Slashdot Mirror


Google Play Malware Used Phones' Motion Sensors To Conceal Itself (arstechnica.com)

An anonymous reader quotes a report from Ars Technica: Malicious apps hosted in the Google Play market are trying a clever trick to avoid detection -- they monitor the motion-sensor input of an infected device before installing a powerful banking trojan to make sure it doesn't load on emulators researchers use to detect attacks. The thinking behind the monitoring is that sensors in real end-user devices will record motion as people use them. By contrast, emulators used by security researchers -- and possibly Google employees screening apps submitted to Play -- are less likely to use sensors. Two Google Play apps recently caught dropping the Anubis banking malware on infected devices would activate the payload only when motion was detected first. Otherwise, the trojan would remain dormant.

Security firm Trend Micro found the motion-activated dropper in two apps -- BatterySaverMobi, which had about 5,000 downloads, and Currency Converter, which had an unknown number of downloads. Google removed them once it learned they were malicious. The motion detection wasn't the only clever feature of the malicious apps. Once one of the apps installed Anubis on a device, the dropper used requests and responses over Twitter and Telegram to locate the required command and control server. Once Anubis was installed, it used a built-in keylogger that can steal users' account credentials. The malware can also obtain credentials by taking screenshots of the infected users' screen.

  1. The garden wall provides no safety. by GameboyRMH · Score: 4, Insightful

    I think it's time to officially declare walled garden computing a failure from a security standpoint. Malware has had little trouble getting inside, and then the fact that it's inside the supposedly safe garden lulls users into a false sense of security. The only thing the walled garden has succeeded in doing is enriching the gatekeepers and disempowering the users.

    --
    "When information is power, privacy is freedom" - Jah-Wren Ryel
    1. Re:The garden wall provides no safety. by Actually, I do RTFA · Score: 3, Insightful

      Android isn't a walled garden - as an OS it's open (albeit needing to have each source whitelisted). Google as a curator of applications is a failure (and there is no reason to expect Amazon or others are better). However, the OS is pretty open.

      Apple seems to have their walled garden in order, and their OS is more locked down.

      Of course, the "walled garden" on phones before, without allowing random third party devs, worked fine on the older phones. I mean, you don't have many apps, but it was safe.

      --
      Your ad here. Ask me how!
    2. Re:The garden wall provides no safety. by DigiShaman · Score: 4, Insightful

      At the end of a day, you're just not paying for a device, but a service. Part of that service might include many things, including someone else doing the vetting of what software is and isn't safe. I own an iPhone with the full understanding that it's locked down and inside a "walled garden". But you know what, I love that garden. Because at the end of the day, it's just a damned phone that's a tool more than anything else.

      Don't like walled gardens, then don't support a company that enforces them. It's that simple. Just don't write them off as useless especially when the agreement is mutual between the vendor and consumer.

      --
      Life is not for the lazy.
    3. Re:The garden wall provides no safety. by MobyDisk · Score: 2

      What does Google do once they find this? The walled garden requires, in theory, that you know who the author is. Does Google try to prosecute the hackers? Of all the companies on Earth who should be able to track someone down, Google and Facebook seem like they could do it.

  2. Reviews for the app by MobyDisk · Score: 3, Funny

    The reviews for the app reveal several levels of stupidity:
    Reviewer 1: "Just started using still unknown"
    Reviewer 2: "you are asking me and I just now installed the app"
    ^^^ Facepalm 1: Then why did you post the review??
    ^^^ Facepalm 2: Why does Android prompt people to review apps just after they installed them?

    Reviewer 3: "Thanksgiving"
    Reviewer 4: "Totally awesome"
    ^^ WTH?

  3. Clever girl by thomn8r · Score: 2

    The VW emissions trick worked in a similar fashion: it detected the lack of certain control inputs to figure out if it was being tested.

  4. It's not the OS but the input by tepples · Score: 3, Interesting

    This isn't possible with iOS because both simulator and phone run the same OS: MAC OS

    It's not about the operating system. If I run an Android device simulator under GNU/Linux, it's still Linux on the outside and Linux on the inside. It's about using motion input to distinguish a physically mobile device from one chained to a desk or a server rack. To put it another way: To what extent does running an app in the simulator on an iMac produce motion inputs indistinguishable from those of an iPhone? It'd have to produce, say, minute motions of the device itself when its screen is tapped.
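
Added example, not part of the thread or the Trend Micro report: a sketch of what an analysis sandbox would need to feed its emulated accelerometer so that it looks hand-held, including the tap-correlated jolt mentioned in the last comment. Every amplitude, frequency and name here is an illustrative assumption, and wiring the samples into a particular emulator's sensor interface is left out.

```python
import math
import random

G = 9.81  # standard gravity, m/s^2

def synth_accel(duration_s, rate_hz, tap_times, seed=0):
    """Constructed (t, x, y, z) accelerometer samples for a hand-held phone.

    All magnitudes are illustrative assumptions: gravity split across y/z for
    a ~40 degree tilt, slow postural drift, ~9 Hz hand tremor, Gaussian sensor
    noise, and a short damped oscillation on z after each screen tap.
    """
    rng = random.Random(seed)
    samples = []
    for i in range(int(duration_s * rate_hz)):
        t = i / rate_hz
        tilt = math.radians(40) + 0.03 * math.sin(2 * math.pi * 0.2 * t)
        x = 0.05 * math.sin(2 * math.pi * 9.0 * t) + rng.gauss(0, 0.02)
        y = G * math.sin(tilt) + rng.gauss(0, 0.02)
        z = G * math.cos(tilt) + rng.gauss(0, 0.02)
        for tap in tap_times:
            dt = t - tap
            if 0 <= dt < 0.25:  # tap impulse rings out within 250 ms
                z -= 0.6 * math.exp(-dt / 0.05) * math.cos(2 * math.pi * 25 * dt)
        samples.append((t, x, y, z))
    return samples

def magnitude_stddev(samples):
    """Std-dev of |a|; ~0 means the sensor reports a perfectly still device."""
    mags = [math.sqrt(x * x + y * y + z * z) for _, x, y, z in samples]
    mean = sum(mags) / len(mags)
    return math.sqrt(sum((m - mean) ** 2 for m in mags) / len(mags))

def z_peak_to_peak(samples, start_s, end_s):
    """Range of z within [start_s, end_s): exposes the tap-correlated jolt."""
    zs = [z for t, _, _, z in samples if start_s <= t < end_s]
    return max(zs) - min(zs)

# Constructed comparison: a default "device on a desk" trace vs. the synthetic one.
STATIC = [(i / 100, 0.0, G, 0.0) for i in range(300)]
HANDHELD = synth_accel(3.0, 100, tap_times=[1.0, 2.2])

if __name__ == "__main__":
    print("static   stddev:", magnitude_stddev(STATIC))
    print("handheld stddev:", round(magnitude_stddev(HANDHELD), 4))
    print("z range after tap :", round(z_peak_to_peak(HANDHELD, 1.0, 1.25), 3))
    print("z range, no touch :", round(z_peak_to_peak(HANDHELD, 0.3, 0.55), 3))
```

The tap times passed to `synth_accel` have to match the moments the sandbox actually injects touch events, otherwise the jolt and the tap are uncorrelated and the trace is still distinguishable from a real device.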