

Android phone users have been struck by repackaged apps with malicious code injected inside. These clones of popular apps received over 50,000 downloads in only 4 days. The apps, which were all from a single publisher, have since been removed. (Source: Android Police)
The bad news is that many users may have been exploited; the good news is the apps were quickly pulled when reported.

Apple goes through apps with a fine-tooth comb. While it turns a blind eye to certain practices (data mining), it delights in playing moral police and banning apps which may be malicious or infringing on others' content (for example, reskins/repackages of popular apps). This has outraged many.

Google, by contrast, is much looser in app approvals. While it ostensibly screens for malicious apps, much of its screening is autonomous. As a result, some developers have taken to grabbing images and code from a popular app, repackaging it, and republishing it for profit and glory. While this practice is rather disturbing from a developer perspective, more disturbing still is the malware that's sneaking into the Android Marketplace.

I. A BIG Trojan -- The Bad News

Android site Android Police has stumbled upon what appears to be a massive attack against the Android user base, preying on Google's loose app screening. The attack was first noticed by Reddit user "lompolo" who writes that an Android app publisher by the name of "myournet" has taken "21 popular free apps from the market, injected root exploits into them and republished."  The user notes that the apps recorded "50k-200k downloads combined in 4 days."

The apps appear to contain the "rageagainstthecage" exploit, which can be used to grant apps root access to the user's phone. To add insult to injury, another APK inside the trojan grabs the user's product ID, model, partner (provider?), language, country, and userID. The code also offers support for downloading and executing future code.

According to Android Police, the app was sending information to "http://184.105.245.17:8080/GMServer/GMServlet", an IP address which appears to be hosted in Fremont, CA.

At the end of the day over 50,000 Android users likely have had some of their information stolen and their phones compromised.
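As an added example (not code from the article or from Android Police), the following Python scans outbound web-proxy logs for the endpoint quoted above and lists the devices that contacted it. The log format, the sample lines and the broader heuristic for uploads to a bare IP on a non-web port are assumptions made for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Endpoint quoted in the article.
IOC = ("184.105.245.17", 8080, "/GMServer/GMServlet")

# Constructed sample in a hypothetical "time client method url" log format.
SAMPLE_LOG = """\
2011-03-01T10:02:11Z 10.0.0.21 GET http://www.example.com/index.html
2011-03-01T10:02:15Z 10.0.0.21 POST http://184.105.245.17:8080/GMServer/GMServlet
2011-03-01T10:03:40Z 10.0.0.35 POST http://192.0.2.44:8081/upload
2011-03-01T10:04:02Z 10.0.0.35 GET http://192.0.2.10/logo.png
malformed entry
"""

def classify(method, url):
    """Return 'ioc', 'suspicious' or None for one outbound request."""
    try:
        parts = urlsplit(url)
        host = parts.hostname or ""
        port = parts.port or (443 if parts.scheme == "https" else 80)
    except ValueError:          # unparsable URL or port
        return None
    if (host, port) == IOC[:2] and parts.path.startswith(IOC[2]):
        return "ioc"
    try:
        ipaddress.ip_address(host)
    except ValueError:          # a DNS name, not a bare IP literal
        return None
    # Heuristic (assumption): uploads to a raw IP on a non-web port deserve a look.
    if method == "POST" and port not in (80, 443):
        return "suspicious"
    return None

def scan(log_text):
    """Return (verdict, client, url) for every flagged request."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue            # skip malformed lines
        _, client, method, url = fields
        verdict = classify(method, url)
        if verdict:
            hits.append((verdict, client, url))
    return hits

def devices_to_reset(hits):
    """Clients that contacted the article's endpoint."""
    return sorted({client for verdict, client, _ in hits if verdict == "ioc"})
```

Clients returned by `devices_to_reset` are the ones to treat as compromised; the "suspicious" verdict is only a triage hint and will flag legitimate traffic too.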

II.  The Good News

Now, that's the bad news; here's the good news.  After Android Police contacted Google, they removed the apps incredibly fast -- in under 5 minutes.  No trace of the app remains in the app store.

From this response it's clear that there is hope for the security of Android, but it's reliant on community feedback. Whereas Apple screens its own apps and is relatively unresponsive to requests and feedback, Google does little screening, but is ultra-responsive.

The other good news is that Google may be able to remove the offending apps with its "remote kill switch". Google has already used this capability before to remove other Trojans.

Users should also be able to manually remove the apps, though they may want to format their Android phone to be on the safe side. To format your phone, go to Settings > Privacy > Restore Factory Settings (NOTE: You will want to back up your pictures, phone numbers, etc. first).

If you downloaded one of the following apps in the last couple weeks, you should format your phone:
  • Falling Down
  • Super Guitar Solo
  • Super History Eraser
  • Photo Editor
  • Super Ringtone Maker
  • Super Sex Positions
  • Hot Sexy Videos
  • Chess
  • ????_Falldown
  • Hilton Sex Sound
  • Screaming Sexy Japanese Girls
  • Falling Ball Dodge
  • Scientific Calculator
  • Dice Roller
  • ????
  • Advanced Currency Converter
  • App Uninstaller
  • ????_PewPew
  • Funny Paint
  • Spider Man
  • ???

III. Conclusions

Ultimately, Google's model could be superior to Apple's, but it needs more alert users like "lompolo" and the Android Police to be so.  

Developers also need to do a better job being alert for clones.  The recent trojan attack not only cost users the loss of privacy, it cost Super Guitar Solo both business and reputation.  If the developer had monitored its apps on a daily basis, it could have alerted Google far sooner.

There's good and bad with openness and Google's approach, as illustrated by this incident. The openness of Android is a "freedom", so to speak, and freedoms are seldom free. To some degree app store policing and openness are mutually exclusive. Android users have received what they wished for -- now it's their challenge to educate themselves, be aware, and make it work.


Comments

Scan for viruses before opening?
By quiksilvr on 3/2/2011 11:36:42 AM , Rating: 3
Seems like the best approach really. I do that automatically with every file I download.




RE: Scan for viruses before opening?
By JasonMick (blog) on 3/2/2011 11:40:18 AM , Rating: 4
quote:
Scan for viruses before opening?


Have you tested whether your scan checks for the affected rootkit? Your approach will only work if the "virus" scanner detects the rootkit APK.

If it works, yea, that would be a good approach...

But again, you have to be alert as your scanner may not recognize every rootkit. I think a better tool would be to download apps that let you monitor outgoing traffic on your phone.

This would be useful for identifying & removing both malicious apps and overly data mining legit apps alike.


RE: Scan for viruses before opening?
By nafhan on 3/2/2011 12:16:30 PM , Rating: 2
Anti-virus def. isn't going to stop everything, but it can make an infection less likely.

Slightly off topic, but something I've noticed lately: people clicking, OK, OK, through the page displaying the app permissions. Obviously, that's a bad idea!

A root kit, of course, could get around permission limitations, but why even bother with a root kit when many people are going to straight up give the app permission to export all their info!?


RE: Scan for viruses before opening?
By JasonMick (blog) on 3/2/2011 12:23:22 PM , Rating: 2
I'd assume the purpose of the root kit is to be able to obtain that info without asking nicely (which I believe root can do in Android) and, more importantly, the ability to remotely install additional malware.


RE: Scan for viruses before opening?
By theapparition on 3/2/2011 1:02:06 PM , Rating: 2
Root apps on Android always prompt the user for permission elevation.

I've never seen one that didn't. Not saying it can't happen, just more likely that people just pressed through.


By chick0n on 3/3/2011 11:59:59 AM , Rating: 3
Yep, most people just "OK OK OK OK" the whole day. Never even read what it says.

All my friends do that, none of them are tech savvy and most of them use a Mac and love Mac, got Android phone because it was free :)


By Anakha on 3/2/2011 3:14:40 PM , Rating: 2
One app that I found invaluable in controlling data usage on my Android (rooted) phone is DroidWall. It allows one to set what programs have access to the web over your data connection and WIFI connection. No idea if it would help with malware or if it would read the app but there is that app...


By snakeInTheGrass on 3/3/2011 10:19:51 AM , Rating: 3
It's Windows on a phone.

Ha. Haha. Hahahahaha.


How do I know?
By Lanister on 3/2/2011 11:58:01 AM , Rating: 2
Ok so I had always assumed that the apps on the stores had passed some sort of approval process and were safe. Since that is not the case how should I go about deciding what apps are safe and which are not? I have seen antivirus apps on the store, should I get one?

I love my droid but this concerns me.




RE: How do I know?
By JasonMick (blog) on 3/2/2011 12:05:28 PM , Rating: 2
quote:
Ok so I had always assumed that the apps on the stores had passed some sort of approval process and were safe. Since that is not the case how should I go about deciding what apps are safe and which are not? I have seen antivirus apps on the store, should I get one?


I would check out the website of the developer who's releasing the apps to see if it looks legit -- that should be a quick litmus test that will screen out many questionable apps.

Beyond that, A/V software is useful, but only as good as its list of signatures.

Aside from that, the ultimate method of protection would be monitoring outgoing network communications from apps.


RE: How do I know?
By nafhan on 3/2/2011 12:19:03 PM , Rating: 2
Also, looking at the most recent pages of reviews can be helpful. If there's something screwy, there's a good chance it'll get mentioned there.


RE: How do I know?
By theapparition on 3/2/2011 1:04:52 PM , Rating: 2
Exactly. Don't scroll to the bottom of the list and pick the bottom feeder apps. Most are crap anyway.


RE: How do I know?
By Souka on 3/2/2011 3:26:27 PM , Rating: 2
Not exact science, but I never download newly released 1st gen apps.

Also, any app with few comments or just recent comments are on my "do I really need this app" list.


RE: How do I know?
By ShaolinSoccer on 3/3/2011 6:05:25 PM , Rating: 2
"Lookout" is supposedly the best free anti-virus app for Android phones.


RE: How do I know?
By Lazarus Dark on 3/3/2011 10:04:58 PM , Rating: 2
Personally, I think ALL these people deserve what they got. The ones getting sex apps or whatever those are, did you think there would be less viruses with porn apps than with all the rest of the porn on the web?
And as for the "free" ripped apps:
If you see a paid and free version, usually one is ad supported, but they will BOTH be by the same developer. If you see one paid app and one free, by different developers, the free one is OBVIOUSLY a pirate version and you deserve the virus it comes with, you cheap*#%. Don't tell me you couldn't afford the 4 dollar app?


Monitoring App
By darkhawk1980 on 3/2/2011 12:49:01 PM , Rating: 2
Well Jason, since you seem to know so much (not being sarcastic), what is a good monitoring app? I haven't done much searching, but I haven't found anything that is really worth my time yet. I'd really like to know, since I would like to know what is going on as far as my data is concerned.

Thanks!




RE: Monitoring App
By kraeper on 3/2/2011 3:00:04 PM , Rating: 2
It does seem like this kind of breach would be better addressed with an outbound firewall than with an AV scanner, so this is a good question.


Ummm...
By Motoman on 3/2/2011 12:57:12 PM , Rating: 4
...WTF is "Hilton Sex Sound?"

Don't tell me that it does something like replace your ringtone with the sound of Paris Hilton getting buttsecks.




????_PewPew
By silverblue on 3/2/2011 2:31:35 PM , Rating: 2
I'm going to presume that this is not the actual PewPew game, created by Jean-François Geyelin?




RE: ????_PewPew
By Souka on 3/2/2011 5:01:08 PM , Rating: 2
Hope not! I have it installed, and like it! :)


iPhone sucks!
By headbox on 3/2/2011 11:45:01 AM , Rating: 1
So what if your personal data is stolen- you can customize it! You can't do that with an iPhone!




RE: iPhone sucks!
By SkullOne on 3/2/2011 12:17:16 PM , Rating: 2
In other news Apple offers zero customization options and throws in stolen personal data as a free bonus via their "secure" App Store!

"Several iPhone apps have been pulled from the App Store after being found to be harvesting user data, intentionally or unintentionally. A game called Aurora Feint was uploading all the user contacts to the developer's server, and salespeople from Swiss road traffic information app MogoRoad were calling customers who downloaded the app. Game app Storm8 was sued last fall for allegedly harvesting customer phone numbers without permission, but it later stopped that practice. And users also complained that Pinch Media, an analytics framework used by developers, was collecting data about customer phones."

Via CNET: http://news.cnet.com/8301-27080_3-10446402-245.htm...

ALL mobile devices are targets at this point.


WANT: a user customisable jail
By carniver on 3/2/2011 2:01:11 PM , Rating: 3
I wish I can assign which specific privileges to assign to an app myself. Say an app requests my contacts and my gps location in order to install, I want to be able to install it and run it without having to adhere to that requirement. Android should provide, in this case, dummy data to the app until I decide to actually enable the app with access to such data.

This way trojans will steal nothing from us, and we don't have to fall prey to a malicious app, before we know it's a trap.




So...
By chagrinnin on 3/2/2011 5:45:46 PM , Rating: 2
quote:
The app was sending information,...to "http colon //184.105.245.17:8080/GMServer/GMServlet",... in Fremont, CA.


...is somebody at this location getting a beatdown? I would love to hear through an update that this guy is currently residing in Folsom prison and making his own "buttsecks",(props to Motoman), sounds app.




Such is Life
By Goty on 3/2/11, Rating: 0


Apple isnt' any better
By sprockkets on 3/2/11, Rating: -1


RE: Apple isnt' any better
By nafhan on 3/2/2011 12:24:15 PM , Rating: 2
I think both are screening for malware to a degree. Ostensibly, Apple does a more thorough job, but the very act of allowing third party software to run means they can never be 100% the software is legit.


RE: Apple isnt' any better
By Tony Swash on 3/2/2011 12:38:22 PM , Rating: 2
quote:
Sure this is one of the risks of Google doing their open model for apps.

But guess what? Apple approved an app which violated their own TOS by using one of the volume buttons as a camera shutter.

Quite an obvious feature. It should have never been approved. But it was, and only pulled later after getting noticed by the web.

If apple can't be bothered to screen for obvious TOS violations, what makes me think they are screening for malware?


What defensive and absurd tosh.

Why can't you just say 'I like the Google model but this is one of its downsides'?

Instead you have to prattle on about Apple when you know and I know that any system which tries to vet apps before they go public is inherently safer than one that doesn't.

Just because the cops sometimes don't catch the criminals doesn't mean that a city without cops is as safe as a city with cops.


RE: Apple isnt' any better
By sprockkets on 3/2/11, Rating: 0


RE: Apple isnt' any better
By The Raven on 3/2/2011 3:59:01 PM , Rating: 2
I think it comes down to what devs you trust. If you are a layperson who doesn't know any better then you can rely on the reviews, ratings, and selections of other "experts". It has been like this since people have been selling software. I don't know why Apple has to step in and do this for you. I mean the store is just a framework for such decision making. And Apple's store might be more organized and such than Google's. But that should be considered separately when arguing which model is better. It's like saying that Amazon has a poor model because they don't screen software. Well the community pretty much takes care of that. Reviews are written in mags and sites and customer reviews and ratings are made. If you want to buy a piece of crap without researching it then you are an idiot.

But then again, there are sites that go through the screening for you, like Majorgeeks and Softpedia but you are ultimately not buying from them like the Apple model.

That is until Majorgeeks or Softpedia lose your trust.


RE: Apple isnt' any better
By kmmatney on 3/2/2011 10:10:45 PM , Rating: 2
From what I can see, these Apps have cloned other legit Apps, so it may be hard to tell if the App is actually coming from a trustworthy source.


RE: Apple isnt' any better
By omnicronx on 3/3/2011 2:12:41 AM , Rating: 2
Apple seems to be more thorough, that's for sure..

What I find funny is the tomcat application server that these apps are talking to is still up and running ;)

You can even access the tomcat manager console (though it's password protected). Seems pretty amateur to me..


RE: Apple isnt' any better
By bah12 on 3/3/2011 11:11:20 AM , Rating: 2
Yah my guess is a certain youngster will be getting a knock on his door shortly. He/she was not very good at covering their tracks.















Copyright 2013 DailyTech LLC.