
First malware in the wild found exploiting Bluebox's Android app signing flaw

post #1 of 101
Thread Starter 
Just three weeks after Bluebox Security first announced the discovery of a key flaw in Google's Android with the potential to turn devices into a "zombie botnet," Symantec has reported finding rogue apps that take advantage of the vulnerability.

Android malware
Source: Symantec spots new signed malware that Android can't


At the beginning of July, Bluebox went public with news of the flaw, which affected virtually every Android device in use.

Google "declined to comment on the matter," but quickly acted to block distribution of apps seeking to exploit the issue in its own Google Play market. However, one of the primary key features of Android is the "openness" to allow users to install software from other stores.

That freedom has now morphed into a liability. While researchers quickly released "test tube" apps demonstrating how the vulnerability can be exploited, Symantec has now identified the first malware in the wild that's seeking to take advantage of the flaw, and Google's extreme difficulty in patching millions of vulnerable devices.

Android security flaw


There's a role in Post-PC devices for Symantec after all



In a new report, Symantec stated, "we expected the vulnerability to be leveraged quickly due to ease of exploitation, and it has."

"They can freely hijack legitimate applications and even an astute person could not tell the application had been repackaged with malicious code." - Symantec

The company has been scanning Android apps from "hundreds of marketplaces" using its Norton Mobile Insight tool, and initially discovered two on Tuesday.

Both (shown above) were "legitimate applications distributed on Android marketplaces in China to help find and make doctor appointments."

The next day, Symantec identified another four contaminated apps, "infected by the same attacker and being distributed on third-party app sites." The exploited apps included "a popular news app, an arcade game, a card game, and a betting and lottery app," all targeting Chinese users.

The discovered malware apps are secretly modified versions of legitimate apps that most Android devices can't detect as being contaminated, thanks to longstanding flaws in Android's security system that all the eyes of the open source community failed to detect.

Weaponized for malware monetization, facilitated by flaws



Symantec earlier explained that "Injecting malicious code into legitimate apps has been a common tactic by malicious app creators for some time."

However, "they previously needed to change both the application and publisher name and also sign any Trojanized app with their own digital signature."

These modifications would render the contaminated apps easy to spot, thanks to app signing. "Someone who examined the app details could instantly realize the application was not created by the legitimate publisher," the security firm explained.

With the newly discovered Android flaw, "attackers no longer need to change these digital signature details," meaning that "they can freely hijack legitimate applications and even an astute person could not tell the application had been repackaged with malicious code."

While iOS apps can also be hacked, Apple's app signing security works to identify and block contaminated apps from working. Apple's App Store also serves as the only source for third party software outside of custom development that requires organizations to distribute their own security credentials to sign the secure encryption of such apps.

Android malware authors party like it's 1999



Android apps routinely demand vast, unnecessary and inappropriate permissions to a wide range of capabilities prior to installation, in a process most users click through without examination. The malware in the wild that Symantec has discovered has modified both apps with code "to allow them to remotely control devices, steal sensitive data such as IMEI and phone numbers, send premium SMS messages, and disable a few Chinese mobile security software applications by using root commands, if available."

The firm subsequently discovered that the malware payload, dubbed "Android.Skullkey," is also designed to send a spam text message to all phone numbers in the device's contacts, directing them to a malware website URL in a customized message that addresses the recipient by name.

Apple's iOS 6 does not allow apps to access contacts or message users without the permission of the user, but Android apps routinely demand vast, unnecessary and inappropriate permissions to a wide range of capabilities prior to installation, in a process most users click through without examination.

Android is the platform of wide open marketing research



Examples of such broad and unnecessary permissions demands start at the top: Facebook for Android, the platform's most popular app, demands access to a broad range of permissions before installation, including the ability to observe phone numbers in contacts and on calls in progress.

Google Play


Earlier this month, the popular app was caught harvesting users' entire phone books for upload into the social network's vast graph, without notice, and subsequently "sharing" information with other users "having some connection to them" on the site.

Samsung, the largest Android licensee, also launched a "free" Jay Z app this month promoting its flagship "SAFE" Galaxy S4 and Note 2 phones, but with conditions that demanded access to users' precise GPS location, access to users' contacts and or social network accounts, and stats on what apps they used and what phone numbers they were calling.


Jay Z Samsung app


Source: Google Play


Facebook and Samsung are both simply using Android the way Google intends for its platform to work. Earlier this year, it was reported that Google Play was sending third party developers the name, physical address and email of anyone buying their apps, with "no indication that this information is actually being transferred."

Google's response was to take offense at journalists' characterization of the matter as a "flaw" and lean on publishers to remove any unflattering description of the practice from their headlines, stories, and SEO on the subject so that users simply wouldn't be aware of the issue and unable to search for information about it.
post #2 of 101
Quote:
Originally Posted by AppleInsider View Post

Both (show above) were "legitimate applications distributed on Android marketplaces in China to help find and make doctor appointments."

The next day, Symantec identified another four contaminated apps, "infected by the same attacker and being distributed on third-party app sites." The exploited apps included "a popular news app, an arcade game, a card game, and a betting and lottery app," all targeting Chinese users.

In other words these applications are being distributed on third-party app stores in China. This is akin to crying wolf about malware being distributed via Cydia. So stick to Google Play and you will be fine then.

post #3 of 101

So two Chinese apps?

 

Not in the Google Play or Amazon store. 

 

Reminds me of this vid.

https://www.youtube.com/watch?v=NO04VXBIS0M

post #4 of 101
Yay open!

Oh. Wait.

Sent from my iPhone Simulator

post #5 of 101

DED seems quite desperate to engineer this into a big issue and stir up a panic.
 

post #6 of 101
Quote:
Originally Posted by Just_Me View Post

So two Chinese apps?

 

Not in the Google Play or Amazon store. 

 

Reminds me of this vid.

https://www.youtube.com/watch?v=NO04VXBIS0M

 

They don't care. They don't realize that if you never change your standard security features this can't happen. That you have to go into the security settings and bypass the warning that pops up. That Google scans every app in its app store using the same tools that Symantec does. That Google's Nexus phones have already been patched. None of this matters to them. They just want to hate.

post #7 of 101
Quote:
Originally Posted by SockRolid View Post

Yay open!

Oh. Wait.

 

Apple has strict review. Nothing like this will ever happen.

 

Oh. Wait

 

http://www.macworld.com/article/2037099/ios-app-contains-potential-malware.html

post #8 of 101
Quote:
Originally Posted by Negafox View Post

In other words these applications are being distributed on third-party app stores in China. This is akin to crying wolf about malware being distributed via Cydia. So stick to Google Play and you will be fine then.

So then tell all the fandroids to stop crowing over being able to side-load third party apps. You can't have it both ways. Either Google Play is the only valid place to get apps or it's not.

post #9 of 101
Quote:
Originally Posted by NexusPhan View Post

 

That Google's nexus phones have already been patched. None of this matters to them. They just want to hate.

Google Nexus phones? You mean the ones that make up probably less than 2% of all Android phones in use because they sell extremely poorly?

 

 

Quote:
Thanks to the case of Apple vs. Samsung, we now know the sad truth about Samsung’s Galaxy Nexus: After two quarters, the phone only captured 0.5% of the smartphone market at most, and brought in a mere $250 million in sales revenue, Bloomberg reports. Given that the Galaxy Nexus never cost less than $349 at unsubsidized rates, the total units sold is far less than a million, compared to 10 million of Samsung’s Galaxy S III and at least five million of the Galaxy Note.
post #10 of 101
Quote:
Originally Posted by MikeJones View Post

So then tell all the fandroids to stop crowing over being able to side-load third party apps. You can't have it both ways. Either Google Play is the only valid place to get apps or it's not.

It's not. Amazon app store.

post #11 of 101
I'm glad I don't use Android. Oh well. Maybe this is one of the many reasons why most Enterprise customers stay away from Android devices.
post #12 of 101
Quote:
Originally Posted by Just_Me View Post

It's not. Amazon app store.

So another curated app store. Either Android is great because you can side-load third-party apks or curated app stores (Google Play and Android app store) are the only valid places to get apps. Again, you can't have it both ways.

post #13 of 101
Quote:
Originally Posted by MikeJones View Post

Google Nexus phones? You mean the ones that make up probably less than 2% of all Android phones in use because they sell extremely poorly?

 

 

 

Also these devices running 10.1

 

http://wiki.cyanogenmod.org/w/Devices

post #14 of 101
Quote:
Originally Posted by MikeJones View Post

Google Nexus phones? You mean the ones that make up probably less than 2% of all Android phones in use because they sell extremely poorly?

 

 

 

They don't realize that if you never change your standard security features this can't happen. That you have to go into the security settings and bypass the warning that pops up. That Google scans every app in its app store using the same tools that Symantec does.

 

These apps will NEVER make it to the app store. This is completely a non-issue.

It's as much of an issue as jailbreaking an iPhone and installing a malicious pirated app and then trying to blame Apple. It's the exact same thing.

post #15 of 101
Quote:
Originally Posted by Just_Me View Post

 

Also these devices running 10.1

 

http://wiki.cyanogenmod.org/w/Devices

So an even smaller group of devices?

post #16 of 101
Aren't many people missing the point of this article? There is a new method of sending out malware without signing new info - so genuinely legitimate looking apps will be able to trick more people from here on out.
post #17 of 101
Quote:
Originally Posted by NexusPhan View Post

 

These apps will NEVER make it to the app store. This is completely a non-issue.

It's as much of an issue as jailbreaking an iPhone and installing a malicious pirated app and then trying to blame Apple. It's the exact same thing.

But fandroids go on and on about how Android is great because one can install apps from anywhere! That is until these malware stories come up and they backpedal and say one should only install from curated app stores. Hypocrisy. LOL.

post #18 of 101
Quote:
Originally Posted by MikeJones View Post

So another curated app store. Either Android is great because you can side-load third-party apks or curated app stores (Google Play and Android app store) are the only valid places to get apps. Again, you can't have it both ways.

 

You can.  Would also trust these places too

 

http://www.appup.com/

http://www.xda-developers.com/

goo.im

https://github.com/

 

nothing .cn though

post #19 of 101
Quote:
Originally Posted by MikeJones View Post

But fandroids go on and on about how Android is great because one can install apps from anywhere! That is until these malware stories come up and they backpedal and say one should only install from curated app stores. Hypocrisy. LOL.

 

 

Choice and freedom.  That is what you can get with open.  You control how safe you want to be.

 

Blindly trusting a single source is foolish.

post #20 of 101
Quote:
Originally Posted by MikeJones View Post

So an even smaller group of devices?

About 100 devices from 21 different vendors. You have a strange definition of smaller.   

post #21 of 101
Quote:
Originally Posted by MikeJones View Post

But fandroids go on and on about how Android is great because one can install apps from anywhere! That is until these malware stories come up and they backpedal and say one should only install from curated app stores. Hypocrisy. LOL.

 

Yup. That should only be used if you know the risks and Google clearly tells you. Fortunately it's so easy to enable again that we can have it both ways.

I only do it when I'm on airplane mode and always block sideloading again as soon as my one app is installed. And that's probably waaay more paranoid than I need to be. I've only installed 3 or 4 apps that way.

post #22 of 101
Quote:
Originally Posted by Just_Me View Post

About 100 devices from 21 different vendors. You have a strange definition of smaller.   

You seem to have a reading comprehension problem. I was referring to the number of people using CyanogenMod. By CyanogenMod's estimates there are 5.6 million active installs. That's barely over 1/2 of 1% of all Android devices. It's a minuscule minority of people.

post #23 of 101
Quote:
Originally Posted by NexusPhan View Post

 

They don't care. They don't realize that if you never change your standard security features this can't happen. That you have to go into the security settings and bypass the warning that pops up. That Google scans every app in its app store using the same tools that Symantec does. That Google's Nexus phones have already been patched. None of this matters to them. They just want to hate.

 

Hey, where can I get Adblock from?

 

Without enabling possibly trojan infested side loading?

Better than my Bose, better than my Skullcandy's, listening to Mozart through my LeBron James limited edition PowerBeats by Dre is almost as good as my Sennheisers.
post #24 of 101
Quote:
Originally Posted by Negafox View Post

This is akin to crying wolf about malware being distributed via Cydia. So stick to Google Play and you will be fine then.

 

But you can access nefarious Android stores with a non-rooted Android phone. You need a jailbroken iPhone to get on Cydia, in which case the user is probably sophisticated enough to realize what they're dealing with. 

 

By the time your mom's free Android phone has finished uploading its contact and Google Wallet information to a rogue Croatian server, it's too late. 

post #25 of 101
Quote:
Originally Posted by NexusPhan View Post

 

They don't care. They don't realize that if you never change your standard security features this can't happen. That you have to go into the security settings and bypass the warning that pops up. That Google scans every app in its app store using the same tools that Symantec does. That Google's Nexus phones have already been patched. None of this matters to them. They just want to hate.

 

It should be noted that any android phone using Google Apps (so any official "Google Certified" android phone) already received a "hotfix" via the Play Services.

This doesn't solve the original file-order problem when checking apk signatures, but verifies sideloaded apps before installing ("verify and install" option when opening a downloaded APK).

 

So basically, if you have an android phone with Google Play Services installed, you're on the safe side even if you install sideloaded apps.

 

Some more information about it can be found here: https://support.google.com/accounts/answer/2812853?hl=en
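The article (post #1) describes the flaw only at the level of "attackers no longer need to change these digital signature details", and post #25 calls it a "file-order problem when checking apk signatures". The added example below is not code from AppleInsider, Symantec, Bluebox or Google; it assumes, as a fact known from Bluebox's public disclosure rather than from this thread, that the flaw turned on an APK (a zip archive) carrying two entries with the same name, with the signature verifier and the installer disagreeing about which copy counts. The defensive check that follows from that is simple: before trusting a downloaded APK, walk its central directory and refuse any archive whose entry names are not unique, which is exactly the kind of pre-install scan a marketplace or an on-device "verify and install" step can run. The archives are constructed in memory; `build_sample_apk`, `find_duplicate_entries`, `entry_versions` and `assess` are names chosen here.

```python
import io
import warnings
import zipfile
from collections import Counter


def build_sample_apk(with_duplicate):
    """Constructed sample: a minimal zip with APK-like entry names.

    With with_duplicate=True a second 'classes.dex' is appended after the
    original, the archive shape the Bluebox disclosure described (assumption
    stated in the lead-in; no real malware sample is reproduced here).
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("classes.dex", b"dex\n035 original code")
        zf.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
        if with_duplicate:
            # Python's zipfile warns about a duplicate name but still writes
            # the entry, which is what lets us build the test archive.
            with warnings.catch_warnings():
                warnings.simplefilter("ignore")
                zf.writestr("classes.dex", b"dex\n035 injected code")
    return buf.getvalue()


def find_duplicate_entries(apk_bytes):
    """Names that occur more than once in the central directory.

    infolist() lists every central-directory record, including repeats,
    whereas name-based lookups (read/getinfo) silently pick one copy.
    """
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        counts = Counter(info.filename for info in zf.infolist())
    return sorted(name for name, n in counts.items() if n > 1)


def entry_versions(apk_bytes, name):
    """Every payload stored under one entry name, in central-directory order.

    Opening by ZipInfo (not by name) is what reaches each copy; it shows
    why two parsers keyed on the name alone can legitimately disagree.
    """
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        return [zf.open(info).read()
                for info in zf.infolist() if info.filename == name]


def assess(apk_bytes):
    """Verdict for a pre-install gate: any duplicate name is disqualifying,
    because a valid signature over one copy says nothing about the other."""
    dups = find_duplicate_entries(apk_bytes)
    return {"suspicious": bool(dups), "duplicate_entries": dups}


if __name__ == "__main__":
    for flag in (False, True):
        apk = build_sample_apk(flag)
        print("duplicate entry present:", flag, "->", assess(apk))
        print("  versions of classes.dex:", entry_versions(apk, "classes.dex"))
```

The same check applies to any signed-zip format (JARs, browser extensions, update bundles): a signature scheme that verifies entries by name is only as strong as the guarantee that names are unique, so the scanner enforces that guarantee instead of assuming it.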

post #26 of 101
Quote:
Originally Posted by MikeJones View Post

So then tell all the fandroids to stop crowing over being able to side-load third party apps.

Would you kindly provide the URLs to such posts here?

post #27 of 101
Quote:
Originally Posted by hill60 View Post

 

Hey, where can I get Adblock from?

 

Without enabling possibly trojan infested side loading?

https://play.google.com/store/apps/details?id=com.appspot.swisscodemonkeys.detector

post #28 of 101

 

He was referring to ad blockers as opposed to ad detectors.  Ad blockers are no longer allowed in the Play Store so one must enable side loading to install an ad blocker.

 

Quote:
Originally Posted by hill60 View Post

 

Hey, where can I get Adblock from?

 

Without enabling possibly trojan infested side loading?

 

How does one get Adblock on their iPhone or iPad?


Edited by DroidFTW - 7/25/13 at 1:36pm
post #29 of 101
Quote:
Originally Posted by DroidFTW View Post

 

He was referring to ad blockers as opposed to ad detectors.  Ad blockers are no longer allowed in the Play Store so one must enable side loading to install an ad blocker.

 

 

How does one get Adblock on their iPhone or iPad?

ah. Here you go

 

http://forum.xda-developers.com/showthread.php?t=1916098

post #30 of 101
Quote:
Originally Posted by hill60 View Post

 

Hey, where can I get Adblock from?

 

Without enabling possibly trojan infested side loading?

https://adblockplus.org/en/android There you go.

post #31 of 101
Quote:
The discovered malware apps are secretly modified versions of legitimate apps that most Android devices can't detect as being contaminated, thanks to longstanding flaws in Android's security system that all the eyes of the open source community failed to detect.

 

...that all the eyes of the open source AND commercial security community failed to detect.

post #32 of 101

 

Quote:

Android malware authors party like it's 1999


Android apps routinely demand vast, unnecessary and inappropriate permissions to a wide range of capabilities prior to installation, in a process most users click through without examination.

...but Android apps routinely demand vast, unnecessary and inappropriate permissions to a wide range of capabilities prior to installation, in a process most users click through without examination.

 

I guess once you find a good sentence, it pays to paste it in as many times as you can get away with.

 

 

post #33 of 101
Quote:
Originally Posted by cnocbui View Post

DED seems quite desperate to engineer this into a big issue and stir up a panic.
 

 

You can keep telling yourself that malware and spyware has no impact on the platform, but that didn't work out well for Windows XP did it? 

 

The only difference here is that Microsoft's malware problem trumped its vast advantage in third party developer support over Macs.

Android is a hobbyist platform that doesn't have an advantage of any sort. iOS has the advantage, but Android has the malware. 

 

I wonder how that's going to work out.

post #34 of 101
Quote:
Originally Posted by Negafox View Post

In other words these applications are being distributed on third-party app stores in China. This is akin to crying wolf about malware being distributed via Cydia. So stick to Google Play and you will be fine then.

get a clue - that's how most China consumers do it, and many other developing world countries too. they prefer local services for many reasons including cultural relevancy and peer familiarity as well as getting pirateware free. they have as little to do with Google and Google Play as possible. and that's where hundreds of millions of cheap Android phones are being sold, so the potential for malware infestation is huge.

 

we live in a first world bubble here. malware doesn't.

post #35 of 101
Quote:
Originally Posted by Just_Me View Post

 

Apple has strict review. Nothing like this will ever happen.

 

Oh. Wait

 

http://www.macworld.com/article/2037099/ios-app-contains-potential-malware.html

 

Had you actually read that article, rather than just copy and pasting the link, you'd have seen that the "malware" was an MP3 file with a metadata tag that included a URL to a potential malware site that wasn't active. 

 

There is no way to open such a URL tag on an MP3 on iOS, so calling this malware is such a desperate stretch it makes you look hysterical.

post #36 of 101
Quote:
Originally Posted by Corrections View Post

Had you actually read that article, rather than just copy and pasting the link, you'd have seen that the "malware" was an MP3 file with a metadata tag that included a URL to a potential malware site that wasn't active. 

 

There is no way to open such a URL tag on an MP3 on iOS, so calling this malware is such a desperate stretch it makes you look hysterical.

 

Correction:  the title of the article was written by the editors at Macworld.

 

You can share your opinion about the quality of their writing here: http://www.idgcsmb.com/contact/

post #37 of 101
Quote:
Originally Posted by Alfiejr View Post

get a clue - that's how most China consumers do it, and many other developing world countries too. they prefer local services for many reasons including cultural relevancy and peer familiarity as well as getting pirateware free. they have as little to do with Google and Google Play as possible. and that's where hundreds of millions of cheap Android phones are being sold, so the potential for malware infestation is huge.

 

we live in a first world bubble here. malware doesn't.

Unfortunately, the same goes for the iPhone, too. In China, many iPhone users rarely use the App Store and instead use third-party websites that have leaked distribution keys to install apps via Safari. What stops these third-party websites from distributing malware to Chinese iPhone users?

post #38 of 101
Quote:
Originally Posted by Corrections View Post

Android is a hobbyist platform

Best line you've ever written.  Thanks. Overlaid on a market share pie chart it'll make quite a t-shirt.

post #39 of 101
Zombie botnet… that doesn't sound too bad…
post #40 of 101
Quote:
Originally Posted by DroidFTW View Post

How does one get Adblock on their iPhone or iPad?

Press the button at the top of the browser that says 'Reader'.


Side-loading: Apparently it can be done from behind you. While over a barrel.
Apple Products: So good that their ‘faulty' products outsell competitor’s faultless ones...