Slashdot Mirror


Google Play Caught Hosting An App That Steals Users' Cryptocurrency (arstechnica.com)

The Google Play Store has been caught hosting an app designed to steal cryptocurrency from unwitting end users, according to researchers with Eset security company. "The malware, which masqueraded as a legitimate cryptocurrency app, worked by replacing wallet addresses copied into the Android clipboard with one belonging to attackers," reports Ars Technica. "As a result, people who intended to use the app to transfer digital coins into a wallet of their choosing would instead deposit the funds into a wallet belonging to the attackers." From the report: So-called clipper malware has targeted Windows users since at least 2017. The clipper malware available in Google Play impersonated a service called MetaMask, which is designed to allow browsers to run apps that work with the digital coin Ethereum. The primary purpose of Android/Clipper.C, as Eset has dubbed the malware, was to steal credentials needed to gain control of Ethereum funds. It also replaced both bitcoin and Ethereum wallet addresses copied to the clipboard with ones belonging to the attackers. Eset spotted the app shortly after its introduction to Google Play on February 1. Google has since removed it. Stefanko said it's the first time clipper malware has been hosted in the Android app bazaar. Eset malware researcher Lukas Stefanko wrote: "This attack targets users who want to use the mobile version of the MetaMask service, which is designed to run Ethereum decentralized apps in a browser, without having to run a full Ethereum node. However, the service currently does not offer a mobile app -- only add-ons for desktop browsers such as Chrome and Firefox. Several malicious apps have been caught previously on Google Play impersonating MetaMask. However, they merely phished for sensitive information with the goal of accessing the victims' cryptocurrency funds."

66 comments

  1. Ergo... by Anonymous Coward · · Score: 0

    OH noeeeSss1!!11 gogggle play Iss EVIl1I111!!1
     
    beauhd
      ##$senior$$$editor$##

  2. Caught by Luthair · · Score: 3, Insightful

    implies they were somehow supposed to know.

    1. Re: Caught by Rockoon · · Score: 1

      I know I expect every app to always be available without a man in the idle attack.

      Even if the app *is* the man in the middle?

      Yeah you went there. You decided that this wasn't the problem.

      --
      "His name was James Damore."
    2. Re: Caught by Anonymous Coward · · Score: 0

      He said man in the idle attack, learn to read.

    3. Re: Caught by Anonymous Coward · · Score: 0

      Google doesn't review the source code of submitted apps, nor does Apple. Apple was recently "caught" hosting apps that do unauthorized screenshots (and not the first time either, previously Apple was caught giving the Uber app permission to do unauthorized screenshots). What happens on your iPhone is not going to stay on your iPhone.

    4. Re: Caught by Anonymous Coward · · Score: 1

      So Google Voice shouldn't be a dialer from the phone book? Ad blockers should all be banned? All VPN apps should be removed?

      You didn't think this through, did you.

    5. Re: Caught by Anonymous Coward · · Score: 0

      Dumbass. I assumed incorrectly that google play was a safe place.

    6. Re: Caught by Anonymous Coward · · Score: 0

      Funny. I don't see the app the malware was covering. Anyone got a link?

    7. Re:Caught by drinkypoo · · Score: 3, Insightful

      They were. The Play Store is supposed to be curated.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    8. Re:Caught by DNS-and-BIND · · Score: 1

      Well, the journalist has to do that, to get the clicks. The author used to work for the Associated Press and has a master's in journalism from Berkeley. He knows what he's doing and how to do it. Remember the days when journalists were about truth and were on our side?

      --
      Shutting down free speech with violence isn't fighting fascism. It IS fascism!
    9. Re:Caught by Anonymous Coward · · Score: 0

      But... but.... Open Sores!!!!!!

      Teh wall gardin is ebil!!!11111!!! only Open Sores can save us all!!!!

    10. Re:Caught by Luthair · · Score: 1

      Nope.

    11. Re:Caught by alvinrod · · Score: 2

      This is an age old problem. It doesn't matter how good your defenses are because they need to focus on the hundreds or thousands of adversarial actors and stop all of them. An attacker need not divide its efforts or attention and will eventually be able to sneak through. You can't rely on anyone else to provide you with perfect security. It's simply unobtainable and believing that you can have it is only leaving yourself vulnerable. Personal vigilance will always be necessary in order to minimize your own exposure.

    12. Re: Caught by Anonymous Coward · · Score: 0

      What kind of fool wasted time writing such an app? Imagine if they wrote something that did calculations or something people would buy

    13. Re:Caught by drinkypoo · · Score: 1

      Nope.

      Please explain "Play Protect"

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    14. Re:Caught by drinkypoo · · Score: 1

      This is why app stores are bad. They can't (google) or won't (apple) put in the effort to properly vet all the apps, but the fact that they are in an app store lends them an undeserved legitimacy. The vendors have to drive traffic to their app store to make money, so it's not in their best interest to be too exclusive. Both Apple and Google have delivered malware via their app stores, and so has Microsoft for that matter, so this is a universal problem. With Google or Microsoft, at least you're not forced to use their app store. You can still use the old-fashioned method of going directly to trusted distributors.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    15. Re:Caught by CaptainDork · · Score: 1

      This.

      CaptainDork's 17th Corollary: "For every motherfucker out there with a computer, there's another motherfucker out there with a computer."

      There's no computational hierarchy such as "commercial," vs "residential" or "government" vs "civilian."

      It's the same goddam hardware/software all the fucking way down.

      --
      It little behooves the best of us to comment on the rest of us.
    16. Re:Caught by Anonymous Coward · · Score: 0

      With as much money/power as they have you would think Google could vet all apps at least to a minimal standard. I mean freaking wannabe Apple at least tries to do it.

    17. Re:Caught by Anonymous Coward · · Score: 0

      The level of scrutiny you want would lead to no third party apps ever being published.

    18. Re: Caught by Anonymous Coward · · Score: 0

      True. While reviewing the source code would catch sloppy and obvious abuses, and that alone might be desirable, there's plenty of ways to obfuscate code and no guaranteed way to ensure an app is "safe".

    19. Re:Caught by Luthair · · Score: 1

      Play Protect is for malware which is software that attempts to compromise the system. How the fuck is what amounts to an anti-virus scanner supposed to detect an application that doesn't work as advertised? Was Google (or Apple) supposed to do a code audit? Are application developers going to pay Apple/Google 10s of thousands of dollars to do this for every patch?

      I guess it's too much to ask for some common sense about technology even on Slashdot these days.

    20. Re:Caught by Anonymous Coward · · Score: 0

      Play Protect wouldn't exist if the Play Store was curated, dumbass.

    21. Re:Caught by drinkypoo · · Score: 2

      Play Protect is for malware which is software that attempts to compromise the system. How the fuck is what amounts to an anti-virus scanner supposed to detect an application that doesn't work as advertised? Was Google (or Apple) supposed to do a code audit?

      According to Google's page on Play Protect, "All Android apps undergo rigorous security testing before appearing in the Google Play Store. We vet every app and developer in Google Play, and suspend those who violate our policies. Then, Play Protect scans billions of apps daily to make sure everything remains spot on. That way, no matter where you download an app from, you know it's been checked by Google Play Protect." And also:

      How can I protect my device from harmful apps?

      First, make sure you're downloading all apps from trusted sources like the Google Play Store.

      Google claims they do precisely what you say they cannot do. They need to make up their mind whether they do "rigorous security testing" or not, and whether google play protect actually protects users from malware or not. From what I can tell, they do not, and it does not, but they certainly claim that it does, and that it does.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    22. Re:Caught by drinkypoo · · Score: 1

      The level of scrutiny you want would lead to no third party apps ever being published.

      It would probably require that full sources be sent to the app store vendor, and the software compiled by them for distribution. You know, like with an Ubuntu PPA. Of course, you then have to trust the vendor not to rip off your sources — but if you don't trust Google, you're already not selling through their app store, right?

      One way to handle that trust issue would be to offer verification as an optional feature, with the caveat that users would be able to search for only verified apps. Since Android users are not forced to install only apps from the app store, those who would be unwilling to download non-source-verified apps from the Play Store could still get apps from popular, trusted vendors such as Autodesk or [amusingly] Adobe, and sideload them. Developers who didn't want to provide sources to Google could choose between competing with source-verified apps in the Google Play Store, and competing with the Play Store itself by hosting the apps on their own sites.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    23. Re:Caught by HarrySquatter · · Score: 1

      What is untruthful in the story?

    24. Re:Caught by DNS-and-BIND · · Score: 1

      He said "caught" like it was a crime or something. Needlessly sensational, but that's journalism for you.

      --
      Shutting down free speech with violence isn't fighting fascism. It IS fascism!
    25. Re: Caught by Anonymous Coward · · Score: 0

      They can check for activity that attacks the operating system or, as Apple does, makes private API calls. But, how would they know the actual behavior of the app is doing something nefarious? Are we expecting them to vet the behavior against every app in the Play store?

    26. Re:Caught by thegarbz · · Score: 1

      One of the wonderful things about testing for unknowns is that you need to have a testing methodology designed to detect the thing you don't know is happening. Play Protect or any curation system can't ever detect all possible nefarious actions by apps. It can only detect the ones that are known and scanned for.

      Stop pretending a curated experience is something it's not. If you want a white list, then just download apps listed as "Google LLC".

    27. Re:Caught by drinkypoo · · Score: 1

      I'm not the one pretending. Google is. They're the ones saying their vetting process keeps users safe.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    28. Re:Caught by Anonymous Coward · · Score: 0

      Yeah, sort of like the apps that were just caught doing screen recording for who the hell knows how long, capturing passwords and banking information. Oh wait, that wasn't the play store. Way to protect your users.

    29. Re:Caught by thewolfkin · · Score: 1

      Play Protect wouldn't exist if the Play Store was curated, dumbass.

      Just because you pick a good looking app doesn't mean you don't test it to make sure nothing's wrong.

      --
      Just another second banana
    30. Re:Caught by thewolfkin · · Score: 1

      The level of scrutiny you want would lead to no third party apps ever being published.

      It would probably require that full sources be sent to the app store vendor, and the software compiled by them for distribution. You know, like with an Ubuntu PPA. Of course, you then have to trust the vendor not to rip off your sources — but if you don't trust Google, you're already not selling through their app store, right?

      One way to handle that trust issue would be to offer verification as an optional feature, with the caveat that users would be able to search for only verified apps. Since Android users are not forced to install only apps from the app store, those who would be unwilling to download non-source-verified apps from the Play Store could still get apps from popular, trusted vendors such as Autodesk or [amusingly] Adobe, and sideload them. Developers who didn't want to provide sources to Google could choose between competing with source-verified apps in the Google Play Store, and competing with the Play Store itself by hosting the apps on their own sites.

      that's how sponsored malware happens. Oh this one was compiled by google do you know it has the google search bar built in regardless of how annoying that is.

      --
      Just another second banana
    31. Re:Caught by Anonymous Coward · · Score: 0

      And if they vetted out gazillion and one got through, you are going to say they aren't keeping user safe? If no, then what is your number that Google is doing what they say they are?

      No software company can keep user completely safe other than user unplug themselves from the internet and turn off the machine

    32. Re:Caught by drinkypoo · · Score: 1

      that's how sponsored malware happens. Oh this one was compiled by google do you know it has the google search bar built in regardless of how annoying that is.

      Nice FUD you've got there. Google doesn't need to build the search bar into your app, because they already have it built into their OS. If anything, the fear should be that they would include telemetry, but it would make more sense to build that into their OS, too. They could already be recording your activity and sending it home if they wanted to, but then they would probably get caught, so even if they want to they probably won't do that.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    33. Re: Caught by Anonymous Coward · · Score: 0

      LOL. You have jumped the shark.

      A kid got caught sticking his finger in a socket. Is that a crime? You are a snowflake moron. Caught != a crime was committed.

    34. Re:Caught by thewolfkin · · Score: 1

      that's how sponsored malware happens. Oh this one was compiled by google do you know it has the google search bar built in regardless of how annoying that is.

      Nice FUD you've got there. Google doesn't need to build the search bar into your app, because they already have it built into their OS. If anything, the fear should be that they would include telemetry, but it would make more sense to build that into their OS, too. They could already be recording your activity and sending it home if they wanted to, but then they would probably get caught, so even if they want to they probably won't do that.

      I wasn't literally talking about a search bar. That would make no sense both for a mobile program and for Android/Google. I was using it to reference the way apps often come bundled with things like a search bar. My point was that when you force an organization to compile it themselves what tends to happen is that eventually they start injecting their own stuff in there.

      --
      Just another second banana
    35. Re:Caught by thegarbz · · Score: 1

      Google is not pretending. They did not say anywhere on their site they capture 100% of all malware as well as vet the nefarious actions of all possible malevolent developers.

      Stop pretending Google said they do something they don't.

  3. That's what they get the egregious 30% for by Anonymous Coward · · Score: 0

    Give people their money back and deal with the problem, then. That's why these appstores get the big markup they do.

  4. Appy app apps by Anonymous Coward · · Score: 0

    Apps literally exist because corps found the web sandbox too restrictive, and wanted to suck up vastly more data (especially accurate location data).
    All "apps" are malware.

    1. Re:Appy app apps by drinkypoo · · Score: 1

      Apps literally exist because corps found the web sandbox too restrictive, and wanted to suck up vastly more data (especially accurate location data).

      Applications existed before the web did. What are you on about?

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    2. Re:Appy app apps by Anonymous Coward · · Score: 0

      Don't play stupid with me. These aren't applications, they're "apps".
      A particular form of software, served from a store, with uniform visual branding, and launch icons.

      It's commodified software for retards, and the normalization of not being in control of your own hardware.
      Too stupid for GNU/Linux package managers, too stupid for the web, too stupid to be trusted with random windows .exe, just about able to stab an icon on a touchscreen, and install the top 10 malware "apps".

    3. Re:Appy app apps by drinkypoo · · Score: 1

      Don't play stupid with me. These aren't applications, they're "apps".

      Quick quiz, hotshot. What is "apps" short for?

      It's commodified software for retards, and the normalization of not being in control of your own hardware.

      As opposed to webapps, where you're not in control of your own data?

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    4. Re:Appy app apps by Anonymous Coward · · Score: 0

      App (noun)
      1. (archaic) Short form of application. Software from before computers were pozzed.
      2. A Trojan horse malware piece of shit for phonetards, and winbabbies.

      Webapps are shit too. Everything should be local storage. The idea of cloud office "apps" is a fucking joke. Electron developers should be gassed while being hung, and shot.

    5. Re:Appy app apps by Anonymous Coward · · Score: 0

      Apps existed before the app store. What kind of weird "web sandbox" shit are you talking about?

    6. Re: Appy app apps by Anonymous Coward · · Score: 0

      Yeah what the hell. I will browse for and get whatever I want and there is no App Store Eula that says otherwise. End of story

    7. Re:Appy app apps by Anonymous Coward · · Score: 0

      The internet was infinitely better before people like you were allowed to use it.
      Phones have lowered the barrier to entry, and now we have to acknowledge that inbred flyover retards like you actually exist.
      Now the question is how do we get rid of you.

    8. Re:Appy app apps by AHuxley · · Score: 1

      The "a" in apps is for ads.

      --
      Domestic spying is now "Benign Information Gathering"
    9. Re:Appy app apps by Luthair · · Score: 1

      Apple actually launched the original iPhone without apps and expected people to use web apps originally. Obviously this made it a dumb phone with a web browser and people wouldn't have it. https://9to5mac.com/2011/10/21...

  5. creimette by Anonymous Coward · · Score: 0

    seen frantically hiding his silver coin stacks

  6. What is "apps" short for? by Anonymous Coward · · Score: 0

    A
    Poor
    Program
    Substitute

  7. I never MetaMask ... by CaptainDork · · Score: 1

    ... that I didn't like.

    --
    It little behooves the best of us to comment on the rest of us.
  8. Android should never be considered secure. by Anonymous Coward · · Score: 0

    I don't leave valuable data on my phone and everything I do using it takes its utter insecurity into account.
    Part of good security practice is not wanting what you cannot have and minimizing your exposure. The only email account linked to my phone is expendable and besides voice, SMS and navigation my phone gets little use. I never use it for online shopping.

    1. Re:Android should never be considered secure. by Luthair · · Score: 1

      This has nothing to do with the security of Android, it has to do with users downloading a random fucking application that dealt with money. Would you download some random PayPal alternative and put your credit card in it?

  9. When did app stores begin? by tepples · · Score: 1

    Applications existed before the web did.

    Correct. But did an app store, which I define as an interactive package manager for optionally proprietary, optionally commercial, downloadable applications on residential computing devices, predate the web?

    1. Re:When did app stores begin? by drinkypoo · · Score: 1

      Correct. But did an app store, which I define as an interactive package manager for optionally proprietary, optionally commercial, downloadable applications on residential computing devices, predate the web?

      Not to my knowledge, although one of the corporate BBSes (like Prodigy or GEnie) might have had some of that kind of functionality, and I could be unaware of it. But what does any of this have to do with whether it makes sense to run applications on one's computer?

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    2. Re:When did app stores begin? by tepples · · Score: 1

      But what does any of this have to do with whether it makes sense to run applications on one's computer?

      I was seeing if I could rescue some underlying point from Anonymous Coward's comment despite its (mis)use of the term "apps" to mean "applications downloaded from an app store". With "apps" redefined thus, the claim becomes as follows:

      On devices whose OS ships with both a web browser and a client to download paid applications from a repository, native applications exist because corporations found the web sandbox too restrictive, and wanted to suck up vastly more data (especially accurate location data). All applications in those repositories are malware.

    3. Re:When did app stores begin? by drinkypoo · · Score: 1

      I assumed they were talking about the early days of iOS, when everything was supposed to run in a browser. Ironically, this might actually work today, because the browser now has more functionality, but at the time it was totally ridiculous.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  10. Krypto Kurrency by Anonymous Coward · · Score: 0

    Make Greed Great Again(TM).

  11. lol by Anonymous Coward · · Score: 0

    good

    turdcoin lol