New Android "RAT" infects Google Play apps, turning phones into spyware zombies

1235710

Comments

  • Reply 81 of 186
    solipsismxsolipsismx Posts: 19,566member
    I guess what I do get — and what hasn't been answered — is how Google can push lateral updates that fix all kernel and OS issues without seemingly updating the kernel and OS. If they have been updated then why not call them 4.4 "Kit Kat" and if they have only been patched with virtually [I]duct tape[/I] then how can one say they have don't have the same holes that were discovered in those OSes?
  • Reply 82 of 186
    d4njvrzfd4njvrzf Posts: 797member
    Quote:



    Originally Posted by EricTheHalfBee View Post





    DING DING DING



    We have a winner. Funny to see the uninformed responses claiming you're wrong. Google Play Servics IS NOT the Android kernel, and it can't make changes to the kernel to correct security flaws.

    This is true, but how much malware use actual kernel exploits? I got the impression that most android malware use social engineering to get the user to consciously install and run some mislabeled piece of software. It's like if I were to convince you to try this new messaging app on your mac which is really a script that runs "sudo rm -rf /". The situation is similar to that of OS X and Flashback, except there were actually some versions of Flashback that installed themselves without user intervention. 

  • Reply 83 of 186
    gatorguy wrote: »
    According to the link you pointed me to the ASLR flaw was fixed with 4.0, then further improved with 4.1
    If you bothered to read more about it you'd realize the "fix" in ICS was so half baked it wasn't really a fix. They did the equivalent of installing a lock on the front door but leaving the keys under the mat. There are numerous articles about how poor ASLR was in ICS. It was fully fixed in JB.

    gatorguy wrote: »
    "Because this data is gathered from the new Google Play Store app, which supports Android 2.2 and above, devices running older versions are not included. However, in August, 2013, versions older than Android 2.2 accounted for about 1% of devices that checked in to Google servers (not those that actually visited Google Play Store).
    No need to post something I already know. The bottom line is Google only counts devices where the user initiates access. Google used to count all automatic access (for example, if you had an older device that downloaded an updated App).

    There are devices out there that are getting updates and yet still aren't being counted. So if I had an older phone with 10 Apps I use, and never bother to buy new Apps because my phone works good, then it will never get counted even though it's being used (and getting updated).

    gatorguy wrote: »
    No harm no foul. Theoretical security issues are far removed from real world maliciousness. You know that.

    So then I guess you're going to provide me with proof that Google's Verify Apps has successfully blocked all malware? Or to put it another way, since Verify Apps is nothing more than a fancy name for anti-virus software, are you claiming that Google has somehow managed to create a virus scanner with a 100% success rate?
  • Reply 84 of 186
    Quote:
    Originally Posted by d4NjvRzf View Post

     

    This is true, but how much malware use actual kernel exploits? I got the impression that most android malware use social engineering to get the user to consciously install and run some mislabeled piece of software. It's like if I were to convince you to try this new messaging app on your mac which is really a script that runs "sudo rm -rf /". The situation is similar to that of OS X and Flashback, except there were actually some versions of Flashback that installed themselves without user intervention. 


     

    No way to really know how much is due to kernel exploits. I used the term "kernel" to refer to the base OS itself, outside of Google Play Services. Google Play has no ability to modify the kernel so any past (or future) exploits outside of Google Play will not be able to get updates via Google Play.

     

    All Verify Apps/Google Play will do is get the people writing malware to specifically target areas of Android that are outside their control.

  • Reply 85 of 186
    d4njvrzfd4njvrzf Posts: 797member
    Quote:
    Originally Posted by EricTheHalfBee View Post





    You know exactly how to do that since it's you're trademark. Don't get offended when someone returns the favor.



    You shouldn't talk about security when you know nothing about how OS's are designed. For starters read this:



    http://en.wikipedia.org/wiki/Address_space_layout_randomization



    Only Android JB has fully implemented this feature.

     

    Just curious, how much android malware actually use kernel exploits that would be mitigated by ASLR? OS X lacked a proper ASLR implementation up through Snow Leopard, which is still used by one in five Macs, yet that hasn't been attributed to many real-world security problems.

  • Reply 86 of 186
    MarvinMarvin Posts: 14,230moderator
    droidftw wrote: »
    Any stats on infection rates and geographic locations of those most at risk?  No?  I wonder why that could be.

    If it just came out then that would be why. Previous incarnations that have been manually injected into apps will have bypassed bouncer too but they won't show up in malware tests until they know what to check for.
    solipsismx wrote:
    RAT has got to be the best acronym for malware.

    There's a whole culture developed around this kind of malware already with the PC versions. They call the victims rats or slaves because the perpetrators (ratters/RATers or rat-breeders) watch them like they would a pet. There was a case last year where someone managed to do this to Miss Teen USA Cassidy Wolf:

    http://edition.cnn.com/2013/09/26/justice/miss-teen-usa-sextortion/
    http://arstechnica.com/tech-policy/2013/03/rat-breeders-meet-the-men-who-spy-on-women-through-their-webcams/

    The camera light doesn't always come on and they record pictures/videos of them walking past the camera naked and they use the images/videos to bribe them into doing more explicit things just for them:

    "The stalker claimed to have 1,000 photographs of one woman. As an FBI agent was speaking by phone to this young woman, she logged onto her Instagram account to find it populated by nude pictures of her, the complaint said."

    Some people have targeted younger victims and they threaten to post the pictures to relatives and friends that they get from contacts lists if they don't do more explicit things in private via direct webcam. Then of course, they have both the original photos/videos and explicit webcam recordings. Not everyone gets naked in front of their computer, check the guy on the left in the following pic, this is an image from one of the news articles about it:

    1000

    but there was one woman said she watches DVDs in the bath. Tablets take this to a whole new level because they can be used in all sorts of places.

    Sometimes the perpetrators do it to mess around with people. They have control over browsers so they randomly popup really explicit pornography while they are just doing normal browsing. There's a girl here does it to some kid:


    [VIDEO]


    You can see near the end, they have a list of computers that they can freely connect to and watch in multiple locations, some have hundreds of victims. There are other videos (some explicit) if you search for darkcomet on youtube.
    How could these denial of service attacks be fended off?

    With a big enough data center and monitoring and limiting traffic. You couldn't do it to Google for example because they have so many servers, probably the same with Facebook. Google also uses a filter to block suspicious activity. I've had it with some search terms where it can't work them out quickly enough so it asks you to enter a captcha. There's a service called Cloudflare that you can sit your own server behind and traffic will be filtered through it (the server would have to reject direct traffic). They handled one of the biggest attacks known so far:

    http://www.reuters.com/article/2014/03/05/us-cyber-ddos-idUSBREA240XZ20140305

    400GB/s of connection data. People were trying to take down Spamhaus, which is a spam blacklist. If they'd managed it, people would trust Spamhaus less, which benefits the spammers.
  • Reply 87 of 186
    mstonemstone Posts: 11,510member
    Quote:



    Originally Posted by Gatorguy View Post

     
    Quote:
    Originally Posted by mstone View Post



    TLDW

    bold italics, ha




    Whenever I quote long passages from another source I'll usually italicize it for obviousness. As far as being too long the post was for Daniels' benefit. I don't expect others to take the time to read it since most don't care about any inconvenient facts anyway. They already learned all they want to know about it from DED's article. image

    whatever... what you wrote seems like a total damage control piece. Hard to believe you are just a rational contrarian user and not a paid astroturfer

  • Reply 88 of 186
    gatorguygatorguy Posts: 21,283member
    So then I guess you're going to provide me with proof that Google's Verify Apps has successfully blocked all malware? Or to put it another way, since Verify Apps is nothing more than a fancy name for anti-virus software, are you claiming that Google has somehow managed to create a virus scanner with a 100% success rate?

    Ah an all or nothing guy. Despite your mention of virus, which there are not Android viruses AFAIK, I know what you meant. Which OS can you point to with a 100% success rate? Any OS at all?

    If 99.99% avoidance of actually harmful malware will get you close enough there's been recent articles that talk about something in that range.
    http://www.phonearena.com/news/Google-says-less-than-.001-of-Android-malware-evades-Google-Play-security-to-cause-harm_id47960

    So going back to my original comment I thought DED's article was informative. I even added the additional fact that the new RAT had been found in Google Play itself. Almost inexplicable that DED missed the opportunity to announce it.

    The last paragraph tho is easily shown to be untrue. If you were being honest you'd agree. It was never an argument over whether malware exists, It does. The disagreement was with Daniels assertion that Google doesn't care and that most old Google Android phones won't ever get security enhancements. They do and they have.

    Otherwise I didn't voice any other issue with his article and it's entirely possible the last erroneous paragraph could be chalked up to his just not being familiar with Google efforts.
  • Reply 89 of 186
    gatorguygatorguy Posts: 21,283member

    There are devices out there that are getting updates and yet still aren't being counted. So if I had an older phone with 10 Apps I use, and never bother to buy new Apps because my phone works good, then it will never get counted even though it's being used (and getting updated).

    I think you may be confused. App updates come from Google Play, and that old device getting an update to one of your 10 apps would be part of the Google Play count.
  • Reply 90 of 186
    droidftwdroidftw Posts: 1,009member
    Quote:
    Originally Posted by Marvin View Post



    If it just came out then that would be why. Previous incarnations that have been manually injected into apps will have bypassed bouncer too but they won't show up in malware tests until they know what to check for.

     

    Dendroid may have just came out, but the code is more then likely not new.  Symantec states that Dendroid is likely based on AndroRAT which is a tool that's been around for quite awhile and is barely even useable anymore.  There's a very real chance that this $300 price won't get you the great lifetime of customer service, updates and support for all ones skid needs like what is advertised (a shock, I know) and instead is old code repackaged to scam wannabe haxorz out of their money.



    EDIT:  I just noticed that DED left out the graphic that I'm referring to.  Here it is.

     

  • Reply 91 of 186
    Quote:

    Originally Posted by Dick Applebaum View Post





    You dasen't correct Corrections!



    I shan't warn you again!

     

    Their They're now!

  • Reply 92 of 186
    Quote:
    Originally Posted by Gatorguy View Post





    I think you may be confused. App updates come from Google Play, and that old device getting an update to one of your 10 apps would be part of the Google Play count.

     

    No, you're the one who's confused. I'll make it really simple for you:

     

    - Google used to count a device whenever the device checked in with Google (for example, to look for updates).

    - Google now only counts devices when a user specifically visits the Play store (like browsing for Apps).

     

    From Google's announcement when they made the change:

     

    Quote:

    The new device dashboards are based on the devices of users who visit the Google Play Store (rather than devices that have checked-in to Google servers). As a result, the dashboards more accurately reflect the users most engaged in the Android and Google Play ecosystem—and thus most likely to download and use your apps.


     

    This was all explained back when they made the change. As I stated above, your phone can get updates and still not get counted. Updates are not a user-initiated action. Updates are also no use to developers to see who's actually shopping for and buying Apps.

  • Reply 93 of 186
    georgeip5georgeip5 Posts: 225member
    DONT TELL ANDROID USERS JUST TO F*CK WTH THEM
  • Reply 94 of 186
    droidftwdroidftw Posts: 1,009member
    Quote:
    Originally Posted by EricTheHalfBee View Post

     

     

    Android apps that were initially installed thru the Play Store (or ones that come preinstalled) get updated thru the Play Store.  I can't tell if you're aware of that by your post.  Apps don't directly update themselves in the background outside of the Play Store.  Facebook once tried to go that route and they were quickly put in their place by Google.

     

    However, you seem pretty sure that Android apps do update themselves outside of the Play Store and without any user-initiated actions.  This is not normal native behavior for either the Android OS or Android apps.  May I ask if you own an Android device that does this and which one it is?  Also, which app(s) do this on that device?

  • Reply 95 of 186
    comleycomley Posts: 139member
    Android has improved over the years !

    I believe in Apple ecosystem and touchwood I haven't had any viruses !!
  • Reply 96 of 186
    larry9larry9 Posts: 15member
    I guess this editorial passes as news in a corporate PP rag.
  • Reply 97 of 186
    cnocbuicnocbui Posts: 3,613member
    Quote:

    Originally Posted by Benjamin Frost View Post



    Heh—be funny if it were called DEDroid. image



    Not as funny or apropos as if DED changed his byline to Chicken Little.

  • Reply 98 of 186
    chipsychipsy Posts: 287member
    This must be one of the more desperate DED articles to date. Very selective quoting and a serious exaggeration of the actual danger. How about these quotes from the same sources:
    "Malicious apps are still found from time to time on Google Play, but they’re usually quickly removed."

    "While [B]malware distribution on Android is harder to scale than on Windows[/B][B], because Google has gotten much better at policing the Google Play store in recent years[/B], there are variety of techniques that attackers can and have used to trick users into installing malicious apps on their devices. These techniques include distributing malicious apps through [B]third-party app stores[/B] that are very popular in certain markets like China or Russia, using [B]Windows malware to inject rogue messages into Web browsing sessions[/B] to claim the rogue apps are associated with trusted sites like online banking ones, and even [B]selling phones with trojanized apps pre-installed[/B] on them.

    And the Bouncer evading is unproven:
    "they [B]claim[/B] that the new RAT contains techniques to bypass detection by Bouncer, Google Play’s automated malware scanner, and other anti-virus programs. However, [B]it’s not clear how effective those alleged techniques actually are[/B]."
    Yet DED makes it sound as a certainty.

    "[B]We only detected a single application infected with Dendroid and it has already been removed[/B] from the Play Store"
    So not so capable in evading Bouncer after all.

    No idea why DED feels the need to make it appear as if the Google Android ecosystem (and read carefully [B]Google[/B] Android, so Play Store only and no unknown sources) is malware infested while this clearly is not the case. And also no idea why he seems to have this urge to vilify Android at every little opportunity, with what often is misinformation.
  • Reply 99 of 186
    gatorguygatorguy Posts: 21,283member
    No, you're the one who's confused. I'll make it really simple for you:

    - Google used to count a device whenever the device checked in with Google (for example, to look for updates).
    - Google now only counts devices when a user specifically visits the Play store (like browsing for Apps).

    From Google's announcement when they made the change:


    This was all explained back when they made the change. As I stated above, your phone can get updates and still not get counted. Updates are not a user-initiated action. Updates are also no use to developers to see who's actually shopping for and buying Apps.

    Eric, your's is certainly a unique interpretation of a simply concept. Google clearly explains how the count is done and even why the change was made:
    "Beginning in September, 2013, devices running versions older than Android 2.2 do not appear in this data because those devices do not support the new Google Play Store app. Only the new app is able to measure the number of devices that actively visit Google Play Store and we believe this measurement best reflects your potential user-base."

    And where do Android app updates come from? Google Play. And how are app updates initiated? You first have to visit Google Play. Note too that even if you visit to set up automatic updates for some of your apps if there are any significant permission changes with an update you'll still have to pay another visit to the Play Store to approve it first.
    https://support.google.com/googleplay/answer/113412?hl=en

    Prior to the change Google charted the OS versions for Android devices logging into any Google Services (Maps, Search etc.)
    Since the stats are intended to aid developers and those who don't use Google Play are of little interest Google changed the reporting metric. After all it's for developer's benefit, not the press or you or me.

    But to placate those curious souls who believe ten's of millions of old device OS's are left out of the stats Google periodically offers info on those too. You'll see that mentioned under this months chart. As of August 2013 the percentage of Google users with OS's older than 2.2 was an insignificant 1%. https://developer.android.com/about/dashboards/index.html

    We'll just assume tho you visited Google's appstore and successfully set up every one of your ten apps to automatically update, none ever had permission changes, and you never visited since. Sounds as tho you'd be a rare exception but whatever for purposes of discussion. You can't be protected by these new security enhancements right? Surely ya gotta get an OS update or at least visit Google Play to be protected. With the default PlayStore app on your phone, even if you never use it, you're automatically getting those enhancements, no action on your part and no visit to the Playstore necessary. You may not know it, but they are there if you have Android 2.3 or better.

    And that sir is the only thing I publicly took issue with from Daniel's article. He would claim "Google maintains no accountability for the devices that ship with Android (and) Most of these will never receive security updates." I believe he's incorrect on both counts. Am I right? It's a really simple question to answer but somehow I don't expect to get one..
  • Reply 100 of 186
    d4njvrzfd4njvrzf Posts: 797member
    Quote:
    Originally Posted by EricTheHalfBee View Post

     

     

    No, you're the one who's confused. I'll make it really simple for you:

     

    - Google used to count a device whenever the device checked in with Google (for example, to look for updates).

    - Google now only counts devices when a user specifically visits the Play store (like browsing for Apps).

     

    Quote:

     The new device dashboards are based on the devices of users who visit the Google Play Store (rather than devices that have checked-in to Google servers). As a result, the dashboards more accurately reflect the users most engaged in the Android and Google Play ecosystem—and thus most likely to download and use your apps.


     


    Google has other web properties besides the Play Store, such as Gmail and YouTube. I interpret the announcement as merely saying that a device won't be considered an Android device simply because it uses Gmail. The ability to access the Play Store is what distinguishes a Google-certified device from a no-name white-box build using the Android source code, such as what you might find in China. Thus it makes sense to only consider devices that access the Play Store.

     

    It would not make sense for Google to distinguish automated Play Store access from user-initiated Play Store access when measuring the Android population. Once users have found all the software they need, they aren't going to keep looking for apps. If you only count user-initiated app store accesses, you will only see mostly the users new to the platform.

Sign In or Register to comment.