Slashdot Mirror


500,000 Duped Into Downloading Android Malware Posing As Driving Games On Google Play (forbes.com)

Be careful what you're downloading from Google Play. Especially if it's one of 13 apps posing as driving games created by one developer called Luiz Pinto. From a report: More than 560,000 have already been tricked into downloading the games, which include a mix of luxury car and truck simulation apps, as discovered by Android malware researcher Lukas Stefanko. Once installed on a user's Android device, the games don't actually work. Looking at the reviews on Google Play, users who downloaded them complained it was a virus. For instance, among the masses of one-star reviews for the Truck Cargo Simulator, one noted his device slowed down after it forced him to download an app that wasn't the game itself. Many simply called it a scam.

62 comments

  1. Google vs Microsoft vs Apple by Anonymous Coward · · Score: 0, Insightful

    Android. Shitty operating system.
    Google Play. Shitty curation of applications.

    Windows mobile. Discontinued.

    iOS. Limited operating system.

    1. Re:Google vs Microsoft vs Apple by Anonymous Coward · · Score: 1

      Android is open source, meaning you have a choice of tons of ROMs or to put together your own from AOSP.
      Google Play isn't the only place you can get apps from. Amazon and F-Droid have them too. All of my Android apps come from F-Droid.

    2. Re:Google vs Microsoft vs Apple by sexconker · · Score: 0

      Android is not open source. AOSP is open source.
      Android isn't AOSP, and hasn't been in a long, long time.

      Android is AOSP + custom bullshit + drivers/firmware + Google's services & frameworks + Google's store and apps.
      The "stock" Android people say they love on the Pixels is all of the above, but with additional services and apps that Google makes exclusive to the latest Pixel device, then slowly trickles them out to the older Pixel devices (maybe).

    3. Re:Google vs Microsoft vs Apple by Aighearach · · Score: 1

      That's merely a steaming pile of No True Scotsman.

      If you don't have the google services, it is still Android.

      Maybe you just don't know what the words mean?

    4. Re:Google vs Microsoft vs Apple by sexconker · · Score: 1

      If you don't have the google services, it is still Android.

      Wrong. Look at how Google licenses and brands Android. Look at what OEMs are forced to agree to if they want to advertise their device as an Android device. Look at what they have to agree to to get access to the latest builds of Android.

    5. Re:Google vs Microsoft vs Apple by Anonymous Coward · · Score: 0

      Wrong. Look at how Google licenses and brands Android.

      And how is that? Enlighten us all, please.

      Look at what OEMs are forced to agree to if they want to advertise their device as an Android device.

      What the fuck are you babbling about? Nobody has to do anything to advertise their device as Android except to load Android on to it, whether that's from AOSP or elsewhere doesn't matter. You're conflating OEMs that want to advertise their devices as having Google Play services, which is a totally different matter.

      Look at what they have to agree to to get access to the latest builds of Android.

      What? Nothing? I can download the entirety of AOSP with a couple of clicks or command lines.

      AOSP *is* Android.

      The very FIRST thing that it says on the AOSP site is:

      Android unites the world! Use the open source Android operating system to power your device.

      But you don't want to accept that because you have some kind of hate-driven agenda to push.

    6. Re:Google vs Microsoft vs Apple by Anonymous Coward · · Score: 0

      AOSP stands for "Android Open Source Project". AOSP most certainly is Android and Android most certainly is open source.

      What you are claiming is the same thing as saying that because I run a few closed source applications that my Manjaro Linux OS isn't open source.

    7. Re:Google vs Microsoft vs Apple by Anonymous Coward · · Score: 0

      Oxford Dictionary:

      Android
      NOUN

      2 trademark [mass noun] An open-source operating system used for smartphones and tablet computers.

      [as modifier] ‘I have an Android phone and I like it a lot’

      And there it is. The highest authority on the English language even states that Android is open source.

  2. obligatory by Anonymous Coward · · Score: 1

    A strange game.
    The only winning move is
    not to play.

    1. Re:obligatory by Anonymous Coward · · Score: 0

      My NDS is working fine. Even my old PSP. And no shitty mobile controls + microtransaction bullshit.

    2. Re:obligatory by Anonymous Coward · · Score: 0

      Professor Falken.

    3. Re:obligatory by Anonymous Coward · · Score: 0

      My day-1 PSP still shipped with the ability to run unsigned code right off the sony-proprietary-memory-stick-trade-mark. I'm grateful for it, and still use it for silly stuff to this day.

      A similar thing basically has happened with the Switch...

      Retrospect can be rose-tinted, don't ya know... and different product boundaries are ideal for different people.

      That said, I concede both of them actually did the job they claimed to...

    4. Re:obligatory by mermeid007 · · Score: 1

      isn't this due to cross-site AJAX calls being disabled in Javascript and then subdomains didn't cross-link right so people turned it off?

  3. Walled Garden Strikes Again! by Anonymous Coward · · Score: 0

    Hah! Google and its Walled Garden have ensnared a half a million people!

    oh . . . wait . . .

  4. TFA is ridiculous by Anonymous Coward · · Score: 0

    I don't know who this guy Brewster that wrote TFA is, but he clearly knows nothing about the subject. He lets the other guy - Stefanko get away with a statement about Google not scanning apps uploaded to the Play Store for viruses, then goes on and editorially adds that Google has Virus Total and could scan apps. But of course anyone who knows anything about the subject knows that they DO scan apps. They have for years. The issue isn't scanning. It is that people keep coming up with dodges that evade the scanning and then the scanning engines have to get updated to deal with the new malware. This is just another instance of that.

    But keep writing your security blog Mr. Brewster. Maybe someday you'll learn about what you write about.

    1. Re:TFA is ridiculous by NoNonAlphaCharsHere · · Score: 3, Insightful

      People download and install a game(s) that has "masses" of one-star reviews saying "this shit don't work" and "probably a virus" and clearly that's somehow Google's fault. Gotcha.

    2. Re:TFA is ridiculous by DontBeAMoran · · Score: 1

      Maybe it is partly Google's fault. How long did it take for them to react and remove the offending applications?

      --
      #DeleteFacebook

    3. Re: TFA is ridiculous by Anonymous Coward · · Score: 0

      So the apps in question were not malware. People just thought it was.

      Lolol

    4. Re:TFA is ridiculous by farble1670 · · Score: 1

      Google could do better to protect users on Google Play, Stefanko added. "Many times it would be simply enough to scan apps with anti-virus software before uploading them on to Google Play," he said. Given Google owns an organization that could do just that, Virus Total, that shouldn't be too much of an ask.

      From reading TFA, it sounds like the apps were shells with no real content (or malware), then attempted to download and install malware via "unknown sources", for users that had that enabled. In other words, the game wasn't really detectable malware, it just wasn't a game, and attempted to exploit users that ignored all of the security warnings telling them not to install from untrusted sources.

      This is why the Fortnite installer was such a big deal. It forced users to allow install from unknown sources. How many people did that without knowing the holes, like this, that it opened up.

    5. Re:TFA is ridiculous by TheFakeTimCook · · Score: 1

      It is that people keep coming up with dodges that evade the scanning and then the scanning engines have to get updated to deal with the new malware. This is just another instance of that.

      That's funny!

      Unscrupulous Developers try that stuff constantly with the iOS and Mac App Stores, too.

      But the difference between them and Google Play, is that with the Apple App Stores, I can count the successful "dodges" on just a few fingers.

    6. Re:TFA is ridiculous by Anonymous Coward · · Score: 0

      "Untrusted Sources" - I.e. Sources not trusted by Authority.

      Authority =/= Trust. In this case, this was a "legitimate" app that downloaded malware, had the user agree to install said malware, and was approved by said Authority.

      In both these instances the roots of trust were abused:

      1. Authority abused the trusted position it had with its users by accepting the app into their store without reviewing it properly.

      2. The user abdicated their responsibility to protect their device, and did not question the need to install another app to run one that was already installed.

      3. The user assumed that because the first app came from said Authority, and had said Authority's blessing, that anything subsequent apps did was "safe" and "approved" as well.

      If numbers 2 and 3 seem to be completely reliant on number 1 to never occur, and that if it does happen nothing would catch it in time to prevent the bad effects from 2 and 3, that's because it is. This is an over-reliance on Authority to protect the ignorant. Any such system would suffer the same problems regardless as to who the Authority was. The only reason Apple gets away with it is because they retain absolute power over the devices they sell. Google does not do this, and as such when a Google device falls into the hands of grandma BS ensues. Google devices are for Windows Admins not Grandma. Quit trying to force these things into the hands of the ignorant, or teach them so they are not ignorant, and eventually these problems will stop. Blaming the tech when the problem is the human using it won't fix the issue.

    7. Re:TFA is ridiculous by khchung · · Score: 1

      People download and install a game(s) that has "masses" of one-star reviews saying "this shit don't work" and "probably a virus" and clearly that's somehow Google's fault. Gotcha.

      And how do you think those "masses" of one-star reviews got posted, if not for "masses" of people downloading and installing it in the first place?

      --
      Oliver.

    8. Re:TFA is ridiculous by Waccoon · · Score: 1

      Walled gardens are great because they protect you from malware. It's good for you!

      Wait, you got malware? It's your own damn fault!

    9. Re:TFA is ridiculous by farble1670 · · Score: 1

      3. The user assumed that because the first app came from said Authority, and had said Authority's blessing, that anything subsequent apps did was "safe" and "approved" as well.

      For the trojan to get installed the user had to explicitly bypass security settings and ignore many security warnings. So your claim is that in spite of the authority telling the user to explicitly not do something, they did it anyway, and that's the authority's fault. Well I am sorry, but that's not how reality works.

    10. Re:TFA is ridiculous by Anonymous Coward · · Score: 0

      Walled gardens from trustable companies. This is why you don't see stuff like this with Apple. Google can't be trusted, and this is one of the many reasons why. Over 50% of apps on google play are viruses. Android is for people who don't really understand Linux.

  5. You can download by Anonymous Coward · · Score: 0

    DEEZ NUTS!!!!

    1. Re:You can download by Anonymous Coward · · Score: 0

      GOT HEEEEEEM!!!!

  6. In other news by Anonymous Coward · · Score: 0

    Dog bites man
    Water is wet
    Trump Lies
    The Patriots are cheaters

    1. Re:In other news by bobstreo · · Score: 1

      Dog bites man
      Water is wet
      Trump Lies
      The Patriots are cheaters

      FTP (not the ancient file transfer protocol this time)

    2. Re:In other news by Anonymous Coward · · Score: 0

      OrAngE mAn bAD!!!1!

    3. Re: In other news by Anonymous Coward · · Score: 0

      It's so old news, you forget we've always been at war with Finland over their forest raking.

    4. Re: In other news by bobstreo · · Score: 1

      It's so old news, you forget we've always been at war with Finland over their forest raking.

      Only socialists and communists rake their forests.

      It's like not letting people pump their own gas, creating so many jobs in NJ and Oregon.

      In other Rake News...

    5. Re: In other news by Anonymous Coward · · Score: 0

      Did he say he was bad? No he said he lies.

      Which is a verifiable fact. Prove me wrong.

    6. Re: In other news by Anonymous Coward · · Score: 0

      Pretty much, he couldn't even resist injecting spite into turkey pardons. Then he defends murder committed by cold-blooded Saudi princes.

  7. but at least it's not a WALLED GARDEN oh noes!!!1 by Anonymous Coward · · Score: 0

    Unlike asshole dickhead Steve Jobs Google's motto is "Don't Be Evil" so you can totally tell they are way more trustworthy than companies with WALLED GARDENS!!!!

  8. but at least he's diverse! by Anonymous Coward · · Score: 0

    I love tacos and malware! Diversity is strength!

  9. Google Play is malware by themusicgod1 · · Score: 1

    and everything on it. If you can't reproducibly build the apks yourself, and install them without Google, that is 'bad' / 'unhappy' enough to be considered badware/unhappyware/malware.

    --
    GENERATION 26: The first time you see this, copy it into your sig on any forum and add 1 to the generation.

    1. Re:Google Play is malware by farble1670 · · Score: 1

      If you can't reproducibly build the apks yourself, and install them without Google, that is 'bad' / 'unhappy' enough to be considered badware/unhappyware/malware.

      That's up to the developer. If they want to post their source for you to build and install outside of Google Play they can do that. In fact, you can even choose to only install such apps. You can do this today.

    2. Re:Google Play is malware by themusicgod1 · · Score: 1

      Yes, we should choose not to install unsafe software.

      --
      GENERATION 26: The first time you see this, copy it into your sig on any forum and add 1 to the generation.

  10. It's much worse than that... by freak0fnature · · Score: 1

    Take an app like MegaN64 (N64 Emulator), perfectly good app for years. You use it, you trust it. Then one day it auto updates, only the update is infected with malware. Despite the recent poor reviews and warnings, despite reporting it to Google, the app is still available.

    1. Re:It's much worse than that... by CaptainDork · · Score: 1

      The problem you're describing is the fault of Google Play.

      Google warns against side loading, but what's the risk differential?

      Google's walled garden's got cracks in it and can't be trusted.

      --
      It little behooves the best of us to comment on the rest of us.

    2. Re:It's much worse than that... by Anonymous Coward · · Score: 0

      freak0fnature related:

      Take an app like MegaN64 (N64 Emulator), perfectly good app for years. You use it, you trust it. Then one day it auto updates, only the update is infected with malware. Despite the recent poor reviews and warnings, despite reporting it to Google, the app is still available.

      It's not especially difficult to turn off auto-updating on Android:

      1. Open Google Play.
      2. Tap the hamburger icon (three horizontal lines) on the top-left.
      3. Tap Settings.
      4. Tap Auto-update apps.
      5. To disable automatic app updates, select Do not auto-update apps.

      Of course, most users don't realize that - and most of 'em probably wouldn't take advantage of it, if they did, because convenience.

      Nonetheless ...

      (Posting as AC only so as not to undo prior upmods in this thread.)

      --

      Check out my novel ...

    3. Re: It's much worse than that... by Anonymous Coward · · Score: 0

      Nor can Apple's. How many white hat hackers penetrated the walled garden and got away with it? All of them. Only when they self reported did they get booted.

      Add to that nobody else can reliably scan apps for malware, and you're just asking for it

    4. Re:It's much worse than that... by Aighearach · · Score: 2

      If you care that much about security, you already were refusing to install apps that ask for more permissions than they absolutely need for their core purpose.

      If you're like the average user and you're willing to say "yes" to letting a random application that isn't a phone dialer or email app access your mobile contacts, you've already agreed to be p0wned.

      You use it, you trust it.

      If you trust stuff you downloaded off the internet, you're already pre-p0wned; your system of using technology not only lacks basic protections, it lacks a willingness to be protected.

      It was always a mistake to trust shit. Stop trusting shit. Malware exists. Server bugs exist. Even when none of the humans making and offering the app did anything with the intention to violate your trust, your systems still got p0wned because you gave out excessive permissions and received the expected results.

      And when it starts looking like "all the apps require inflated permissions," simply switch to f-droid and you'll find reasonable alternatives.

    5. Re: It's much worse than that... by TheFakeTimCook · · Score: 1

      Nor can Apple's. How many white hat hackers penetrated the walled garden and got away with it? All of them. Only when they self reported did they get booted.

      Add to that nobody else can reliably scan apps for malware, and you're just asking for it

      You mean like BOTH of them?

      Funny that there haven't been any significant malware incursions in either of Apple's App Stores, whereas there have been literally HUNDREDS OF THOUSANDS in Google Play.

      Somehow, I don't see the equivalence you are trying to foist.

  11. Um by Anonymous Coward · · Score: 0

    I admit, I skimmed through TFA, but.. I think I got the gist of.. it "doesn't seem to do anything", and the "device slows down". Lots of "it could be doing this, or it could be doing that"

    I mean, no doubt there's some form of Malice behind this, but it's not really a perfect example of a security researcher reporting on something specific. I want details man! I mean if the app were able to download APKs on its own, is this primarily affecting poorly configured (and probably rooted) devices? Or is it "forcing users" to install APKs because they are full screen ads that look like legitimate application functionality? Because in my opinion, the two things are very, very different. The second is a thing many folks do with varying levels of danger (such as avast using full page advertisements that look exactly like the google play store, behind notifications like "we've scanned your device, here's what you need to know").

    In the case of the second, you might be misled in some way to think you're doing something, but inevitably Android is going to ask if you want to install this, and provide these permissions... And if it's not, I would have expected the researcher to provide more details.. (such as there is a new android exploit some folks are taking advantage of, by disguising malware as games, and this is what the exploit actually does).

    I wholeheartedly agree however, the google play is filled with 95% shit. But anyways, this isn't news, people report shit apps under suspicion like this all the time. Unless it's just a smear campaign targeting the one developer mentioned with 10 broken games...

    Honestly, it's a bigger problem vendors are packing software like the facebook app with the device, in a way that it can't be removed...

  12. Re:Google vs Microsoft vs Apple vs Moto by Anonymous Coward · · Score: 0

    Motorola EZX Linux. The what now? Discontinued.

    I was lucky enough to own an EZX phone. Still works today, though changes in wireless bands makes it less useful. Apps were easy to write and it was a nice system to use.

  13. So far only "reports" and supposition by Zero__Kelvin · · Score: 2

    I don't see any confirmation of the claims being made here. Some user saying it must be malware because his phone slowed way down? Users blame all manner of expected behavior on malware when they don't understand what is going on. Perhaps the games work on the developer's system but fail on other phones with different hardware and/or Android versions. Until someone actually analyses it and confirms I will withhold judgement.

    --
    Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun

    1. Re:So far only "reports" and supposition by Aighearach · · Score: 1

      OTOH, I'm not convinced either.

      OTOH, I'm going to keep using fdroid for most apps, and not installing anything that wants more permissions than it needs.

  14. same with F16 sim for ios by Anonymous Coward · · Score: 0

    a few years ago, I bought some ios apps as I was thinking of becoming an app developer - most of the purchases were good, but one, an F16 flight sim was strange in that it seemed to be very unfinished (no enemies) - the ipad did do strange things while that app was installed, the weirdest being: I opened up the ipad and saw it auto-type in my 4 digit login code - I promptly deleted the offending app

  15. Luiz is a Prick ? by nukenerd · · Score: 1

    one developer called Luiz Pinto

    Isn't "Pinto" Portuguese for a dick ?

    1. Re:Luiz is a Prick ? by FunkSoulBrother · · Score: 1

      I mean, "Johnson" is English for a dick and millions of people have the last name. What's your point?

    2. Re:Luiz is a Prick ? by nukenerd · · Score: 1

      My point is that this guy might be having a laugh at his victims with his name.

  16. Worked for me by Tablizer · · Score: 1

    Whaddya mean it's fake? I went for a nice simulated drive with a Nigerian Prince in the countryside.

  17. Thanks in a way & why, lol... apk by Anonymous Coward · · Score: 0

    In your IMPERSONATIONS of me (like u do now) saying what you thought "makes me look bad" e.g. https://tech.slashdot.org/comm... (like now)? You did me a favor & got me to look @ these closely:

    1st - Hosts stop portsmash (blocking downloads of it) "You basically have to already be able to run your own evil code on a machine in order to PortSmash it." from https://www.theregister.co.uk/...

    2nd hosts MAY prevent the OTHER forms of Intel CPU weakness per ACADEMIC RESEARCH I read:

    SPECTRE "As an attempted mitigation for our JavaScript-based attack" https://spectreattack.com/spec...

    MELTDOWN "We presented Meltdown, a novel software-based attack" https://meltdownattack.com/mel...

    So like portsmash?

    Academics NEEDED LOCAL CODE (like portsmash hosts can prevent) so hosts ALSO work vs. Spectre/Meltdown!

    APK

    P.S.=> 3rd strike "yer out" - U FAIL PORTFILTERING TESTS https://yro.slashdot.org/comme... (IF hosts could DO it I'd implement it in my work & I STOP THAT ERROR) ... apk

  18. The difference by SuperKendall · · Score: 1

    Nor can Apple's. How many white hat hackers penetrated the walled garden and got away with it? All of them.

    I would not say all, because you cannot know how many attempts were stopped at review stage.

    Furthermore, there have been a number of instances where something with a problem did make it through, but Apple withdrew it. Those were not "self-reported".

    But on top of that iOS has long been simply a better environment to accidentally download a malicious app into... for what harm could it do? It was going to have to access your permission for anything interesting (and this is the important bit) AT TIME OF ACCESS, not in a blob up front as Android did for so long (I think they have sort of fixed that recently).

    A rogue iOS app isn't going to be able to make or monitor calls or texts without you manually helping it. There are whole classes of malware that simply never have and cannot exist on iOS that work just fine on Android.

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley

  19. Trusted app? by Anonymous Coward · · Score: 0

    No mention if the Google Play Store was listing the game as a "trusted app". This may just be imbeciles that rooted their phones and got what they deserved for running "free games".