Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
Android Google Handhelds Security

Malware Posing As Official Google Play Store Evades Most Security Checks 100

Posted by timothy
from the ok-ok-using-ios-doesn't-count dept.
DavidGilbert99 (2607235) writes Mobile malware on Android is nothing new, but now security company FireEye has discovered in the Google Play store a sophisticated piece of malware which is posing as....the official Google Play store. Using the same icon but a different name, the malware is not being detected by the vast majority of security vendors, is difficult to uninstall and steals your messages, security certificates and banking details.
This discussion has been archived. No new comments can be posted.

Malware Posing As Official Google Play Store Evades Most Security Checks

Comments Filter:
  • Link? (Score:4, Interesting)

    by Anonymous Coward on Thursday June 19, 2014 @11:22AM (#47273317)

    Dear submitter,

    Link me to an article. I don't want to search for the company's announcement, and I don't want to just take your word for it.

  • Uh... (Score:2, Insightful)

    by msauve (701917)
    Can I buy a link? Timothy strikes again.
  • by Anonymous Coward

    If you're dumb enough to download the Google Play store FROM THE REAL GOOGLE PLAY STORE THAT YOU'RE ALREADY ON... then you deserve to get some malware.

    • Re:Umm.. (Score:4, Insightful)

      by Jiro (131519) on Thursday June 19, 2014 @11:31AM (#47273423)

      The malware is named "Googl app stoy".

      If you're dumb enough to download something spelled that way, you deserve, well, almost anything.

      • by mythosaz (572040)

        We couldn't find anything for your search - "Googl app stoy".
        Suggestions:
        Make sure all words are spelled correctly.
        Try different keywords.
        Try more general keywords.

  • by Rosco P. Coltrane (209368) on Thursday June 19, 2014 @11:24AM (#47273339)

    I mean, with the recent dumbing down of fine-grained authorizations when installing apps, it's Google Play itself that feels like a security liability.

    • by timeOday (582209)
      Almost every app requests almost every permission anyways, so what was the point of fine-grained permissions? Why do I have to let you access the network and my contact list to play Tetris? It's frustrating.
      • by Anonymous Coward

        That's part of the stupid issue. The 'fine grained permissions' were NOT fine enough and some were grouped in odd places. And of course, App Devs being lazy or intrusive, they ask for exceptionally broad permissions often enough. At least with the fine-grained permissions, you could use a third party tool to revoke individual permissions before running the app.

        Really, you're making the main valid point here though: App Devs are making mandatory a lot of permissions that ought not be mandatory. That's bad de

        • Perhaps an app dev can answer one question: If I install with a particular permission set, but an optional feature some users might want would require an additional permission, could I not prompt the user for that permission when they want to enable the optional feature? If this is possible, not doing it is not excusable on behalf of the App Devs. If it isn't possible, it is not excusable on the Android Devs part.

          It's not possible on Android.

          On iOS it's the way it always works. You are only asked for a given permission at the time the app tries to do the privileged thing.

          • Yes it is, so long as the separate features are factored into separate packages on Google Play Store. Under Android, packages signed with the same software publisher certificate can share data through the sharedUserId mechanism. This lets the user install one main interactive app, which appears in the launcher or IME chooser or whatever, and then several helper apps that expose content provider services to the main application. For example, a keyboard could have helper apps that extend its autocorrect dicti
        • by timeOday (582209)
          My problem is, IIRC, you don't know what broad permissions an app is going to request upfront, until after you have downloaded and partially installed it. By then you have already wasted your time and bandwidth. You are invested. It would take half a day to look at 20 different versions of Tetris to see which is OK. If you could filter Google Play searches - "search for a version of Tetris that doesn't demand to look at my contact list" - then that would create a tiny bit of market pressure to not just
          • by Dishevel (1105119)
            Or you could just take a little bit of personal responsibility for your own actions and decide not to install something. I know it is hard. Having to deny yourself a free Tetris game or slugging through the description of the app on the store to actually read the permissions requested before downloading.

            I feel for you, I really do. I think that is a true shame that you were allowed to grow up in an environment that made you such an entitled person. One day if you are lucky life will step in and teach you w

      • by tlhIngan (30335)

        Almost every app requests almost every permission anyways, so what was the point of fine-grained permissions? Why do I have to let you access the network and my contact list to play Tetris? It's frustrating.

        Part of the problem is Google itself - when Android was released, the only place you could buy apps was in the US, which mean everywhere else trying to hit Google Marketplace was restricted to seeing free apps. Which means developers end up writing free apps loaded with advertising and having to request

    • by mlts (1038732)

      Some Android devs are trying to do their best to work around it. It requires root, but I highly recommend the XPrivacy tool, which will allow you to restrict what apps can actually contact. I also like using a DroidWall successor as a thing of last resort, especially with apps that are bandwidth hungry, so they get forced to Wi-Fi only and not on the cellular network.

      LBE Privacy Guard used to be a good tool, but the successor has yet to be officially translated to English yet.

      The bad thing is that apps fr

    • This kind of thing probably wouldn't happen if Android were Free/Libre Open-Source Software. As Google quietly effectively close-sources Android piecemeal, by making it so that parts of the OS, as provided are Google-PROPRIETARY, like the store itself, security problems will abound. It's only natural. To save time, money, and ink, Google's shortened it's motto by one word, and didn't tell anyone. The one word, in case you didn't already guess, is "Don't". They're every little bit as bad as M$ ever was,

  • Link? (Score:5, Informative)

    by devjoe (88696) on Thursday June 19, 2014 @11:25AM (#47273361)
    Not sure how this brief blurb with no link got posted, but here [techweekeurope.co.uk] is a link to an actual story.
  • Why doesn't Android have a permissions structure that allows the user to explicitly manage the permissions for each app?

      If I want to disable access to the contacts for any given app, I should be able to do that. If it breaks functionality of the app, then that is MY problem, but in most cases, it wouldn't cripple the app; I don't need my shopping list to be able to read my contacts and send premium text messages on my behalf.

    • Re: (Score:3, Insightful)

      by gstoddart (321705)

      Because Google values their ability to sell advertising over user security would be my guess.

      Remember, it's their phone, you're only using it under license -- because Google has long since given up any pretense of the whole "do no evil" thing.

      I see so many things list their permissions and think "WTF would you need these permissions for, and why on Earth would I give them to you?" And then I cancel the download.

  • Easy: Don't. Fucking. Install. It.

    This is yet another piece of software which the user needs to download, enable installation of third-party apps, and install. Or the user might've installed it from a dodgy app store (in which case their device is likely already a teeming mess of malware).

    Either way, the user needs to do something we've spent the last umpteen years trying to indoctrinate people against.

    Wake me up when someone starts injecting this stuff through advertisements in web pages.

    • by Anonymous Coward

      This is yet another piece of software which the user needs to download, enable installation of third-party apps, and install.

      What do you mean "third party apps"? The summary and TFA claim that this one is in the official Google Play store.

      • by c (8461)

        What do you mean "third party apps"? The summary and TFA claim that this one is in the official Google Play store.

        Good point. Mind you, that kinda makes anyone who installs it even dumber than I would have thought.

    • by ray-auch (454705)

      Maybe it came already installed... sounds awfully like one that does (just buy the phone from the ad in the web page...):

      http://www.theguardian.com/tec... [theguardian.com]

  • And this is the reason I won't do banking on an Android phone much the same as I refuse to do online banking from a Windows PC.

    I've been sticking to my Linux distro for that and felt that it's the best way to function with some security on my end.
  • by gstoddart (321705) on Thursday June 19, 2014 @12:09PM (#47273843) Homepage

    So I R'd TFA, and I can't see anything which says *how* you get this. Or if it's in there I can't find it.

    I assume it either piggy backs on something else downloaded from the app store, or comes in from someone enabling apps to come from other places.

    The fact that an application can even disable the uninstall feature is pathetic.

    And, sadly, Google has removed even more permissions control, so this will only get worse.

    I still maintain I should be able to go in at any time and remove permissions from apps -- because, quite frankly, why something like a Flashlight needs access to my messages and contacts has always been a mystery.

  • Nahh, installing Cyanogenmod is quite easy and can get rid of this malware almost instantly.

Dead? No excuse for laying off work.

Working...