A pretty healthy number of downloads forĀ an Android app on this planet (btw not the only app in the range)
Bet that adds some motivation for an extra day or two of some independent pen testing. Also bet Google didn’t spend too much time sweating the impending int32 overflow when they first rolled out those counters.
So contrary to some FUD reports, Google Play stays relatively malware-free. Which makes long-running apps like this one especially puzzling.
Enter The Videos Mania, which is active for at least about a year, has been downloaded between 100k and half a million times, and has ~7000 likes on Google+. Its developer has 8 other apps like ringtones and wallpapers, all of which require SMS permissions and all are reported as trojans by Lookout, though the Videos one is by far the most popular. The dude didn’t really bother fudging a proper-looking certificate, simply signing his creations as “DN: C=xx”.
This Videos app is marked by 31/54 Virustotal vendors as an SMS-sending trojan, so I’m just curious, doesn’t Google like own VT? Don’t they VT-scan the apps? Or maybe they do it once during app version releases, and if there are no VT alarms at the time, they never re-scan? Not sure, that doesn’t sound like Google. But here we are with this app, and some more of my favorites coming up in future posts.
With Google Play tightening the security side with Virustotal and Bouncer (when the latter doesn’t crash, that is), you don’t see as much outright malware in that store anymore. However, one type of scammy apps that I still run into every week or so on Play are the ones that wrap some popular service, trying to get a cent or two from Admob.
Basically, it takes about 15 minutes to wrap any popular bank’s or web service’s mobile version in a WebView, stuff it with official-looking keywords, logos and descriptions, and publish on Play. Google can’t really do anything about it short of manual review of every single app. So anyone in the world (including some really not-so-well-off countries) who can write “hello world” for Android and subscribe to Admob, can then whip up a fully functional wrapper of a bank’s website, publish it in the US on Play, get a few hundred downloads from searches, and start collecting the Admob revenue.
For an extra bonus, they can also resell their install base to the real bad guys who can push a small update to the app and start stealing the actual credentials of the bank’s users. I don’t see an easy solution to this except the brands monitoring popular stores, and also trying to limit access to their services via WebView-like clients to at least raise the bar a bit for scammy developers. Because right now publishing a legit-looking service clone is ridiculously easy.
This year-old scam has resurfaced very prominently, and I’ve run into it on various websites that show Yahoo ads, indicating pretty massive malicious advertisement volume. A browser pop-up says the following:
Virus Affecting your Android? Turn on Virus Scanner NOW!
If you click “OK”, you can be taken to a variety of destinations, including:
Very impressive, considering these friendly folks are basically talking people into opening up their phones to every other kind of evil garbage that comes up next.
I ran into this a bunch of times over the last few weeks, as recently as this weekend on Tumblr. I know Yahoo is trying to squash these as fast as humanly possible, but until then, beware. And again, in US, it’s a good idea to never install anything on Android from anywhere other than Play.
This is a great mix of research because it’s not just academic but a good half is coming from people who make a living off of helping their customers fight off malware:
Google and Apple markets: are their applications really secure?!
This one looks like yet another combing of the stores, mostly for privacy?
By analysing over 120,000 applications from the Google market and over 160,000 from the Apple market, we discovered a lot of security issues that can be found on an everyday app. Many popular applications from these markets hide a lot of security breaches, from sending data over an unsecured connection (such as user accounts or passwords) to GPS tracking or uploading highly sensitive data like contact lists or phone numbers. This behaviour may be intended or may result from the use of a third-party advertising framework employed by the author in order to increase the revenue of the application. This paper draws attention to the security flaws of applications in both the Android and Apple markets by providing statistics and well documented examples, as well as the methods used to extract this information.
Analysis of Android in-app advertisement kits
In this paper, we focus on the security risks and inefficiencies posed by ad-kits. And more particularly those embedded into malware. To this end, we study the Android platform, and 90,000 malware samples. We identify 10 representative ad-kits. We further develop a system called Droidlysis to examine potential risks, ranging from uploading sensitive information to remote servers, to downloading and executing untrusted code. We analyse ad traffic and identify sensitive data transmitted over the air.
Our results show that most ad-kits not only collect private information, but probe for data and permissions beyond the ones listed in their documentation. We discover how users can be tracked by an ad provider across applications, and by a network sniffer across ad providers. Finally, we discuss the financial implications for developers and ad providers.
Some very intense claims! Wonder if it works:
real-time malware detection framework for the Android platform that performs dynamic analysis of smartphone applications and detects the malicious activities through in-execution monitoring of process control blocks (PCB) in the Android kernel. We employ a novel scheme to mine the hidden execution patterns – from time-series PCB logs of Android applications – by using information theoretic measures, frequency component analysis and statistical analysis techniques. With the help of this novel scheme, this framework sits in the Android kernel as a loadable kernel module and is able to detect real-world malware applications for Android with very few false alarms. We have validated the framework using real-world Android malware (from well-known malware repositories) and popular benign applications taken from Google’s official app store for Android (i.e. Google Play Store). By carefully designing a series of experiments, we evaluate the detection and runtime performance of our framework. Our framework is able to detect zero-day (previously unseen) malicious applications with over 98% accuracy, while keeping the false positive rate below 1%. It has a runtime processing overhead below 4% on a low-end smartphone.
‘I am not the D’r.0,1d you are looking for’: an analysis of Android malware obfuscation
legitimate obfuscation tool ProGuard from android.com currently obscures class and method names in Android apps.
Nevertheless, it is code obfuscation which would complicate the detection strategy for Android malware, especially given memory footprint limitations. Code obfuscation in malicious apps or PUAs is not only possible, it is inevitable, GooglePlay restrictions notwithstanding. The Dalvik executable (.dex) byte-code instruction set supports registers, arithmetic operators, and even nops, thus providing scope for the insertion of junk polymorphic instructions and metamorphism.
This paper analyses the methods of obfuscation currently used by Android malware authors, and presents examples of .dex byte-code and data obfuscation techniques which are likely to be abused in the future.
GinMaster : a case study in Android malware
Android – practical security from the ground up
Some more info about this one here
The Android Security Team will discuss its approach for securing the Android platform against malware. … We will also give our view into the security of the Android ecosystem, based in part on worldwide data from our Verify Apps tool.
Fancy Mollusk 