Droppers Is How Android Malware Keeps Sneaking Into the Play Store (bleepingcomputer.com)

← Back to Stories (view on slashdot.org)

Droppers Is How Android Malware Keeps Sneaking Into the Play Store (bleepingcomputer.com)

Posted by msmash on Friday July 20, 2018 @08:00AM from the closer-look dept.

Catalin Cimpanu, writing for BleepingComputer: For the past year, Android malware authors have been increasingly relying on a solid trick for bypassing Google's security scans and sneaking malicious apps into the official Play Store. The trick relies on the use of a technique that's quite common in desktop-based malware, but which in the last year is also becoming popular on the Android market. The technique involves the usage of "droppers," a term denoting a dual or multiple-stage infection process in which the first stage malware is often a simplistic threat with limited capabilities, and its main role is to gain a foothold on a device in order to download more potent threats. But while on desktop environments droppers aren't particularly efficient, as the widespread use of antivirus software detects them and their second-stage payloads, the technique is quite effective on the mobile scene.

17 of 38 comments (clear)

Min score:

Reason:

Sort:

I run Antivirus in/on my android... by williamyf · 2018-07-20 08:07 · Score: 1

... and in my mac, and in my Synology NAS, and in my windows (mostly virtual) machines.
If it is a General purpose computer, and you can install software written by someone else on it, even if the software only comes from an "App Store" that alegedly checks said software, one has to run an antivirus.
that goes for Windows, Mac, Linux, Android, ChromeOS, Fuscia, etc.

--
*** Suerte a todos y Feliz dia!
1. Re:I run Antivirus in/on my android... by pr0fessor · 2018-07-20 08:30 · Score: 1
  
  I'll see your "software written by someone else" and raise you connects to the internet.
2. Re:I run Antivirus in/on my android... by OldMugwump · 2018-07-20 08:39 · Score: 1
  
  What is the point of running anti-virus on your Android, if you're downloading apps only from Google, and Google has already run anti-virus on the executable?
  
  --
  "Shoot, a fella could have a pretty good weekend in Vegas with all that stuff."
3. Re:I run Antivirus in/on my android... by Desler · 2018-07-20 09:18 · Score: 1
  
  So you distrust software written by someone else yet run anti-virus which is... software written by someone else.
4. Re:I run Antivirus in/on my android... by Anonymous Coward · 2018-07-20 09:23 · Score: 1
  
  So you're oblivious to the hundreds of pieces of malware that have gotten on the Play Store?
5. Re:I run Antivirus in/on my android... by williamyf · 2018-07-20 09:50 · Score: 1
  
  A "Norton" or "Avast" someone-else trumps no-name-yet-indie-game-developer someone else.
  
  --
  *** Suerte a todos y Feliz dia!
6. Re:I run Antivirus in/on my android... by williamyf · 2018-07-20 09:53 · Score: 1
  
  Answers to your questions:
  1.) With any luck, the AV engine that Google runs will e different to the AV engine that my antivirus runs.
  2.) As TFA said, malware disguises itself as beningn, and then downloads the malign part. Maybe all AV packages may miss the bennign part, but only an AV running on the phone itself will deteckt (pun intended) and hopefully block the trully malign part.
  3.) The Antivirus I run, gives me other goodies (licke bricking the phone in case the SIM changes). Maybe the antivirus you choose will give you some other goodies too.
  
  --
  *** Suerte a todos y Feliz dia!
7. Re:I run Antivirus in/on my android... by williamyf · 2018-07-20 09:54 · Score: 1
  
  I'll see your "software written by someone else" and raise you connects to the internet.
  Amen colleague.
  
  --
  *** Suerte a todos y Feliz dia!
8. Re:I run Antivirus in/on my android... by williamyf · 2018-07-20 10:13 · Score: 1
  
  Somehow, the guys who implemented ClamAV did it for Windows, Linux, MacOS, BSD and Solaris...
  So, it seems that for them too, and for a lot of other people, being able to run an antivirus in *nix platforms was important and valuable.
  You do not seem to value that...
  But then maybe that's why you are posting as anonymous COWARD, you are afraid that they'll revoke YOUR geek card...
  
  --
  *** Suerte a todos y Feliz dia!
9. Re:I run Antivirus in/on my android... by Monster_user · 2018-07-20 10:56 · Score: 2
  
  AC isn't entirely off base, though perhaps a bit crude... Chrome OS doesn't quite yet have the sizeable user base, and the history of not being able to install anything has rendered the primary exploits largely invalid on Chrome OS.
  
  As far as Solaris, BSD, and Linux, most AV scanners for those operating systems are for Windows accessible machines like file servers or mail servers. AVG ventured into the real-time antivirus monitoring arena for a little while back in the 00's. There wasn't any money in it like on the Windows side, and the AVG implementation was not a simple APT-GET or YUM install. Any nerds who would have simplified the process didn't see a need for it on the Linux desktop. An anti-virus isn't a preventative measure, its reactionary, its remediation, which means the virus already got through.
  
  Android, and especially Apple iOS, lack most of the preventative and verification measures of a desktop OS. There are simply no good ways to keep malware from infecting the device and still participate in the market at large and get the full benefits of the device.
  
  Windows is simply the weapon of choice by the unwashed masses, the illiterates, and nobody can afford to babysit them. That combined with Windows' dominate user base unfortunately means that if there is a vulnerability there is a statistically high potential for success, which means that there if there is a zero-day vulnerability, there is a statistically high probability that an attack will breach your network and infect your machine. Which makes an anti-virus almost a necessity on Windows, as it is a constant and ongoing threat condition.
  
  Whereas on Linux any vulnerability which breaches the primary vulnerabilities, such as email, will have already evaded detection. An antivirus won't perform any better than an expert, and you'd first have to identify the malware and submit it to your antivirus vendor. At which point you're just going to clean the malware immediately, before the AV vendor can provide definitions. If you have multiple servers you will either deploy a script to detect and remediate the virus, or simply redeploy your servers from backups, safeguarding them against the malware before putting them into production. Any serious vulnerability is going to be patched out upstream, so an antivirus won't need to detect older threats. So there is no advantage to running an antivirus on 90% of the Linux boxes. It chews up CPU cycles and IOPS, and gives a false sense of security.
10. Re:I run Antivirus in/on my android... by williamyf · 2018-07-20 12:03 · Score: 1
  
  How interesting it is, then, that Antivirus vendors are still implementing Antivirus for Mac and linux.
  Even MORE so, they are implementing antivirus that hooks into your Virtualization/cloud platforms to protect your VMs, both virtual servers and Virtual Desktops...
  Here is te solution from ESET for VMWare:
  https://www.eset.com/int/busin...
  Here is from Bitdefender, for many Hypervisors:
  https://www.bitdefender.com/bu...
  Here is the one from Sophos:
  https://www.sophos.com/en-us/m...
  But hey, I guess I'll better surrender my geek credentials, as well as all the people working in ClamAV, and all the engineers and managers that are working in such a clear dead end technologies as Mac and Linux antivirus at those companies (and many more).
  After all, is soo clear for me now, you and Anon coward can not be wrong.
  
  --
  *** Suerte a todos y Feliz dia!
Why is self-modifying code allowed? by mysidia · 2018-07-20 08:27 · Score: 2

Shouldn't the executables be digitally signed by the author And signed in some matter specific to the device, and the platform should be designed so an app running in a sandbox can't launch an executable if it is unsigned or the signature doesn't match Or if the executable wasn't installed during an app installation?
1. Re:Why is self-modifying code allowed? by Anonymous Coward · 2018-07-20 09:01 · Score: 1
  
  Correct. This shows that there is a massive problem in the Android ecosystem which needs to be promptly fixed. Apps should never be allowed to update themselves with payloads which have not been vetted and signed by Google. Developers who attempt to do this should be detected and banned.
2. Re:Why is self-modifying code allowed? by Spazmania · 2018-07-20 10:12 · Score: 1
  
  This!
  It's easy in linux to make the program directory unwritable by the program and the data directory unexecutable. Same for ram: easy to mark the program memory read-only and the data memory non-executable.
  So how is this extraneous code successfully getting executed?
  
  --
  Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion.
3. Re:Why is self-modifying code allowed? by mysidia · 2018-07-25 09:18 · Score: 1
  
  The Google Play store is Google's walled garden; they've always had the ability to take down malware.
  The platform should be designed so that program's cannot modify themselves by adding new executable code or new executable program files,
  and if somehow they manage to do so anyways, then the program contains an "exploit" that should be treated as malware.
huh? by astrofurter · 2018-07-20 17:36 · Score: 1

Huh? I thought almost every program on offer in the Play Store was malware? Guess we must have a different standard for "malicious".
obviously by sad_ · 2018-07-23 01:49 · Score: 1

the solution is to not allow applications to install executable files on your device.
What possible good reason/excuse could these applications have to do this?

--
On a long enough timeline, the survival rate for everyone drops to zero.