Stealthy Google Play Apps Recorded Calls and Stole Emails

An anonymous reader quotes Ars Technica: Google has expelled 20 Android apps from its Play marketplace after finding they contained code for monitoring and extracting users' e-mail, text messages, locations, voice calls, and other sensitive data. The apps, which made their way onto about 100 phones, exploited known vulnerabilities to root devices running older versions of Android.... As a result, the apps were capable of surreptitiously accessing sensitive data stored, sent, or received by at least a dozen other apps, including Gmail, Hangouts, LinkedIn, and Messenger. The now-ejected apps also collected messages sent and received by Whatsapp, Telegram, and Viber, which all encrypt data in an attempt to make it harder for attackers to intercept messages while in transit... To conceal their surveillance capabilities, the apps posed as utilities for cleaning unwanted files or backing up data.
Google reports that the malicious apps also had these functions:

• Call recording
• VOIP recording
• Recording from the device microphone
• Location monitoring
• Taking screenshots
• Taking photos with the device camera(s)
• Fetching device information and files
• Fetching user information (contacts, call logs, SMS, application-specific data)

12 hours later an antivirus provider reported two more Google Play apps could surreptitiously steal text messages by downloading a malicious plugin -- and that the apps had already been downloaded at least 100,000 times.

Re:Safe spaces.

[cunina]

That's not sad at all. "Safe spaces" have their appropriate uses. I consider the iOS walled garden to be a valuable feature. Since I don't have the time or inclination to mess around with my phone's internals, I don't care that I'm forbidden from doing so. I just want it to work, and it does, in a mostly secure way.

Re:Shitty article and summary

[SeaFox]

Looks like someone might have in the comments.

Why is this possible?

[Gravis+Zero]

Honest question: Why is it possible for application A from company X to access information from application B from company Y? I could understand if they were both from company X and were signed with the same certificate but it's nothing like that! No application should EVER have full system access.

Re:Why is this possible?

[FrankHaynes]

My phone runs the very latest version of Android which now asks for permissions each time the app is run, rather than once at installation time. Each time I start the MLB app it demands to know my location, which I deny, yet it still runs just fine.

The best defense is to run the minimum assortment of apps to get the job done. And delete apps that you no longer use for whatever reason.

Re:Why is this possible?

Why is it possible for application A from company X to access information from application B from company Y?

Because Android's permissions system is complete BS. It's designed to make collecting data about the user as easy as possible while giving them the smallest amount of control over it so they can avoid lawsuits.

"Take it or leave it" is their motto. In official Android versions you can't say I don't want to grant this permission or disable access after installation. Heck some apps will crash if this happens on ASOP releases that allow you to do so, because they *expect* to be able to ravage your personal data.

Most people realize this, and most accept it without question. (Heck, most won't even read the permissions request when they hit the install button anymore.) Either because they were required to use that specific app for external reasons, or because they don't want to spend the time and effort to find another app that does what they want without the abuse. In short, they are sheep. So when the sheep get bit, they get bit hard because they've been trained to ignore threats to themselves. (They have no choice to make anyway from their perspective.) They also show apathy to others who try to get them to change. (They don't want the hassle, and they've been told constantly not to install something they don't understand.)

No application should EVER have full system access.

Wrong again. There is one user that should have full system access and that's the device owner. If for nothing else but to restrict and clean up after these kinds of apps that abuse their access to personal data.

People have been trained to reject the idea of having full control over something. Heck, in this comment section alone we already have apple fanbois championing their lack of control over their iPhones like it's the greatest thing ever. This is the single greatest mistake you could ever make as a device owner. There will *always* be an app or some such out there dying for the chance to take advantage of you. That's human nature. Giving up the ability to control your devices just makes their job that mush easier, because you've removed the single greatest objector and obstacle for those apps to overcome if they want to do their dirty work: You. You are the single greatest protector of your own data. No-one else is going to do that for you. If anything they will pay lip service to it, but they are not the person who will face the consequences of having their data taken from them. You are. Not to mention the possibility for state sponsored attacks being made that much easier if they don't have to have the user assist with their own subversion. That's the whole reason for the FBI vs. Apple debate. That's the reason China has to have the police check their dissidents phones for the spying app's installation. Whether it's at home or abroad, there's plenty of reasons to keep your devices under your control, and they just can't seem to stop giving you new examples.

People need to remember this and not fall for the "I'm locked out, so it's safe." trick. It cannot be said enough: Just because you are locked out, doesn't mean your adversaries are. It means you can't do anything to stop it, if and when they do break in.

Re:Why is this possible?

[Kjella]

Why don't you RTFSummary?

The apps, which made their way onto about 100 phones, exploited known vulnerabilities to root devices running older versions of Android....

Re: Why is this possible?

[cyber-vandal]

That's great if your manufacturer and carrier can be bothered to update your phone to the latest version. Otherwise you're stuck with what was preinstalled. You can install a third party ROM but then you run the risk of bricking your phone and in any case you can't expect non-technical people to do that.

Finger nail polish

[Trax3001BBS]

Just how often does one take a selfi? I don't trust any forward facing camera.

I use Finger nail polish to cover it as it's almost permanent - used to use electrical tape.

Re:Finger nail polish

[Ogive17]

I'm not really into the selfie movement but I do use my front facing camera at least once a month. When my wife or I is traveling, we use it to video chat. And if our travels have one of us somewhere the time zone difference doesn't allow the evening video call, sending a quick "selfie" with our 4 year old is a good way to send a note of affection.

Re:Finger nail polish

[tlhIngan]

Just how often does one take a selfi?

Me? Never. I had to ask someone for assistance when I had an occasion where I needed to

But for other people, you obviously don't go out very much - they take selfies so often, you wonder why they don't just use video mode. Or why front facing cameras continue to take a back seat to the rear facing one, because people seem to take photos only using the front facing one.

Utility software lol

[FunkSoulBrother]

I mean I guess they could have hid this in a game app, but it would have been more questionable why it wanted all of those permissions.

They should just ban cleanup/AV/nonsense utility scumware as a category from their stores, these things aren't really needed on such locked down mobile OS. They might have had some value in the day of like Windows 95 but now they are just the computer equivalent of a scummy mechanic charging an old lady for 'turn signal fluid'.

Re:Utility software lol

[Dutch+Gun]

One trick scummy app authors use is to copy a legitimate game's marketing material and art, then create an app that does nothing but "hang" on the loading screen, in the meantime trying to game the ad system to earn some free money.

Unfortunately, this hurts the reputation of the legitimate game and its developers, as often the malware authors simply steal the name along with the art assets.

So many who've never heard of flurry.com

[Trax3001BBS]

You too can obtain this ability, just sign up and pay the cost.

I can't view the site as it's in my Routers block file, but it used to be google now appears to of been taken over by Yahoo.com

You need to opt out of flurry.com, twice Google flurry.com requires a number only your phone has. Yahoo a opt out google will take you to a selection you can turn off.

Re:So many who've never heard of flurry.com

[Trax3001BBS]

A Yahoo opt out requires you to do this with your phone.

This is why I don't install apps on my phone.

[Kargan]

Okay fine, I have two: Rocket Player and one for local highway traffic provided by the city.

That's it, though. All the other apps that are installed came with the phone. I should probably remove those...

Read the TOS's

[Trax3001BBS]

I do.

The best TOS I've encountered was the one for Angry Birds Rivio.com at the time. It told one everything it was going to do with your data it was the 2% overseas that I never caught or yet to of figured out. It also led me to flurry.com.

Samsung HDTV's - their TOS tells you they will be recording everything you do and keeping it, While it's meant to predict your needs, I know of two /. articles of Samsung having to tell people they can hear everything you say.

Google Needs to ix this

[Zombie+Ryushu]

Two things wwould fix this:

1. Instead of being "Google Play" or "Everything else" the user should be able to say: I trust Google Play, F-Droid, and APK Pure only.

2. All the handset makers need to provide support for Vanilla Stock Android VIA Lineage OS or Similar. Cough up Driver APKs, and stop allowing handset makers to bake Malicious software like ADUPS in the System area.

Re:Google Needs to ix this

Thank god you only said it twice, you almost summoned him.

More proprietary malware, more reason to distrust.

[jbn-o]

This means no matter how much skill Android users possess Android users can't usefully investigate and fix the leveraged vulnerabilities themselves should they wish to do so or hire someone to do so on their behalf. The most they could do is write an exploit which demonstrates the bug, report the bug with the exploit program, and hope the proprietor takes corrective action. Upgrading to another version of proprietary software is no real fix as it could (at best) mean trading in fixes for these bugs in for other bugs the users are prevented from usefully investigate and fix. The user being rather helpless to improve their own situation or help their community all along the way. This is how proprietary (read: non-free, user-subjugating) software treats its users.

All complex software has bugs, proprietary OSes and apps are no exception, but as the GNU Project points out, "The difference between free software and nonfree software is in whether the users have control of the program or vice versa. It's not directly a question of what the program does when it runs. However, in practice nonfree software is often malware, because the developer's awareness that the users would be powerless to fix any malicious functionalities tempts the developer to impose some.". Since there aren't any free software tracker (none might be possible so long as the phone network insists on proprietary control over the user's device) this is also an opportunity to learn to say no to proprietary control and do without a tracker (and, yes, particularly given the context of this thread it is proper to call them 'trackers' and not 'cell phones' or 'mobile phones', names which help obscure the main reason organizations want users to get these devices and install apps in the first place).

Re:More proprietary malware, more reason to distru

Google created this mess in the first place. Now I'm seeing tablets and phones where you're not allowed to root and as such I don't even want it anymore. Things that I used to be able to do, I'm not allowed to do anymore and I'm not dictated by Google or Apple how I'm supposed to do things. And now with the years going by, there is a huge mess of applications that are not even supported anymore on both Apple's store and Googles play store, which in itself is creating another security nightmare.

A decade ago, we had this problem solved. Google and Apple, with their absolute greed, destroyed all this and every package manager that actually worked. Their solution is to just put massive limitations on everything where you might as look in the dustbin for that old Nokia phone and dump your smart phone.

Sorry to trouble you, but, um ...

[cascadingstylesheet]

Sorry to trouble you, but, um ... what are the apps? What are they named?

Re:Sorry to trouble you, but, um ...

[charliemerritt03]

BINGO! 20 aps, 12 more aps, I would like to see if I have any installed. {Would it be a good idea if Google could cause their removal automatically? I would guess that most /. would say no}

Re:Sorry to trouble you, but, um ...

[mjwx]

Sorry to trouble you, but, um ... what are the apps? What are they named?

Or better yet, what are the publishers named.

Also, 20 apps out of how many hundreds of thousands?

Can someone please remind me again....

[zantafio]

... why Apple's walled garden is such a bad thing?

Re:Can someone please remind me again....

[DaTrueDave]

These snuck over the wall and into the garden. Apple has no gate, but Google at least let's you open the gate and install from sources other than the Google Play Store. That's not what happened here, though.

Re:Has this happened with IOS?

[TheRaven64]

Remember ActiveX? There were a lot of things wrong with the design, but one of the worst things that it did, from a security perspective, was condition users to hit 'okay' to dialog boxes saying 'this bit of untrusted code needs complete access to your computer, allow?' Android has done the same thing: encouraged users to accept that every app needs complete access to your call log, browsing history, text message history, and so on.

iOS is somewhat better in this regard, because apps are expected to start with no permissions and prompt for permissions that they need as they need them. Most non-malicious apps need few permissions and users get into the habit of tapping 'deny' when the permission doesn't seem like one that the app should need.

Note that this has nothing to do with Linux vs XNU (both models could easily be implemented on either kernel), it is a UI design issue and Apple is generally a lot better than Google at HCI.

Re:Has this happened with IOS?

[angel'o'sphere]

iOS is somewhat better in this regard, because apps are expected to start with no permissions and prompt for permissions that they need as they need them.
I'm pretty sure the OS is prompting for permission and not the App.