Slashdot Mirror

← Back to Stories (view on slashdot.org)

Malicious Apps Get Back on the Play Store Just by Changing Their Name (bleepingcomputer.com)

Posted by msmash on from the lol dept.

Malicious Android apps that have been previously reported to Google are showing up again on company's marquee Play Store with new names, security researchers are reporting. BleepingComputer: Seven of these apps have been "rediscovered," said Symantec in a report published yesterday. The company's experts say the author of the original malicious apps didn't do anything special, but only changed the app's names, without making modifications to the code, and re-uploaded the apps on the Play Store from a new developer account under a new name. Symantec says it detected seven of these re-uploaded apps on the Play Store, which it re-reported to Google's security team and had them taken down again.

8 of 56 comments (clear)

  1. Oh No! they banned us by Revek · · Score: 2

    I guess we should just quit and go home. Or we could just try again.

  2. Seems Google doesn't check anything but your email by postbigbang · · Score: 4, Insightful

    If there is an actual vetting process, it's a joke. So much for diligence, trustworthiness, and looking out for the security of their Android users, who dominate worldwide consumers of their "product".

    --
    ---- Teach Peace. It's Cheaper Than War.
  3. Re:Google can't be bothered? by 110010001000 · · Score: 3, Insightful

    Vetting content would destroy their profit margins and require effort.

  4. Re:How is this possible? by Khyber · · Score: 2

    The A in AI does stand for 'artificial' and not 'accurate.'

    --
    Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
  5. In Soviet Russia by dryriver · · Score: 4, Insightful

    YOU are the malicious app in the "Play Store". But more seriously - if you are smart enough to create an Android App, why bother with hacking/phishing/scamming at all? Build something useful and sell it as every other decent programmer would. Make money honorably. A lot of the malware, malicious apps, hacking tools and similar originates in Eastern Europe and Russia these days. And its all built by decently smart people who can actually program a computer. So the question one more time: If you are smart enough to scam, aren't you smart enough to create something legit and make your money that way? Without ruining somebody else's life or breaking all sorts of laws in the process? But it seems that the computing culture in EE/RU is all about doing what should not be done. The internet is one great big see of credit cards, bank accounts, social security numbers, gullible consumers to these people. The sad thing is that they are ruining the region's future in legit software as well. If some smart people in Russia someday made a great OS that can compete with Windows or Linux, would anybody in their right mind actually use it? Would you install a Russian OS on even a single computer in your company? THAT is what these people are doing to their future. Even if a decade from now the culture changes and they start building legit stuff, nobody is going to use it. Because it came from Eastern Europe and Russia.

    --
    Why did the chicken cross the road? Because Elon Musk put an AI chip in its head.
  6. Re:Seems Google doesn't check anything but your em by Zocalo · · Score: 5, Informative

    Of course it's ridiculously easy to spoof - I even said how you'd do it in my post - and that's my point; Google are apparently not even doing the kind of basic checks that early AV software was doing in the late 1990's, let alone the kind of modern heuristical scanning that current AV tools use, which is what I'd have expected them to be doing. It's well known in security circles that most malware writers re-use a lot of common code libraries and other "kits" from the darknet and other forums that they then modify to suit, so that Google hasn't successfully automated that kind of scanning on app submission to their own store beggars belief, especially given the number of well regarded security experts they have on thier payroll.

    --
    UNIX? They're not even circumcised! Savages!
  7. Re:Seems Google doesn't check anything but your em by swillden · · Score: 2

    They failed at an even simpler level than that. They could have just kept checksums of the code objects in known malicious apps and automatically removed any other apps that match that checksum

    Since the name is part of the package contents, changing the name will change the checksum. For that matter, just re-signing the package (even with the same key, much less a different key) will change the checksum. Your very simple countermeasure couldn't actually work at the package level. It might work at a lower level, disassembling the package and storing checksums of individual .class, etc. files, but the naive approach would produce a lot of false positives, because Android apps (including malicious ones) often contain library code. It would be possible to build a system that could distinguish common libraries from other code and minimize the false positives... but it wouldn't be trivial to do at scale, would likely always generate some false positives, and would be very easy for malware authors to defeat since they'd only have to change one byte of their code to break it.

    --
    Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
  8. Re: This Is Why You Get Your Apps On F-Droid by TheFakeTimCook · · Score: 2

    Yes, but the Apple App store does not distribute apps that will run on any of my equipment.

    Sounds like you have the wrong equipment.