Malicious App In Android Market

dumbnose writes to let us know that a fraudulent app that attempts to steal bank information has made it to the Android app store. From the alert: "NOTICE: Users of mobile devices with Android software may have noticed several applications available for download in the Android Marketplace. If you see any applications provided by the user Droid09, please do not download these applications. Android applications provided by Droid09 are fraudulent. Please remove any applications by Droid09 from your mobile device and contact your mobile provider to evaluate whether any other applications or information stored on your mobile device have been compromised." Multiple marketplaces are possible in the open Android ecosystem. Might we see the emergence of a marketplace distinguished by an iPhone-like app vetting process?

  • by slifox ( 605302 ) * on Sunday January 10, 2010 @06:44PM (#30717858)
    One great app I use is DroidWall, which is a simple GUI for iptables.
    I set the default outbound policy to DROP, then specifically whitelist the apps that should reasonably have access to the internet.

    Since Android apps have to specifically declare the privileges they require before installation (such as the ability to read contact data, internet access, etc.), it's easy to make sure that all apps that read personal data are not whitelisted, unless they come from a reputable developer (e.g. Google-made apps). Any app that can read my contacts data, my calendar, my email, etc, is sure as hell not getting internet access for "usage statistics" or whatever other lame excuse they give.

    I wish this functionality was built into the OS, rather than having to do it manually (for example, a way to disallow internet access during installation) -- but at least it's doable on Android. I don't think any other phone platforms give this level of permission separation or control. I'm not so sure that app review would really fix the overall problem; it might catch the obviously-malicious phishing apps like in this story, but I bet that the app auditors' opinion on what is a privacy violation differs greatly from my own.

    I still wouldn't use my banking info on my phone regardless, since a phone is so easily losable, and locking/unlocking the data every time with a secure passphrase would probably be too inconvenient. At very most, I would only allow read access to transactions from my phone (if banks offered this), thereby limiting the amount of useful information or control a would-be attacker could gain from compromising my phone.
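The whitelist rule of thumb from the comment above (deny network access to any app that declares private-data permissions unless its developer is trusted), worked through as an added example that is not DroidWall's code or anything from the original post. It parses constructed manifests, makes the per-app decision, and emits the per-UID iptables rules such a tool would apply; the trusted-developer prefix list and the sample package names and UIDs are assumptions.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions that read personal data; by the commenter's rule, an app holding
# any of these stays off the outbound whitelist unless its developer is trusted.
PRIVATE_DATA_PERMS = {
    "android.permission.READ_CONTACTS",
    "android.permission.READ_CALENDAR",
    "android.permission.READ_SMS",
    "android.permission.GET_ACCOUNTS",
}
INTERNET_PERM = "android.permission.INTERNET"
# Assumed "reputable developer" list. Package-name prefixes are a stand-in for
# the signing-certificate check a real tool should do instead.
TRUSTED_PREFIXES = ("com.google.",)


def parse_manifest(xml_text):
    """Return (package name, set of declared uses-permission names)."""
    root = ET.fromstring(xml_text)
    perms = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    return root.get("package"), perms


def egress_decision(pkg, perms):
    """Decide whether this app's UID belongs on the outbound whitelist."""
    if INTERNET_PERM not in perms:
        return "deny", "does not request INTERNET; nothing to whitelist"
    if pkg.startswith(TRUSTED_PREFIXES):
        return "allow", "trusted developer"
    private = sorted(perms & PRIVATE_DATA_PERMS)
    if private:
        return "deny", "reads private data: " + ", ".join(private)
    return "allow", "network-only app with no private-data permissions"


def iptables_rules(whitelist_uids):
    """Rule list a DroidWall-style tool applies. Each Android app runs under its
    own Linux UID, so iptables' owner match can whitelist per app. ACCEPT rules
    go first and the DROP policy last, so a half-applied set never cuts off
    the whitelisted apps."""
    rules = ["iptables -A OUTPUT -o lo -j ACCEPT"]  # loopback stays open
    rules += [f"iptables -A OUTPUT -m owner --uid-owner {uid} -j ACCEPT"
              for uid in sorted(whitelist_uids)]
    rules.append("iptables -P OUTPUT DROP")
    return rules


def build_policy(apps):
    """apps: {uid: manifest xml}. Returns ({package: (decision, reason)}, rules)."""
    decisions, whitelist = {}, set()
    for uid, xml_text in apps.items():
        pkg, perms = parse_manifest(xml_text)
        decision, reason = egress_decision(pkg, perms)
        decisions[pkg] = (decision, reason)
        if decision == "allow":
            whitelist.add(uid)
    return decisions, iptables_rules(whitelist)


# Constructed sample manifests (not real apps), keyed by invented app UIDs.
SAMPLE_APPS = {
    10021: """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
        package="com.google.android.example">
      <uses-permission android:name="android.permission.INTERNET"/>
      <uses-permission android:name="android.permission.READ_CONTACTS"/>
    </manifest>""",
    10042: """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
        package="com.example.bankhelper">
      <uses-permission android:name="android.permission.INTERNET"/>
      <uses-permission android:name="android.permission.READ_CONTACTS"/>
    </manifest>""",
    10057: """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
        package="com.example.weather">
      <uses-permission android:name="android.permission.INTERNET"/>
    </manifest>""",
}
```

Running `build_policy(SAMPLE_APPS)` keeps the Google app and the network-only weather app on the whitelist and denies the untrusted contacts-reading app.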
  • Re:No sandboxing? (Score:4, Interesting)

    by dumbnose ( 190140 ) on Sunday January 10, 2010 @06:49PM (#30717896)

    Sandboxing wouldn't help here. The app looks like your bank app. So, it just collects the information from you.

  • by mounthood ( 993037 ) on Sunday January 10, 2010 @07:06PM (#30718038)

    An iPhone-like vetting process would be "we'll reject it if we don't like the look of it". How about "Linux-distro style vetting process"?

    Multiple repositories solve part of the problem, but more than just vetting the repository as a whole we need to score/rank/blacklist/require individual applications and authors. What friends think of an application is much more important than the "average" score of everyone. IT departments need to add/update/remove applications for workers' phones, but also let the end user manage applications. Ban lists need to be available in a form that lets the end user (or their tech. support) decide what to trust.

    It's amazing that such a big industry has such crappy tools to manage applications. Making things "just work" for the end user does not need to mean a monopoly or tyrant controlling the (only) store.

  • Nothing new here (Score:2, Interesting)

    by Anonymous Coward on Sunday January 10, 2010 @07:07PM (#30718048)

    From time immemorial, bazaars have had pickpockets.

  • by sznupi ( 719324 ) on Sunday January 10, 2010 @07:11PM (#30718084) Homepage

    This is why we can't have nice things.

    And I'm sure US cellphone carriers can't wait for more malicious apps.

  • by Anonymous Coward on Sunday January 10, 2010 @07:24PM (#30718234)

    Even with vetting, it still won't keep a truly determined and malicious attacker away. Say someone makes an app that is popular and releases to the Android market. The only odd thing is that it asks for a lot of permissions. Lots of people download it, and it gains a cool buzz with nobody having problems with it, except for people who wonder about the huge amount of perms asked. But eventually people get to shrugging and continuing.

    Then the app maker releases an update and slings in the malicious code. It copies off the address book to a remote site to sell to targeted phishers. It sends text messages to shady places subscribing the phone network holder to numerous charge by month "services" (akin to the old modem dialers). It spawns a botnet client which can be used for spamming. It intercepts other apps to obtain their stored usernames and passwords which are used for ID theft attacks (the bogus "hey bud, I'm stuck, could you wire me $500?" which a lot of people on social networks fell for.)

    So, even though Android has a very good priv model, in theory, it can still be stung by someone who drops in their malware at a later date.

  • by beakerMeep ( 716990 ) on Sunday January 10, 2010 @07:36PM (#30718314)
    One of the things my bank does for their mobile banking application (which is contracted out to another company) is to give you a special code that is akin to an extra "mobile password." You get this code from the bank's website after putting in your mobile phone number. You then must enter it on your phone and "activate" that phone to access your account. At any time also, you can go into the website and "deactivate" the device. At no time do you ever enter your banking login details into your phone, only this special code which is tied to your phone number, mobile OS, and carrier (that you can deactivate at any time) is entered into your phone.

    It's not perfect security, but it certainly puts up a few more decent hurdles against phishing.
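The activation scheme described in the comment above, modelled as an added example of the bank-side bookkeeping; this is not the bank's or its contractor's code, and the design (a short single-use code with a time limit, a random device token bound to phone number, OS and carrier, and revocation from the website) is an assumption about how such a scheme can be built. Names, numbers and timestamps in the walkthrough are constructed.

```python
import secrets


class MobileActivationRegistry:
    """Bank-side state for the activation flow (assumed design, not the real one)."""

    def __init__(self, code_ttl_seconds=600):
        self._pending = {}   # activation code -> (customer, phone number, issued at)
        self._devices = {}   # device token -> binding record
        self._ttl = code_ttl_seconds

    def issue_code(self, customer, phone_number, now):
        """Step 1: on the website, a logged-in customer enters their phone number."""
        code = f"{secrets.randbelow(10 ** 8):08d}"   # short enough to type on a phone
        self._pending[code] = (customer, phone_number, now)
        return code

    def activate(self, code, phone_number, os_name, carrier, now):
        """Step 2: the phone presents the code plus its own identity, never the bank login."""
        entry = self._pending.pop(code, None)       # single use: a replayed code fails
        if entry is None:
            return None
        customer, expected_number, issued_at = entry
        if now - issued_at > self._ttl or phone_number != expected_number:
            return None
        token = secrets.token_hex(32)               # opaque bearer token for this device
        self._devices[token] = {
            "customer": customer,
            "fingerprint": (phone_number, os_name, carrier),
            "active": True,
        }
        return token

    def authorize(self, token, phone_number, os_name, carrier):
        """Step 3: later requests carry the token and must match the bound device."""
        binding = self._devices.get(token)
        return bool(binding and binding["active"]
                    and binding["fingerprint"] == (phone_number, os_name, carrier))

    def deactivate(self, customer, token):
        """Step 4: the customer revokes the device from the website (e.g. lost phone)."""
        binding = self._devices.get(token)
        if binding is None or binding["customer"] != customer:
            return False
        binding["active"] = False
        return True


def walkthrough():
    """Run the flow with constructed values and return what each step yields."""
    reg = MobileActivationRegistry()
    dev = ("+15555550100", "Android 2.1", "ExampleCarrier")
    code = reg.issue_code("alice", dev[0], now=1000)
    token = reg.activate(code, *dev, now=1030)
    results = {
        "activated": token is not None,
        "phone_authorized": reg.authorize(token, *dev),
        # the code is consumed on first use, so it cannot be replayed later
        "code_replay": reg.activate(code, *dev, now=1040),
        # the token is bound to the device profile, not usable from another handset
        "other_device": reg.authorize(token, dev[0], dev[1], "OtherCarrier"),
        "deactivated": reg.deactivate("alice", token),
        "after_deactivation": reg.authorize(token, *dev),
    }
    # a code left unused past its time limit is rejected as well
    stale = reg.issue_code("bob", "+15555550199", now=2000)
    results["stale_code"] = reg.activate(stale, "+15555550199", dev[1], dev[2], now=2700)
    return results
```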
  • by LostCluster ( 625375 ) * on Sunday January 10, 2010 @07:37PM (#30718322)
    And that's why certificates can be revoked, and apps can be pulled from the app store after the fact.
  • by Anonymous Coward on Sunday January 10, 2010 @07:44PM (#30718378)

    Any app that can read my contacts data, my calendar, my email, etc, is sure as hell not getting internet access for "usage statistics" or whatever other lame excuse they give.

    Usage statistics are the only reliable way to get real feedback about how actual users interact with the software (short of having a horde of QA testers that we can't afford). Some of the more useful things that my apps track (anonymized and with the terms stated clearly on install with an opt-out):

    (1) Which settings are most often changed, and to what. This helps us put the most-changed settings near the top and set better defaults. If a setting is changed back and forth a lot, that usually tells that the UI needs a widget to control that behavior.

    (2) Which functions are used most or used most together. This helps organize the UI in accord with the most common usage patterns. Many times, we will see that users do the same clusters of things over and over and that lets us combine those into a single task in some fashion.

    (3) What functions/options are almost never used, especially ones we had imagined would be useful. This is usually a sign that we have either totally dropped the ball on implementation or interface or that we don't understand the user's workflow.

    I will admit that this is largely a matter of trust between the developer and the user -- I really can't blame users that opt-out or firewall us because they really don't have a reason to trust us. That said, such distrust does deprive us of very important data that we use to improve our products. I just want to express my deep appreciation for all the users that have let us have their usage statistics -- we really do read and act on them!

  • Why bother? (Score:5, Interesting)

    by MikeFM ( 12491 ) on Sunday January 10, 2010 @07:47PM (#30718400) Homepage Journal
    If you really want to steal people's info just throw up a quick Magento site pretending to sell things at unlikely prices and submit a Froogle feed. Soon you'll be getting lots of orders and you can collect credit card numbers, addresses, etc to your heart's content and then disappear and repeat the process next week. Lots of people will give you their info without thinking about it.
  • by mlts ( 1038732 ) * on Sunday January 10, 2010 @07:53PM (#30718458)

    What I can see is that carriers would have their own Android app stores, similar to how one carrier in the US used to require not just Microsoft code certificates on signed executables, but the carrier's as well. If the app wasn't signed by a certificate either from the carrier, or a key allowed by the carrier, the app won't install on the phone. Of course, the certs can be yanked at a moment's notice.

  • by Anonymous Coward on Sunday January 10, 2010 @08:02PM (#30718516)

    I think it is natural to make the comparison, one of the only reasons that Apple has an advantage is because of the quality control it offers on its app store. Of course, until recently Apple didn't do any in app checking, to find out what exactly the app was doing.

    And of course you are happy, until you get your information stolen. You might not even realise it, and even when you do, it would be hard to link it to a phone application rather than one of the usual methods.

    I find your comment very odd, it adds nothing to the conversation, and complains about the obvious comparison that someone made, and that everybody was thinking about. Android army or just moron?

  • by BronsCon ( 927697 ) <social@bronstrup.com> on Sunday January 10, 2010 @08:10PM (#30718568) Journal

    Do the Underhanded C Contest and Obfuscated C Contest ring any bells?

    Even review of every line isn't enough. But it's better than what closed source can offer.

  • by SQLGuru ( 980662 ) on Sunday January 10, 2010 @08:17PM (#30718614) Journal

    The very same argument has been made as to why the XBox online experience is better than the PS3 or Wii. With MS, the control is in place. To participate, you have to accept the control (ask those banned due to hacked boxes). It's also why the PS network is getting some level of premium status to help curtail some of the problems related to that.

    Apple's control is great in terms of keeping the store "clean", but the process they put in place didn't anticipate the number of submissions, overwhelming them. Resulting in slow acceptance times, bogus rejections, etc. Someone will need to figure out a happy medium in terms of control and flexibility.

  • by RobertM1968 ( 951074 ) on Sunday January 10, 2010 @09:19PM (#30718950) Homepage Journal

    I think it is natural to make the comparison, one of the only reasons that Apple has an advantage is because of the quality control it offers on its app store. Of course, until recently Apple didn't do any in app checking, to find out what exactly the app was doing.

    "Until recently"? So, in other words, it took them years, while Google has been at this for a lot less time? I am sure they will learn from their mistakes.

    Yet it seems apps that Apple think are bad have slipped through from time to time. That was my point. The comparison would be great if it didn't cover the fact that until recently, such protections weren't in place, and things still slip through now and then.

    And of course you are happy, until you get your information stolen. You might not even realise it, and even when you do, it would be hard to link it to a phone application rather than one of the usual methods.

    I use a very small list of apps, because I am aware of the dangers. The vast majority of those apps are made by Google - thus making their use no more dangerous than my regular online "Google Experience" where they have access to the same exact info.

    I find your comment very odd, it adds nothing to the conversation, and complains about the obvious comparison that someone made, and that everybody was thinking about. Android army or just moron?

    Really? You cited some reasons why my comment wasn't "very odd" in pointing out that it took a couple years for Apple to make changes to try to prevent such things from occurring.

    But that aside... perhaps they should have learned from Apple's mistakes and Apple's improvements by instituting an app marketplace where each app is verified to do only what it claims to do, this could have been prevented.

    Because, yes, they shoulda learned... this has already been done, and done better... with their experience in the online area, they shouldn't be playing catch-up to Apple or anyone else.

    I just found it odd for someone to jump right on the Apple iPhone vs Android soapbox so quickly without much else to contribute.

    My take would have been more along the lines above, indicating I hope they've learned from both this experience and Apple's - and that they are making a concerted effort to start checking the 20,000 other apps on the app store.

  • by brit74 ( 831798 ) on Sunday January 10, 2010 @09:39PM (#30719056)

    Open source is another way to stop malware... not every user looks at the source, but enough curious ones will put out the warning should anything not be as it's marked.

    Out of curiosity, what's to stop this situation: I build a "custom" version of an open-source application that includes a trojan. Maybe I use the application's original name, or maybe I add a few features/artwork and call it something different? People are just grabbing the exes, after all, and not building their own copy from the source.

  • by Anonymous Coward on Sunday January 10, 2010 @09:40PM (#30719058)

    My biggest fear is that a malicious app ends up in the fledgling Android modding community. This would bring bad press, just like the ssh password brought a lot of negative press to the iPhone jailbreak scene. Android modders are concerned right now about people who don't know the consequences of rooting a device [1] causing malware infestations. Bad press about rooted phones would give cellphone carriers and phone manufacturers more reason to have more Draconian means of ensuring their phone offerings do not get rooted (TPMs), or just abandoning Android altogether and championing a closed OS.

    [1]: For most things, you don't need to root an Android phone. In general, if you want a dedicated feature, such as cooking and testing custom ROMs, running Android apps on the memory card, or enabling swap space, go for it. However, rooting an Android device "just because" is not really needed, and could be dangerous. Especially by people who don't know the ramifications of the "#" prompt and why it isn't good to use it 24/7.

  • Re:Why bother? (Score:3, Interesting)

    by Mr2001 ( 90979 ) on Sunday January 10, 2010 @09:43PM (#30719072) Homepage Journal

    Sorry, stores need crypto signatures or you get browser warnings.

    So what? It's not hard to get an SSL certificate.

  • by Anonymous Coward on Sunday January 10, 2010 @10:19PM (#30719226)

    Simple. Time delay. Be like a trojan. Wait. Act nice. Then MAUL. Don't do it on all. Do it on 1% of the installs. NO ONE WILL BE THE WISER. Because, after all, you are ALL DUMBASSES !! What you do, that's your business.

  • by LostCluster ( 625375 ) * on Sunday January 10, 2010 @10:48PM (#30719380)

    Suddenly your .exe doesn't match the MD5 hash of the real program. People will notice.

  • by dangitman ( 862676 ) on Sunday January 10, 2010 @11:04PM (#30719430)

    Basically, there's nothing in the app description or screenshots to suggest that the application, which uses only publicly available knowledge, violates any of the terms of Apple's app policy.

    What about the "we may reject your application for any reason whatsoever" clause of Apple's policy?

  • by Miamicanes ( 730264 ) on Monday January 11, 2010 @12:34AM (#30719896)

    > Like any GSM/UMTS network in the world?

    You're forgetting that GSM/UMTS phones won't do 3G on any network in America unless they happen to support 850/850 or 1700/2200 uplink/downlink. AFAIK, the US is the only country on earth that does 850/850 and 1700/2200 UMTS. I don't even think *Canada* uses those frequencies. For all intents and purposes, the only phones that support 850/850 UMTS are sold by AT&T Wireless, and the only phones that support 1700/2200 are sold by T-Mobile. So much for interoperability. A "global" phone that supports only 1900/2100 UMTS will give you blazingly-fast 19.2kbit/sec GPRS in America (or serve a more useful purpose as a paperweight in windy weather).

    It's sad, but right now, Verizon is ironically the most interoperable carrier in America, just because you can theoretically reflash the Sprint twin of a Verizon phone with Verizon firmware and they'll let you use it if you can figure out how to do it on your own, without any help from them. It's a piss poor, sad excuse for interoperability, but just goes to show how dire the wireless situation *is* in the United States.

  • by _KiTA_ ( 241027 ) on Monday January 11, 2010 @01:33AM (#30720138) Homepage

    It's prudent to note that Avira anti-virus used to be called "AntiVir"...but I'm pretty certain you're not talking about the same people..

    Right. There's a rogue called AntiVir as well.

    Nowhere near as annoying as the "heck with it, just backup and OSRI"-worthy "Internet Security 2010", however.

  • by SuperKendall ( 25149 ) on Monday January 11, 2010 @01:40AM (#30720184)

    Assuming the app appears to do something 'real' [which I assume it does, as people download and use it], you can have the app access a web page that tells the app if it should harvest data or not. You simply don't enable the harvesting until after Apple has accepted it into the App Store.

    And then what do you do about the fact that you have given Apple an address they have verified, and paid for a $99 developer account via some means they can track back to you, along with probably given them your bank account number and routing code?

    That's a lot of exposure for a scam that's likely to be shut down in under a day.

  • by tftp ( 111690 ) on Monday January 11, 2010 @02:07AM (#30720294) Homepage

    What makes "mobile" so different from the desktop?

    • Availability of the phone. A mobile phone is likely to be owned by a large number of people, with all levels of computer knowledge. Many phone owners neither own a computer nor know how to use it safely.
    • Availability of apps. A computer user is less likely to install random apps just because he is bored. That happens, but usually computer owners install apps because they need them. Mobile phone owners are likely to install apps just to see what they do - especially when the price is low or zero.
    • Availability of secrets. Many computers do not contain anything particularly secret. More and more computer owners use Web based email, that moves the contact list and emails off of the PC. Usually a computer can't be tied to any specific person. A computer usually runs a firewall and an antivirus / malware checker that is updated at least daily. However, a mobile phone definitely has the contact list, and other important, personally identifying information is also available through a well known API. The phone has no antiviruses, so a trojan is perfectly safe on a phone.
  • by ibsteve2u ( 1184603 ) on Monday January 11, 2010 @02:27AM (#30720376)

    I note that searches of Secunia, SANS.org, and CERT don't return any mention of it, which is curious given that the...alert...began spreading on or about the 3rd of December, 2009 according to a date-sorted Google search (who is Jeremy Allexon?) [google.com]. Said search likewise fails to turn up any sources which I would call "authoritative".

    Given the nature of corporate competition...

  • by mjwx ( 966435 ) on Monday January 11, 2010 @04:04AM (#30720762)

    And that's why certificates can be revoked, and apps can be pulled from the app store after the fact.

    And applications can be pulled from the Android Market after the fact, which frankly is terrible security.

    Apple's security model is still far inferior to Android's. Apple have a gateway only approach, Apple decides what does and does not run on iPhones remotely and forgoes any local security, Android has a limited gateway and local security approach, Google can revoke malicious applications and make them go through some kind of testing beforehand (probably what Google will end up doing, limited semi/completely automated testing to check for obvious problems) and then you have local security on the device. The idea is that no program is trusted. Now with Apple you have a single point of failure, if a self replicating virus/trojan gets past Apple then it's over unless Apple uses the kill switch, if the kill switch works. With Android if a virus/trojan can replicate you still need each user to authorise install on each device.

    You will also have more people watching Android applications, Google are quite open to security being questioned whereas it is tantamount to heresy to even suggest that Apple has insecurities (and I'm certain some fanboys are frothing at the mouth reading this and typing an incoherent rant). The false sense of security that surrounds Apple is far more dangerous than the open nature of Android or the Android marketplace.

  • by richaemry ( 1537085 ) on Monday January 11, 2010 @07:05AM (#30721386)

    I agree with you, but your analogy is faulty. The Xbox Live experience is better because MS is a software company, and Sony is a hardware company.

    A better analogy is why Ubuntu is more n00b friendly than its parent Debian. The centralized control mechanisms which vet systems before they are implemented from a small group with a specific purpose in mind which does not include doing absolutely everything possible. However I do believe an attack like this is possible, but not probable on the iPhone due to the nature of the people at Apple. Also if this did succeed they would just sue them into the ground and get them and all their associates imprisoned, also due to the nature of the people at Apple.

  • by Skater ( 41976 ) on Monday January 11, 2010 @09:03AM (#30721816) Homepage Journal

    Want to unlock this app, $5 a month please.

    If Verizon does that, AT&T will be quick to point it out in the ads. Somehow, I don't think Verizon is quite that stupid, although I could be totally wrong.

    Yes, they are that stupid, but like the other response said, there is no real competition between providers. Verizon has been doing this with their BREW system for years. Some apps have both a "permanent" subscription option and a monthly subscription option, but there are others that are monthly only, such as the navigation application. I bought a permanent license for Tetris for $6 years ago, on my previous phone, instead of paying $1.99/month for it. (Of course, Tetris didn't carry over to my new phone with Verizon, which is why I have the word permanent in quotes.)

  • by Bakkster ( 1529253 ) <Bakkster,man&gmail,com> on Monday January 11, 2010 @09:24AM (#30722028)

    would you care to elaborate on PSN vs Live ??? Live has nothing more to give than PSN except the cost (I don't see the added value to justify that) Frankly I fail to see a relation between the matter at hand and that.

    On Live, if you get banned for violating their ToS (for example, hacking your box, cheating, sufficient complaints of racism) then you are banned from all online play. On the PS3, Sony does not (to my knowledge) participate in the ban process except for their own services. So, if you get banned from Home for racism you can still play all your other games online. Each game needs to ban you individually, thus fewer asshats will be banned for any particular game.

    Even the cost itself helps here. If someone gets banned from PSN for cheating, they can just make another free account. If someone gets banned from XBL, they must pony up cash to create a new account, giving a monetary disincentive not to cheat.

  • Re:Why bother? (Score:3, Interesting)

    by Svartalf ( 2997 ) on Monday January 11, 2010 @09:25AM (#30722038) Homepage

    Uh... NO.

    This alone says a bit.

    This is a bit more disturbing.

    But the ability to generate a rogue CA cert [win.tue.nl] kind of nukes the claims you just made from orbit- just to be sure.

    In short, it's NOT hard to get an SSL cert of that nature- just not as easy as snapping one's fingers.

  • by Bakkster ( 1529253 ) <Bakkster,man&gmail,com> on Monday January 11, 2010 @09:30AM (#30722098)

    You are blaming Sony for a lack of control of their hardware? That should be a first here.

    No, control on their network. MS only has control over their hardware in as much as they can limit access to their network capabilities. However, more importantly, they can use this same control to limit any ToS violation, particularly cheating, while any mechanism on PSN can be easily circumvented with a new account.

  • by mdwh2 ( 535323 ) on Monday January 11, 2010 @10:09AM (#30722550) Journal

    I think people are missing the point here - this isn't about a malicious app on some random website, with people saying "Well it wouldn't happen with Apple, because you can only run what they allow you", it's about a product on Google's App Store.

    AFAIK, they can and do control what goes on here - the problem was they failed to spot it.

    So what this shows is that relying on app stores isn't necessarily safe after all - personally I prefer the freedom to download from where I like, as offered by Android, Symbian, Linux, Windows and every OS on the planet except You Know What.

  • by Anonymous Coward on Monday January 11, 2010 @10:23AM (#30722742)

    Every app for Android must be signed. It's free to do so, but the only thing missing is a web of trust.
