Search the Community

Showing results for tags 'google play'.

  • Search By Tags

    Type tags separated by commas.
  • Search By Author

Content Type


  • Site Related
    • News & Updates
    • Site / Forum Feedback
    • Member Introduction
  • News
    • General News
    • FileSharing News
    • Mobile News
    • Software News
    • Security & Privacy News
    • Technology News
  • Downloads
    • nsane.down
  • General Discussions & Support
    • Filesharing Chat
    • Security & Privacy Center
    • Software Chat
    • Mobile Mania
    • Technology Talk
    • Entertainment Exchange
    • Guides & Tutorials
  • Off-Topic Chat
    • The Chat Bar
    • Jokes & Funny Stuff
    • Polling Station


  • Drivers
  • Filesharing
    • BitTorrent
    • eDonkey & Direct Connect (DC)
    • NewsReaders (Usenet)
    • Other P2P Clients & Tools
  • Internet
    • Download Managers & FTP Clients
    • Messengers
    • Web Browsers
    • Other Internet Tools
  • Multimedia
    • Codecs & Converters
    • Image Viewers & Editors
    • Media Players
    • Other Multimedia Software
  • Security
    • Anti-Malware
    • Firewalls
    • Other Security Tools
  • System
    • Benchmarking & System Info
    • Customization
    • Defrag Tools
    • Disc & Registry Cleaners
    • Management Suites
    • Other System Tools
  • Other Apps
    • Burning & Imaging
    • Document Viewers & Editors
    • File Managers & Archivers
    • Miscellaneous Applications
  • Linux Distributions


  • General News
  • File Sharing News
  • Mobile News
  • Software News
  • Security & Privacy News
  • Technology News

Find results in...

Find results that contain...

Date Created

  • Start


Last Updated

  • Start


Filter by number of...

Found 13 results

  1. Malicious apps on Google Play dropped banking Trojans on user devices

     The utility apps contained a previously-unknown dropper for financial malware.

     Google has removed 10 apps from the Play Store which contained droppers for financial Trojans. On Tuesday, Check Point Research (CPR) said in a blog post that the Android applications appear to have been submitted by the same threat actor, who created new developer accounts for each app.

     The dropper was loaded into otherwise innocent-looking software, and each of the 10 apps was a utility, including Cake VPN, Pacific VPN, BeatPlayer, QR/Barcode Scanner MAX, and QRecorder. The utilities' functionality is ripped from existing, legitimate open source Android apps.

     In order to avoid detection by Google's standard security protections, Firebase was used as a platform for command-and-control (C2) communication and GitHub was abused for payload downloads. According to the researchers, the hidden dropper's C2 infrastructure contains parameters -- enable or disable -- to 'decide' whether or not to trigger the app's malicious functions. The parameter is set to "false" until Google has published the app, and then the trap springs.

     Dubbed Clast82, CPR says the newly-discovered dropper has been designed to deliver financial malware. Once triggered, second-stage payloads are pulled from GitHub, including mRAT and AlienBot.

     "If the infected device prevents installations of applications from unknown sources, Clast82 prompts the user with a fake request, pretending to be 'Google Play Services' requesting the user to allow the installation every five seconds," the team says.

     mRAT is used to provide remote access to a compromised mobile device, whereas AlienBot facilitates the injection of malicious code into existing, legitimate financial apps. Attackers can hijack banking apps to obtain access to user accounts and steal their financial data, and the malware will also attempt to intercept two-factor authentication (2FA) codes.

     The researchers reported the malicious apps to Google on January 29, a day after discovery. By February 9, Google had confirmed that the malware had been removed from the Play Store. The apps accounted for roughly 15,000 installs.

     "The hacker behind Clast82 was able to bypass Google Play's protections using a creative, but concerning, methodology," commented Aviran Hazum, Check Point mobile research manager. "With a simple manipulation of readily available third-party resources -- like a GitHub account, or a FireBase account -- the hacker was able to leverage readily available resources to bypass Google Play Store's protections."

     Source: Malicious apps on Google Play dropped banking Trojans on user devices
  2. Barcode Scanner app on Google Play infects 10 million users with one update

     Late last December we started getting a distress call from our forum patrons. Patrons were experiencing ads that were opening via their default browser out of nowhere. The odd part is none of them had recently installed any apps, and the apps they had installed came from the Google Play store. Then one patron, who goes by username Anon00, discovered that it was coming from a long-time installed app, Barcode Scanner. An app that has 10,000,000+ installs from Google Play! We quickly added the detection, and Google quickly removed the app from its store.

     Simple scanner turns evil

     Many of the patrons had the app installed on their mobile devices for long periods of time (one user had it installed for several years). Then all of a sudden, after an update in December, Barcode Scanner had gone from an innocent scanner to full-on malware! Although Google has already pulled this app, we predict from a cached Google Play webpage that the update occurred on December 4th, 2020.

     Malicious intent

     The majority of free apps on Google Play include some kind of in-app advertising. They do this by including an ad SDK in the code of the app, usually at the end of the app’s development. Paid-for versions simply do not have this SDK included. Ad SDKs can come from various third-party companies and provide a source of revenue for the app developer. It’s a win-win situation for everyone. Users get a free app, while the app developers and the ad SDK developers get paid. But every once in a while, an ad SDK company can change something on their end and ads can start getting a bit aggressive, sometimes even landing the apps that use it in the Adware category. When this happens, it is not the app developers’ doing, but the SDK company. I explain this method to say that in the case of Barcode Scanner, this was not the case.

     No, in the case of Barcode Scanner, malicious code had been added that was not in previous versions of the app. Furthermore, the added code used heavy obfuscation to avoid detection. To verify this is from the same app developer, we confirmed it had been signed by the same digital certificate as previous clean versions. Because of its malign intent, we jumped past our original detection category of Adware straight to Trojan, with the detection of Android/Trojan.HiddenAds.AdQR.

     Bad behavior

     The toughest part of malware analysis can be replicating what our users are experiencing. That wasn’t a problem with Barcode Scanner; it went into action within minutes of install. Watch the short video below to see its malicious behavior:

     Removed from Play, but not from mobile device

     Removing an app from the Google Play store does not necessarily mean it will be removed from affected mobile devices. Unless Google Play Protect removes it after the fact, it remains on the device. This is exactly what users are experiencing with Barcode Scanner. Thus, until they install a malware scanner like Malwarebytes for Android, or manually remove the app, it will continue to display ads.

     Lying dormant

     It is hard to tell just how long Barcode Scanner had been in the Google Play store as a legitimate app before it became malicious. Based on the high number of installs and user feedback, we suspect it had been there for years. It is frightening that with one update an app can turn malicious while going under the radar of Google Play Protect. It is baffling to me that an app developer with a popular app would turn it into malware. Was this the scheme all along, to have an app lie dormant, waiting to strike after it reaches popularity? I guess we will never know.

     App Information

     App Name: Barcode Scanner
     MD5: A922F91BAF324FA07B3C40846EBBFE30
     Package Name: com.qrcodescanner.barcodescanner

     Source: Barcode Scanner app on Google Play infects 10 million users with one update
  3. Malicious phishing apps have once again made their way into the Google Play Store, this time imitating six online banks and a cryptocurrency exchange.

     ESET researchers spotted fake finance apps impersonating banks from New Zealand, Australia, the U.K., Switzerland and Poland, and the Austrian cryptocurrency exchange Bitpanda, according to a Sept. 19 blog post. The malicious apps imitated the Commonwealth Bank of Australia (CommBank), the Australia and New Zealand Banking Group Limited (ANZ), ASB Bank, TSB Bank, PostFinance, and Santander Bank Polska SA (formerly Bank Zachodni).

     Although they each operated slightly differently, they all display forms requesting the user to enter their credit card details and/or login credentials to the targeted bank or service; the apps then present their victims with a “Congratulations” or “Thank you” message, researchers said. The malicious apps all used obfuscation, which most likely helped them to bypass Google’s security features.

     Despite being uploaded under different developer names, researchers suspect the same group or person is behind the malicious apps and that they were all uploaded in June 2018. They had been installed more than a thousand times before they were shut down by Google.

     Source
  4. Security is an important factor when it comes to technology, and in most cases you can never have too much. In 2014, our smartphones know more about us than we know about ourselves, and if malware were to creep onto our smartphones then we could potentially suffer some major consequences. As a result, like any reasonable person, we would look to secure our device. This is what Deviant Solutions, the creator of the current #1 Play Store app, decided to capitalize on.

     No, ZERO!

     Virus Shield claims it is an antivirus that "protects you and your personal information from harmful viruses, malware, and spyware" and "Improve the speed of your phone," and it does this all with one click. It also claims to have a minimal impact on battery, run seamlessly in the background, and if that wasn't enough, it also acts as ad-block software that will stop those "pesky advertisements."

     This app costs $3.99, has been on the Play Store for just under two weeks and has already had 10,000 downloads with a 4.5 star review from 1,700 people. 2,607 people hit the Google "recommend" button. This means that the app must be doing something right... right?

     Unfortunately for the buyers, Android Police has discovered that all the app does is change a red "X" graphic to a red "check" graphic. Literally. The 859kb app doesn't protect, secure, or scan anything. More work went into the Settings menu than the actual "security" portion of the app, and it appears that thousands of users have been scammed out of their money.

     For $3.99, you get to see the image on the left turn into the image on the right

     In tracking down the creator, it appeared that the creator was a well known scammer who had been banned from forums for trying to scam people out of low-valued online game items. This calls into question some concerns about the openness of the Play Store. Is a walled-garden approach where the app goes through a strict review process, similar to what currently takes place in Apple's App Store, a better model for smartphones? Or does the freedom that comes from Google's approach outweigh the negatives of a bad app creeping in every now and then?

     Source: malwaretips
  5. Google has once again shifted its target API level requirement for all apps submitted to Google Play. Since August 3, 2020, all new apps submitted to Google Play were required to target at least Android 10. Starting today, all updates to existing apps must target Android 10 (API level 29) or higher. The search giant made similar changes at the end of last year and has been requiring Android app developers to target newer API levels since 2017.

     Since its stable release in September of 2019, Android 10’s distribution has grown steadily, with the operating system running on 100 million devices just 5 months post-launch. As of April of 2020, Android 10 was running on 8.2% of all Google-certified devices, though that percentage has likely gone up significantly in the last few months because Google has requirements on the OS version that new devices can launch with.

     Source: Google

     When you take a look at the many new APIs available in Android 10, you start to realize how important the release is. Some of the notable APIs include support for foldable devices, support for 5G, support for Dark Theme, and improved privacy features. Most developers by now have likely adapted their apps to target Android 10 or higher, but any developer that hasn’t must now comply with Google’s rules or risk abandoning their software, which ultimately leaves consumers in a lurch.

     By requiring app developers to target last year’s release of Android, Google is hoping to encourage the adoption of new APIs, thus providing users with an improved experience. Earlier versions of Android are still more prevalent than more recent releases, but with initiatives like Project Treble, Google is slowly closing the fragmentation gap and making it easier for OEMs to update their devices. It will eventually be the same story next year when Google will require that developers target Android 11 (API level 30), which is the most recent release.

     Source
  6. Be careful what you're downloading from Google Play. Especially if it's one of 13 apps posing as driving games created by one developer called Luiz Pinto. More than 560,000 have already been tricked into downloading the games, which include a mix of luxury car and truck simulation apps, as discovered by Android malware researcher Lukas Stefanko.

     Once installed on a user's Android device, the games don't actually work. Looking at the reviews on Google Play, users who downloaded them complained it was a virus. For instance, among the masses of one-star reviews for the Truck Cargo Simulator, one noted his device slowed down after it forced him to download an app that wasn't the game itself. Many simply called it a scam. For the Luxury Cars SUV Traffic app, one user warned: "The app tries to update via unknown sources. Most likely very unsafe."

     As others found, they couldn't find the icon for the game once downloaded. That was because, according to Stefanko, the developer hid it from view. Stefanko told Forbes he wasn't entirely sure just what extra software was being installed on infected Androids, but it could've been adware—malware that clicks on ads on behalf of the user so whoever is in control of the ads (probably the hacker) gets money.

     The researcher reported his discovery to Google earlier Monday. The company hadn't provided comment at the time of publication. The writer of the malware, Luiz Pinto, hadn't responded to emails to the address listed on Google Play.

     Google could do better to protect users on Google Play, Stefanko added. "Many times it would be simply enough to scan apps with anti-virus software before uploading them on to Google Play," he said. Given Google owns an organization that could do just that, Virus Total, that shouldn't be too much of an ask.

     For users who've already downloaded the malware, they should either attempt to find it and remove it themselves, using the phone search features, or use an anti-virus to delete it for them, Stefanko said.

     Source
  7. Across six apps, the spyware managed to spread to 196 different countries.

     An Android spyware dubbed MobSTSPY has managed to ride trojanized apps to a widespread, global distribution, mainly via Google Play. The malware masquerades as a legitimate application purporting to be things like flashlights, games and work productivity tools. While it’s not uncommon to come across weaponized fare in third-party app stores, MobSTSPY is notable for having managed to also infiltrate Google Play with at least six different apps over the course of 2018.

     “Part of what makes this case interesting is how widely its applications have been distributed,” said Trend Micro researchers Ecular Xu and Grey Guo, in a posting on Thursday. “Through our back-end monitoring and deep research, we were able to see the general distribution of affected users and found that they hailed from a total of 196 different countries.”

     These run the gamut from Mozambique to Poland, Iran to Vietnam, Algeria to Thailand, Germany to Iraq and so on. The Google Play apps specifically were Flappy Birr Dog, FlashLight, HZPermis Pro Arabe, Win7imulator, Win7Launcher and Flappy Bird, all of which appeared last year and are now gone from the store. Some were downloaded more than 100,000 times by users from all over the world.

     In terms of capability, the bad code is mainly an information-stealer, though it has a unique phishing aspect as well. When it comes to the former, it lifts data like user location, text messages, contact lists, call logs and clipboard items; and the malware is capable of stealing and uploading files found on the device. Trend Micro observed that it uses Firebase Cloud Messaging (FCM) to communicate with its command-and-control (C&C) server, and that it exfiltrates data depending on which command it receives.

     It also collects useful device information in a beginning step, such as the language used, its registered country, package name, device manufacturer and so on, which can be used to “fingerprint” the device for follow-on social engineering or exploit attacks. “It sends the gathered information to its C&C server, thus registering the device,” the researchers said. “Once done, the malware will wait for and perform commands sent from its C&C server through FCM.”

     In addition to its info-stealing capabilities, the malware can also gather additional credentials through a phishing attack. It displays fake Facebook and Google pop-ups asking for the user’s account details; if they’re entered, it returns a “log-in unsuccessful” message that might not raise a red flag for a user.

     “[The case of MobSTSPY] demonstrates that despite the prevalence and usefulness of apps, users must remain cautious when downloading them to their devices,” noted the Trend Micro researchers. “The popularity of apps serves as an incentive for cybercriminals to continue developing campaigns that utilize them to steal information or perform other kinds of attacks.”

     Google Play Malware

     Google Play malware is relatively rare, but this is of course not the first time that malware has evaded the Google Play filters and policies. In November, a booby-trapped Android app called Simple Call Recorder was taken down — after being available for download for almost a year. The main purpose of the malware was to trick the user into installing an additional app, which purported to be an Adobe Flash Player Update.

     Also, early last year, Google removed 22 malicious adware apps ranging from flashlights, call recorders to WiFi signal boosters that together were downloaded up to 7.5 million times from the Google Play marketplace. And in 2017, Google booted 700,000 apps from Google Play for violating marketplace policies. Not all of these were malware however – most of them purposely copied a more popular app or served up inappropriate content.

     The issue of course is that when malicious applications are taken down, people who already have them on their smartphone are not notified of the issue – so it’s likely that millions of users still have various malware installed on their device. A study conducted by the Pradeo Lab in November 2018 in fact showed that 89 percent of malicious applications that were deleted from stores are still installed on active devices, six months after their deletion.

     Source
  8. Chinese-made drone app in Google Play spooks security researchers

     DJI Go 4, installed more than 1 million times, can execute arbitrary code.

     A DJI Phantom 4 quadcopter drone. (Image credit: Andri Koolme)

     The Android version of DJI Go 4—an app that lets users control drones—has until recently been covertly collecting sensitive user data and can download and execute code of the developers’ choice, researchers said in two reports that question the security and trustworthiness of a program with more than 1 million Google Play downloads.

     The app is used to control and collect near real-time video and flight data from drones made by China-based DJI, the world's biggest maker of commercial drones. The Play Store shows that it has more than 1 million downloads, but because of the way Google discloses numbers, the true number could be as high as 5 million. The app has a rating of three-and-a-half stars out of a possible total of five from more than 52,000 users.

     Wide array of sensitive user data

     Two weeks ago, security firm Synacktiv reverse-engineered the app. On Thursday, fellow security firm Grimm published the results of its own independent analysis. At a minimum, both found that the app skirted Google terms and that, until recently, the app covertly collected a wide array of sensitive user data and sent it to servers located in mainland China. A worst-case scenario is that developers are abusing hard-to-identify features to spy on users. According to the reports, the suspicious behaviors include:

       • The ability to download and install any application of the developers’ choice through either a self-update feature or a dedicated installer in a software development kit provided by China-based social media platform Weibo. Both features could download code outside of Play, in violation of Google's terms.
       • A recently removed component that collected a wealth of phone data including IMEI, IMSI, carrier name, SIM serial number, SD card information, OS language, kernel version, screen size and brightness, wireless network name, address and MAC, and Bluetooth addresses. These details and more were sent to MobTech, maker of a software developer kit used until the most recent release of the app.
       • Automatic restarts whenever a user swiped the app to close it. The restarts cause the app to run in the background and continue to make network requests.
       • Advanced obfuscation techniques that make third-party analysis of the app time-consuming.

     This month's reports come three years after the US Army banned the use of DJI drones for reasons that remain classified. In January, the Interior Department grounded drones from DJI and other Chinese manufacturers out of concerns data could be sent back to the mainland.

     DJI officials said the researchers found “hypothetical vulnerabilities” and that neither report provided any evidence that they were ever exploited. “The app update function described in these reports serves the very important safety goal of mitigating the use of hacked apps that seek to override our geofencing or altitude limitation features,” they wrote in a statement. Geofencing is a virtual barrier that the Federal Aviation Administration or other authorities bar drones from crossing. Drones use GPS, Bluetooth, and other technologies to enforce the restrictions.

     A Google spokesman said the company is looking into the reports. The researchers said the iOS version of the app contained no obfuscation or update mechanisms.

     Obfuscated, acquisitive, and always on

     In several respects, the researchers said, DJI Go 4 for Android mimicked the behavior of botnets and malware. Both the self-update and auto-install components, for instance, call a developer-designated server and await commands to download and install code or apps. The obfuscation techniques closely resembled those used by malware to prevent researchers from discovering its true purpose. Other similarities were an always-on status and the collection of sensitive data that wasn’t relevant or necessary for the stated purpose of flying drones.

     Making the behavior more concerning is the breadth of permissions required to use the app, which include access to contacts, microphone, camera, location, storage, and the ability to change network connectivity. Such sprawling permissions meant that the servers of DJI or Weibo, both located in a country known for its government-sponsored espionage hacking, had almost full control over users’ devices, the researchers said.

     Both research teams said they saw no evidence the app installer was ever actually used, but they did see the automatic update mechanism trigger and download a new version from the DJI server and install it. The download URLs for both features are dynamically generated, meaning they are provided by a remote server and can be changed at any time. The researchers from both firms conducted experiments that showed how both mechanisms could be used to install arbitrary apps. While the programs were delivered automatically, the researchers still had to click their approval before the programs could be installed.

     Both research reports stopped short of saying the app actually targeted individuals, and both noted that the collection of IMSIs and other data had ended with the release of current version 4.3.36. The teams, however, didn’t rule out the possibility of nefarious uses. Grimm researchers wrote:

       In the best case scenario, these features are only used to install legitimate versions of applications that may be of interest to the user, such as suggesting additional DJI or Weibo applications. In this case, the much more common technique is to display the additional application in the Google Play Store app by linking to it from within your application. Then, if the user chooses to, they can install the application directly from the Google Play Store. Similarly, the self-updating components may only be used to provide users with the most up-to-date version of the application. However, this can be more easily accomplished through the Google Play Store.

       In the worst case, these features can be used to target specific users with malicious updates or applications that could be used to exploit the user's phone. Given the amount of user’s information retrieved from their device, DJI or Weibo would easily be able to identify specific targets of interest. The next step in exploiting these targets would be to suggest a new application (via the Weibo SDK) or update the DJI application with a customized version built specifically to exploit their device. Once their device has been exploited, it could be used to gather additional information from the phone, track the user via the phone’s various sensors, or be used as a springboard to attack other devices on the phone’s WiFi network. This targeting system would allow an attacker to be much stealthier with their exploitation, rather than much noisier techniques, such as exploiting all devices visiting a website.

     DJI responds

     DJI officials have published an exhaustive and vigorous response that said that all the features and components detailed in the reports either served legitimate purposes or were unilaterally removed and weren’t used maliciously. “We design our systems so DJI customers have full control over how or whether to share their photos, videos and flight logs, and we support the creation of industry standards for drone data security that will provide protection and confidence for all drone users,” the statement said. It provided the following point-by-point discussion:

       When our systems detect that a DJI app is not the official version – for example, if it has been modified to remove critical flight safety features like geofencing or altitude restrictions – we notify the user and require them to download the most recent official version of the app from our website. In future versions, users will also be able to download the official version from Google Play if it is available in their country. If users do not consent to doing so, their unauthorized (hacked) version of the app will be disabled for safety reasons. Unauthorized modifications to DJI control apps have raised concerns in the past, and this technique is designed to help ensure that our comprehensive airspace safety measures are applied consistently.

       Because our recreational customers often want to share their photos and videos with friends and family on social media, DJI integrates our consumer apps with the leading social media sites via their native SDKs. We must direct questions about the security of these SDKs to their respective social media services. However, please note that the SDK is only used when our users proactively turn it on.

       DJI GO 4 is not able to restart itself without input from the user, and we are investigating why these researchers claim it did so. We have not been able to replicate this behavior in our tests so far.

       The hypothetical vulnerabilities outlined in these reports are best characterized as potential bugs, which we have proactively tried to identify through our Bug Bounty Program, where security researchers responsibly disclose security issues they discover in exchange for payments of up to $30,000. Since all DJI flight control apps are designed to work in any country, we have been able to improve our software thanks to contributions from researchers all over the world, as seen on this list.

       The MobTech and Bugly components identified in these reports were previously removed from DJI flight control apps after earlier researchers identified potential security flaws in them. Again, there is no evidence they were ever exploited, and they were not used in DJI’s flight control systems for government and professional customers.

       The DJI GO4 app is primarily used to control our recreational drone products. DJI’s drone products designed for government agencies do not transmit data to DJI and are compatible only with a non-commercially available version of the DJI Pilot app. The software for these drones is only updated via an offline process, meaning this report is irrelevant to drones intended for sensitive government use. A recent security report from Booz Allen Hamilton audited these systems and found no evidence that the data or information collected by these drones is being transmitted to DJI, China, or any other unexpected party. This is only the latest independent validation of the security of DJI products following reviews by the U.S. National Oceanic and Atmospheric Administration, U.S. cybersecurity firm Kivu Consulting, the U.S. Department of Interior and the U.S. Department of Homeland Security.

       DJI has long called for the creation of industry standards for drone data security, a process which we hope will continue to provide appropriate protections for drone users with security concerns. If this type of feature, intended to assure safety, is a concern, it should be addressed in objective standards that can be specified by customers. DJI is committed to protecting drone user data, which is why we design our systems so drone users have control of whether they share any data with us. We also are committed to safety, trying to contribute technology solutions to keep the airspace safe.

     Don't forget the Android app mess

     The research and DJI’s response underscore the disarray of Google’s current app procurement system. Ineffective vetting, the lack of permission granularity in older versions of Android, and the openness of the operating system make it easy to publish malicious apps in the Play Store. Those same things also make it easy to mistake legitimate functions for malicious ones.

     People who have DJI Go 4 for Android installed may want to remove it at least until Google announces the results of its investigation (the reported automatic restart behavior means it's not sufficient to simply curtail use of the app for the time being). Ultimately, users of the app find themselves in a similar position as that of TikTok, which has also aroused suspicions, both because of some behavior considered sketchy by some and because of its ownership by China-based ByteDance. There’s little doubt that plenty of Android apps with no ties to China commit similar or worse infractions than those attributed to DJI Go 4 and TikTok. People who want to err on the side of security should steer clear of a large majority of them.

     Source: Chinese-made drone app in Google Play spooks security researchers
  9. A new type of Android-centric spyware has been found that is capable of avoiding Google’s app-vetting process.

Malicious actors have placed the spyware in an app, called Radio Balouch, aka RB Music, which does in fact deliver on its advertised promise of playing Balouchi-style music, a traditional music that encompasses classical, semi-classical, and folk music originating from the region of southwest Pakistan, southeast Iran, and southwest Afghanistan. However, in addition to delivering the music, the app steals the user's personal information, ESET reported.

The app is built on the AhMyth open-source malware, and its ability to dodge Google’s security enabled it to sneak into Google Play twice, although there have been fewer than 200 downloads for both. AhMyth was made publicly available in December 2017, but the Radio Balouch app is the first to successfully use the malware to infiltrate Google.

“Besides Google Play, the malware, detected by ESET as Android/Spy.Agent.AOX, has been available on alternative app stores. Additionally, it has been promoted on a dedicated website, via Instagram, and YouTube. We have reported the malicious nature of the campaign to the respective service providers, but received no response,” ESET wrote.

ESET reported the first appearance of this app on the official Android store to the Google security team on July 2, 2019, and it was removed within 24 hours. It then reappeared on July 13, was reported and again removed. ESET also found AhMyth-based malware in some third-party stores.

Source
  10. Opinion: Google says there are no exceptions. Should Epic Games bite the bullet?

After Fortnite launched on the Android mobile operating system, users were made aware that the installation process was somewhat unusual. Rather than visiting the Google Play Store and downloading the software directly, Epic Games employed a different installation technique known as sideloading, which requires the app to be downloaded from another source; in this case, Epic Games' website.

Adding additional purchase or installation barriers to consumers in a market where easily-accessible and streamlined processes have become a priority is generally frowned upon and is not considered best business practice. In this case, however, the Fortnite developer wanted to avoid Google's requirements when it comes to in-app billing.

As of this year, Epic Games says there are roughly 250 million active Fortnite players, and when you combine this with the app's virtual currency V-Bucks -- used to purchase everything from outfits to weapons in-game -- you can see the potential profit margins. Market tracker Edison Trends estimates that Fortnite in-app revenues dropped by 52 percent between Q2 2018 and Q2 2019, but the game is still a cash cow that outstrips everything else on the market with billions of dollars already banked.

Currently, developers must adhere to terms of service which include the implementation of Google Play In-app Billing to make in-app purchases, rather than their own payment methods. So when you consider a commission rate of roughly 30 percent levied on in-app purchases made by apps hosted on Google Play, you can see why the developer may wish to protect this revenue stream.

A 9to5Google report emerged over the past week which suggested Epic Games had submitted Fortnite to Google Play in the hopes of a special exception to the 30 percent rule. Google said no.

In a statement, the tech giant told the publication: "Android enables multiple app stores and choices for developers to distribute apps. Google Play has a business model and billing policy that allow us to invest in our platform and tools to help developers build successful businesses while keeping users safe. We welcome any developer that recognizes the value of Google Play and expect them to participate under the same terms as other developers."

This is no surprise in itself, as if Google made one exception -- especially to a massively popular app -- more developers would come knocking at the door asking for special treatment.

Epic Games CEO Tim Sweeney has previously described Google and Apple's 'tax' as "a high cost in a world where game developers' 70 percent must cover all the cost of developing, operating, and supporting their games." Sweeney also cited "economic efficiency" as a reason for maintaining sideloading rather than paying the commission, but the decision has been met with criticism by the security community.

Google Play is not an untouchable gold standard in security as, on occasion, malicious apps do circumvent existing security controls and become hosted in the official Android app repository. However, it is generally considered wise to download apps from sources such as Google Play and the Apple App Store, as these companies are constantly improving their security measures and there is less of a chance that the software you are downloading is malicious, as external researchers, too, are monitoring the stores.

Downloading an app from a third-party website requires high levels of trust in these sources, as they are not checked for malware, and they also require the "allow unknown apps to be installed" setting to be enabled on handsets. It is this avenue that can be exploited by attackers to perform phishing, Man-in-The-Middle (MiTM) attacks and to download malicious payloads onto devices.

Shortly after the launch of the Android version of Fortnite, Google disclosed a vulnerability in the Fortnite installer APK which could be exploited to allow attackers to hijack the app through a Man-in-The-Disk (MiTD) attack, leading to the substitution of packages for malicious code, high privileges and permission levels to be granted, and device hijacking. At the time, Sweeney branded the disclosure, made a week after a patch had been developed, as a way to "score cheap PR points."

Check Point, too, found a bug in Fortnite's infrastructure which gave attackers access to user accounts with very little effort. Over nine million Fortnite accounts were reportedly hacked last year.

It does not, and should not, just come down to money. We've seen in the past that it can take no more than one overlooked security issue to bring a company's reputation crashing down, landing them a hefty bill to repair the damage and for compensation, and while a 30 percent rate may be high, users do benefit from an improved app security posture.

As Fortnite does handle payment data, the need to maintain adequate security is even more important considering its massive customer base. The company has launched schemes to try and boost app security, including rewards for users that enable two-factor authentication (2FA). However, given that the app does tend to have a younger audience that may be more susceptible to phishing, downloading installers from untrusted sources, and giving away the keys to their accounts unwittingly, choosing to stay with sideloading could end up costing the company -- and its customers -- far more in the long run than Google's commission.

Source
  11. Apps spotted abusing use-after-free() bug seven months before patch

At least three malicious apps with device-hijacking exploits have made it onto the Google Play Store in recent weeks. This is according to eggheads at Trend Micro, who found that the since-removed applications were all abusing a use-after-free() flaw in the operating system to elevate their privileges, and pull down and run further malware from a command-and-control server. The malicious apps were Camero, FileCrypt, and callCam, so check if you still have them installed.

"The three malicious apps were disguised as photography and file manager tools," said Trend researchers Ecular Xu and Joseph Chen on Monday. "We speculate that these apps have been active since March 2019 based on the certificate information on one of the apps."

The exploited programming blunder was CVE-2019-2215, a use-after-free() vulnerability present in the inter-process messaging system of the Android kernel, specifically in binder.c. Successful exploitation of the flaw allows a local app to execute arbitrary code on the infected gizmo with kernel-level privileges, aka God mode.

It is not clear how many times the apps had been installed, though the reach may have been minimal as a screencap for Camero lists its installs at "5+".

Interestingly, while the apps themselves have been available since March 2019, the fix for CVE-2019-2215 was only posted in the October 2019 Android security update. However, the exploit for that vulnerability may have been added after March, such as when the hole was first disclosed.

According to the researchers, exploitation occurred when a victim downloaded either Camero or FileCrypt Manager. The supposedly legitimate apps contacted a command and control server from which they downloaded a pair of files that, in tandem, exploited CVE-2019-2215 to gain kernel-level privileges and installed the final piece of the scheme, the callCam app.

The callCam tool is able to collect device hardware information as well as location, installed apps, and data from specific applications like WeChat, Outlook, Twitter, Yahoo Mail, Gmail, and the Chrome browser. The pilfered data is then stored as an encrypted file for upload at a later time.

It is believed that, based on the command and control servers, the group behind the infections is the SideWinder crew, a hacking operation active since 2012. The team is believed to have largely targeted government and military systems in Pakistan and has until now relied mostly on exploits and malware for Windows PCs.

Source
  12. The heavily obfuscated adware was found in 238 different apps on Google Play.

Consumers and enterprise customers expect the apps they download from Google Play, Apple's App Store, and other officially sanctioned app repositories to be secure and have at least minimal respect for privacy. But security researchers at Lookout found 238 applications in Google Play that hid BeiTaAd, a well-obfuscated ad plugin that could display ads on the device's lock screen, trigger video and audio advertisements even while the phone is asleep, and display ads outside the app that interfered with the user experience in other applications.

Kristina Balaam, security intelligence engineer at Lookout and author of the blog post on the research, says that the company's research into the apps began with a phone call. "We [Lookout] got a support call from an enterprise user who noticed strange pop-up ads on their devices," Balaam says. "The support person contacted the research team, we started digging through the apps, and realized that there were other samples."

What they found was a collection of 238 apps from a single publisher, all of which contained adware that someone had gone to great lengths to hide. The publisher, CooTek, is known for legitimate Android apps and is listed on the NYSE. And the simple presence of adware in free apps isn't unprecedented: Many publishers use in-app advertising as a way to profit from free apps.

The difference in this case, Balaam says, is that "as official stores start to lock down the ads that can be shown, the publishers have to become more creative in how they hide adware." In the case of the CooTek apps, someone used very sophisticated techniques to obfuscate the adware executable bundled with the app. The adware was renamed, given a different filetype extension, and given AES encryption.

All of this might have been a small annoyance, but BeiTaAd is so aggressive that it effectively rendered the device unusable for enterprise purposes.

The combination of CooTek apps and BeiTaAd adware was effective at spreading the ads to a wide audience. In a screen shot used in the research report, one of the apps — TouchPal Keyboard — shows more than 100,000,000 downloads. Together, the infected apps showed more than 440 million downloads, according to Lookout.

The research report states that as of May 23, 2019, all affected apps had been either removed from Google Play or updated to versions that do not contain BeiTaAd. Still, Balaam says, "Whoever is responsible for this plug-in, they're aware that it doesn't comply with the Google terms of service." She doesn't point a finger at the company or any individual, but continues, "Someone knew that what they were doing was wrong and they tried not to get caught."

Source
  13. Tinder is exploring a different approach to fighting app store fees -- it's simply ignoring what the store operators want. The dating giant has introduced a default payment process into its Android app that skips Google Play's system entirely, instead taking payments directly. And if you go this route, you lose the option of switching back to Google Play after the fact.

Match Group spokeswoman Justine Sacco characterized this as an experiment to Bloomberg, saying that the firm "constantly" tests new features and that payment options which "benefit [the users'] experience" were an example of this. We've asked Google for comment, although it hadn't responded to Bloomberg's request as of this writing.

It's entirely practical for Android developers to enable direct payments without using Google Play, but that typically means bypassing Google Play altogether, like Epic did with Fortnite. It's another matter entirely to remain in the store but ditch Google's usual requirements. Tinder may be betting that Google won't pull such a high-profile app despite the obvious defiance.

Services like Tinder and Spotify are rebelling against app store revenue cuts for one simple reason: they want a larger slice of the pie. Google and Apple both take up to 30 percent from in-app subscriptions (15 percent after the first year), and that's a large hit for services that often cost $10 or less per month. Developers either have to take a revenue hit for customers who subscribe through the stores or else raise prices to compensate. They've also argued that the revenue sharing leads to unfair competition when it involves similar services. Apple gets all of the revenue from Apple Music subscriptions at $10 per month, for instance, but Spotify only gets $7 from in-app memberships.

Tinder and other objectors are unlikely to get what they want without a fight. While third-party app subscriptions aren't vital to Google's bottom line, they likely represent a significant amount. Sensor Tower recently estimated that Tinder alone raked in $497 million of total revenue across Android and iOS in the first half of 2019. Even if you limit that to Google's cut, that could still be tens of millions of dollars lost from one company.

Source