Google Play Malware Used Phones' Motion Sensors To Conceal Itself (arstechnica.com)
An anonymous reader quotes a report from Ars Technica: Malicious apps hosted in the Google Play market are trying a clever trick to avoid detection -- they monitor the motion-sensor input of an infected device before installing a powerful banking trojan to make sure it doesn't load on emulators researchers use to detect attacks. The thinking behind the monitoring is that sensors in real end-user devices will record motion as people use them. By contrast, emulators used by security researchers -- and possibly Google employees screening apps submitted to Play -- are less likely to use sensors. Two Google Play apps recently caught dropping the Anubis banking malware on infected devices would activate the payload only when motion was detected first. Otherwise, the trojan would remain dormant.
Security firm Trend Micro found the motion-activated dropper in two apps -- BatterySaverMobi, which had about 5,000 downloads, and Currency Converter, which had an unknown number of downloads. Google removed them once it learned they were malicious. The motion detection wasn't the only clever feature of the malicious apps. Once one of the apps installed Anubis on a device, the dropper used requests and responses over Twitter and Telegram to locate the required command and control server. Once Anubis was installed, it used a built-in keylogger that can steal users' account credentials. The malware can also obtain credentials by taking screenshots of the infected users' screen.
It's not the OS but the input (Score:4, Interesting)
This isn't possible with iOS because both the simulator and phone run the same OS: Mac OS
It's not about the operating system. If I run an Android device simulator under GNU/Linux, it's still Linux on the outside and Linux on the inside. It's about using motion input to distinguish a physically mobile device from one chained to a desk or a server rack. To put it another way: To what extent does running an app in the simulator on an iMac produce motion inputs indistinguishable from those of an iPhone? It'd have to produce, say, minute motions of the device itself when its screen is tapped.
But..what about the impacted users? (Score:2)
The garden wall provides no safety. (Score:5, Insightful)
I think it's time to officially declare walled garden computing a failure from a security standpoint. Malware has had little trouble getting inside, and then the fact that it's inside the supposedly safe garden lulls users into a false sense of security. The only thing the walled garden has succeeded in doing is enriching the gatekeepers and disempowering the users.
Re:The garden wall provides no safety. (Score:4, Insightful)
Android isn't a walled garden - as an OS it's open (albeit needing to have each source whitelisted). Google as a curator of applications is a failure (and there is no reason to expect Amazon or others are better). However, the OS is pretty open.
Apple seems to have their walled garden in order, and their OS is more locked down.
Of course, the "walled garden" on phones before, without allowing random third party devs, worked fine on the older phones. I mean, you don't have many apps, but it was safe.
Comment removed (Score:5, Insightful)
Re: (Score:2)
At the end of the day, you're not just paying for a device, but a service.
Let's run with this analogy. Say I want portable video gaming with physical buttons, which fit some game genres better than the flat sheet of glass that is the input device included with an iPhone or Android phone. But I don't want a Nintendo 3DS or Nintendo Switch because I don't want the service of Nintendo imposing limits on what scenarios may and may not appear in a game. Which handheld device isn't made to impose this unwanted service?
Re: (Score:2)
Re: (Score:2)
Let me rephrase how I understood your post: "Any company disagreeing with Nintendo's monopoly on handheld gaming with buttons ought to be building and selling its own hardware." Do I understand you correctly?
Re: (Score:2)
Re: (Score:2)
What resources are recommended for a startup video game developer that is getting into the handheld gaming hardware market for the first time?
Re: (Score:2)
If you insist, you can get something like this:
https://pyra-handheld.com/boards/pages/pyra/
All the buttons you could ever want, and no walled garden at all.
Re: (Score:2)
Don't like walled gardens, then don't support a company that enforces them. It's that simple.
This is quite an ignorant statement. It pretends to not be aware that we don't live in a world where users have an actual choice. The walled gardens Google and Apple have created are for their own benefit, not due to user demands. We already have tools for dealing with malware by using firewalls and sandbox environments on "normal" operating systems. The lip service Apple and Google pay to guarding against malware in their gardens is just because they've denied us the ability to protect ourselves. They
Re: (Score:2)
Re: (Score:2)
Re: (Score:3)
What does Google do once they find this? The walled garden requires, in theory, that you know who the author is. Does Google try to prosecute the hackers? Of all the companies on Earth who should be able to track someone down, Google and Facebook seem like they could do it.
Re: (Score:2)
While you're certainly espousing a popular sentiment, the facts don't bear out anything you've said.
Take a look at the mobile [statista.com] malware [computerworld.com] reports [forbes.com] from the last few years and if you parse through the details you'll see two consistent trends:
1) Android accounts for the vast majority of malware—about 98% in 2013, rising to within a rounding error of 100% at this point—but that...
2) Nearly all Android malware is coming from sources outside the Google Play Store, mostly via stores in the Middle East and
Re: (Score:2)
I don't see how the existence of a huge amount of malware outside of the walled garden suggests that the inside is safe because it has less, when that number is still enormous, and the primary security purpose is to be free of malware. That's like saying that a submarine that's half full of water has a good functioning hull because it has a much lower percentage of water than the outside ocean. It's like saying that a zoo with five lions running loose in the guest areas has good containment because there ar
Re: (Score:2)
Those aren't ridiculous exaggerations at all. The walled garden's security is just as broken as the flooding submarine or the lion's buffet zoo. But those analogies do fail to account for the downsides of using these things at all when they weren't necessary. It's as if to protect people's safety, we've replaced snorkeling with a submarine and walking in nature with a zoo, causing people to leave their lifevests and rifles respectively at home, only to suffer these terrible problems.
You activities, the wall
Re: (Score:2)
I don't see how the existence of a huge amount of malware outside of the walled garden suggests that the inside is safe because it has less
I see you enjoy moving goalposts. After all, your original assertion (see: subject line) was that "the garden wall provides no safety"—none—which is a patently false claim, but now you're trying to argue that they don't provide enough safety, which is a subjective claim for which you provide no evidence, other than an unspecified but "enormous" amount of malware that is apparently still getting in, despite the links I just provided that seem to contradict that notion.
That's like saying that a submarine that's half full of water has a good functioning hull because it has a much lower percentage of water than the outside ocean.
Not even close. While there
Re: (Score:2)
Well yes if you want to nitpick, I wasn't literally correct to say "no safety" if you compare the safety of a person installing any random app from inside vs. outside the app store, although that's not something a person will normally do. Similarly in my analogies, of course you'd be in more danger inside the lion cage or strapped to the outside of the submarine. If you assume a person would be stupid enough to go there, which they generally aren't.
Title nitpicking aside, you'd have a good argument if you h
Re: (Score:2)
Title nitpicking aside, you'd have a good argument if you had the scale of the malware problem in app stores correct. Which you didn't...you were at least a couple of orders of magnitude low:
I'm not seeing it. Quite the opposite, actually, since your links mention 7, 145, and "more than 50" instances of malware apps making it into the stores, all of which fall in line with my statement that out of the hundreds of thousands of apps that are submitted for review each year, there are "only a few hundred [instances of malware] most years". If anything, your links would suggest that I might have overstated that aspect of the malware problem by an order of magnitude.
That said, it seems like you may b
Re: (Score:2)
Never say never. Walled gardens provide SOME security. No system is perfect. This is as useless as saying "Locks provide no safety. Break-ins still happen." or "Seat belts provide no safety. People still die in car crashes."
"I think it's time to officially declare walled garden computing a failure from a security standpoint."
Well then, by your logic, I guess we can declare EVERYTHING EVER MADE a failure from a security standpoint because exploits still happen, right?
Follow-up question: are walled gardens more secure, about the same as, or less secure than totally open systems?
Time to randomize the sensor inputs in the simu (Score:1)
and other stuff like that.
And by randomize I mean to filter it into something that looks like it is being used for real, not just completely random crap.
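The summary describes a dropper that stays dormant until the accelerometer reports motion, and this post proposes feeding the analysis emulator realistic (not random) sensor data so that check no longer distinguishes the sandbox from a handset. The following is an added example, not code from the article, Trend Micro or the poster: it synthesises a plausible hand-held accelerometer stream, contrasts it with the constant gravity vector an idle emulator reports, and renders the samples as Android emulator console `sensor set acceleration x:y:z` lines (the console syntax is assumed from the emulator's documented command set). The `motion_detected` heuristic is a constructed stand-in for the kind of gate described in the article, used here only to verify the sandbox stream would pass it.

```python
"""Constructed sandbox helper: realistic accelerometer data for emulator analysis."""
import math
import random

GRAVITY = 9.81  # m/s^2; a device lying still reports this on one axis


def idle_emulator_stream(n):
    """What a stock emulator reports: a fixed gravity vector with no jitter."""
    return [(0.0, GRAVITY, 0.0)] * n


def handheld_stream(n, seed=1):
    """Synthetic hand-held signal: slow tilt drift, tremor noise and periodic taps.
    Values are constructed, not recorded from a real device."""
    rng = random.Random(seed)
    samples = []
    tilt = 0.0
    for i in range(n):
        tilt += rng.gauss(0, 0.002)            # holding angle drifts slowly
        gx = GRAVITY * math.sin(tilt)          # gravity rotates between x and y
        gy = GRAVITY * math.cos(tilt)
        tap = rng.uniform(0.5, 1.5) if i % 50 == 25 else 0.0  # a screen tap
        samples.append((gx + rng.gauss(0, 0.03),
                        gy + rng.gauss(0, 0.03) + tap,
                        rng.gauss(0, 0.03)))
    return samples


def motion_detected(samples, threshold=0.2):
    """Stand-in for a motion gate: does the acceleration magnitude vary at all?"""
    mags = [math.sqrt(x * x + y * y + z * z) for x, y, z in samples]
    return (max(mags) - min(mags)) > threshold


def emulator_console_commands(samples):
    """Render samples as emulator console lines (assumed syntax: sensor set acceleration x:y:z)."""
    return ["sensor set acceleration %.3f:%.3f:%.3f" % s for s in samples]


if __name__ == "__main__":
    print("idle emulator passes motion gate:", motion_detected(idle_emulator_stream(200)))
    print("synthetic hand-held passes motion gate:", motion_detected(handheld_stream(200)))
    for line in emulator_console_commands(handheld_stream(3)):
        print(line)
```

Replaying the generated lines through the emulator console (for example via `adb emu`) during dynamic analysis is the practical form of the "filter it into something that looks real" idea.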
Reviews for the app (Score:4, Funny)
The reviews for the app reveal several levels of stupidity:
Reviewer 1: "Just started using still unknown"
Reviewer 2: "you are asking me and I just now installed the app"
^^^ Facepalm 1: Then why did you post the review??
^^^ Facepalm 2: Why does Android prompt people to review apps just after they installed them?
Reviewer 3: "Thanksgiving"
Reviewer 4: "Totally awesome"
^^ WTH?
Re: (Score:1)
My bet: your Facepalm #2, where apps immediately prompt you for a review.
At this point, I've given up on apps. Most of them are written by assholes and offer little value, or as we see constantly, outright malicious.
To me, grabbing a random app with a relativ
Re: (Score:1)
>>> Why does Android prompt people to review apps just after they installed them?
Because people buy apps for the attention, not the app.
Contacting Infected Users? (Score:2)
Does Google or Apple make any effort to contact the infected users when they find malicious apps? Seems like it would be the right thing to do.
Clever girl (Score:3)
Re: (Score:1)