

Serious Android Security Risk in Fully Patched Phones


5 replies to this topic

#1 LFC

    Fiscal Conservative

  • Members
  • 31793 posts
  • Location: Pennsylvania

Posted 03 December 2019 - 11:57 AM

Android phones have a serious security flaw that is already being exploited by at least 36 malware apps.

Quote

A vulnerability in millions of fully patched Android phones is being actively exploited by malware that's designed to drain the bank accounts of infected users, researchers said on Monday.

The vulnerability allows malicious apps to masquerade as legitimate apps that targets have already installed and come to trust, researchers from security firm Promon reported in a post. Running under the guise of trusted apps already installed, the malicious apps can then request permissions to carry out sensitive tasks, such as recording audio or video, taking photos, reading text messages or phishing login credentials. Targets who click yes to the request are then compromised.

Researchers with Lookout, a mobile security provider and a Promon partner, reported last week that they found 36 apps exploiting the spoofing vulnerability. The malicious apps included variants of the BankBot banking trojan. BankBot has been active since 2017, and apps from the malware family have been caught repeatedly infiltrating the Google Play Market.

The vulnerability is most serious in versions 6 through 10, which (according to Statista) account for about 80% of Android phones worldwide. Attacks against those versions allow malicious apps to ask for permissions while posing as legitimate apps. There's no limit to the permissions these malicious apps can seek. Access to text messages, photos, the microphone, camera, and GPS are some of the permissions that are possible. A user's only defense is to click "no" to the requests.

" 'Individual conscience' means that women only get contraceptives if their employers, their physicians, their pharmacists, their husbands and/or fathers, pastors, and possibly their mayors, Governors, State Secretaries of Health, Congressmen, Senators, and President all agree that in that particular case they're justifiable." --D.C. Sessions

"That's the problem with being implacable foes - no one has any incentive to treat you as anything more than an obstacle to be overcome."

"The 'Road to Serfdom' is really all right turns." --Progressive Whisperer

"The GOP ... where every accusation is also a confession." --Progressive Whisperer
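The quoted article's point is that the spoofing attack only pays off once the user has clicked "yes" to a permission request, so the defensive question on an already-set-up phone is: which installed packages currently hold the high-risk permissions the article lists (SMS, storage/photos, microphone, camera, location)? The script below is an added example, not code from the Promon or Lookout write-ups. It parses the per-package `runtime permissions:` section of `adb shell dumpsys package` output and ranks packages by how many high-risk grants they hold. The sample text is constructed to approximate that output (the exact layout varies between Android releases), and the package names in it are invented; the permission identifiers are real Android permission names.

```python
"""Audit which installed Android packages hold high-risk runtime permissions.

Added example (not from the article quoted above). Parses the
"runtime permissions:" block that `adb shell dumpsys package` prints per
package. SAMPLE_DUMPSYS below is CONSTRUCTED to approximate that format; the
real layout differs somewhat across Android versions, so treat the regexes
as a starting point and check them against your own device's output.
"""
import re
from collections import defaultdict

# The permission categories the quoted article says the malicious apps ask
# for: text messages, photos/storage, microphone, camera and GPS.
HIGH_RISK = {
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.RECORD_AUDIO",
    "android.permission.CAMERA",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.READ_EXTERNAL_STORAGE",
}

# Constructed sample: three invented packages in dumpsys-like layout.
SAMPLE_DUMPSYS = """\
Package [com.example.bank] (1a2b3c):
    userId=10142
    install permissions:
      android.permission.INTERNET: granted=true
    runtime permissions:
      android.permission.CAMERA: granted=true, flags=[ USER_SET ]
      android.permission.READ_SMS: granted=false, flags=[ USER_SET ]
Package [com.example.flashlight] (4d5e6f):
    userId=10201
    install permissions:
      android.permission.INTERNET: granted=true
    runtime permissions:
      android.permission.CAMERA: granted=true, flags=[ USER_SET ]
      android.permission.RECORD_AUDIO: granted=true, flags=[ USER_SET ]
      android.permission.READ_SMS: granted=true, flags=[ USER_SET ]
      android.permission.ACCESS_FINE_LOCATION: granted=true, flags=[ USER_SET ]
Package [com.example.notes] (7a8b9c):
    userId=10333
    runtime permissions:
      android.permission.READ_EXTERNAL_STORAGE: granted=true, flags=[ USER_SET ]
"""

PKG_RE = re.compile(r"^Package \[([^\]]+)\]")
PERM_RE = re.compile(r"^\s+(android\.permission\.[A-Z_]+): granted=(true|false)")


def parse_granted(dumpsys_text):
    """Return {package: set of runtime permissions currently granted}.

    Install-time permissions (e.g. INTERNET) are deliberately ignored: they
    are never shown to the user as a prompt, so they are not what the
    article's "click no" defence is about.
    """
    granted = defaultdict(set)
    pkg = None
    in_runtime = False
    for line in dumpsys_text.splitlines():
        m = PKG_RE.match(line)
        if m:                      # new package block starts
            pkg = m.group(1)
            in_runtime = False
            continue
        stripped = line.strip()
        if stripped.endswith("permissions:"):
            # Only the "runtime permissions:" section is of interest.
            in_runtime = stripped == "runtime permissions:"
            continue
        if not (pkg and in_runtime):
            continue
        m = PERM_RE.match(line)
        if m and m.group(2) == "true":
            granted[pkg].add(m.group(1))
    return dict(granted)


def flag_overreach(granted, threshold=2):
    """Packages holding at least `threshold` high-risk grants, worst first.

    Returns a list of (package, sorted list of high-risk permissions).
    """
    hits = []
    for pkg, perms in granted.items():
        risky = sorted(perms & HIGH_RISK)
        if len(risky) >= threshold:
            hits.append((pkg, risky))
    hits.sort(key=lambda h: (-len(h[1]), h[0]))
    return hits


if __name__ == "__main__":
    import sys
    # Usage: adb shell dumpsys package | python audit_permissions.py
    # With no piped input the constructed sample is used instead.
    text = SAMPLE_DUMPSYS if sys.stdin.isatty() else sys.stdin.read()
    for pkg, risky in flag_overreach(parse_granted(text)):
        print(f"{pkg}: {len(risky)} high-risk grants -> {', '.join(risky)}")
```

On the constructed sample only the invented flashlight package is reported, because it is the one holding several unrelated sensitive grants at once; the banking app's denied `READ_SMS` request is correctly not counted. Lowering `threshold` to 1 lists every package with any high-risk grant, which is the view D. C. Sessions' complaint below (carrier and vendor apps demanding across-the-board permissions) calls for.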

#2 LFC

    Fiscal Conservative

  • Members
  • 31793 posts
  • Location: Pennsylvania

Posted 03 December 2019 - 12:02 PM

There have been plenty of complaints about how hard-nosed Apple can be about their app store but in today's world where digital attacks are occurring on an every millisecond basis (at least) it seems to be the only reasonably effective approach. Google seems to have a poor track record due to their more open environment. Tech companies need to simply assume that anything that could potentially be used for malicious reasons will be. That lesson, delivered repeatedly for decades, still hasn't been taken fully to heart by the industry and corporations.

Google is now seeking outside help to try to clean up the mess. At least they're admitting the problem as compared to who knows how many companies who tried to hide or downplay their own issues.

Quote

Android has a bit of a malware problem. The open ecosystem's flexibility also makes it relatively easy for tainted apps to circulate on third-party app stores or malicious websites. Worse still, malware-ridden apps sneak into the official Play Store with disappointing frequency. After grappling with the issue for a decade, Google is calling in some reinforcements.

This week, Google announced a partnership with three antivirus firms—ESET, Lookout, and Zimperium—to create an App Defense Alliance. All three companies have done extensive Android malware research over the years, and have existing relationships with Google to report problems they find. But now they'll use their scanning and threat detection tools to evaluate new Google Play submissions before the apps go live—with the goal of catching more malware before it hits the Play Store in the first place.

"On the malware side we haven’t really had a way to scale as much as we’ve wanted to scale," says Dave Kleidermacher, Google's vice president of Android security and privacy. "What the App Defense Alliance enables us to do is take the open ecosystem approach to the next level. We can share information not just ad hoc, but really integrate engines together at a digital level, so that we can have real-time response, expand the review of these apps, and apply that to making users more protected."

It's not often that you hear someone at Google—a company of seemingly limitless size and scope—talk about trouble operating a program at the necessary scale.


#3 D. C. Sessions

    I don't have to pretend to be an adult any more

  • Members
  • 10399 posts
  • Location: Central New Mexico

Posted 03 December 2019 - 01:57 PM

LFC, on 03 December 2019 - 11:57 AM, said:

Quote

The vulnerability is most serious in versions 6 through 10, which (according to Statista) account for about 80% of Android phones worldwide. Attacks against those versions allow malicious apps to ask for permissions while posing as legitimate apps. There's no limit to the permissions these malicious apps can seek. Access to text messages, photos, the microphone, camera, and GPS are some of the permissions that are possible. A user's only defense is to click "no" to the requests.


Emphasis added. It doesn't help at all that a lot of Google and carrier apps demand essentially across-the-board permissions. Why does my mobile hotspot function require camera access (invented)? I don't know but the alternative is to not do mobile hotspotting, which I depend upon. So the result is that users are trained by Google and the carriers to be sloppy and uncritical about the permissions they grant.
The way a lot of catastrophes happen is that X doesn't occur because there are safeguards in place, therefore people assume X isn't a worry and they remove the safeguards. Then X happens.
— Nate Silver
"Robots aren't the problem. Capitalism is." -- Last words of Stephen Hawking.
These days, "libertarian" is just a euphemism for a Nazi who's afraid to commit.
"If you're not outraged, you're not paying attention." -- Heather Heyer
"I'd rather have my child, but by golly, if I gotta give her up, we're gonna make it count." -- Her mother
"Your purpose, then, plainly stated, is that you will destroy the Government, unless you be allowed to construe and enforce the Constitution as you please, on all points in dispute between you and us. You will rule or ruin in all events." -- some RINO

#4 golden_valley

    Advanced Member

  • Members
  • 6244 posts
  • Location: Northern California

Posted 03 December 2019 - 02:29 PM

D. C. Sessions, on 03 December 2019 - 01:57 PM, said:

Emphasis added. It doesn't help at all that a lot of Google and carrier apps demand essentially across-the-board permissions. Why does my mobile hotspot function require camera access (invented)? I don't know but the alternative is to not do mobile hotspotting, which I depend upon. So the result is that users are trained by Google and the carriers to be sloppy and uncritical about the permissions they grant.

I'm not sure I'd call it "trained." It's more like trapped. Your choices are to not hot spot at all or to allow camera access.

#5 D. C. Sessions

    I don't have to pretend to be an adult any more

  • Members
  • 10399 posts
  • Location: Central New Mexico

Posted 03 December 2019 - 03:39 PM

And after a few rounds like that do you keep trying or do you surrender?

Training.

#6 AnBr

    Advanced Member

  • Members
  • 14029 posts

Posted 03 December 2019 - 09:49 PM

This is why I never do any financial stuff on my phone. I don't ever use any wireless connection. I would note that Apple's record is not spotless, either, though Google seems to have purposefully left holes in place for its own revenue. "Don't be evil" is now a distant memory.
“Trump’s a stupid man’s idea of a smart person, a poor man’s idea of a rich person & a weak man’s idea of a strong man.”

— Fran Lebowitz


“One of the saddest lessons of history is this: If we've been bamboozled long enough, we tend to reject any evidence of the bamboozle. We’re no longer interested in finding out the truth. The bamboozle has captured us. It's simply too painful to acknowledge, even to ourselves, that we’ve been taken. Once you give a charlatan power over you, you almost never get it back.”

— Carl Sagan


Pray for Trump: Psalm 109:8

"Science is more than a body of knowledge; it is a way of thinking. I have a foreboding of an America in my children's or grandchildren's time - when the United States is a service and information economy; when nearly all the key manufacturing industries have slipped away to other countries; when awesome technological powers are in the hands of a very few, and no one representing the public interest can even grasp the issues; when the people have lost the ability to set their own agendas or knowledgeably question those in authority; when, clutching our crystals and nervously consulting our horoscopes, our critical faculties in decline, unable to distinguish between what feels good and what's true, we slide, almost without noticing, back into superstition and darkness."

— Carl Sagan
The Demon-Haunted World: Science as a Candle in the Dark
1995


“As democracy is perfected, the office of president represents, more and more closely, the inner soul of the people. On some great and glorious day the plain folks of the land will reach their heart's desire at last and the White House will be adorned by a downright moron.”

— H.L. Mencken
On Politics: A Carnival of Buncombe


“The test of our progress is not whether we add more to the abundance of those who have much; it is whether we provide enough for those who have too little.”

— Franklin Delano Roosevelt
Second inaugural address January, 1937




