Google Play Caught Hosting An App That Steals Users' Cryptocurrency (arstechnica.com)

← Back to Stories (view on slashdot.org)

Google Play Caught Hosting An App That Steals Users' Cryptocurrency (arstechnica.com)

Posted by BeauHD on Sunday February 10, 2019 @08:20AM from the here-we-go-again dept.

The Google Play Store has been caught hosting an app designed to steal cryptocurrency from unwitting end users, according to researchers with Eset security company. "The malware, which masqueraded as a legitimate cryptocurrency app, worked by replacing wallet addresses copied into the Android clipboard with one belonging to attackers," reports Ars Technica. "As a result, people who intended to use the app to transfer digital coins into a wallet of their choosing would instead deposit the funds into a wallet belonging to the attackers." From the report: So-called clipper malware has targeted Windows users since at least 2017. The clipper malware available in Google Play impersonated a service called MetaMask, which is designed to allow browsers to run apps that work with the digital coin Ethereum. The primary purpose of Android/Clipper.C, as Eset has dubbed the malware, was to steal credentials needed to gain control of Ethereum funds. It also replaced both bitcoin and Ethereum wallet addresses copied to the clipboard with ones belonging to the attackers. Eset spotted the app shortly after its introduction to Google Play on February 1. Google has since removed it. Stefanko said it's the first time clipper malware has been hosted in the Android app bazaar. Eset malware researcher Lukas Stefanko wrote: "This attack targets users who want to use the mobile version of the MetaMask service, which is designed to run Ethereum decentralized apps in a browser, without having to run a full Ethereum node. However, the service currently does not offer a mobile app -- only add-ons for desktop browsers such as Chrome and Firefox. Several malicious apps have been caught previously on Google Play impersonating MetaMask. However, they merely phished for sensitive information with the goal of accessing the victims' cryptocurrency funds."

32 of 66 comments (clear)

Min score:

Reason:

Sort:

Caught by Luthair · 2019-02-10 08:43 · Score: 3, Insightful

implies they were somehow supposed to know.
1. Re: Caught by Rockoon · 2019-02-10 08:47 · Score: 1
  
  I know I expect every app to always be available without a man in the idle attack.
  
  Even if the app *is* the man in the middle?
  
  Yeah you went there. You decided that this wasnt the problem.
  
  --
  "His name was James Damore."
2. Re: Caught by Anonymous Coward · 2019-02-10 09:11 · Score: 1
  
  So Google Voice shouldn't be a dialer from the phone book? Ad blockers should all be banned? All VPN apps should be removed?
  You didn't think this through, did you.
3. Re:Caught by drinkypoo · 2019-02-10 09:40 · Score: 3, Insightful
  
  They were. The Play Store is supposed to be curated.
  
  --
  "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
4. Re:Caught by DNS-and-BIND · 2019-02-10 09:44 · Score: 1
  
  Well, the journalist has to do that, to get the clicks. The author used to work for the Associated Press and has a master's in journalism from Berkeley. He knows what he's doing and how to do it. Remember the days when journalists were about truth and were on our side?
  
  --
  Shutting down free speech with violence isn't fighting fascism. It IS fascism!
5. Re:Caught by Luthair · 2019-02-10 10:00 · Score: 1
  
  Nope.
6. Re:Caught by alvinrod · 2019-02-10 10:04 · Score: 2
  
  This is an age old problem. It doesn't matter how good your defenses are because they need to focus on the hundreds or thousands of adversarial actors and stop all of them. An attacker need not divide its efforts or attention and will eventually be able to sneak through. You can't rely on anyone else to provide you with perfect security. It's simply unobtainable and believing that you can have it is only leaving yourself vulnerable. Personal vigilance will always be necessary in order to minimize your own exposure.
7. Re:Caught by drinkypoo · 2019-02-10 10:25 · Score: 1
  
  Nope.
  Please explain "Play Protect"
  
  --
  "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
8. Re:Caught by drinkypoo · 2019-02-10 10:35 · Score: 1
  
  This is why app stores are bad. They can't (google) or won't (apple) put in the effort to properly vet all the apps, but the fact that they are in an app store lends them an undeserved legitimacy. The vendors have to drive traffic to their app store to make money, so it's not in their best interest to be too exclusive. Both Apple and Google have delivered malware via their app stores, and so has Microsoft for that matter, so this is a universal problem. With Google or Microsoft, at least you're not forced to use their app store. You can still use the old-fashioned method of going directly to trusted distributors.
  
  --
  "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
9. Re:Caught by CaptainDork · 2019-02-10 10:48 · Score: 1
  
  This.
  CaptainDork's 17th Corollary: "For every motherfucker out there with a computer, there's another motherfucker out there with a computer."
  There's no computational hierarchy such as "commercial," vs "residential" or "government" vs "civilian."
  It's the same goddam hardware/software all the fucking way down.
  
  --
  It little behooves the best of us to comment on the rest of us.
10. Re:Caught by Luthair · 2019-02-10 14:01 · Score: 1
  
  Play Protect is for malware which is software that attempts to compromise the system. How the fuck is what amounts to an anti-virus scanner supposed to detect an application that doesn't work as advertised? Was Google (or Apple) supposed to do a code audit? Are application developers going to pay Apple/Google 10s of thousands of dollars to do this for every patch?
  I guess its too much to ask for some common sense about technology even on Slashdot these days.
11. Re:Caught by drinkypoo · 2019-02-10 15:36 · Score: 2
  
  Play Protect is for malware which is software that attempts to compromise the system. How the fuck is what amounts to an anti-virus scanner supposed to detect an application that doesn't work as advertised? Was Google (or Apple) supposed to do a code audit?
  According to Google's page on Play Protect, "All Android apps undergo rigorous security testing before appearing in the Google Play Store. We vet every app and developer in Google Play, and suspend those who violate our policies. Then, Play Protect scans billions of apps daily to make sure everything remains spot on. That way, no matter where you download an app from, you know itâ(TM)s been checked by Google Play Protect." And also:
  
  How can I protect my device from harmful apps?
  First, make sure youâ(TM)re downloading all apps from trusted sources like the Google Play Store.
  
  Google claims they do precisely what you say they cannot do. They need to make up their mind whether they do "rigorous security testing" or not, and whether google play protect actually protects users from malware or not. From what I can tell, they do not, and it does not, but they certainly claim that it does, and that it does.
  
  --
  "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
12. Re:Caught by drinkypoo · 2019-02-10 15:51 · Score: 1
  
  The level of scrutiny you want would lead to no third party apps ever being published.
  It would probably require that full sources be sent to the app store vendor, and the software compiled by them for distribution. You know, like with an Ubuntu PPA. Of course, you then have to trust the vendor not to rip off your sources — but if you don't trust Google, you're already not selling through their app store, right?
  One way to handle that trust issue would be to offer verification as an optional feature, with the caveat that users would be able to search for only verified apps. Since Android users are not forced to install only apps from the app store, those who would be unwilling to download non-source-verified apps from the Play Store could still get apps from popular, trusted vendors such as Autodesk or [amusingly] Adobe, and sideload them. Developers who didn't want to provide sources to Google could choose between competing with source-verified apps in the Google Play Store, and competing with the Play Store itself by hosting the apps on their own sites.
  
  --
  "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
13. Re:Caught by HarrySquatter · 2019-02-10 16:51 · Score: 1
  
  What is untruthful in the story?
14. Re:Caught by DNS-and-BIND · 2019-02-10 17:01 · Score: 1
  
  He said "caught" like it was a crime or something. Needlessly sensational, but that's journalism for you.
  
  --
  Shutting down free speech with violence isn't fighting fascism. It IS fascism!
15. Re:Caught by thegarbz · 2019-02-10 22:12 · Score: 1
  
  One of the wonderful things about testing for unknowns is that you need to have a testing methodology designed to detect the thing you don't know is happening. Play Protect or any curation system can't ever detect all possible nefarious actions by apps. It can only detect the ones that are known and scanned for.
  Stop pretending a curated experience is something it's not. If you want a white list, then just download apps listed as "Google LLC".
16. Re:Caught by drinkypoo · 2019-02-11 02:09 · Score: 1
  
  I'm not the one pretending. Google is. They're the ones saying their vetting process keeps users safe.
  
  --
  "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
17. Re:Caught by thewolfkin · 2019-02-11 03:04 · Score: 1
  
  Play Protect wouldn't exist if the Play Store was curated, dumbass.
  just because youpick a good looking app doesn't mean you don't test it to make sure nothing's wrong.
  
  --
  Just another second banana
18. Re:Caught by thewolfkin · 2019-02-11 03:06 · Score: 1
  
  The level of scrutiny you want would lead to no third party apps ever being published.
  It would probably require that full sources be sent to the app store vendor, and the software compiled by them for distribution. You know, like with an Ubuntu PPA. Of course, you then have to trust the vendor not to rip off your sources — but if you don't trust Google, you're already not selling through their app store, right?
  One way to handle that trust issue would be to offer verification as an optional feature, with the caveat that users would be able to search for only verified apps. Since Android users are not forced to install only apps from the app store, those who would be unwilling to download non-source-verified apps from the Play Store could still get apps from popular, trusted vendors such as Autodesk or [amusingly] Adobe, and sideload them. Developers who didn't want to provide sources to Google could choose between competing with source-verified apps in the Google Play Store, and competing with the Play Store itself by hosting the apps on their own sites.
  that's how sponsored malware happens. Oh this one was compiled by google do you know it has the google search bar built in regardless of how annoying that is.
  
  --
  Just another second banana
19. Re:Caught by drinkypoo · 2019-02-11 04:54 · Score: 1
  
  that's how sponsored malware happens. Oh this one was compiled by google do you know it has the google search bar built in regardless of how annoying that is.
  Nice FUD you've got there. Google doesn't need to build the search bar into your app, because they already have it built into their OS. If anything, the fear should be that they would include telemetry, but it would make more sense to build that into their OS, too. They could already be recording your activity and sending it home if they wanted to, but then they would probably get caught, so even if they want to they probably won't do that.
  
  --
  "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
20. Re:Caught by thewolfkin · 2019-02-11 13:26 · Score: 1
  
  that's how sponsored malware happens. Oh this one was compiled by google do you know it has the google search bar built in regardless of how annoying that is.
  Nice FUD you've got there. Google doesn't need to build the search bar into your app, because they already have it built into their OS. If anything, the fear should be that they would include telemetry, but it would make more sense to build that into their OS, too. They could already be recording your activity and sending it home if they wanted to, but then they would probably get caught, so even if they want to they probably won't do that.
  I wasn't literally talking about a search bar. That would make no sense both for a mobile program and for android/google. I was using it to reference the way apps often com bundled with things like a search bar. my point was that when you force an organization to compile it themselves what tends to happen is that eventually they start injecting their own stuff in there.
  
  --
  Just another second banana
21. Re:Caught by thegarbz · 2019-02-12 03:15 · Score: 1
  
  Google is not pretending. They did not say anywhere on their site they capture 100% of all malware as well as vet the nefarious actions of all possible malevolent developers.
  Stop pretending Google said they do something they don't.
Re:Appy app apps by drinkypoo · 2019-02-10 09:48 · Score: 1

Apps literally exist because corps found the web sandbox too restrictive, and wanted to suck up vastly more data (especially accurate location data).
Applications existed before the web did. What are you on about?

--
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
Re:Appy app apps by drinkypoo · 2019-02-10 10:19 · Score: 1

Don't play stupid with me. These aren't applications, they're "apps".
Quick quiz, hotshot. What is "apps" short for?

It's commodified software for retards, and the normalization of not being in control of your own hardware.
As opposed to webapps, where you're not in control of your own data?

--
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
I never MetaMask ... by CaptainDork · 2019-02-10 10:42 · Score: 1

... that I didn't like.

--
It little behooves the best of us to comment on the rest of us.
Re:Appy app apps by AHuxley · 2019-02-10 12:04 · Score: 1

The "a" in apps is for ads.

--
Domestic spying is now "Benign Information Gathering"
When did app stores begin? by tepples · 2019-02-10 12:38 · Score: 1

Applications existed before the web did.

Correct. But did an app store, which I define as an interactive package manager for optionally proprietary, optionally commercial, downloadable applications on residential computing devices, predate the web?
1. Re:When did app stores begin? by drinkypoo · 2019-02-10 17:43 · Score: 1
  
  Correct. But did an app store, which I define as an interactive package manager for optionally proprietary, optionally commercial, downloadable applications on residential computing devices, predate the web?
  Not to my knowledge, although one of the corporate BBSes (like Prodigy or GEnie) might have had some of that kind of functionality, and I could be unaware of it. But what does any of this have to do with whether it makes sense to run applications on one's computer?
  
  --
  "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
2. Re:When did app stores begin? by tepples · 2019-02-11 02:44 · Score: 1
  
  But what does any of this have to do with whether it makes sense to run applications on one's computer?
  I was seeing if I could rescue some underlying point from Anonymous Coward's comment despite its (mis)use of the term "apps" to mean "applications downloaded from an app store". With "apps" redefined thus, the claim becomes as follows:
  On devices whose OS ships with both a web browser and a client to download paid applications from a repository, native applications exist because corporations found the web sandbox too restrictive, and wanted to suck up vastly more data (especially accurate location data). All applications in those repositories are malware.
3. Re:When did app stores begin? by drinkypoo · 2019-02-11 02:54 · Score: 1
  
  I assumed they were talking about the early days of iOS, when everything was supposed to run in a browser. Ironically, this might actually work today, because the browser now has more functionality, but at the time it was totally ridiculous.
  
  --
  "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
Re:Appy app apps by Luthair · 2019-02-10 14:05 · Score: 1

Apple actually launched the original iphone without apps and expected people to use web apps originally. Obviously this made it a dumb phone with a web browser and people wouldn't have it. https://9to5mac.com/2011/10/21...
Re:Android should never be considered secure. by Luthair · 2019-02-10 14:11 · Score: 1

This has nothing to do with the security of Android, it has to do with users downloading a random fucking application that dealt with money. Would you download some random PayPal alternative and put your credit card in it?