Malicious App In Android Market 340
dumbnose writes to let us know that a fraudulent app that attempts to steal bank information has made it to the Android app store. From the alert: "NOTICE: Users of mobile devices with Android software may have noticed several applications available for download in the Android Marketplace. If you see any applications provided by the user Droid09, please do not download these applications. Android applications provided by Droid09 are fraudulent. Please remove any applications by Droid09 from your mobile device and contact your mobile provider to evaluate whether any other applications or information stored on your mobile device have been compromised." Multiple marketplaces are possible in the open Android ecosystem. Might we see the emergence of a marketplace distinguished by an iPhone-like app vetting process?
Check for the signed label! (Score:5, Insightful)
This is something that is far more unlikely to happen on the iPhone because of Apple's strict control and testing of all apps. Even the "jailbreak" stores will reject things that aren't as advertised.
Allow open development, and you've basically got a platform that the bad guys can target. There's already standards for signing code to prove that an app came from who you thought it did.
Re:Check for the signed label! (Score:3, Insightful)
Wow, second post and already we've got the "iPhone vs Android" debate started! Kudos!
That aside, or the apps Apple has had to remove aside... I'm happy with 99% of the quality control on the Android Apps.
An iPhone-like process? (Score:2, Insightful)
Re:No sandboxing? (Score:5, Insightful)
Sandboxing is an "always deny" tech that keeps legit applications from working easily. Effective, yes. Going to catch on with the average user, no.
Re:Use an Outbound Firewall (Score:5, Insightful)
Sounds like a really easy way for your standard user to administer their phone. My mom would totally get that....no wait....I think I meant the opposite of that. Yeah.
Seriously, though, how do you communicate this to your standard, non-techie user?
Re:An iPhone-like process? (Score:3, Insightful)
How about "Linux-distro style vetting process"?
Impossible, unless all apps are required to be open source (which would not be popular with many commercial developers). I'd even bet a large number of commercial developers would even be annoyed enough to stop developing for Android's app store if required to turn over their complete source code only to Google employees for review -- Apple doesn't even require this for their app store.
Re:An iPhone-like process? (Score:5, Insightful)
iPhone's vetting process has a "AT&T doesn't like it, so Apple will deny" clause that the jailbreak stores don't. Apple then claims that jailbroken apps could be trojans that will overload AT&T's network.
Google seems to be taking a "we'll do what we want and carriers can't stop us" attitude. Good luck with that.
Re:Use an Outbound Firewall (Score:5, Insightful)
The problem isn't technical, but rather lack of user training
The internet is not a safe place. If you want to use it openly, you better not be gullible and hand out your info to anyone who asks.
One solution would be to setup the phone for your non-techie friend, and whitelist all the apps that they'll need that should have internet access. Yes, this means they'll have limited use of new apps, but if they can't figure out when not to give out her bank details, they aren't sufficiently trained to safely use the internet.
Re:An iPhone-like process? (Score:3, Insightful)
No, the iPhone vetting process is unashamedly "that competes with us, denied!"
Re:Use an Outbound Firewall (Score:1, Insightful)
One caveat: Droidwall doesn't work on Android devices which don't have iptables, such as the CLIQ, DEXT, or others. So, if you don't have an HTC phone, don't bother with this app until the handset maker pushes out 2.1, or until your favorite rom cooker bakes the iptables/ipchains functionality in.
Re:Check for the signed label! (Score:5, Insightful)
Reserved words? (Score:3, Insightful)
Re:If you want to be free (Score:4, Insightful)
Tragedy of the Commons comes to mind here. People around here like to bitch about Apple's policies with their app store, but I understood the reasoning behind it from the beginning. The average consumer doesn't know better. A cute app that is malicious can spread to millions of users before someone wises up. And it only takes one or two to make people fearful of the platform.
It will be fun to see if the carriers take advantage of this and try to get control over the handsets back in their court as opposed to that of Google. If it happens a couple more times, I can the Verizon App store popping up and a Verizon UI required on all android phones that only allow users to use their store. And I'm sure a lot of the apps will require extra "monthly" fees.
Re:Check for the signed label! (Score:3, Insightful)
Open source is another way to stop malware... not every user looks at the source, but enough curious ones will put out the warning should anything not be as its marked.
Nice feature, but most software houses see the downside.
Re:Reserved words? (Score:4, Insightful)
"Bank of America" is already a reserved word under trademark law. You could say that "bank" is a reserved word, but then you'll accidentally block "iBank" and such. Such problems.
Re:An iPhone-like process? (Score:4, Insightful)
An iPhone-like vetting process would be "we'll reject it if we don't like the look of it". How about "Linux-distro style vetting process"?
The iPhone vetting process is closer to Slifox's "error on the side of caution" method on his outbound firewall, with the default being set to DROP (deny the app), followed by a specific whitelist (approved apps subject to continuous monitor for "good behaviour").
Quite a number of approved apps in the iPhone App Store have been caught out doing naughty things like accessing and sending "home" users' Contacts - email addresses, phone numbers and home/work addresses - where they really had no business requiring such information for their function (battery charge display apps, games etc) and have promptly been expelled from the app store - quite rightly in my opinion.
The price of true freedom is eternal vigilance, not laissez-faire do-what-you-please laxity...
Re:An iPhone-like process? (Score:3, Insightful)
old problem new platform (Score:4, Insightful)
The fault here lies primarily with the user, but seeing as we cant force the users to be smarter the onus for defeating this attack relies on the bank. Banks can do a variety of things to prevent such phishing attacks from working such as using 2 factor authentication and One Time Passwords. OTP works best when being used for transactions rather then logins, my bank will SMS me a code when I want to make a transaction to another account so even if a phisher has my password, they need my phone to do anything (plus this is a dead give-away that a phisher has gained my password). Banks could also issue a private key to official applications and block any application that does not have the key (granted this is less useful and may be easily defeated)
Iphone style lock downs will not work as they do not address the real problem of phishing and only serve to limit the platform. This isn't a fault with Android, this requires the user to initiate the attack, nor is it self replicating.
My vetting process is simple. . . (Score:5, Insightful)
Why on Earth would you download a 'bank' app from anyone other than *YOUR BANK*? I'm only gonna do online banking from the website or apps provided to me directly from my bank. I'm not gonna download anything from the Android market, from some random user, and do banking with it. Who thinks that it's a good idea to do 'banking' with an app by a random developer? I mean, *maybe*, maybe if it was someone large and established, like IBM, Google, Microsoft, or Apple, I *might* consider using third party software, but certainly not anyone I've never heard of before.
Re:An iPhone-like process? (Score:4, Insightful)
iPhone has youtube and pandora among many other apps that have very high network usage. sort of shoots a hole into the theory that AT&T is rejecting based on potential network overload.
Re:Separate passcode locked to a verified device (Score:3, Insightful)
That prevents the problem of somebody bringing in a mobile device and claiming to be you... but doesn't stop you from giving your main password to a false app that asks for it.
Re:If you want to be free (Score:2, Insightful)
"People around here like to bitch about Apple's policies with their app store, but I understood the reasoning behind it from the beginning. The average consumer doesn't know better."
I don't understand the reasoning behind it.
People seem to assume that a mobile phone app needs to be more controlled than a desktop application. What makes "mobile" so different from the desktop? I would suggest that I am actually much more likely to have sensitive things (banking, personal, or business information) on my desktop than on a mobile device. Yet no one is advocating that someone set up an app store for the desktop.
Re:Use an Outbound Firewall (Score:3, Insightful)
Seriously, though, how do you communicate this to your standard, non-techie user?
You don't. This is NOT A PHONE. This is a little computer with a phone IN IT. The same level of knowledge required to use a computer and install apps safely, etc is necessary here.
call me a cynic, if you wish.. (Score:1, Insightful)
thats not how the world works, probably the "validation" that apple do serve apple beneficts, and is not made for the safety of the users or other romantic option, maybe with the adition of safety theater
Re:Use an Outbound Firewall (Score:3, Insightful)
You make a good point, but that doesn't really do anything to the OP point. Most people who use computers are not techie users. They fall for scams all the time.
Re:Check for the signed label! (Score:3, Insightful)
How do you know the binary you install is the same as the source?
MD5 hash for the win! If your hash doesn't match the published hash, something's up.
Unless you propose that all software be compiled and signed by a trusted authority or be compiled on the end user's device...
Already happening on several platforms. MS Office VBA, MacOS, etc. Unsigned code is allowed, but requires a user's approval to a warning that the publisher is unknown.
And if someone introduces the ability to download and execute arbitrary code, perhaps via a clever and well-hidden exploit?
Would require an app that asks for rights to contact the network, and network traffic can be monitored. Somebody will notice.
Re:Use an Outbound Firewall (Score:4, Insightful)
This explains the explosive spread of viruses on the Apple platform!
Re:Check for the signed label! (Score:5, Insightful)
Re:Check for the signed label! (Score:2, Insightful)
>Do the Underhanded C Contest and Obfuscated C Contest ring any bells?
If you were trying to make a point, you failed miserably. Those are about writing malicious code not searching for it.
Use your brain, dipshit. The point of the Underhanded C contest is to write code that, when read, looks perfectly normal but contains underhanded code. Someone searching for bad code will have a difficult time spotting it because the whole point is to hide the malicious parts from someone who does a code review.
So trivial it's never been done (Score:4, Insightful)
This is not the case. Apple don't perform in-depth testing in this manner; they don't have access to the source code and some developers have already successfully bypassed the rules of the App Store by hiding functionality as easter eggs. It is trivial to put malicious code in an iPhone app that won't be triggered until after the application is already in the App Store.
Hey, what was that old saw about Macs not having any viruses? Wasn't it something like, the platform is not popular and that's why they do not have viruses?
Well here we have a wildly popular mobile platform. Yet the most egregious exploit in an app to date is something that sent your address book somewhere without permission (something that's explicitly allowed by the API).
So given the number of apps there are, perhaps the lack of problems like this is an indicator it is not as "trivial" as you claim to put a malicious app in the store.
What would a malicious app really do anyway? It couldn't delete user data. It can't send passwords not entered in the app (passwords are not stored in the keystroke cache). And what makes you think Apple would not give extra scrutiny to an application that asked for something like your banking details? What makes you think they don't roll the date forward a month or two when testing apps just to see what kind of extra activity might be triggered?
Furthermore, because you have to go through some paperwork to be a registered developer in the first place, you have a lot more exposure to liability if you try something. Apple the has valid bank account details for you (if you registered to sell paid apps), along with your address and other things. So if something like this exploit were found, you'd be pretty screwed.
There are more aspects of protection in a closed system than just the review cycle...
Ask Mint.com (Score:3, Insightful)
Why on Earth would you download a 'bank' app from anyone other than *YOUR BANK*?
Actually there's a very good reason (for the user) - banks cannot write user interfaces to save their lives.
In fact they are so horrible at it, that Mint.com flourished with tens (hundreds?) of thousands of users, despite you needing to give Mint the passwords to EVERY SINGLE BANK you do businesses with.
Would you or I ever, ever do that? Nope. No reasonable person would you would think. Yet many have (and continue to), just because the experience of using bank websites and mobile platforms was so horrific, and honestly I cannot blame them - in fact I envy them the peaceful bliss of ignorance and nice software.
The whole point of using mobile applications is to make your life simpler, something that lots of developers are good at but not banks. So it's no shock someone would be willing to try an app not written by the bank they use.
Re:Then the developer is screwed (Score:5, Insightful)
Quite easy to give and verify a fake address, especially if it's in a foreign country.
Once again, easy to do with a foreign bank.
There are plenty of easy ways to prove addresses that can be easily faked, bank statements, utility bills. Plus there is the idea of using someone else's identity entirely.
Let me put it this way, anyone smart enough to develop a scheme like this is smart enough to defeat Apple's rudimentary address/credit checks.
You seem to have a lot of faith in Apple's ability to detect a hidden scam once it has already penetrated their security (the app store). It's entirely plausible that this kind of phishing go on for weeks or months without anyone noticing, especially seeing as Apple are the only watchman and considering what the average iphone user understands about information security.
Re:Use an Outbound Firewall (Score:2, Insightful)
Uhhh, no. You said "actually, I just went to the apple website and found this..." and I said "oh yeah, I remember that happened last year."
You honestly don't remember Apple only last year admitting that getting some anti-virus might be a good idea? You don't remember how much shit they got for it? I can't really say I'm surprised, being that no-one buys anti-virus for Macs, even now.
Please now, kindly fuck off fanboi.
Re:Check for the signed label! (Score:4, Insightful)
phone providers/google could set up a "safe mode" in android that only allows signed apps to run. if the user wants to leave safe mode to install an unknown app they can but be shown a warning of the consequences. That way people who want to be safe can be safe and people who want to run what they like can run what they like. Kind of like apple putting a jailbreak button on the iphone. That way people can choose between safety or freedom.
given time as more apps get checked and signed, people would have less and less reason to leave safe mode.
it reminds me of the software repositories on ubuntu - for about 2 or 3 years there was essential stuff missing that forced you to manually install dodgy software that potentially broke your system, but now that it's matured there often no reason whatsoever for a home user to stray outside the repos
Re:Check for the signed label! (Score:3, Insightful)
That's because it's an easy target, in spite of all it's "security measures".
Re:HERE'S HOW ANYONE CAN BEAT ANY Vetting !! (Score:5, Insightful)
Re:Check for the signed label! (Score:3, Insightful)
People which use software installation systems that check MD5s by default. Even Windows does something like this, but so many applications don't bother with signatures that "warning unsigned application" is pretty much meaningless.
Re:Check for the signed label! (Score:3, Insightful)
The freedom of the droid is nice; but at the same time it requires more responsibility on the owner.