First malware in the wild found exploiting Bluebox's Android app signing flaw

Posted:
in iPhone edited January 2014
Just three weeks after Bluebox Security first announced the discovery of a key flaw in Google's Android with the potential to turn devices into a "zombie botnet," Symantec has reported finding rogue apps that take advantage of the vulnerability.

Android malware
Source: Symantec spots new signed malware that Android can't


At the beginning of July, Bluebox went public with news of the flaw, which affected virtually every Android device in use.

Google "declined to comment on the matter," but quickly acted to block distribution of apps seeking to exploit the issue in its own Google Play market. However, one of the primary key features of Android is the "openness" to allow users to install software from other stores.

That freedom has now morphed into a liability. While researchers quickly released "test tube" apps demonstrating how the vulnerability can be exploited, Symantec has now identified the first malware in the wild that's seeking to take advantage of the flaw, and Google's extreme difficulty in patching millions of vulnerable devices.

Android security flaw

There's a role in Post-PC devices for Symantec after all

In a new report, Symantec stated, "we expected the vulnerability to be leveraged quickly due to ease of exploitation, and it has.""They can freely hijack legitimate applications and even an astute person could not tell the application had been repackaged with malicious code." - Symantec

The company has been scanning Android apps from "hundreds of marketplaces" using its Norton Mobile Insight tool, and initially discovered two on Tuesday.

Both (show above) were "legitimate applications distributed on Android marketplaces in China to help find and make doctor appointments."

The next day, Symantec identified another four contaminated apps, "infected by the same attacker and being distributed on third-party app sites." The exploited apps included "a popular news app, an arcade game, a card game, and a betting and lottery app," all targeting Chinese users.

The discovered malware apps are secretly modified versions of legitimate apps that most Android devices can't detect as being contaminated, thanks to longstanding flaws in Android's security system that all the eyes of the open source community failed to detect.

Weaponized for malware monetization, facilitated by flaws

Symantec earlier explained that "Injecting malicious code into legitimate apps has been a common tactic by malicious app creators for some time."

However, "they previously needed to change both the application and publisher name and also sign any Trojanized app with their own digital signature."

These modifications would render the contaminated apps easy to spot, thanks to app signing. "Someone who examined the app details could instantly realize the application was not created by the legitimate publisher," the security firm explained.

With the newly discovered Android flaw, "attackers no longer need to change these digital signature details," meaning that "they can freely hijack legitimate applications and even an astute person could not tell the application had been repackaged with malicious code."

While iOS apps can also be hacked, Apple's app signing security works to identify and block contaminated apps from working. Apple's App Store also serves as the only source for third party software outside of custom development that requires organizations to distribute their own security credentials to sign the secure encryption of such apps.

Android malware authors party like its 1999

Android apps routinely demand vast, unnecessary and inappropriate permissions to a wide range of capabilities prior to installation, in a process most users click through without examination. The malware in the wild that Symantec has discovered has modified both apps with code "to allow them to remotely control devices, steal sensitive data such as IMEI and phone numbers, send premium SMS messages, and disable a few Chinese mobile security software applications by using root commands, if available."

The firm subsequently discovered the the malware payload, dubbed "Android.Skullkey," is also designed to send a spam text message to all phone numbers in the device's contacts, directing them to a malware website URL in a customized message that addresses the recipient by name.

Apple's iOS 6 does not allow apps to access contacts or message users without the permission of the user, but Android apps routinely demand vast, unnecessary and inappropriate permissions to a wide range of capabilities prior to installation, in a process most users click through without examination.

Android is the platform of wide open marketing research

Examples of such broad and unnecessary permissions demands start at the top: Facebook for Android, the platform's most popular app, demands access to a broad range of permissions before installation, including the ability to observe phone numbers in contacts and on calls in progress.

Google Play


Earlier this month, the popular app was caught harvesting users' entire phone books for upload into the social network's vast graph, without notice, and subsequently "sharing" information with other users "having some connection to them" on the site.

Samsung, the largest Android licensee, also launched a "free" Jay Z app this month promoting its flagship "SAFE" Galaxy S4 and Note 2 phones, but with conditions that demanded access to users' precise GPS location, access to users' contacts and or social network accounts, and stats on what apps they used and what phone numbers they were calling.


Jay Z Samsung app


Source: Google Play


Facebook and Samsung are both simply using Android the way Google intends for its platform to work. Earlier this year, after it was reported that Google Play was sending third party developers that name, physical address and email of anyone buying their apps, with "no indication that this information is actually being transferred."

Google's response was to take offense at journalists' characterization of the matter as a "flaw" and lean on publishers to remove any unflattering description of the practice from their headlines, stories, and SEO on the subject so that users simply wouldn't be aware of the issue and unable to search for information about it.
«134567

Comments

  • Reply 1 of 124
    negafoxnegafox Posts: 480member

    Quote:

    Originally Posted by AppleInsider View Post



    Both (show above) were "legitimate applications distributed on Android marketplaces in China to help find and make doctor appointments."



    The next day, Symantec identified another four contaminated apps, "infected by the same attacker and being distributed on third-party app sites." The exploited apps included "a popular news app, an arcade game, a card game, and a betting and lottery app," all targeting Chinese users.


    In other words these applications are being distributed on third-party app stores in China. This is akin to crying wolf about malware being distributed via Cydia. So stick to Google Play and you will be fine then.

  • Reply 2 of 124
    just_mejust_me Posts: 590member


    So two chinese apps?


     


    Not in the google play or amazon store. 


     


    Reminds me of this vid.


    https://www.youtube.com/watch?v=NO04VXBIS0M

  • Reply 3 of 124
    sockrolidsockrolid Posts: 2,788member
    Yay open!

    Oh. Wait.
  • Reply 4 of 124
    cnocbuicnocbui Posts: 3,613member


    DED seems quite desperate to engineer this into a big issue and stir up a panic.

     

  • Reply 5 of 124
    nexusphannexusphan Posts: 260member

    Quote:

    Originally Posted by Just_Me View Post


    So two chinese apps?


     


    Not in the google play or amazon store. 


     


    Reminds me of this vid.


    https://www.youtube.com/watch?v=NO04VXBIS0M



     


    They don't care. They don't realize that if you keep you never change your standard security features that this can't happen. That you have to go in the security setting and bypass the warning that pops up. That Google scans every app in it's app store using the same tools that Symantec does. That Google's nexus phones have already been patched. None of this matters to them. They just want to hate.

  • Reply 6 of 124
    just_mejust_me Posts: 590member

    Quote:

    Originally Posted by SockRolid View Post



    Yay open!



    Oh. Wait.


     


    Apple has strict review. Nothing like this will ever happen.


     


    Oh. Wait


     


    http://www.macworld.com/article/2037099/ios-app-contains-potential-malware.html

  • Reply 7 of 124
    mikejonesmikejones Posts: 323member

    Quote:

    Originally Posted by Negafox View Post


    In other words these applications are being distributed on third-party app stores in China. This is akin to crying wolf about malware being distributed via Cydia. So stick to Google Play and you will be fine then.



    So then tell all the fandroids to stop crowing over being able to side-load third party apps. You can't have it both ways. Either Google Play is the only valid place to get apps or it's not.

  • Reply 8 of 124
    mikejonesmikejones Posts: 323member

    Quote:

    Originally Posted by NexusPhan View Post


     


    That Google's nexus phones have already been patched. None of this matters to them. They just want to hate.



    Google Nexus phones? You mean the ones that make up probably less than 2% of all Android phones in use because they sell extremely poorly?


     


     


    Quote:


    Thanks to the case of Apple vs. Samsung, we now know the sad truth about Samsung’s Galaxy Nexus: After two quarters, the phone only captured 0.5% of the smartphone market at most, and brought in a mere $250 million in sales revenue, Bloomberg reports. Given that the Galaxy Nexus never cost less than $349 at unsubsidized rates, the total units sold is far less than a million, compared to 10 million of Samsung’s Galaxy S III and at least five million of the Galaxy Note.


  • Reply 9 of 124
    just_mejust_me Posts: 590member

    Quote:

    Originally Posted by MikeJones View Post


    So then tell all the fandroids to stop crowing over being able to side-load third party apps. You can't have it both ways. Either Google Play is the only valid place to get apps or it's not.



    Its not. Amazon app store.

  • Reply 10 of 124
    drblankdrblank Posts: 3,383member
    I'm glad I don't use Android. Oh well. Maybe this is one of the many reasons why most Enterprise customers stay away from Android devices.
  • Reply 11 of 124
    mikejonesmikejones Posts: 323member

    Quote:

    Originally Posted by Just_Me View Post


    Its not. Amazon app store.



    So another curated app store. Either Android is great because you can side-load third-party apks or curated app stores (Google Play and Android app store) are the only valid places to get apps. Again, you can't have it both ways.

  • Reply 12 of 124
    just_mejust_me Posts: 590member

    Quote:

    Originally Posted by MikeJones View Post


    Google Nexus phones? You mean the ones that make up probably less than 2% of all Android phones in use because they sell extremely poorly?


     


     



     


    Also these devices running 10.1


     


    http://wiki.cyanogenmod.org/w/Devices

  • Reply 13 of 124
    nexusphannexusphan Posts: 260member

    Quote:

    Originally Posted by MikeJones View Post


    Google Nexus phones? You mean the ones that make up probably less than 2% of all Android phones in use because they sell extremely poorly?


     


     



     


    They don't realize that if you keep you never change your standard security features that this can't happen. That you have to go in the security setting and bypass the warning that pops up. That Google scans every app in it's app store using the same tools that Symantec does.


     


    These apps will NEVER make it to the app store. This is completely a non-issue.


    It's as much of an issue as jailbreaking an iPhone and installing a malicious pirated app and then trying to blame Apple. It's the exact same thing.

  • Reply 14 of 124
    mikejonesmikejones Posts: 323member

    Quote:

    Originally Posted by Just_Me View Post


     


    Also these devices running 10.1


     


    http://wiki.cyanogenmod.org/w/Devices



    So an even smaller group of devices?

  • Reply 15 of 124
    Aren't many people missing the point of this article? There is a new method of sending out malware without signing new info - so genuinely legitimate looking apps will be able to trick more people from here on out.
  • Reply 16 of 124
    mikejonesmikejones Posts: 323member

    Quote:

    Originally Posted by NexusPhan View Post


     


    These apps will NEVER make it to the app store. This is completely a non-issue.


    It's as much of an issue as jailbreaking an iPhone and installing a malicious pirated app and then trying to blame Apple. It's the exact same thing.



    But fandroids go on and on about how Android is great because one can install apps from anywhere! That is until these malware stories comes up and they backpedal and say one should only install from curated app stores. Hypocrisy. LOL.

  • Reply 17 of 124
    just_mejust_me Posts: 590member

    Quote:

    Originally Posted by MikeJones View Post


    So another curated app store. Either Android is great because you can side-load third-party apks or curated app stores (Google Play and Android app store) are the only valid places to get apps. Again, you can't have it both ways.



     


    You can.  Would also trust these places too


     


    http://www.appup.com/


    http://www.xda-developers.com/


    goo.im


    https://github.com/


     


    nothing .cn though

  • Reply 18 of 124
    just_mejust_me Posts: 590member

    Quote:

    Originally Posted by MikeJones View Post


    But fandroids go on and on about how Android is great because one can install apps from anywhere! That is until these malware stories comes up and they backpedal and say one should only install from curated app stores. Hypocrisy. LOL.



     


     


    Choice and freedom.  That is what you can get with open.  You control how safe you want to be.


     


    Blindly trusting a single source is foolish.

  • Reply 19 of 124
    just_mejust_me Posts: 590member

    Quote:

    Originally Posted by MikeJones View Post


    So an even smaller group of devices?



    About 100 devices from 21 different vendors. You have a strange definition of smaller.   

  • Reply 20 of 124
    nexusphannexusphan Posts: 260member

    Quote:

    Originally Posted by MikeJones View Post


    But fandroids go on and on about how Android is great because one can install apps from anywhere! That is until these malware stories comes up and they backpedal and say one should only install from curated app stores. Hypocrisy. LOL.



     


    Yup. That should only be used if you know the risks and Google clearly tells you. Fortunately it's so easy to enable again that we can have it both ways.


    I only do it when I'm on airplane mode and always block sideloading again as soon as my one app is installed. And that's probably waaay more paranoid that I need to be. I've only installed 3 or 4 apps that way.

Sign In or Register to comment.