Android Security is a Hot Mess (yet Again)
Google’s Android smartphone platform is under fire again. Hundreds of “legitimate” apps have been infected with malicious third-party libraries—and not for the first time. These apps account for more than 320 million downloads.
The so-called SimBad and Operation Sheep SDKs are malicious, according to researchers. They’re able to phish, steal data and pop up ads over other apps.
Google keeps talking a grand talk, but is it proactive enough about nuking malware in the Play Store? In today’s SB Blogwatch, we avoid an Android army ambush.
Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: nun rules.
Nuke it from Orbit
What’s the craic, Zack Whittaker? “New Android adware found in 200 apps on Google Play”:
Security researchers have found a new kind of mobile [malware] hidden in hundreds of Android apps [which have been] downloaded more than 150 million times from Google Play. The malware [is] masquerading as an ad-serving platform, dubbed SimBad.
…
Likely unbeknownst to the app developer, [it] would open a backdoor to install additional malware as a way to outsmart Google’s app store scanning … and persists in the background.
…
A Google spokesperson … did not provide comment. The search giant typically doesn’t discuss app removals, largely because it’s an issue that keeps occurring. … Google’s official figures put the number of apps it removed last year at about 700,000.
How many apps are we talking about? Jon Fingas fingers the number—Google pulled 210 apps carrying ‘SimBad’:
As much as Google has done to keep malware out of the Play Store, some notable examples still get through. … Unfortunately, these weren’t just specialty apps with few users. … the largest (Snow Heavy Excavator Simulator) had over 10 million [downloads].
…
SimBad may have been difficult to stop compared to some malware, since it was piggybacking on otherwise legitimate apps. … Even so, this illustrates a familiar problem with the Play Store.
Who discovered it? Check Point’s Elena Root and Andrey Polkovnichenko:
The malware resides within the ‘RXDrioder’ Software Development Kit (SDK), which is provided by ‘addroider.com’ as an ad-related SDK. We believe the developers were scammed … leading to the fact that this campaign was not targeting a specific country or developed by the same developer.
…
After installation, the malware connects to the designated Command and Control (C&C) server, and receives a command to perform. [It] comes with a … list of capabilities … such as removing the icon from the launcher, thus making it harder for the user to uninstall. [It] has capabilities that can be divided into three groups – Show Ads, Phishing, and Exposure to other applications.
…
The actor behind ‘SimBad’ can generate phishing pages for multiple platforms and open them in a browser, thus performing spear-phishing attacks on the user. … The actor can even take his malicious activities to the next level by installing a remote application from a designated server, thus allowing him to install new malware.
…
The domain expired 7 months ago. As a result, it may be that we are looking into a compromised, parked domain that was initially used legitimately, but is now participating in malicious activities.
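Of the SimBad capabilities Check Point lists, removing the icon from the launcher is one a defender can check for on a device, because Android records a disabled launcher activity in the output of `adb shell dumpsys package` under that package's `disabledComponents` list. The triage script below is an added example, not code from the Check Point report or from any tool named on this page; the dumpsys excerpt and the package names are constructed, its layout approximates real dumpsys output, and the map of launcher activities stands in for what you would collect from each app's manifest.

```python
import re

# Constructed excerpt in the shape of `adb shell dumpsys package` output.
# The layout approximates the real per-user block; package names are invented.
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.example.excavator] (1a2b3c):
    userId=10123
    User 0: ceDataInode=0 installed=true hidden=false suspended=false stopped=false notLaunched=false enabled=0 instant=false
      disabledComponents:
        com.example.excavator.MainActivity
      enabledComponents:
        com.example.excavator.sdk.AliasActivity
  Package [com.example.notes] (4d5e6f):
    userId=10124
    User 0: ceDataInode=0 installed=true hidden=false suspended=false stopped=false notLaunched=false enabled=0 instant=false
      disabledComponents:
        com.example.notes.DebugActivity
  Package [com.example.clean] (7a8b9c):
    userId=10125
    User 0: ceDataInode=0 installed=true hidden=false suspended=false stopped=false notLaunched=false enabled=0 instant=false
"""

# Constructed map of each package's MAIN/LAUNCHER activity, as you would
# collect it from the app's manifest (assumption: one launcher per package).
LAUNCHERS = {
    "com.example.excavator": "com.example.excavator.MainActivity",
    "com.example.notes": "com.example.notes.MainActivity",
    "com.example.clean": "com.example.clean.MainActivity",
}

PKG_RE = re.compile(r"^\s*Package \[([\w.]+)\]")


def parse_disabled_components(dumpsys_text):
    """Return {package: set(component names)} listed under disabledComponents."""
    result = {}
    current = None
    section = None
    for line in dumpsys_text.splitlines():
        m = PKG_RE.match(line)
        if m:
            # A new "Package [...]" header starts a fresh record.
            current = m.group(1)
            result[current] = set()
            section = None
            continue
        if current is None:
            continue
        stripped = line.strip()
        if stripped == "disabledComponents:":
            section = "disabled"
            continue
        if stripped.endswith(":"):
            # Any other list header (e.g. enabledComponents:) ends the list.
            section = None
            continue
        if section == "disabled" and stripped:
            result[current].add(stripped)
    return result


def hidden_launchers(dumpsys_text, launchers):
    """Packages whose launcher activity has been disabled at runtime.

    A legitimate app rarely disables its own MAIN/LAUNCHER activity; an app that
    does has made itself invisible in the app drawer, which is the behaviour
    Check Point describes for SimBad.
    """
    disabled = parse_disabled_components(dumpsys_text)
    return sorted(
        pkg for pkg, activity in launchers.items()
        if activity in disabled.get(pkg, set())
    )


if __name__ == "__main__":
    for pkg in hidden_launchers(SAMPLE_DUMPSYS, LAUNCHERS):
        print("launcher icon hidden:", pkg)
```

On a real device, save `adb shell dumpsys package` to a file and pass its contents in place of the constructed excerpt. A disabled launcher activity is only one of the indicators in the report; an app that keeps its icon but still talks to a command-and-control server will not be flagged by this check.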
But it gets worse. Naveen Goud worries about another malware SDK—Operation Sheep:
[In] the data-stealing cyber attack campaign dubbed ‘Operation Sheep’ … Android apps are massively harvesting contact info on mobile phones. … 12 different apps were found using a data-scraping Software Development Kit (SDK) … downloaded more than 111 million times.
Ouch. Subrahmanyam KVJ—@SuB8u—tweets a familiar refrain:
Friends don’t let friends buy Android phones.
Anyone saying Android isn’t a mess is delusional. Google can’t control it because it’s too fragmented and quite frankly badly managed.
Time to install an anti-malware app? Not so fast, says Paul Wagenseil—“Two-Thirds of Android Antivirus Apps Are Total BS”:
Most of the Android antivirus apps in the Google Play store are a complete waste of time and money, and some even make your phone more likely to be infected. … AV-Comparatives tested 250 antivirus apps in Google Play against 2,000 malware samples.
…
Most Android antivirus apps are phony, and many of them seemed to have been created only to display ads or promote a developer’s career. [Even] Google’s own Play Protect … did poorly, with a detection rate of only 69 percent.
So this Anonymous Coward adds 2+2:
And this is surprising . . . . . why?
This is what happens when you create an environment based on “give everything away for free and make money from advertising.”
But is Apple’s store any better? dcw3 shines a light on the situation:
Have you ever tried searching for “Flashlight” on iTunes? How many apps are there?
…
It’s the same junkware on the Apple store as the Google store.
Meanwhile, I found this insightful—if mildly depressing—comment by found404:
When will Google rain down hell and fury at this nonsense? When will our own government take action against this reckless and fraudulent activity?
…
This is just another example of the ****show we’re all living through.
And Finally:
Life rules from a nun (my favorite is #4)
You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites… so you don’t have to. Hatemail may be directed to @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. E&OE.
Image source: Rob Bulmahn (cc:by)