. I should probably remove those...

    --
    Palaces, barricades, threats, meet promises
  12. Read the TOS's by Trax3001BBS · · Score: 1

    I do.

    The best TOS I've encountered was the one for Angry Birds, Rovio.com at the time. It told one everything it was going to do with your data; it was the 2% overseas that I never caught or have yet to figure out. It also led me to flurry.com.

    Samsung HDTVs - their TOS tells you they will be recording everything you do and keeping it. While it's meant to predict your needs, I know of two /. articles of Samsung having to tell people they can hear everything you say.

  13. Google Needs to fix this by Zombie+Ryushu · · Score: 4, Insightful

    Two things would fix this:

    1. Instead of being "Google Play" or "Everything else" the user should be able to say: I trust Google Play, F-Droid, and APK Pure only.

    2. All the handset makers need to provide support for Vanilla Stock Android VIA Lineage OS or Similar. Cough up Driver APKs, and stop allowing handset makers to bake Malicious software like ADUPS in the System area.

    1. Re:Google Needs to fix this by Anonymous Coward · · Score: 2, Funny

      Thank god you only said it twice, you almost summoned him.

  14. More proprietary malware, more reason to distrust. by jbn-o · · Score: 4, Interesting

    This means no matter how much skill Android users possess, Android users can't usefully investigate and fix the leveraged vulnerabilities themselves should they wish to do so or hire someone to do so on their behalf. The most they could do is write an exploit which demonstrates the bug, report the bug with the exploit program, and hope the proprietor takes corrective action. Upgrading to another version of proprietary software is no real fix as it could (at best) mean trading in fixes for these bugs for other bugs the users are prevented from usefully investigating and fixing. The user being rather helpless to improve their own situation or help their community all along the way. This is how proprietary (read: non-free, user-subjugating) software treats its users.

    All complex software has bugs, proprietary OSes and apps are no exception, but as the GNU Project points out, "The difference between free software and nonfree software is in whether the users have control of the program or vice versa. It's not directly a question of what the program does when it runs. However, in practice nonfree software is often malware, because the developer's awareness that the users would be powerless to fix any malicious functionalities tempts the developer to impose some.". Since there aren't any free software trackers (none might be possible so long as the phone network insists on proprietary control over the user's device) this is also an opportunity to learn to say no to proprietary control and do without a tracker (and, yes, particularly given the context of this thread it is proper to call them 'trackers' and not 'cell phones' or 'mobile phones', names which help obscure the main reason organizations want users to get these devices and install apps in the first place).

  15. Re: Has this happened with IOS? by Anonymous Coward · · Score: 0

    Short answer: no.

    Android is the MS Windows of the mobile world but hey, those phones are cheap nigga!!!

  16. Re:Only apps can app apps! by Aighearach · · Score: 0

    No, this story was about, only apps can app you up the app.

  17. Re: Only apps can app apps! by Anonymous Coward · · Score: 0

    So some crappy app from the Play Store can root my phone but I can't?

  18. All 3rd party apps destroy smartphone security by Anonymous Coward · · Score: 0

    All 3rd party apps destroy smartphone security, because you can never be certain they didn't find a back door exploit and aren't elevating their privileges to root - which can do anything.

    Don't do anything personal or sensitive on any smartphone or tablet. Definitely don't use them for banking.

  19. Death of the API by Anonymous Coward · · Score: 0

    ... the apps posed as utilities for cleaning ...

    With apps doing their own license checks, cloud-storage clients, or server-side AI (eg. voice commands), they become more vulnerable to attack and more likely to hold Trojan malware by design.

  20. Re:More proprietary malware, more reason to distru by Anonymous Coward · · Score: 1

    Google created this mess in the first place. Now I'm seeing tablets and phones where you're not allowed to root and as such I don't even want it anymore. Things that I used to be able to do, I'm not allowed to do anymore and I'm not dictated by Google or Apple how I'm supposed to do things. And now with the years going by, there is a huge mess of applications that are not even supported anymore on both Apple's store and Google's Play Store, which in itself is creating another security nightmare.

    A decade ago, we had this problem solved. Google and Apple, with their absolute greed, destroyed all this and every package manager that actually worked. Their solution is to just put massive limitations on everything where you might as well look in the dustbin for that old Nokia phone and dump your smart phone.

  21. Sorry to trouble you, but, um ... by cascadingstylesheet · · Score: 5, Insightful

    Sorry to trouble you, but, um ... what are the apps? What are they named?

    1. Re:Sorry to trouble you, but, um ... by charliemerritt03 · · Score: 1

      BINGO! 20 apps, 12 more apps, I would like to see if I have any installed. {Would it be a good idea if Google could cause their removal automatically? I would guess that most /. would say no}

    2. Re:Sorry to trouble you, but, um ... by mjwx · · Score: 1

      Sorry to trouble you, but, um ... what are the apps? What are they named?

      Or better yet, what are the publishers named.

      Also, 20 apps out of how many hundreds of thousands?

      --
      Calling someone a "hater" only means you can not rationally rebut their argument.
  22. Can someone please remind me again.... by zantafio · · Score: 1

    ... why Apple's walled garden is such a bad thing?

    1. Re:Can someone please remind me again.... by DaTrueDave · · Score: 1

      These snuck over the wall and into the garden. Apple has no gate, but Google at least lets you open the gate and install from sources other than the Google Play Store. That's not what happened here, though.

  23. So basically. .. by Anonymous Coward · · Score: 0

    ......a Samsung stock app

  24. Re:Has this happened with IOS? by TheRaven64 · · Score: 1

    Remember ActiveX? There were a lot of things wrong with the design, but one of the worst things that it did, from a security perspective, was condition users to hit 'okay' to dialog boxes saying 'this bit of untrusted code needs complete access to your computer, allow?' Android has done the same thing: encouraged users to accept that every app needs complete access to your call log, browsing history, text message history, and so on.

    iOS is somewhat better in this regard, because apps are expected to start with no permissions and prompt for permissions that they need as they need them. Most non-malicious apps need few permissions and users get into the habit of tapping 'deny' when the permission doesn't seem like one that the app should need.

    Note that this has nothing to do with Linux vs XNU (both models could easily be implemented on either kernel), it is a UI design issue and Apple is generally a lot better than Google at HCI.

    --
    I am TheRaven on Soylent News
  25. Re:Has this happened with IOS? by Anonymous Coward · · Score: 0

    Actually, this is wrong. The problem isn't Android as such, but rather that Google has always been far too lenient with developers and applications which demand far too much access to device. If they had started to throw out applications and their developers on their asses from the start when they started nosing around where they have no business being, it wouldn't be a problem.

  26. Re:Has this happened with IOS? by angel'o'sphere · · Score: 1

    iOS is somewhat better in this regard, because apps are expected to start with no permissions and prompt for permissions that they need as they need them.
    I'm pretty sure the OS is prompting for permission and not the App.

    --
    Cost free eBook I read (by iBook/Kobo/Amazon/ObookO/Gutenberg etc.): "The Green Odyssey" by Philip Jose Farmer.
  27. Re:Safe spaces. by Anonymous Coward · · Score: 0

    Guzzle piss you vatnik fucking moron.

    I don't think he wants to put you out of work snowflake

  28. POTUS and his Twitter machine by Anonymous Coward · · Score: 0

    Since POTUS loves to tweet from an old Android phone, what are the odds he's infected?

  29. Google gets paid by Anonymous Coward · · Score: 0

    Thanks a lot, Google. Hope you got paid for the data at least.

  30. Re:Has this happened with IOS? by Anonymous Coward · · Score: 0

    How to fix.

    "Requires permission for blah blah blah" "Yes" "No" "Report App For Excessive Permission Demands"