Google Android Security Technology

New Android Malware Uses Google Play Icon To Trick Users

Posted by samzenpus
from the protect-ya-neck dept.
An anonymous reader writes "A new trojan for Android has been discovered that can help carry out Distributed Denial of Service (DDoS) attacks. The malware is also capable of receiving commands from criminals as well as sending text messages for spamming purposes. The threat, detected as "Android.DDoS.1.origin" by Russian security firm Doctor Web, likely spreads via social engineering tricks. The malware disguises itself as a legitimate app from Google, according to the firm."
  • by Anonymous Coward

    Because people will download and run apps from that store.

    And there's little/no AV protection.

    • by masternerdguy (2468142) on Thursday December 27, 2012 @07:06PM (#42407547)
      Actually the Android sandbox is quite sophisticated. Jelly Bean will randomize the location of an application's memory region in order to make buffer overflow attacks harder. Granular permissions allow a user to know exactly what an app wants to do before they even install it (it's written into the API that the app must ask for these permissions). Also Google does automated malware testing on their store in order to weed out undesirables. This thing is spread by installing an APK off of a warez site and ignoring all the scary warnings.
      • by Anonymous Coward on Thursday December 27, 2012 @07:13PM (#42407579)
        Not to mention that by default you aren't allowed to install an APK from a source besides the play store, you have to manually disable that restriction.
        • by alostpacket (1972110) on Thursday December 27, 2012 @07:47PM (#42407797) Homepage

          Yes but this uses an official ICON. Clearly no way to forge that. I've never seen anyone think to use logos or icons for nefarious purposes before. Luckily I am protected here on my Windows 7 machine. I clicked an ad using the Windows 2000 theme that alerted me to major potential threats in my "regisetery"... Had a similar experience on my Macbook Air. Thank goodness for the altruism of all those interwebs ads and sites.

          In all seriousness though, this could be a problem for people who root/ROM and install their Google apps from sources other than Google. Granted, when you root/ROM you should be aware of the risks, but it still presents a small danger.

          Many Google apps, however, request permissions that require the app to be signed with the same key as the ROM and/or the system key.

          See: http://developer.android.com/guide/topics/manifest/permission-element.html#plevel [android.com]

          "signature"
          A permission that the system grants only if the requesting application is signed with the same certificate as the application that declared the permission. If the certificates match, the system automatically grants the permission without notifying the user or asking for the user's explicit approval.

          "signatureOrSystem"
          A permission that the system grants only to applications that are in the Android system image or that are signed with the same certificate as the application that declared the permission. Please avoid using this option, as the signature protection level should be sufficient for most needs and works regardless of exactly where applications are installed. The "signatureOrSystem" permission is used for certain special situations where multiple vendors have applications built into a system image and need to share specific features explicitly because they are being built together.
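A defensive check in the spirit of the signature discussion above: rather than trusting an icon or label, compare the SHA-256 fingerprint of an installed package's signing certificate against a pinned value before treating it as the genuine Google Play client. This is an added example, not code from the post or from Android's own sources; the class and method names are assumptions and the pinned fingerprint is a placeholder.

```java
import android.content.Context;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

/** Verifies that an installed package is signed by the certificate we expect. */
public final class SignerCheck {
    // Placeholder: replace with the real SHA-256 fingerprint of the certificate
    // that signs the genuine Google Play client on the device being checked.
    private static final String EXPECTED_PLAY_STORE_SHA256 = "<pinned-fingerprint-placeholder>";
    private static final String PLAY_STORE_PACKAGE = "com.android.vending";

    private SignerCheck() {}

    /** True only if the package is installed and every signer matches the pinned fingerprint. */
    public static boolean isGenuinePlayStore(Context ctx) {
        return isSignedBy(ctx, PLAY_STORE_PACKAGE, EXPECTED_PLAY_STORE_SHA256);
    }

    static boolean isSignedBy(Context ctx, String packageName, String expectedSha256) {
        PackageInfo info;
        try {
            // GET_SIGNATURES is the pre-API-28 way to read a package's signing certificates.
            info = ctx.getPackageManager().getPackageInfo(packageName, PackageManager.GET_SIGNATURES);
        } catch (PackageManager.NameNotFoundException e) {
            return false;  // not installed at all
        }
        if (info.signatures == null || info.signatures.length == 0) {
            return false;  // an unsigned package is never trusted
        }
        for (Signature sig : info.signatures) {
            // The Signature object wraps the DER-encoded X.509 certificate.
            if (!expectedSha256.equalsIgnoreCase(sha256Hex(sig.toByteArray()))) {
                return false;  // a single mismatched signer is enough to reject
            }
        }
        return true;
    }

    static String sha256Hex(byte[] der) {
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            StringBuilder sb = new StringBuilder();
            for (byte b : md.digest(der)) {
                sb.append(String.format("%02x", b));
            }
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 unavailable", e);  // mandatory in every JRE
        }
    }
}
```

This is the same certificate comparison the platform performs for a "signature" protection level, done explicitly so that a sideloaded imitation with the right icon but the wrong key is rejected.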

          • by erroneus (253617) on Thursday December 27, 2012 @09:19PM (#42408293) Homepage

            Cricket.

            I was investigating prepaid phone service options because I want to save money and prepaid service seems to be the way to do it. One shop I visited was "Cricket." The first thing they asked was "what kind of phone do you have?" I said "unlocked GSM." They said, but we have to install our software on it... we have to flash your device before we can put it on our network. I was utterly shocked and then angered. I left before I said anything I might regret, but I will not be doing business with Cricket now or in the future. Bad enough the carriers I buy my phones from want to control my devices. Another carrier wants to modify my property so that I can be their customer.

            No. And why would I object so much to that idea?

            Because I don't know what they will be putting on my computer, nor will they tell me. And so for the same reason I would not do business with Cricket, I will not generally install software from unknown sources.

            • Interesting. Did you get any sense of what they wanted to install? I don't know enough about that specific area but I wonder if there are any legit reasons they might do this. Maybe relating to ESN/MEID/etc, or some type of radio frequency tuning... Still, I would likely have done the same in your shoes.

              • by bedouin (248624)

                The main reason is probably to lock you into their store for ringtones and games. Their guise for it all would probably be so-called security. At least that's the impression I got while I was their customer.

                Check this out, to actually DOWNLOAD apps from their store they made you pay some sort of extra charge. Paying them money for apps wasn't simple enough. I passed and got busy modifying the firmware in a hex editor.

                If you visit a Cricket location you'll see mostly poor folks who can't pass a credit ch

            • by bedouin (248624)

              I was with Cricket for a couple years. I bought a new phone from them on one occasion, and when I asked for a data cable, the salesperson asked what I intended to do with it. I answered "sync my addresses" because I knew that was the answer she was looking for . . .

              When did Cricket switch from CDMA to GSM?

          • 'I clicked an ad using the Windows 2000 theme that alerted me to major potential threats in my "regisetery"'.
        • by synapse7 (1075571)
          Manually disabling is my favorite part.
      • Re: (Score:1, Informative)

        by Anonymous Coward

        Actually the android sandbox is quite sophisticated. Jellybean will randomize the location of an application's...

        It's too bad that it was released in June 2012, and still, nobody has it [android.com]. So while I'm sure newer versions of Android are much improved, it doesn't much matter to anyone if the horrible manufacturers won't put an ounce of effort into maintaining the devices.

        • by rjr162 (69736) on Thursday December 27, 2012 @07:55PM (#42407847)

          ....
          My Samsung Galaxy S3 (GT-I9000) received the 4.1.1 update about 3 or so months ago (from Samsung). My neighbor's Motorola Atrix 2 or whatever received the 4.1.2 update about 2 months or so ago (he has Verizon). The Motorola Xoom I got my grandfather also received 4.1.1 IIRC when I set it up for him after I received it from eBay about 3 weeks ago.

          • by Anonymous Coward

            It shouldn't have even taken that long though. When Google releases an Android update, it trickles down to the phone manufacturers like Samsung who put their tweaks into the code. Samsung in particular seems pretty fast about it (and I'm sure they get access to the pre-release source as well to speed up go-to-market time).

            The real bottleneck is the carriers, who absolutely drag their feet. AT&T (my carrier) took several months to do what is basically just adding in their bloatware and spyware garbage int

            • by SomePgmr (2021234)

              S2 here. It took them a year to deploy ICS after it came out. Seven months since Jelly Bean came out will actually be a huge improvement, even though it'll already be out-of-date.

              While I still prefer Android over iOS, I've learned my costly lesson... don't even consider buying an Android device that isn't a Nexus.

              Also, as someone that writes software for Android, I don't like having to target Gingerbread (circa 2010) or give up half the market. Google needs to do something about the savages leeching the pl

              • by synapse7 (1075571)
                I'm curious what it is in Jelly Bean you are in such great need of that ICS is without?
                • by synapse7 (1075571)
                  To add more, I have loaded Jelly Bean on the S3 that I use and I've been considering restoring the Samsung ROM to gain back the motion gestures, some of which are quite handy.
      • It does sound more like a proof of concept than an actual attack.
      • by BitZtream (692029)

        ASR is cute, but only stops the most trivial of exploit efforts. And this isn't exploiting anything other than the user so ASR is 100% useless.

        Granular permissions in the style of Android are practically useless and here's why, a statement from my wife just last night as she played with her Nexus 7:

        Does anyone even say no to these permissions since every app wants a bunch of them and you can't use it without clicking yes?

        When every app including crap from Google asks for all sorts of shit, like access to your

        • Does anyone even say no to these permissions since every app wants a bunch of them and you can't use it without clicking yes?

          Why should someone do that? In 99% of the installs the required permissions match the purpose of the app, so there simply is NO REASON to say no. I definitely would (and did so) say no if suddenly a simple flashlight (or in my case metronome) app asks for access to contacts, location and internet.

          How about letting the app run WITHOUT those permissions? Why do I have to decide if I want an app or not based on the fact that it wants access to my call log at install time rather than saying 'no, you can't see my call log' and still getting the app? Why can I not use the app but tell it to go fuck itself when it wants access to my contacts?

          The answer is simple. Google doesn't actually want it to be too secure as that would prevent them from getting all the information they want to target you.

          Sorry but that's BS. The reason why those rights are asked for at install time is that they are considered as required for the app. What use would a calendar application have that is denied access to the phone calen

      • by erroneus (253617) on Thursday December 27, 2012 @09:12PM (#42408261) Homepage

        Indeed this is the most significant truth of it all.

        In iOS land alone are users "not responsible for their actions." For people to go around installing malware on PCs is a known problem. Save MSIE vulnerabilities enabling drive-by installations and program execution, people install malware on their own machines.

        Now if this story was about a vulnerability in Android devices which permitted this type of system compromise, we might have a much more significant story. But what we have, instead, is reaffirmation that with Android, users have freedom to install the software of their choice just as they have with MacOSX and Microsoft Windows and other Linux distributions. We also have the recognition that users are not invulnerable to attack because they are using something other than MS Windows.

        Is this a sign that Android has "matured"? No. iOS is pretty mature and does not exactly suffer from such attacks. (oh wait, yes it does! [forbes.com]) It is a sign that bad-wetware has recognized that Android is popular enough and free enough to make its users a target. At the end of the day, of course, it is the users which are being targeted and their devices, software and data are the means and the objective of the attack.

        This story is useful in that it is important that everyone be aware of the risks of running any software, but especially software from dubious sources. But let's hope the real message is not lost in the hype and flag waving.

      • Granular permissions allow a user to know exactly what an app wants to do before they even install it

        No they do not.

        They know what RESOURCES an app would like to have beforehand. But having never run the app they have NO idea when and for what reason they are required.

        On iOS you also have granular access. But the key is, you are asked at the time that resource is required. So for example, you are asked if the application can access your contacts only when you've hit the "send to a friend" button or what

        • A big list of permissions that non-technical users hardly understand helps almost no-one. It allows a technical user to avoid some traps, but it screws over the large majority of users.

          If a user is not technical enough to understand "This app requires access to your contacts" and "This app requires dialing phone numbers", they probably should donate their phone for their own good.

          The more difficult thing is to judge if those permissions are reasonable for that app they want to install. But as they're the only one who knows what they're installing it for, no one can take that burden from them.

          • If a user is not technical enough to understand "This app requires access to your contacts" and "This app requires dialing phone numbers", they probably should donate their phone for their own good.

            That's odd, I would like to live in a world where even such people can make use of technology. The world I want to live in allows EVERYONE to benefit from technical advances, not a high-tech priesthood that snickers at the LUsers.

            You can stay up in that ivory tower if you like but I'm trying to make the world be

            • If a user is not technical enough to understand "This app requires access to your contacts" and "This app requires dialing phone numbers", they probably should donate their phone for their own good.

              That's odd, I would like to live in a world where even such people can make use of technology. The world I want to live in allows EVERYONE to benefit from technical advances, not a high-tech priesthood that snickers at the LUsers.

              Well, let me rephrase it: In my ideal world, everyone would understand that "This app requires dialing phone numbers" means that this app might dial phone numbers - at your expense. That's not too difficult. OK, I would love to free users from the burden of permission checking, too. But you can't completely block phone or net access, when you WANT half of the apps to have phone or net access.

              So how could anyone but the user decide if a required permission is necessary for what the app is supposed to do? Evil

          • If a user is not technical enough to understand "This app requires access to your contacts" and "This app requires dialing phone numbers", they probably should donate their phone for their own good.

            Ah, the old "blame the user" tactic of the fanboy. Well, these are mobile phones. And mobile phones are meant for ordinary people. If they're not suitable for ordinary people, then that's the fault of the hardware/software, not the user.

            The fact is that there's a better way to do it, and iOS shows the way. Ask the user for permissions for a resource whilst the app is running, the first time the app wants access to that resource. That way the user can better assess the app, and whether it is a reasonable req

            • If a user is not technical enough to understand "This app requires access to your contacts" and "This app requires dialing phone numbers", they probably should donate their phone for their own good.

              Ah, the old "blame the user" tactic of the fanboy.

              No objection to that.

              Well, these are mobile phones. And mobile phones are meant for ordinary people. If they're not suitable for ordinary people, then that's the fault of the hardware/software, not the user.

              Cars are meant for ordinary people too. And that's why we don't let anyone drive but require driving licences. Not because we want to keep it some special privilege, but because it is potentially dangerous. And storing private data in a connected device is not without dangers, too. And with that, there are some responsibilities.

              Like servicing your brakes. And if cars are for everyone, not everyone can do that. But the solution is not to do it, but to pay someone to do it. And in exactly

              • I think that overall safety is better on iOS. But that's not due to WHEN an app asks for privileges. It's the stricter checks before something goes into the store.

                It's both.

    • Re: (Score:3, Insightful)

      by Anonymous Coward

      Because people will download and run apps from that store.

      And there's little/no AV protection.

      There is very little AV protection against users. They are the weakest link, but we can't have successful software companies without end users.

    • by tuppe666 (904118) on Thursday December 27, 2012 @07:20PM (#42407619)

      I know you're trying to defend Apple's "let's gouge our customers" policy by limiting customer choice (and competition) to Apple on its (not your) phone...but to do so I think you need to understand that on Android you have to actually go into the settings and *enable* this voluntarily, and have to agree to a warning screen...Apple users are so desperate to have this functionality they "Jailbreak" Apple's phone, even though Apple have attacked their customers for doing so.

      • by tlhIngan (30335)

        I know you're trying to defend Apple's "let's gouge our customers" policy by limiting customer choice (and competition) to Apple on its (not your) phone...but to do so I think you need to understand that on Android you have to actually go into the settings and *enable* this voluntarily, and have to agree to a warning screen...Apple users are so desperate to have this functionality they "Jailbreak" Apple's phone, even though Apple have attacked their customers for doing so.

        And practically every US Android user ha

        • anyone smart enough to understand that option would be smart enough to not install apps from a non-reputable source.
  • by Anonymous Coward

    nice disguise

    • This is not from the Android Play Store, it may originate from a Russian website.
    • nice disguise

      I thought the opposite. The first thing someone is going to do when they see two stores on their phone...is look up why? It even has a different name, they would have been better hiding it behind a simple RSS feed or torch app

      • The first thing someone is going to do when they see two stores on their phone...is look up why?

        No, if the user notices the duplication, and cares, their first step is likely to be to click on each of them to see what the difference is.

        "looking up why" (in Google or the manual) is what people might do after they've looked for themselves.

  • OK, sorry I got enough of this in the X-Mas special, seriously. I think it infected me. - HEX
  • by mythosaz (572040) on Thursday December 27, 2012 @07:41PM (#42407757)

    Users SPREAD the app. The app itself does not spread. It's an important distinction.

    • by BitZtream (692029)

      They didn't call it a virus, the summary in fact states likely spread by users. Guess what, it's malware.

      Did you have a point and what the fuck is it/how the fuck are you modded +5?

      • by mythosaz (572040)

        "The threat, detected as "Android.DDoS.1.origin" by Russian security firm Doctor Web, likely spreads via social engineering tricks"

        That, from the summary, says that the threat spreads by social engineering -- and clearly identifies the threat as the malware, not the social engineering bit. TFA says that the malware spreads. Passive or active is important. The author of the summary is a twit. That's my point.
