September 25, 2016

Google Removes 22 Dangerous Apps from Android Market

(LiveHacking.Com) – Over the past week Google has removed 22 malicious apps from its official Android Marketplace again highlighting the weakness of Google’s (almost non-existant) approval process. The malicious apps were spotted by the mobile security company Lookout who then notified Google. In response Google removed the apps.

The apps all used the RuFraud malware to send SMS messages to premium rate numbers. The apps didn’t affect users in the USA, but it did target users in Great Britain, Italy, Israel, France, and Germany as well as Russia, Azerbaijan, Armenia, Georgia, Czech Republic, Poland, Kazakhstan, Belarus, Latvia, Kyrgyzstan, Tajikistan, Ukraine and Estonia.

The initial batch of apps that Google posted in the Android Market place appeared as horoscope apps with an unclear ToS pointing out the charges. Once the app started, tapping on “Continue” meant the user accepted the terms.

Next come apps designed to capture a wider audience: 3 wallpaper apps for popular movies (including Twilight), and 3 apps claiming to be downloaders for popular games such as Angry Birds and Cut the Rope.

The final wave of apps again masqueraded as free versions of popular games. In total 22 apps appeared in the Android Market and were downloaded over 14,000 times. Do the maths. That is a very quick way to make some money and Google helped by not having a decent app review process.

Android Flaw Allows Apps to Send SMS Messages and Record Calls Without Permission

(LiveHacking.Com) – A group of researchers from North Carolina State University have discovered [PDF] flaws in non-vanilla versions of Android which leak permissions or capabilities to other applications. By exploiting these leaked capabilities a 3rd party app can send SMS messages, record calls and even reboot the phone without asking for any permission.

Unlike Apple who strictly control their App Store and offer only one source for downloads, Android has multiple app stores and none of them, including the official Google Market, perform any kind of security checks on the apps made available for download. This means that when vulnerabilities are discovered in Android, hackers are free to upload apps to the Android Market which exploit the weaknesses.

To combat this, Android uses a permissions model where any app wanting to do something extra (including connecting to the Internet) needs to ask permission from the user. The model is severely flawed as most non-technical people have no idea what these permissions mean and normally just accept them anyway.

Michael Grace, Yajin Zhou, Zhi Wang and Xuxian Jiang have discovered that non-vanilla versions of Android come with extra pre-loaded apps and that these bundled apps have access to some permissions that are too privileged to be granted to third-party apps.

The team built an app called Woodpecker which scans the pre-loaded apps to see which apps offer a public interface exposing a capability that would normally require permission. They also use another technique to find “implicit capabilities” among apps signed with the same user identifier.

The researchers analyzed eight popular Android (2.2 and 2.3 based) smartphones (HTC
Legend, HTC EVO 4G, HTC Wildfire S, Motorola Droid and Droid X, Samsung Epic 4G and the Google Nexus One & Nexus S) and discovered 11 privileged permissions that are “leaked”. One phone, the HTC EVO 4G, leaks eight permissions.

In a video posted on YouTube Michael Grace demonstrates the installation of the Woodpecker app (which required no special permissions) and then how the app was able to record sounds (including phone calls), send an SMS message (which could have been to a premium phone number) and reboot the device without asking.

“The results are worrisome: among the 13 privileged permissions examined so far, 11 were leaked, with individual phones leaking up to eight permissions. These leaked capabilities can be exploited to wipe out the user data, send out SMS messages (e.g., to premium numbers), record user conversation, or obtain the user’s geo-location data on the affected phones – all without asking for any permission” say the report authors.