Slashdot Mirror
Malicious Apps Get Back on the Play Store Just by Changing Their Name (bleepingcomputer.com)
Malicious Android apps that have been previously reported to Google are showing up again on company's marquee Play Store with new names, security researchers are reporting. BleepingComputer: Seven of these apps have been "rediscovered," said Symantec in a report published yesterday. The company's experts say the author of the original malicious apps didn't do anything special, but only changed the app's names, without making modifications to the code, and re-uploaded the apps on the Play Store from a new developer account under a new name. Symantec says it detected seven of these re-uploaded apps on the Play Store, which it re-reported to Google's security team and had them taken down again.
To vet the software it makes available?
Rick B.
I guess we should just quit and go home. Or we could just try again.
If there is an actual vetting process, it's a joke. So much for diligence, trustworthiness, and looking out for the security of their Android users, who dominate worldwide consumers of their "product".
---- Teach Peace. It's Cheaper Than War.
With AI available, how is it possible that a multi-billion dollar system is fooled by changing a string in the app name? Doesn't the AI detect that? The humans did. Very puzzling.
YOU are the malicious app in the "Play Store". But more seriously - if you are smart enough to create an Android App, why bother with hacking/phishing/scamming at all? Build something useful and sell it as every other decent programmer would. Make money honorably. A lot of the malware, malicious apps, hacking tools and similar originates in Eastern Europe and Russia these days. And its all built by decently smart people who can actually program a computer. So the question one more time: If you are smart enough to scam, aren't you smart enough to create something legit and make your money that way? Without ruining somebody else's life or breaking all sorts of laws in the process? But it seems that the computing culture in EE/RU is all about doing what should not be done. The internet is one great big see of credit cards, bank accounts, social security numbers, gullible consumers to these people. The sad thing is that they are ruining the region's future in legit software as well. If some smart people in Russia someday made a great OS that can compete with Windows or Linux, would anybody in their right mind actually use it? Would you install a Russian OS on even a single computer in your company? THAT is what these people are doing to their future. Even if a decade from now the culture changes and they start building legit stuff, nobody is going to use it. Because it came from Eastern Europe and Russia.
Why did the chicken cross the road? Because Elon Musk put an AI chip in its head.
They failed at an even simpler level than that. They could have just kept checksums of the code objects in known malicious apps and automatically removed any other apps that match that checksum, either already in the store or on upload, just like even the most basic antivirus software tech was doing over two decades ago. Or perhaps they simply just didn't expect that malware coders would be equally lazy/clueless and not bother to include some random salt or other obfuscation in their files to mess up attempts at checksumming them.
UNIX? They're not even circumcised! Savages!
There's at least two orders of magnitude more malware on a per-app basis at Google Play than at F-Droid.
That's ridiculously easy to spoof. Just add a few lines of orphaned code that does nothing to change the app's function and it will have a totally different checksum.
that they had to outdo the malware issues of Windows by delivering malicious software directly, This is an order of magnitude more incompetent considering the world Android was born into. You cannot hide behind naivety so I'll chalk it up to arrogance.
APK
Of course it's ridiculously easy to spoof - I even said how you'd do it in my post - and that's my point; Google are apparently not even doing the kind of basic checks that early AV software was doing in the late 1990's, let alone the kind of modern heuristical scanning that current AV tools use, which is what I'd have expected them to be doing. It's well known in security circles that most malware writers re-use a lot of common code libraries and other "kits" from the darknet and other forums that they then modify to suit, so that Google hasn't successfully automated that kind of scanning on app submission to their own store beggars belief, especially given the number of well regarded security experts they have on thier payroll.
UNIX? They're not even circumcised! Savages!
the problem is, all of those well regarded security experts are on the pay roll for one purpose: to sling mud at others (primarily Microsoft and Apple). The powers that be at Google have seen the broad success of negative tactics in US politics and are simply using the same mud slinging tactics.
Why improve your own security when you can keep Apple, Microsoft, whoever, in the news for the exploit-of-the-day and divert attention?
I bet the package has been repacked with the new name so the hash is obviously different not just the filename. I bet there are several methods for App detection. signature and behavior. The signature ones can get through if they re-package with minor changes I bet. I don't know if there are any behavior checks, but there really should be.
Changing the name would change the binary package signature too though. So a naive approach by Google, but the technical reason of why could be explained.
Great ideas falling from their ears.
And SHIT IMPLEMENTATION WITH NO SUPPORT.
Chas - The one, the only.
THANK GOD!!!
But that's wrong; changing the name will change the checksum. The package names are all over the code.
One word: HASH
As somebody saddled with doing "code review" for H1Bs hired by the government because they "can't find" anybody else, this absolutely does not surprise me. Ever week the needful doers dump half a million lines of copy pasta on me. Every week I send back the same security holes. Every week the deployment continues without any remediation whatsoever. Every week there's another panic over crashes or slowdowns or breaches or whatever. I just don't fucking care anymore. Clearly nobody else does.
They failed at an even simpler level than that. They could have just kept checksums of the code objects in known malicious apps and automatically removed any other apps that match that checksum
Since the name is part of the package contents, changing the name will change the checksum. For that matter, just re-signing the package (even with the same key, much less a different key) will change the checksum. Your very simple countermeasure couldn't actually work at the package level. It might work at a lower level, disassembling the package and storing checksums of individual .class, etc. files, but the naive approach would produce a lot of false positives, because Android apps (including malicious ones) often contain library code. It would be possible to build a system that could distinguish common libraries from other code and minimize the false positives... but it wouldn't be trivial to do at scale, would likely always generate some false positives, and would be very easy for malware authors to defeat since they'd only have to change one byte of their code to break it.
Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
A definite point. But you could do checksums of random sections of the code. You'd get false positives, that you'd need to screen out, of course, and even a few false negatives, if blocks of code got switched during compilation or linking, and your checksum straddled a block boundary. The larger a block of code you checked, the fewer false positives you would get, but the more false negatives. So you pick a medium to small block of code, and scan several blocks per submission. You'd still need to check this by other means, but if you got the sizes right you should do a pretty fair job that would have very few false negatives. and not too many false positives.
I think we've pushed this "anyone can grow up to be president" thing too far.
A butthurt RAT has been impersonating me for MONTHS and it's PISSING me off. It's infuriating to see an anonymous UNIDENTIFIABLE TROLL pretending to be me on a daily basis and it needs to STOP.
I don't see any impersonation here. Anonymous Coward posts anonymously.
Anyhow, if you don't like seeing that, can't you just block her with an adblocker that allows blocking a div element of class commentBody that contains both bold tags and "APK"?
if you got the sizes right you should do a pretty fair job that would have very few false negatives. and not too many false positives.
Maybe, maybe not. You're making a lot of guesses -- which isn't bad unless you start assuming that your guesses are guaranteed to be right. In fact that's pretty much how this space works; people guess at what might work, evaluate the data, then try it if it looks promising. it's entirely possible that something like this was tried and found not to work as well as you're guessing it would. I know the people on the malware scanning team and they're very good. I know this example looks bad, but the problem is a lot more complex than it appears.
Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
Why?
Because Apple is clearly winning. It's evident in their high phone margins.
...what was the point of creating these tightly controlled, walled gardens for software again? Wouldn't open white-listing be more effective and secure?
Actually, I think the real problem would be that the right block sizes would require too much computing. But you're right, it would take a LOT of testing. And it's quite possible that there's no "one size fits all" right block size.
I think we've pushed this "anyone can grow up to be president" thing too far.