Security Android Google

Android Malware Pretends To Be WhatsApp, Uber and Google Play (fireeye.com) 57

Reader itwbennett writes: Security vendor FireEye said on Tuesday that malware that can spoof the user interfaces of Uber, WhatsApp and Google Play has been spreading through a phishing campaign over SMS. Once downloaded, the malware, which has struck Android users in Denmark, Italy and Germany, will create fake user interfaces on the phone as an 'overlay' on top of real apps. These interfaces ask for credit card information and then send the entered data to the hacker.
  • by nehumanuscrede ( 624750 ) on Wednesday June 29, 2016 @01:23PM (#52414349)

    It's the App version of an ATM skimmer :|

  • Easy fix (Score:4, Insightful)

    by wbr1 ( 2538558 ) on Wednesday June 29, 2016 @01:32PM (#52414427)
    Allow apps from unknown sources should always be off, unless you know what you are doing. Period. That should stop this, and is the default on most mainstream devices. It gets turned off when people want hacked versions of games, etc, then the malware creeps in. That setting should be on a use count timer. Use it once, then have to go set it again (manually, not a simple yes like UAC), for a fresh sideload install.

    Make the user think!

    • Allow apps from unknown sources should always be off, unless you know what you are doing. Period. That should stop this

      And when app fragments are downloaded and installed automatically over web pages as the latest version of Android does?

      • by wbr1 ( 2538558 )
        Never heard of this.. app fragments?? Some linkage is in order.
      • Allow apps from unknown sources should always be off, unless you know what you are doing. Period. That should stop this

        And when app fragments are downloaded and installed automatically over web pages as the latest version of Android does?

        Not just the latest version of Android. "Instant apps" will be available on every platform version from 4.1 up.

        However, instant apps can *only* be downloaded from the Play store -- there is no equivalent of "allow untrusted sources". They'll run inside a sandbox which is part of Google Play services, so it can be updated at any time if any abuse is detected -- including the ability to remove APIs, disable specific abused instant apps, or even shut the whole system off if needed. In addition, Google will b

        • That all sounds really good but sandboxes can be broken, and where did you get "Google will be vetting them more closely" - that sounds like a hope, I didn't hear them say that... and will they be vetting them so closely after many updates?

          Fundamentally the fact remains that going to a web page will download some executable code onto your device without consent or explicit installation action. Then from there it's just a matter of how it escapes.

          • That all sounds really good but sandboxes can be broken

            Sure, they can, but putting code into them that tries to break out of the Sandbox will get caught by the Play store review systems. Oh, I suspect that we'll occasionally see a clever 0day that can do it and sneak by the review systems, just as there are occasional apps that can break out of the sandbox and obtain root. Such techniques are quickly understood and apps that use them removed from the Play store. In the case of instant apps, there are some additional levers of control: the sandbox can be updated

            • There is a BIG difference between Javascript and native code (though admittedly the difference is somewhat less since everyone started adding native Javascript acceleration engines).

              It is good to hear such apps are more strongly vetted, but I'm still not sure how well that will work out over time...

              How quickly you can update the sandbox to remove discovered vulnerabilities is also very important.

              I agree but a newer sandbox like this is bound to be more vulnerable than an established sandbox for something li

              • Instant apps aren't native code.
              • Also, I should mention that there are some powerful techniques for effectively sandboxing native code as well, when/if instant apps can use native code. NaCl's history of safely sandboxing x86 code has been outstanding.

                http://static.googleusercontent.com/media/research.google.com/en//pubs/archive/34913.pdf

            • It's certainly safe to assume that instant apps will always be at least as safe as the Play store in general... and that's quite safe.

              ORLY? [google.com]

              • Yep. You should look at those links. Or if you want quantitative measurements, check out http://static.googleuserconten... [googleusercontent.com]
                • Question: is Google planning on doing anything about the new trend in browser redirects that take you to the store? Can they do anything about it?

                  Combine that very annoying trick with this fake GooglePlay malware and I see a glaring vulnerability, in addition to the major annoyance of trying to read a website only to suddenly be yanked into the play store to install some dumb game.
                  • I see the annoyance, though that's the web site's decision. I don't see the vulnerability. If you install this sort of malware, there are all sorts of things it can do and such redirects don't make things worse. If you don't, then there's no vulnerability.
                    • It should not be any website's decision to redirect ME from the page I'm trying to read to the play store. That alone is a gaping vulnerability, if any web page can just call another app without my approval that is a vulnerability, not just an annoyance. Add in this malware and it becomes a potentially critical vulnerability.
                    • That's how hyperlinks and Android intents work.
    • Allow apps from unknown sources should always be off, unless you know what you are doing. Period. That should stop this, and is the default on most mainstream devices. It gets turned off when people want hacked versions of games, etc, then the malware creeps in. That setting should be on a use count timer. Use it once, then have to go set it again (manually, not a simple yes like UAC), for a fresh sideload install.

      Make the user think!

      This is exactly how Apple implemented the "Allow Apps from Anywhere" setting in their "Gatekeeper" feature in OS X/macOS.

      If you set it to that level, after a time (I think it is 30 days) it will revert to the next-more-secure-level (Allow Apps from Registered Developers; which, BTW, does NOT mean "only from the App Store"). I think it should be shorter; but it's the right idea for most people, and the timeout strikes a fairly decent balance between "too naggy" and "too dangerous", IMHO.

      And since Apple w
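The two policies argued for in this thread (wbr1's "use it once, then set it again" sideload switch, and the Gatekeeper-style setting that reverts to the safer level after a fixed number of days) are both instances of a bounded, default-deny grant. The following is an added illustration written for this page, not Android's or Apple's actual code: it models such a grant as a small state machine with a use count and a time-to-live, so the auto-revert behaviour can be tested. The class and method names, and the 30-day figure, are taken from the discussion above as assumptions, not from any vendor implementation.

```python
"""Model of a time- and use-bounded "allow unknown sources" grant.

Added illustration (not Android's or macOS Gatekeeper's implementation):
sideloading is denied by default, and an explicit grant is only honoured
while it is within both its use budget and its time-to-live.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple


@dataclass
class SideloadGrant:
    """An explicit, temporary relaxation of the unknown-sources block."""
    granted_at: datetime
    ttl: Optional[timedelta]    # None = no time limit
    max_uses: Optional[int]     # None = unlimited uses
    uses: int = 0

    def is_active(self, now: datetime) -> bool:
        # Expired by time: revert to the safer level (Gatekeeper-style).
        if self.ttl is not None and now >= self.granted_at + self.ttl:
            return False
        # Budget spent: revert after the permitted number of installs.
        if self.max_uses is not None and self.uses >= self.max_uses:
            return False
        return True


class UnknownSourcesPolicy:
    """Default-deny: a sideload succeeds only if a live grant exists."""

    def __init__(self) -> None:
        self._grant: Optional[SideloadGrant] = None

    def allow_once(self, now: datetime) -> None:
        # wbr1's proposal: one explicit opt-in buys exactly one sideload.
        self._grant = SideloadGrant(now, ttl=None, max_uses=1)

    def allow_for(self, now: datetime, days: int) -> None:
        # Time-boxed relaxation that reverts on its own after `days`.
        self._grant = SideloadGrant(now, ttl=timedelta(days=days), max_uses=None)

    def try_install(self, now: datetime, source: str) -> Tuple[bool, str]:
        """Decide one install request; returns (allowed, reason)."""
        if source == "play_store":
            # Store installs never depend on the unknown-sources setting.
            return True, "allowed: store install"
        grant = self._grant
        if grant is None or not grant.is_active(now):
            self._grant = None   # drop an expired or consumed grant
            return False, "blocked: unknown sources disabled"
        grant.uses += 1
        if not grant.is_active(now):
            self._grant = None   # consumed on this use: automatic revert
        return True, "allowed by explicit grant (use %d)" % grant.uses


def simulate() -> List[Tuple[str, bool]]:
    """Constructed scenario: an SMS-delivered APK tries to install at
    several points in time under both policies (sample data, not real events)."""
    t0 = datetime(2016, 6, 29, 13, 0)
    policy = UnknownSourcesPolicy()
    log: List[Tuple[str, bool]] = []

    log.append(("default, sms link", policy.try_install(t0, "sms_link")[0]))
    policy.allow_once(t0)
    log.append(("use-once, 1st sideload", policy.try_install(t0, "sms_link")[0]))
    log.append(("use-once, 2nd sideload",
                policy.try_install(t0 + timedelta(minutes=1), "sms_link")[0]))
    policy.allow_for(t0, days=30)
    log.append(("30-day, day 29",
                policy.try_install(t0 + timedelta(days=29), "sms_link")[0]))
    log.append(("30-day, day 30",
                policy.try_install(t0 + timedelta(days=30), "sms_link")[0]))
    log.append(("30-day expired, store install",
                policy.try_install(t0 + timedelta(days=30), "play_store")[0]))
    return log


if __name__ == "__main__":
    for label, allowed in simulate():
        print("%-32s %s" % (label, "ALLOW" if allowed else "BLOCK"))
```

The point of the model is that the relaxed state is never the resting state: whichever bound is hit first (one use, or the day count) returns the device to default-deny without the user having to remember to flip the switch back.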

    • Make the user think!

      Product fail

  • by Anonymous Coward

    Once downloaded, the malware, which has struck Android users in Denmark, Italy and Germany

    Denmark, Italy and Germany are all in the EU. The UK is unaffected!

  • If you're gonna make a malware app, and if you're gonna make it pretend to be three things, then why not change what three things it pretends to, and simply call your app GooFaceTwit.
  • FUD! Pay us cash! (Score:4, Insightful)

    by chill ( 34294 ) on Wednesday June 29, 2016 @04:25PM (#52415833) Journal

    This is a 24 page report that can be summed up as "An amazing number of people are stupid enough to click links embedded in SMS messages. However, since this sort of attack is blocked by anyone with the default 'do not allow third-party apps' setting in Android, we only saw 38 actual instances of infected devices contacting the C2 systems. Please take the other 23 1/2 pages of the report as proof we are highly technically skilled, but in general spreading FUD so you pay us lots of money to protect against a threat that has an almost insignificant likelihood of affecting you."

    • This is a 24 page report that can be summed up as "An amazing number of people are stupid enough to click links embedded in SMS messages. However, since this sort of attack is blocked by anyone with the default 'do not allow third-party apps' setting in Android, we only saw 38 actual instances of infected devices contacting the C2 systems. Please take the other 23 1/2 pages of the report as proof we are highly technically skilled, but in general spreading FUD so you pay us lots of money to protect against a threat that has an almost insignificant likelihood of affecting you."

      I wonder if your comment would be different if the article was about the iOS App Store?

      • by chill ( 34294 )

        It wouldn't, as my criticism was directed at the 3rd party security tool vendor, not the OS vendor. I would have been equally derisive if the malware was for iOS and was only effective on jailbroken devices.

        Though, to correct your assertion, you actually wonder if my comment would be different if the target of the malware was iOS.

        I personally prefer Google's model because it gives me the choice whereas Apple's does not. Android says "you should" whereas iOS says "you must".
