Android Malware Pretends To Be WhatsApp, Uber and Google Play (fireeye.com)
Reader itwbennett writes: Security vendor FireEye said on Tuesday that malware that can spoof the user interfaces of Uber, WhatsApp and Google Play has been spreading through a phishing campaign over SMS. Once downloaded, the malware, which has struck Android users in Denmark, Italy and Germany, will create fake user interfaces on the phone as an 'overlay' on top of real apps. These interfaces ask for credit card information and then send the entered data to the hacker.
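The overlay trick in the summary needs two things on the victim's phone: a package that did not come from the Play Store, and a package allowed to draw windows on top of other apps. The following is an added triage check, not FireEye's tooling and not code from the original post: it parses the text of `adb shell dumpsys package` (the layout is assumed from common Android builds and varies between versions) and flags packages that request `android.permission.SYSTEM_ALERT_WINDOW` but were not installed by the Play Store package `com.android.vending`. The package names and the dumpsys excerpt are constructed for the example.

```python
"""Triage check: which packages can draw overlays and did not come from Google Play.

Added example, not FireEye's tooling or code from the original post. The dumpsys
layout is assumed (it differs between Android versions); the sample excerpt and
package names below are constructed.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

PLAY_STORE = "com.android.vending"                      # installer recorded for Play installs
OVERLAY_PERM = "android.permission.SYSTEM_ALERT_WINDOW"  # "draw over other apps"


@dataclass
class PackageInfo:
    name: str
    installer: Optional[str] = None          # None: no installer recorded, i.e. sideloaded
    requested: Set[str] = field(default_factory=set)


def parse_dumpsys(text: str) -> List[PackageInfo]:
    """Extract package name, installer and requested permissions from dumpsys text."""
    pkgs: List[PackageInfo] = []
    cur: Optional[PackageInfo] = None
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        head = re.match(r"Package \[([\w.]+)\]", line)
        if head:
            cur = PackageInfo(head.group(1))
            pkgs.append(cur)
            section = None
            continue
        if cur is None:
            continue
        if line.startswith("installerPackageName="):
            value = line.split("=", 1)[1]
            cur.installer = None if value == "null" else value
        elif line.endswith("permissions:"):
            section = line                   # "requested permissions:", "install permissions:", ...
        elif section == "requested permissions:" and line.startswith("android.permission."):
            cur.requested.add(line.split(":", 1)[0])   # drop trailing ": restricted=..." flags
    return pkgs


def overlay_risk(pkgs: List[PackageInfo]) -> List[Tuple[str, str]]:
    """Return (package, install source) for overlay-capable packages not installed by Play."""
    findings = []
    for p in pkgs:
        if OVERLAY_PERM not in p.requested or p.installer == PLAY_STORE:
            continue
        findings.append((p.name, p.installer or "sideloaded (no installer recorded)"))
    return findings


# Constructed, simplified dumpsys excerpt for three hypothetical packages; not a real capture.
SAMPLE_DUMPSYS = """\
Package [com.example.chathead] (1a2b3c):
    userId=10101
    installerPackageName=com.android.vending
    requested permissions:
      android.permission.INTERNET
      android.permission.SYSTEM_ALERT_WINDOW
    install permissions:
      android.permission.INTERNET: granted=true
Package [com.example.notes] (4d5e6f):
    userId=10102
    installerPackageName=com.android.vending
    requested permissions:
      android.permission.INTERNET
Package [com.example.fakeplay] (7a8b9c):
    userId=10103
    installerPackageName=null
    requested permissions:
      android.permission.INTERNET
      android.permission.RECEIVE_SMS
      android.permission.SYSTEM_ALERT_WINDOW
    install permissions:
      android.permission.INTERNET: granted=true
"""

if __name__ == "__main__":
    for name, source in overlay_risk(parse_dumpsys(SAMPLE_DUMPSYS)):
        print(f"{name}: can draw overlays, installed from {source}")
```

Only the sideloaded package is reported; the Play-installed overlay app is treated as vetted, which is the same trust decision the "unknown sources" setting encodes. This is a triage signal rather than proof of absence: a package that draws on top of other apps without this permission (older toast-window tricks) will not appear here, and a Play-installed app can still be malicious.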
Outstanding (Score:3)
It's the App version of an ATM skimmer :|
Easy fix (Score:4, Insightful)
Make the user think!
Not so easy... (Score:2)
Allow apps from unknown sources should always be off, unless you know what you are doing. Period. That should stop this
And when app fragments are downloaded and installed automatically over web pages as the latest version of Android does?
Allow apps from unknown sources should always be off, unless you know what you are doing. Period. That should stop this
And when app fragments are downloaded and installed automatically over web pages as the latest version of Android does?
Not just the latest version of Android. "Instant apps" will be available on every platform version from 4.1 up.
However, instant apps can *only* be downloaded from the Play store -- there is no equivalent of "allow untrusted sources". They'll run inside a sandbox which is part of Google Play services, so it can be updated at any time if any abuse is detected -- including the ability to remove APIs, disable specific abused instant apps, or even shut the whole system off if needed. In addition, Google will b
Re: (Score:2)
That all sounds really good but sandboxes can be broken, and where did you get "Google will be vetting them more closely" - that sounds like a hope, I didn't hear them say that... and will they be vetting them so closely after many updates?
Fundamentally the fact remains that going to a web page will download some executable code onto your device without consent or explicit installation action. Then from there it's just a matter of how it escapes.
Re: (Score:3)
That all sounds really good but sandboxes can be broken
Sure, they can, but putting code into them that tries to break out of the Sandbox will get caught by the Play store review systems. Oh, I suspect that we'll occasionally see a clever 0day that can do it and sneak by the review systems, just as there are occasional apps that can break out of the sandbox and obtain root. Such techniques are quickly understood and apps that use them removed from the Play store. In the case of instant apps, there are some additional levers of control: the sandbox can be updated
Re: (Score:2)
There is a BIG difference between Javascript and native code (though admittedly the difference is somewhat less since everyone started adding native Javascript acceleration engines).
It is good to hear such apps are more strongly vetted, but I'm still not sure how well that will work out over time...
How quickly you can update the sandbox to remove discovered vulnerabilities is also very important.
I agree but a newer sandbox like this is bound to be more vulnerable than an established sandbox for something li
Re: (Score:2)
Also, I should mention that there are some powerful techniques for effectively sandboxing native code as well, when/if instant apps can use native code. NaCl's history of safely sandboxing x86 code has been outstanding.
http://static.googleusercontent.com/media/research.google.com/en//pubs/archive/34913.pdf
Re: (Score:2)
It's certainly safe to assume that instant apps will always be at least as safe as the Play store in general... and that's quite safe.
ORLY? [google.com]
Re: (Score:2)
Combine that very annoying trick with this fake GooglePlay malware and I see a glaring vulnerability, in addition to the major annoyance of trying to read a website only to suddenly be yanked into the play store to install some dumb game.
Re: (Score:3)
There are legit reasons for turning on unknown sources. Humble Bundle is one that comes to mind.
And Adguard. But if you're going to install a third-party program, it's very wise to only turn on "Install from unknown sources" during the installation/update, and then immediately turn it back off.
Re: (Score:2)
F-Droid as well.
Re: (Score:2)
Allow apps from unknown sources should always be off, unless you know what you are doing. Period. That should stop this, and is the default on most mainstream devices. It gets turned off when people want hacked versions of games, etc, then the malware creeps in. That setting should be on a use count timer. Use it once, then have to go set it again (manually, not a simple yes like UAC), for a fresh sideload install.
Make the user think!
This is exactly how Apple implemented the "Allow Apps from Anywhere" setting in their "Gatekeeper" feature in OS X/macOS.
If you set it to that level, after a time (I think it is 30 days) it will revert to the next-more-secure-level (Allow Apps from Registered Developers; which, BTW, does NOT mean "only from the App Store"). I think it should be shorter; but it's the right idea for most people, and the timeout strikes a fairly decent balance between "too naggy" and "too dangerous", IMHO.
And since Apple w
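The "use count timer" proposed a few comments up and the self-reverting Gatekeeper level described in this one are the same design: a privileged setting that the user opens explicitly and that falls back to the safe state on its own. The following is an added illustration of that pattern and is not Android's or Apple's code; the class, the audit trail and the package names are hypothetical, and the clock is injectable so the expiry can be exercised without waiting.

```python
"""A sideload switch that re-locks itself: N installs or T seconds, whichever comes first.

Added example of the self-reverting setting discussed in the thread; not platform code.
SideloadGate, its audit list and the package names are hypothetical.
"""
import time
from typing import Callable, List, Optional


class SideloadGate:
    """'Allow unknown sources' that fails closed after max_uses installs or ttl seconds."""

    def __init__(self, ttl_seconds: float, max_uses: int = 1,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.ttl = ttl_seconds
        self.max_uses = max_uses
        self._clock = clock
        self._opened_at: Optional[float] = None
        self._uses_left = 0
        self.audit: List[str] = []           # one entry per state transition or refusal

    def enable(self) -> None:
        """Explicit user action: open the gate for a bounded window."""
        self._opened_at = self._clock()
        self._uses_left = self.max_uses
        self.audit.append("enabled")

    def _close(self, reason: str) -> None:
        self._opened_at = None
        self._uses_left = 0
        self.audit.append(f"closed: {reason}")

    def is_open(self) -> bool:
        """Lazy expiry: the time limit is enforced on the next query, not by a background timer."""
        if self._opened_at is None:
            return False
        if self._clock() - self._opened_at >= self.ttl:
            self._close("timeout")
            return False
        return True

    def install(self, package: str) -> bool:
        """Attempt a sideload. Returns False (and installs nothing) when the gate is shut."""
        if not self.is_open():
            self.audit.append(f"refused: {package}")
            return False
        self._uses_left -= 1
        self.audit.append(f"installed: {package}")
        if self._uses_left == 0:
            self._close("use count exhausted")
        return True


class FakeClock:
    """Deterministic clock for demonstrating expiry; advance() moves time forward."""

    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


def demo() -> List[str]:
    """Single-use window, then a timed window that lapses unused; returns the audit trail."""
    clock = FakeClock()
    gate = SideloadGate(ttl_seconds=600, max_uses=1, clock=clock)
    gate.enable()
    gate.install("com.example.humble")     # allowed: first and only use of this window
    gate.install("com.example.cracked")    # refused: the gate re-locked after one install
    gate.enable()
    clock.advance(601)                     # the window lapses without being used
    gate.install("com.example.late")       # refused: timed out
    return gate.audit


if __name__ == "__main__":
    print("\n".join(demo()))
```

Two choices worth noting: re-arming requires calling `enable()` again (the equivalent of going back into Settings, not a one-tap "yes"), and expiry is checked on use rather than by a timer, so the safe state does not depend on a background task having run.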
Re: (Score:2)
Make the user think!
Product fail
Another Win For Brexit! (Score:1, Funny)
Once downloaded, the malware, which has struck Android users in Denmark, Italy and Germany
Denmark, Italy and Germany are all in the EU. The UK is unaffected!
Re: (Score:2)
Linux servers don't get "constantly rooted and defaced". But, regardless, nobody is saying Linux is invulnerable. We'll have to settle on merely being orders of magnitude more secure than Windows, which is the point of the comparison.
Re: (Score:2)
We'll have to settle on merely being orders of magnitude more secure than Windows, which is the point of the comparison.
Is that actually true anymore?
I am absolutely the farthest thing from being a Windows fanboi; but it has been QUITE a while since I heard of a new IIS exploit being discovered. In fact, the newest search result on Google for "IIS vulnerability" is from over a year ago [sucuri.net].
Re: (Score:1)
Linux servers don't get "constantly rooted and defaced". But, regardless, nobody is saying Linux is invulnerable. We'll have to settle on merely being orders of magnitude more secure than Windows, which is the point of the comparison.
AFAIK most of the security issues around lunix installations are related to a false sensation of security under which the user installs things a bit too liberally on their server, and "once it works, don't touch it" is sadly common practice, encouraging neglect of security updates. Also, the more things installed in luserspace, the more things requiring potential security updates. Some distributions, especially a certain infamous South African one, make it far too easy to install a lot of crap.
All self-developed things on
Re: (Score:2)
Use iOS.
Great plan. Because as we all know, iOS is 100% secure and never has to receive security patches. [apple.com]
Re: (Score:2)
Use iOS.
Great plan. Because as we all know, iOS is 100% secure and never has to receive security patches. [apple.com]
At least iOS GETS Security Patches, right? Now where's the same page for your non-Nexus Android phone?
Thought so.
Re: (Score:2)
Use iOS.
Great plan. Because as we all know, iOS is 100% secure and never has to receive security patches. [apple.com]
At least iOS GETS Security Patches, right? Now where's the same page for your non-Nexus Android phone? Thought so.
I happen to have a Nexus 5X and I don't recommend anything other than the Nexus phones, thanks.
While it's true that iPhones have a longer support life than most Android phones, what you're failing to mention is that Apple quickly dumps support for the major iOS versions, so to get security updates, you have to bump up a major version. Since each newer version uses more resources than the older ones, the older iPhones slow to a crawl and become generally unusable.
Re: (Score:2)
Use iOS.
Great plan. Because as we all know, iOS is 100% secure and never has to receive security patches. [apple.com]
At least iOS GETS Security Patches, right? Now where's the same page for your non-Nexus Android phone? Thought so.
I happen to have a Nexus 5X and I don't recommend anything other than the Nexus phones, thanks. While it's true that iPhones have a longer support life than most Android phones, what you're failing to mention is that Apple quickly dumps support for the major iOS versions, so to get security updates, you have to bump up a major version. Since each newer version uses more resources than the older ones, the older iPhones slow to a crawl and become generally unusable.
That's why Apple sometimes releases sub-versions ("point" releases) that have changes specifically designed to address performance issues in older hardware. The most recent that comes to mind was, IIRC, the iOS 9.3.1 Update (later replaced with the more-stable (and slightly faster overall) iOS 9.3.2), both of which were specifically designed to improve performance on the iPad 2 and (IIRC) the iPhone 4s. Speaking of which, this site conducted an informal performance comparison [redmondpie.com] between iOS 9.3.1 and 9.3.2 on i
If you're gonna make a malware app . . . (Score:2)
FUD! Pay us cash! (Score:4, Insightful)
This is a 24 page report that can be summed up as "An amazing number of people are stupid enough to click links embedded in SMS messages. However, since this sort of attack is blocked by anyone with the default 'do not allow third-party apps' setting in Android, we only saw 38 actual instances of infected devices contacting the C2 systems. Please take the other 23 1/2 pages of the report as proof we are highly technically skilled, but in general spreading FUD so you pay us lots of money to protect against a threat that has an almost insignificant likelihood of affecting you."
Re: (Score:2)
This is a 24 page report that can be summed up as "An amazing number of people are stupid enough to click links embedded in SMS messages. However, since this sort of attack is blocked by anyone with the default 'do not allow third-party apps' setting in Android, we only saw 38 actual instances of infected devices contacting the C2 systems. Please take the other 23 1/2 pages of the report as proof we are highly technically skilled, but in general spreading FUD so you pay us lots of money to protect against a threat that has an almost insignificant likelihood of affecting you."
I wonder if your comment would be different if the article was about the iOS App Store?
Re: (Score:2)
It wouldn't, as my criticism was directed at the 3rd party security tool vendor, not the OS vendor. I would have been equally derisive if the malware was for iOS and was only effective on jailbroken devices.
Though, to correct your assertion, you actually wonder if my comment would be different if the target of the malware was iOS.
I personally prefer Google's model because it gives me the choice whereas Apple's does not. Android says "you should" whereas iOS says "you must".