Slashdot Mirror


Droppers Is How Android Malware Keeps Sneaking Into the Play Store (bleepingcomputer.com)

Catalin Cimpanu, writing for BleepingComputer: For the past year, Android malware authors have been increasingly relying on a solid trick for bypassing Google's security scans and sneaking malicious apps into the official Play Store. The trick relies on the use of a technique that's quite common in desktop-based malware, but which in the last year is also becoming popular on the Android market. The technique involves the usage of "droppers," a term denoting a dual or multiple-stage infection process in which the first stage malware is often a simplistic threat with limited capabilities, and its main role is to gain a foothold on a device in order to download more potent threats. But while on desktop environments droppers aren't particularly efficient, as the widespread use of antivirus software detects them and their second-stage payloads, the technique is quite effective on the mobile scene.
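The dropper shape the summary describes (a harmless-looking first stage whose job is to fetch or unpack a second stage) leaves static traces that a triage script can look for before the app ever runs: class descriptors for dynamic code-loading APIs in classes.dex, URL-like strings pointing at a download source, and "asset" entries whose bytes are really a nested DEX, APK or ELF. The following Python script is an added example written for this page, not code from the BleepingComputer article or from Google; the marker list, the URL pattern and the sample APK (a constructed DEX string table and a `.invalid` domain, so nothing resolves) are assumptions made for illustration, and the checks are heuristics that legitimate apps can also trigger.

```python
"""Static dropper triage for an APK: loader APIs and URLs in classes.dex,
plus non-code entries that carry an embedded second stage. Heuristic only."""
import io
import re
import struct
import zipfile

DEX_MAGIC = b"dex\n"        # followed by a version such as b"035\x00"
ZIP_MAGIC = b"PK\x03\x04"   # an APK/JAR is a zip
ELF_MAGIC = b"\x7fELF"      # native payload

# Descriptors/method names a first stage needs to load a second stage (assumed list).
LOADER_MARKERS = ("Ldalvik/system/DexClassLoader;",
                  "Ldalvik/system/PathClassLoader;",
                  "loadDex")                      # DexFile.loadDex
URL_RE = re.compile(r"https?://[\w.-]+(?:/[\w./?=&%-]*)?")


def _read_uleb128(buf, off):
    """Decode an unsigned LEB128 value at buf[off]; return (value, next_off)."""
    value = shift = 0
    while True:
        b, off = buf[off], off + 1
        value |= (b & 0x7F) << shift
        if not b & 0x80:
            return value, off
        shift += 7


def _write_uleb128(n):
    out = bytearray()
    while True:
        b, n = n & 0x7F, n >> 7
        out.append(b | 0x80 if n else b)
        if not n:
            return bytes(out)


def dex_strings(dex):
    """Walk the DEX string_ids table (string_ids_size/off sit at header offsets
    0x38/0x3C); each entry points at uleb128 length + MUTF-8 bytes + NUL."""
    if dex[:4] != DEX_MAGIC:
        raise ValueError("not a DEX file")
    count, table_off = struct.unpack_from("<II", dex, 0x38)
    out = []
    for i in range(count):
        (data_off,) = struct.unpack_from("<I", dex, table_off + 4 * i)
        _, start = _read_uleb128(dex, data_off)   # length is in UTF-16 units, ignore it
        end = dex.index(b"\x00", start)           # string data is NUL-terminated
        # MUTF-8 differs from UTF-8 only for NUL and supplementary characters,
        # neither of which occurs in the ASCII markers searched for here.
        out.append(dex[start:end].decode("utf-8", errors="replace"))
    return out


def sniff(data):
    """Classify a blob by content, not name: droppers hide code under data names."""
    for kind, magic in (("dex", DEX_MAGIC), ("zip", ZIP_MAGIC), ("elf", ELF_MAGIC)):
        if data.startswith(magic):
            return kind
    return None


def scan_apk(apk_bytes):
    """Return dropper indicators found in an APK held in memory."""
    found = {"loader_apis": set(), "urls": set(), "embedded": {}}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for name in z.namelist():
            data = z.read(name)
            if re.fullmatch(r"classes\d*\.dex", name):
                for s in dex_strings(data):
                    if any(m in s for m in LOADER_MARKERS):
                        found["loader_apis"].add(s)
                    found["urls"].update(URL_RE.findall(s))
            elif sniff(data):
                found["embedded"][name] = sniff(data)
    # Loader API plus somewhere to get a payload from is the dropper shape.
    found["is_suspicious"] = bool(found["loader_apis"]) and bool(found["urls"] or found["embedded"])
    return found


def build_dex(strings):
    """Constructed test input: a DEX carrying only a string table (checksum,
    signature and map left zero, so it is not a runnable DEX)."""
    header_size, ids, data = 0x70, b"", b""
    data_off = header_size + 4 * len(strings)
    for s in strings:
        ids += struct.pack("<I", data_off + len(data))
        data += _write_uleb128(len(s)) + s.encode("utf-8") + b"\x00"
    header = bytearray(header_size)
    header[0:8] = b"dex\n035\x00"
    struct.pack_into("<I", header, 0x20, header_size + len(ids) + len(data))  # file_size
    struct.pack_into("<I", header, 0x24, header_size)                          # header_size
    struct.pack_into("<I", header, 0x28, 0x12345678)                           # ENDIAN_CONSTANT
    struct.pack_into("<II", header, 0x38, len(strings), header_size)           # string_ids
    return bytes(header) + ids + data


def build_sample_apk():
    """Constructed dropper-shaped APK: code naming DexClassLoader and a download
    URL, plus an 'asset' whose bytes are a nested DEX."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"\x03\x00\x08\x00" + b"\x00" * 16)
        z.writestr("classes.dex", build_dex(["Lcom/example/game/MainActivity;",
                                             "Ldalvik/system/DexClassLoader;",
                                             "http://update.example.invalid/stage2.apk"]))
        z.writestr("assets/levels.dat", build_dex(["Lcom/example/payload/Stage2;"]))
    return buf.getvalue()
```

Run `scan_apk(open("app.apk", "rb").read())` against a real package; `build_sample_apk()` only exists so the script has something to chew on offline. A result with loader APIs but neither URLs nor embedded code is the normal case for apps that use plugin frameworks, which is why the verdict requires both halves; a real second stage fetched from a server that is only contacted at runtime will show up here as nothing more than the URL, and that is exactly the gap the article says scanners fall into.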

38 comments

  1. I run Antivirus in/on my android... by williamyf · · Score: 1

    ... and in my mac, and in my Synology NAS, and in my windows (mostly virtual) machines.

If it is a general purpose computer, and you can install software written by someone else on it, even if the software only comes from an "App Store" that allegedly checks said software, one has to run an antivirus.

That goes for Windows, Mac, Linux, Android, ChromeOS, Fuchsia, etc.

    --
    *** Good luck to all and have a nice day!
    1. Re:I run Antivirus in/on my android... by pr0fessor · · Score: 1

      I'll see your "software written by someone else" and raise you connects to the internet.

    2. Re:I run Antivirus in/on my android... by Anonymous Coward · · Score: 0

      1- Do not use a mobile to do important stuff.
      2- For Mac, Linux, Android and ChromeOS, jeez... please hand over your geek card: it's been revoked.

    3. Re:I run Antivirus in/on my android... by OldMugwump · · Score: 1

      What is the point of running anti-virus on your Android, if you're downloading apps only from Google, and Google has already run anti-virus on the executable?

      --
      "Shoot, a fella could have a pretty good weekend in Vegas with all that stuff."
    4. Re:I run Antivirus in/on my android... by Desler · · Score: 1

      So you distrust software written by someone else yet run anti-virus which is... software written by someone else.

    5. Re:I run Antivirus in/on my android... by Anonymous Coward · · Score: 1

      So you're oblivious to the hundreds of pieces of malware that have gotten on the Play Store?

    6. Re:I run Antivirus in/on my android... by williamyf · · Score: 1

      A "Norton" or "Avast" someone-else trumps no-name-yet-indie-game-developer someone else.

      --
      *** Good luck to all and have a nice day!
    7. Re:I run Antivirus in/on my android... by williamyf · · Score: 1

      Answers to your questions:

      1.) With any luck, the AV engine that Google runs will be different to the AV engine that my antivirus runs.

      2.) As TFA said, malware disguises itself as benign, and then downloads the malign part. Maybe all AV packages may miss the benign part, but only an AV running on the phone itself will deteckt (pun intended) and hopefully block the truly malign part.

      3.) The antivirus I run gives me other goodies (like bricking the phone in case the SIM changes). Maybe the antivirus you choose will give you some other goodies too.

      --
      *** Good luck to all and have a nice day!
    8. Re:I run Antivirus in/on my android... by williamyf · · Score: 1

      I'll see your "software written by someone else" and raise you connects to the internet.

      Amen colleague.

      --
      *** Good luck to all and have a nice day!
    9. Re:I run Antivirus in/on my android... by williamyf · · Score: 1

      Somehow, the guys who implemented ClamAV did it for Windows, Linux, MacOS, BSD and Solaris...

      So, it seems that for them too, and for a lot of other people, being able to run an antivirus in *nix platforms was important and valuable.

      You do not seem to value that...

      But then maybe that's why you are posting as anonymous COWARD, you are afraid that they'll revoke YOUR geek card...

      --
      *** Good luck to all and have a nice day!
    10. Re:I run Antivirus in/on my android... by Monster_user · · Score: 2

      AC isn't entirely off base, though perhaps a bit crude... Chrome OS doesn't quite yet have the sizeable user base, and the history of not being able to install anything has rendered the primary exploits largely invalid on Chrome OS.

      As far as Solaris, BSD, and Linux, most AV scanners for those operating systems are for Windows-accessible machines like file servers or mail servers. AVG ventured into the real-time antivirus monitoring arena for a little while back in the 00's. There wasn't any money in it like on the Windows side, and the AVG implementation was not a simple apt-get or yum install. Any nerds who would have simplified the process didn't see a need for it on the Linux desktop. An anti-virus isn't a preventative measure, it's reactionary, it's remediation, which means the virus already got through.

      Android, and especially Apple iOS, lack most of the preventative and verification measures of a desktop OS. There are simply no good ways to keep malware from infecting the device and still participate in the market at large and get the full benefits of the device.

      Windows is simply the weapon of choice of the unwashed masses, the illiterates, and nobody can afford to babysit them. That combined with Windows' dominant user base unfortunately means that if there is a vulnerability there is a statistically high potential for success, which means that if there is a zero-day vulnerability, there is a statistically high probability that an attack will breach your network and infect your machine. Which makes an anti-virus almost a necessity on Windows, as it is a constant and ongoing threat condition.

      Whereas on Linux any vulnerability which breaches the primary vulnerabilities, such as email, will have already evaded detection. An antivirus won't perform any better than an expert, and you'd first have to identify the malware and submit it to your antivirus vendor. At which point you're just going to clean the malware immediately, before the AV vendor can provide definitions. If you have multiple servers you will either deploy a script to detect and remediate the virus, or simply redeploy your servers from backups, safeguarding them against the malware before putting them into production. Any serious vulnerability is going to be patched out upstream, so an antivirus won't need to detect older threats. So there is no advantage to running an antivirus on 90% of the Linux boxes. It chews up CPU cycles and IOPS, and gives a false sense of security.

    11. Re:I run Antivirus in/on my android... by williamyf · · Score: 1

      How interesting it is, then, that antivirus vendors are still implementing antivirus for Mac and Linux.

      Even MORE so, they are implementing antivirus that hooks into your Virtualization/cloud platforms to protect your VMs, both virtual servers and Virtual Desktops...

      Here is the solution from ESET for VMware:
      https://www.eset.com/int/busin...

      Here is from Bitdefender, for many Hypervisors:
      https://www.bitdefender.com/bu...

      Here is the one from Sophos:
      https://www.sophos.com/en-us/m...

      But hey, I guess I'd better surrender my geek credentials, as well as all the people working on ClamAV, and all the engineers and managers that are working on such clearly dead-end technologies as Mac and Linux antivirus at those companies (and many more).

      After all, it's so clear to me now: you and Anon Coward cannot be wrong.

      --
      *** Good luck to all and have a nice day!
    12. Re: I run Antivirus in/on my android... by Anonymous Coward · · Score: 0

      Just the antivirus? What about the operating system!!

    13. Re:I run Antivirus in/on my android... by Monster_user · · Score: 0

      The Hypervisor scanners are for the guest, the VM, not the hypervisor host itself. Most of those VMs are Windows. The Linux ones are a "why not" addition, and probably mostly as a response to largely Windows environments where an antivirus is key or otherwise for some compliance document which doesn't adhere to reality, and really don't provide much benefit.

      Mac has a much greater argument for having an antivirus. It isn't the underlying operating system (BSD Unix), but how it is used, and how quickly the viruses reach the antivirus vendors. Most Mac users are not I.T. professionals, and many are barely even computer literate. Mac is sold as an easy to use premium product, and so appeals to those most susceptible to virus infections.

      Viruses on Linux and pure BSD are extremely unlikely to even reach the platform, as long as the platform is properly maintained. One's illiterate friends and coworkers typically don't go around accessing your network with unsecured Linux desktops or laptops on which they have been carelessly accessing who knows what. Google's Android (Linux), and Apple's MacOS X (BSD) are infected because those platforms are used by, and marketed to and designed to be used by, security illiterates.

      It's like installing a parachute in an automobile. I'm not saying that an automobile won't ever end up falling through the sky, but how often will that happen in real life?

  2. Why is self-modifying code allowed? by mysidia · · Score: 2

    Shouldn't the executables be digitally signed by the author, and signed in some manner specific to the device, and the platform be designed so an app running in a sandbox can't launch an executable if it is unsigned or the signature doesn't match, or if the executable wasn't installed during an app installation?

    1. Re:Why is self-modifying code allowed? by Anonymous Coward · · Score: 1

      Correct. This shows that there is a massive problem in the Android ecosystem which needs to be promptly fixed. Apps should never be allowed to update themselves with payloads which have not been vetted and signed by Google. Developers who attempt to do this should be detected and banned.

    2. Re:Why is self-modifying code allowed? by Spazmania · · Score: 1

      This!

      It's easy in Linux to make the program directory unwritable by the program and the data directory unexecutable. Same for RAM: easy to mark the program memory read-only and the data memory non-executable.

      So how is this extraneous code successfully getting executed?

      --
      Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion.
    3. Re:Why is self-modifying code allowed? by Anonymous Coward · · Score: 0

      Yeah, Android is a toy.

    4. Re:Why is self-modifying code allowed? by Anonymous Coward · · Score: 0

      Apps should never be allowed to update themselves with payloads which have not been vetted and signed by Google. Developers who attempt to do this should be detected and banned.

      So, after years of touting Android as "FREE" and "OPEN", now it should become Google's walled garden.

      Yeah, that would be a good idea.

    5. Re:Why is self-modifying code allowed? by mysidia · · Score: 1

      The Google Play store is Google's walled garden; they've always had the ability to take down malware.
      The platform should be designed so that programs cannot modify themselves by adding new executable code or new executable program files,
      and if somehow they manage to do so anyways, then the program contains an "exploit" that should be treated as malware.
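The policy argued for in this sub-thread (code may only be what the installer put down; anything executable that turns up later in the app's writable directory is a dropped payload) can be written down as two checks: an install-time baseline of code artifacts by hash, and a loader gate that refuses anything outside the read-only install directory or not matching the baseline. The Python below is an added model of that policy written for this page; it is not Android's own loader or any real enforcement mechanism, and the directory layout, the content-based "is this code" test and the scenario it runs against are constructed assumptions.

```python
"""Model of an install-time code baseline plus a loader gate, as proposed in
the thread: the only executable code an app may load is what came with its
package, identified by content hash and location."""
import hashlib
import os
import tempfile

CODE_MAGICS = (b"dex\n", b"PK\x03\x04", b"\x7fELF")   # DEX, APK/JAR, native


def is_code(path):
    """Judge by content, not extension: a dropped DEX is often named .png/.dat."""
    with open(path, "rb") as f:
        return f.read(4) in CODE_MAGICS


def sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def install_baseline(install_dir):
    """Install time: record relative path -> hash of every code artifact shipped."""
    baseline = {}
    for root, _, files in os.walk(install_dir):
        for name in files:
            p = os.path.join(root, name)
            if is_code(p):
                baseline[os.path.relpath(p, install_dir)] = sha256(p)
    return baseline


def audit_data_dir(data_dir, baseline):
    """Later: any code artifact in the writable data dir whose hash is not in
    the baseline was not installed with the app, i.e. it was dropped."""
    allowed = set(baseline.values())
    hits = []
    for root, _, files in os.walk(data_dir):
        for name in files:
            p = os.path.join(root, name)
            if is_code(p) and sha256(p) not in allowed:
                hits.append({"path": os.path.relpath(p, data_dir), "sha256": sha256(p)})
    return hits


def gate_load(path, install_dir, baseline):
    """Loader check: resolve symlinks, require the file to live under the
    read-only install dir, and require its hash to match the baseline."""
    real, root = os.path.realpath(path), os.path.realpath(install_dir)
    if os.path.commonpath([real, root]) != root:
        return False
    return baseline.get(os.path.relpath(real, root)) == sha256(real)


def demo():
    """Constructed scenario: one shipped classes.dex, then a 'dropper' writes a
    second DEX disguised as a thumbnail into the app's cache directory.
    Returns (audit hits, shipped file allowed?, dropped file allowed?)."""
    with tempfile.TemporaryDirectory() as install_dir, tempfile.TemporaryDirectory() as data_dir:
        shipped = os.path.join(install_dir, "classes.dex")
        with open(shipped, "wb") as f:
            f.write(b"dex\n035\x00" + b"\x00" * 104)   # placeholder bytes, not a real DEX
        baseline = install_baseline(install_dir)

        os.makedirs(os.path.join(data_dir, "cache"))
        dropped = os.path.join(data_dir, "cache", "thumb.png")
        with open(dropped, "wb") as f:
            f.write(b"dex\n035\x00" + b"\x01" * 104)   # second stage, constructed
        with open(os.path.join(data_dir, "prefs.xml"), "wb") as f:
            f.write(b"<map/>")                          # ordinary data, must not trip

        return (audit_data_dir(data_dir, baseline),
                gate_load(shipped, install_dir, baseline),
                gate_load(dropped, install_dir, baseline))
```

The hash check is what makes the location check meaningful: without it a dropper that can write into the install directory (or replace the file it shipped) would still pass, and without the location check a dropper could simply ship its second stage at install time and load it from the data directory later. The weak spot of the model is the same one the thread circles around: the check has to run inside the platform's loader, because an app-level scanner sees the dropped file only after the first stage has already written it.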

  3. Impersonating me? apk by Anonymous Coward · · Score: 0

    Tell us of your MILLION$ (of lies) "phantasies" https://tech.slashdot.org/comm...

    * You admit IMPERSONATING ME https://tech.slashdot.org/comm... + STALKING me by UNIDENTIFIABLE anonymous!

    (You impersonating me proves you wish you were me & imitation is the sincerest form of flattery - but you = poor imitation. Your STALKING me by UNIDENTIFIABLE anonymous proves you FEAR me also)

    APK

    P.S.= Want to IMPERSONATE me? Do something GOOD as I have that even registered /.ers LIKE & USE e.g. https://tech.slashdot.org/comm... instead... apk

  4. I am a big gay baby ...apk by Anonymous Coward · · Score: 0

    will you change my diapey...apk

  5. Re: creimer is fat and a gay! Everybody say 'Yay!' by Anonymous Coward · · Score: 0

    No thanks, creimer. Someone else will have to use the tweezers to jack yourself off.

  6. People are stupid by Anonymous Coward · · Score: 0

    Yeah, well, people are incredibly stupid and install stupid apps so they can impress their friends with how many candyfarm wartokens they have. Play stupid games, win stupid prizes.

  7. LOLLLZ by Anonymous Coward · · Score: 0

    But... but... but.... teh LinuXX!!!!111!!!!!!

  8. huh? by astrofurter · · Score: 1

    Huh? I thought almost every program on offer in the Play Store was malware? Guess we must have a different standard for "malicious".

  9. That b.s. = "best ya got" WEEZIL? by Anonymous Coward · · Score: 0

    See subject: THAT bs = "best ya got" whimpy DO-NOTHING WEEZIL "ne'er-do-well" (+ impersonating me OR stalking me by UNIDENTIFIABLE anonymous posts)?

    * JEALOUS "Lil' Jowies" like you are jokes!

    APK

    P.S.=> Go away PUSSCAKE - you're a loser... apk

  10. obviously by sad_ · · Score: 1

    The solution is to not allow applications to install executable files on your device.
    What possible good reason/excuse could these applications have to do this?

    --
    On a long enough timeline, the survival rate for everyone drops to zero.