

Google Play Malware Used Phones' Motion Sensors To Conceal Itself (arstechnica.com)

An anonymous reader quotes a report from Ars Technica: Malicious apps hosted in the Google Play market are trying a clever trick to avoid detection -- they monitor the motion-sensor input of an infected device before installing a powerful banking trojan to make sure it doesn't load on emulators researchers use to detect attacks. The thinking behind the monitoring is that sensors in real end-user devices will record motion as people use them. By contrast, emulators used by security researchers -- and possibly Google employees screening apps submitted to Play -- are less likely to use sensors. Two Google Play apps recently caught dropping the Anubis banking malware on infected devices would activate the payload only when motion was detected first. Otherwise, the trojan would remain dormant.

Security firm Trend Micro found the motion-activated dropper in two apps -- BatterySaverMobi, which had about 5,000 downloads, and Currency Converter, which had an unknown number of downloads. Google removed them once it learned they were malicious. The motion detection wasn't the only clever feature of the malicious apps. Once one of the apps installed Anubis on a device, the dropper used requests and responses over Twitter and Telegram to locate the required command and control server. Once Anubis was installed, it used a built-in keylogger that can steal users' account credentials. The malware can also obtain credentials by taking screenshots of the infected users' screen.

55 comments

  1. Happy Friday From The Golden Girls! by Anonymous Coward · · Score: 0

    Thank you for being a friend
    Traveled down the road and back again
    Your heart is true, you're a pal and a cosmonaut.

    And if you threw a party
    Invited everyone you ever knew
    You would see the biggest gift would be from me
    And the card attached would say, thank you for being a friend.

    1. Re: Happy Friday From The Golden Girls! by Anonymous Coward · · Score: 0

      Truly hilarious. This isn't possible with iOS because both the simulator and phone run the same OS: Mac OS

    2. Re: Happy Friday From The Golden Girls! by Anonymous Coward · · Score: 0

      Is this like the old comedy routine where one guy stands behind the other and moves his arms independent of the speaker?

    3. Re: Happy Friday From The Golden Girls! by Anonymous Coward · · Score: 0

      Honeybunch, how come your phone talks in a funny accent when you move it?

    4. Re: Happy Friday From The Golden Girls! by Anonymous Coward · · Score: 0

      Have to work right. All versions of OSX are essentially the same thing

  2. But..what about the impacted users? by froggyjojodaddy · · Score: 1

    Once the app is removed from the Google store, does Google actually do anything to remove it from users phones too?...

    1. Re:But..what about the impacted users? by Anonymous Coward · · Score: 0

      Yes

    2. Re: But..what about the impacted users? by Anonymous Coward · · Score: 0

      Nope

    3. Re:But..what about the impacted users? by Anonymous Coward · · Score: 0

      Maybe

  3. The garden wall provides no safety. by GameboyRMH · · Score: 4, Insightful

    I think it's time to officially declare walled garden computing a failure from a security standpoint. Malware has had little trouble getting inside, and then the fact that it's inside the supposedly safe garden lulls users into a false sense of security. The only thing the walled garden has succeeded in doing is enriching the gatekeepers and disempowering the users.

    --
    "When information is power, privacy is freedom" - Jah-Wren Ryel
    1. Re:The garden wall provides no safety. by Anonymous Coward · · Score: 0

      It was never designed to. It was only designed to provide the ILLUSION of security.

      Much like government security theater (ex: the TSA rectal exam at airports by mouth-breathing automatons who are otherwise unemployable) is only designed to provide the illusion of security.

    2. Re: The garden wall provides no safety. by Anonymous Coward · · Score: 0

      News for nerds... I will have to download this virus and recode my emulator to find it and others like it

    3. Re:The garden wall provides no safety. by Actually,+I+do+RTFA · · Score: 3, Insightful

      Android isn't a walled garden - as an OS it's open (albeit needing to have each source whitelisted). Google as a curator of applications is a failure (and there is no reason to expect Amazon or others are better). However, the OS is pretty open.

      Apple seems to have their walled garden in order, and their OS is more locked down.

      Of course, the "walled garden" on phones before, without allowing random third party devs, worked fine on the older phones. I mean, you don't have many apps, but it was safe.

      --
      Your ad here. Ask me how!
    4. Re:The garden wall provides no safety. by DigiShaman · · Score: 4, Insightful

      At the end of a day, you're just not paying for a device, but a service. Part of that service might include many things, including someone else doing the vetting of what software is and isn't safe. I own an iPhone with the full understanding that it's locked down and inside a "walled garden". But you know what, I love that garden. Because at the end of the day, it's just a damned phone that's a tool more than anything else.

      Don't like walled gardens, then don't support a company that enforces them. It's that simple. Just don't right them off as useless especially when the agreement is mutual between the vendor and consumer.

      --
      Life is not for the lazy.
    5. Re:The garden wall provides no safety. by MobyDisk · · Score: 2

      What does Google do once they find this? The walled garden requires, in theory, that you know who the author is. Does Google try to prosecute the hackers? Of all the companies on Earth who should be able to track someone down, Google and Facebook seem like they could do it.

    6. Re:The garden wall provides no safety. by Anonymous Coward · · Score: 0

      You have clearly no idea of the amount of submissions and deletions a day. They just terminate the dev's Play account and that's the end of that chapter. They don't have the resources to go after them. The issue is a lot of devs get their accounts unfairly removed as they have only one tool in their toolbox and it's a (ban)hammer.

    7. Re:The garden wall provides no safety. by Anonymous Coward · · Score: 0

      While less common, Apple is by no means immune to malware in their store. Assuming that an app is safe just because it is paying 30% of proceeds is insane.

    8. Re:The garden wall provides no safety. by tepples · · Score: 1

      At the end of a day, you're just not paying for a device, but a service.

      Let's run with this analogy. Say I want portable video gaming with physical buttons, which fit some game genres better than the flat sheet of glass that is the input device included with an iPhone or Android phone. But I don't want a Nintendo 3DS or Nintendo Switch because I don't want the service of Nintendo imposing limits on what scenarios may and may not appear in a game. Which handheld device isn't made to impose this unwanted service?

    9. Re:The garden wall provides no safety. by DigiShaman · · Score: 1

      The terms and conditions for their service would (and does) make using their HW a requirement. Case closed.

      You agree, or you don't. The choice is yours. If you feel that choice sucks, then start your own company.

      --
      Life is not for the lazy.
    10. Re:The garden wall provides no safety. by tepples · · Score: 1

      Let me rephrase how I understood your post: "Any company disagreeing with Nintendo's monopoly on handheld gaming with buttons ought to be building and selling its own hardware." Do I understand you correctly?

    11. Re:The garden wall provides no safety. by gmiller123456 · · Score: 1

      Don't like walled gardens, then don't support a company that enforces them. It's that simple.

      This is quite an ignorant statement. It pretends to not be aware that we don't live in a world where users have an actual choice. The walled gardens Google and Apple have created are for their own benefit, not due to user demands. We already have tools for dealing with malware by using firewalls and sandbox environments on "normal" operating systems. The lip service Apple and Google pay to guarding against malware in their gardens is just because they've denied us the ability to protect ourselves. They are only able to force it upon us because we don't have a true open market.

    12. Re:The garden wall provides no safety. by Anubis+IV · · Score: 1

      While you're certainly espousing a popular sentiment, the facts don't bear out anything you've said.

      Take a look at the mobile malware reports from the last few years and if you parse through the details you'll see two consistent trends:

      1) Android accounts for the vast majority of malware—about 98% in 2013, rising to within a rounding error of 100% at this point—but that...
      2) Nearly all Android malware is coming from sources outside the Google Play Store, mostly via stores in the Middle East and Asia.

      Taken together, iOS and Android account for nearly the entire smartphone market, yet the number of threats within their walls (i.e. available in Apple's App Store or Google's Play Store) is less than 0.1% of what is outside their walls. As such, despite the baseless assertions of a random Slashdotter that "the garden wall provides no safety", there's actually a fairly meaningful and measurable amount of safety being provided by those walls. And even when there are leaks, they tend to be caught quickly. The malware mentioned in the summary affected 5,000 devices (at most) before it was removed, which is a drop in the bucket compared to 2+ billion Android devices that are in active use. It's important to keep things in perspective, lest you be misled into thinking that a problem is bigger than it is.

      Hell, the only reason why these sorts of lapses are still newsworthy is because the walled gardens have been so successful at keeping their users safe.

    13. Re:The garden wall provides no safety. by DigiShaman · · Score: 1

      YUP! Bingo!

      Short of patents (which is another matter entirely, and I'm against them anyways..), you're free to start up your own game company to design hardware, software, games, and other services to compete.

      There's no right to others' services as you wish. You play by their rules or you don't play at all. If you don't like the rules, then create an org where you craft your own. That's capitalism.

      --
      Life is not for the lazy.
    14. Re:The garden wall provides no safety. by tepples · · Score: 1

      What resources are recommended for a startup video game developer that is getting into the handheld gaming hardware market for the first time?

    15. Re:The garden wall provides no safety. by GameboyRMH · · Score: 1

      I don't see how the existence of a huge amount of malware outside of the walled garden suggests that the inside is safe because it has less, when that number is still enormous, and the primary security purpose is to be free of malware. That's like saying that a submarine that's half full of water has a good functioning hull because it has a much lower percentage of water than the outside ocean. It's like saying that a zoo with five lions running loose in the guest areas has good containment because there are dozens of lions inside the cages.

      --
      "When information is power, privacy is freedom" - Jah-Wren Ryel
    16. Re:The garden wall provides no safety. by Anonymous Coward · · Score: 0

      And as has been said elsewhere, many people embrace companies who lower their risk. You want to do it all yourself, great, but you speak for the minority.

      And back to that "do it all yourself"... I don't see you accomplishing that, even if you're an AV developer. You're going to rely on some company or likely several companies to HELP secure the device... so much smarter to stop this at the source and have the manufacturer involved with this on their custom devices.

      I don't want your infected phone affecting my phone service or phone network. You can use some amateur / open network instead, which will be just like using publicly available wifi -- filled with thieves and scams and poor service. No thanks!

    17. Re:The garden wall provides no safety. by Anonymous Coward · · Score: 0

      There are risks for everything. Do you wear a seat belt? In some accidents, wearing the seatbelt will increase your risk of dying or being injured, but you wear them anyway right? Have you stopped driving altogether, or do you make choices to mitigate risk? What you're saying is at best a distraction from facts, an argument from ridiculous exaggeration in search of a point.

      So far as "freedom" is concerned, I will take the device that has the much smaller risk. You can do what you want, but the moment your activities affect my service level then you and I will have a problem. You and your lions and submarine will have to pay.

      Anon because I'm not sure if you really believe what you say and are therefore deranged, or you are trolling.

    18. Re:The garden wall provides no safety. by GameboyRMH · · Score: 1

      Those aren't ridiculous exaggerations at all. The walled garden's security is just as broken as the flooding submarine or the lion's buffet zoo. But those analogies do fail to account for the downsides of using these things at all when they weren't necessary. It's as if to protect people's safety, we've replaced snorkeling with a submarine and walking in nature with a zoo, causing people to leave their lifevests and rifles respectively at home, only to suffer these terrible problems.

      Your activities, the walled garden, affect the service level of programmers and users everywhere. You can always opt in to a walled garden but it's not so easy to opt out. That's why you and I have a problem.

      --
      "When information is power, privacy is freedom" - Jah-Wren Ryel
    19. Re:The garden wall provides no safety. by Anubis+IV · · Score: 1

      I don't see how the existence of a huge amount of malware outside of the walled garden suggests that the inside is safe because it has less

      I see you enjoy moving goalposts. After all, your original assertion (see: subject line) was that "the garden wall provides no safety"—none—which is a patently false claim, but now you're trying to argue that they don't provide enough safety, which is a subjective claim for which you provide no evidence, other than an unspecified but "enormous" amount of malware that is apparently still getting in, despite the links I just provided that seem to contradict that notion.

      That's like saying that a submarine that's half full of water has a good functioning hull because it has a much lower percentage of water than the outside ocean.

      Not even close. While there are an "enormous" number of apps being submitted for review each year (hundreds of thousands), there's a very small amount of malware actually getting through the wall (only a few hundred most years), most of which never gets more than a couple thousand downloads before it's dealt with. Instead of the sub being half-full, a more accurate analogy would be that of the thousand times someone opened the hatch in the last year, seawater only splashed in once, but it was wiped up quickly, before anyone had a chance to slip on it. Maybe once every few decades, someone slips on the water before it's wiped up.

      Now, if you want to argue that someone slipping on water once every few decades is just as unsafe as being outside the sub, we can measure that claim, and you'd be wrong. End of story. If you want to argue that it isn't safe enough, I'll cordially disagree on the basis of the evidence we have available, but "safe enough" is an inherently subjective measure, so if your standard for "safe enough" means "0 instances", then you're welcome to think differently than I do, even though that standard would be a ridiculous one in my opinion.

    20. Re:The garden wall provides no safety. by GameboyRMH · · Score: 1

      Well yes if you want to nitpick, I wasn't literally correct to say "no safety" if you compare the safety of a person installing any random app from inside vs. outside the app store, although that's not something a person will normally do. Similarly in my analogies, of course you'd be in more danger inside the lion cage or strapped to the outside of the submarine. If you assume a person would be stupid enough to go there, which they generally aren't.

      Title nitpicking aside, you'd have a good argument if you had the scale of the malware problem in app stores correct. Which you didn't...you were at least a couple of orders of magnitude low:

      https://www.zdnet.com/article/...

      https://www.express.co.uk/life...

      https://bgr.com/2015/09/21/ios... (In which a piece of software used by over half a billion people was infected, among many others).

      So yes, there is a helluva lot of water getting through that submarine hull.

      --
      "When information is power, privacy is freedom" - Jah-Wren Ryel
    21. Re:The garden wall provides no safety. by BaronM · · Score: 1

      If you insist, you can get something like this:

      https://pyra-handheld.com/boards/pages/pyra/

      All the buttons you could ever want, and no walled garden at all.

    22. Re:The garden wall provides no safety. by sootman · · Score: 1

      Never say never. Walled gardens provide SOME security. No system is perfect. This is as useless as saying "Locks provide no safety. Break-ins still happen." or "Seat belts provide no safety. People still die in car crashes."

      "I think it's time to officially declare walled garden computing a failure from a security standpoint."

      Well then, by your logic, I guess we can declare EVERYTHING EVER MADE a failure from a security standpoint because exploits still happen, right?

      Follow-up question: are walled gardens more secure, about the same as, or less secure than totally open systems?

      --
      Dear Slashdot: next time you want to mess with the site, add a rich-text editor for comments.
    23. Re:The garden wall provides no safety. by Anubis+IV · · Score: 1

      Title nitpicking aside, you'd have a good argument if you had the scale of the malware problem in app stores correct. Which you didn't...you were at least a couple of orders of magnitude low:

      I'm not seeing it. Quite the opposite, actually, since your links mention 7, 145, and "more than 50" instances of malware apps making it into the stores, all of which fall in line with my statement that out of the hundreds of thousands of apps that are submitted for review each year, there are "only a few hundred [instances of malware] most years". If anything, your links would suggest that I might have overstated that aspect of the malware problem by an order of magnitude.

      That said, it seems like you may be under the impression that I'm denying the existence of outliers when it comes to the number of downloads, so let me be clear: I'm not. What I said was that when it comes to malware apps (emphasis added) "most never [get] more than a couple thousand downloads before [they're] dealt with", which your second link supports, given that among the 145 malware apps they mention, the biggest number they could claim was "more than 1,000 installations".

      But outliers certainly do exist (e.g. your first and third links), which is why I also said that "[i]t's important to keep things in perspective, lest you be misled into thinking that a problem is bigger than it is." Take your first link, for instance. It mentions "at least a million users" being affected, which sounds like a huge number until you realize that it correlates to just half of a tenth of a percent of active Android users. That's it. Again, it's more accurate to portray it as a splash of water in a sub that is quickly dealt with, rather than as a sub that's half-full.

      (As for your third link, it's light on anything concrete. It mentions "600 million [WeChat] users", which, once again, sounds like a huge number until you realize that the actual number of affected users would have been a substantially smaller, since it was an iOS-specific issue that only occurred for people running a compatible version of the OS who happened to both update the WeChat app and use it during a narrow window of opportunity. The issue was quickly resolved before most users were even aware of it, let alone affected by it.)

    24. Re:The garden wall provides no safety. by jpaine619 · · Score: 1

      Just don't right them off as useless

      write = what you're trying to describe
      right = a direction (opposite of left) or correct (opposite of wrong)

    25. Re:The garden wall provides no safety. by DigiShaman · · Score: 1

      FYI, proofreading is not my strong suit.

      --
      Life is not for the lazy.
  4. Time to randomize the sensor inputs in the simu by Anonymous Coward · · Score: 1

    and other stuff like that.

    And with randomize I mean to filter it to something that looks like it is being used for real, not just completely random crap.
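    One way to give an analysis emulator the "looks like it is being used for real" sensor feed this comment asks for, and that the dropper in the summary waits for, is to synthesise a plausible hand-held accelerometer trace instead of the constant value an idle emulator reports. The script below is an added example, not code from the article, Trend Micro or Google; the sample rate, noise level and tap-jolt size are assumed values, and the output lines are Android emulator console commands that can be sent to a running emulator with `adb emu`.

```python
"""Synthetic in-use accelerometer trace for a malware-analysis emulator.

Added example (not code from the article, Trend Micro or Google). The dropper
in the summary activates only after the motion sensors report movement, so a
sandbox whose accelerometer returns a constant, noise-free value never
triggers it. This script builds a plausible hand-held trace (gravity at a
slowly varying hold angle, per-sample sensor noise, occasional tap jolts),
renders it as emulator console commands ("sensor set acceleration x:y:z"),
and checks that the trace would not pass for an idle emulator.
"""
import math
import random
import statistics

G = 9.81             # gravity, m/s^2
NOISE_SIGMA = 0.04   # assumed per-axis sensor noise, m/s^2
TAP_JOLT = 1.2       # assumed peak added by a finger tap, m/s^2


def make_trace(seconds=10, hz=50, seed=1234):
    """Return a list of (x, y, z) samples in m/s^2 mimicking a phone in a hand."""
    rnd = random.Random(seed)
    samples = []
    jolt = 0.0
    for i in range(seconds * hz):
        t = i / hz
        # Slowly varying hold angle: gravity is never exactly on one axis.
        pitch = 0.5 + 0.2 * math.sin(2 * math.pi * 0.15 * t)
        roll = 0.1 * math.sin(2 * math.pi * 0.07 * t)
        gx = G * math.sin(roll)
        gy = G * math.cos(roll) * math.cos(pitch)
        gz = G * math.cos(roll) * math.sin(pitch)
        # Occasional tap: a short jolt on the screen-normal axis that decays.
        if rnd.random() < 1.0 / (2 * hz):   # roughly one tap every 2 s
            jolt = TAP_JOLT
        gz += jolt
        jolt *= 0.6
        samples.append((
            gx + rnd.gauss(0, NOISE_SIGMA),
            gy + rnd.gauss(0, NOISE_SIGMA),
            gz + rnd.gauss(0, NOISE_SIGMA),
        ))
    return samples


def axis_stddev(samples):
    """Per-axis population standard deviation of a trace."""
    return tuple(statistics.pstdev(axis) for axis in zip(*samples))


def looks_idle(samples, threshold=0.01):
    """True when every axis is (almost) constant, i.e. a default emulator feed."""
    return max(axis_stddev(samples)) < threshold


def to_console_commands(samples):
    """Render samples as emulator console commands, one per sample."""
    return ["sensor set acceleration %.3f:%.3f:%.3f" % s for s in samples]


if __name__ == "__main__":
    trace = make_trace()
    print("idle-looking:", looks_idle(trace), "stddev:", axis_stddev(trace))
    for cmd in to_console_commands(trace)[:5]:
        print(cmd)
```

    Each command line is meant to be replayed at the chosen sample rate (e.g. `adb emu sensor set acceleration 0.123:9.456:0.789`), so the emulated sensor shows the kind of noisy, tilting signal a real device produces.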

  5. Reviews for the app by MobyDisk · · Score: 3, Funny

    The reviews for the app reveal several levels of stupidity:
    Reviewer 1: "Just started using still unknown"
    Reviewer 2: "you are asking me and I just now installed the app"
    ^^^ Facepalm 1: Then why did you post the review??
    ^^^ Facepalm 2: Why does Android prompt people to review apps just after they installed them?

    Reviewer 3: "Thanksgiving"
    Reviewer 4: "Totally awesome"
    ^^ WTH?

    1. Re: Reviews for the app by Anonymous Coward · · Score: 0

      Haha haha! I like this article and the comments better than slashdot itself

    2. Re:Reviews for the app by Anonymous Coward · · Score: 1

      Reviewer 1: "Just started using still unknown"
      Reviewer 2: "you are asking me and I just now installed the app"
      ^^^ Facepalm 1: Then why did you post the review??
      ^^^ Facepalm 2: Why does Android prompt people to review apps just after they installed them?

      My bet, your Facepalm #2 where apps immediately prompt you for a review.

      At this point, I've given up on apps. Most of them are written by assholes and offer little value, or as we see constantly, outright malicious.

      To me, grabbing a random app with a relatively small number of downloads is just idiotic ... you have no way of knowing what it actually is doing, so why are you saying "hey, 2000 people have downloaded this, what could possibly go wrong?" Even back on my first gen iPad, it took a relatively small time for the quality of apps to degrade to copycats and other pointless crap.

      I'm sort of past feeling sorry for people when this happens. This is no better than clicking on random links you get in emails.

      Either people need to understand that these apps may not be trustworthy, or Google et al need to do a far better job in accepting apps.

      Right now, people are just taking random apps from random companies, and assuming they're safe. It seems like app stores just give people a false sense of confidence, and no concept of basic security practices.

    3. Re:Reviews for the app by Dirk+Becher · · Score: 1

      >>> Why does Android prompt people to review apps just after they installed them?

      Because people buy apps for the attention, not the app.

  6. Contacting Infected Users? by acoustix · · Score: 1

    Does Google or Apple make any effort to contact the infected users when they find malicious apps? Seems like it would be the right thing to do.

    --
    "A plan fiendishly clever in its intricacies"- Homer Simpson
  7. Clever girl by thomn8r · · Score: 2

    The VW emissions trick worked in a similar fashion: it detected the lack of certain control inputs to figure out if it was being tested.

    1. Re:Clever girl by Anonymous Coward · · Score: 0

      The VW emissions trick worked in a similar fashion: it detected the lack of certain control inputs to figure out if it was being tested.

      Which more or less demonstrates that the universe is constantly working to create better idiots, and bigger assholes.

      There's always assholes, plan accordingly.

    2. Re:Clever girl by ApartmentCleaningCom · · Score: 1

      nice words

  8. It's not the OS but the input by tepples · · Score: 3, Interesting

    This isn't possible with iOS because both the simulator and phone run the same OS: Mac OS

    It's not about the operating system. If I run an Android device simulator under GNU/Linux, it's still Linux on the outside and Linux on the inside. It's about using motion input to distinguish a physically mobile device from one chained to a desk or a server rack. To put it another way: To what extent does running an app in the simulator on an iMac produce motion inputs indistinguishable from those of an iPhone? It'd have to produce, say, minute motions of the device itself when its screen is tapped.

  9. no emulation of motion sensors? by Anonymous Coward · · Score: 0

    This would be a surprise if they left this out of the emulators Google uses to screen apps. You would think they'd be able to script simulated motion or have on-screen sliders to do the same thing.

    1. Re:no emulation of motion sensors? by Anonymous Coward · · Score: 0

      Most likely the difference is the lack of noise.

      It's also possible that they first scouted the test with an app that phoned home with the accelerometer data so they could profile it and determine a way to sneak past the automated test pattern.

  10. Web-based malware has been doing this for years by Anonymous Coward · · Score: 0

    To detect mobile malware, I worked up a system to rotate phones on 2 axes at varying speeds at least 3 years ago. Some part of Google knew this because I told them.

  11. Honda did it in the *90s* by Anonymous Coward · · Score: 0

    With the Honda Accords, I forget which model years (it was OBD2, so either 94-95 or the 96-00 models). The trick they used was to check the rear ABS sensors, which had become standard on those model cars. Since no states used 4-wheel dynos for emissions testing, they simply watched for the rear wheel ABS sensors to show them not moving while the front wheel sensors/speed sensor was moving, and used that to decide it was in a smog test and tune the car's ECU accordingly. I don't remember how exactly it was discovered, but CARB or the EPA discovered it during testing and eventually traced it back to its source. Honda was far enough ahead on emissions that a stiff fine and an ECU update solved it, but the modern attempts at cheating have been going on for a LONG LONG time; it's just that no public naming and shaming has been going on to seriously cut into their profits until the VW one.

    That case study was a major point in emissions test training here in California, because it gave an example of how easily the testing can be gamed if you the smog technician are not ever vigilant in your inspection, and sometimes even if you are.

  12. Yeah well by Anonymous Coward · · Score: 0

    That's just clever. Good for them for thinking of that and good for the person who found it for identifying the issue. Everyone is brilliant.