Vulnerability In Fully Patched Android Phones Under Active Attack By Bank Thieves (arstechnica.com)
An anonymous reader quotes a report from Ars Technica: A vulnerability in millions of fully patched Android phones is being actively exploited by malware that's designed to drain the bank accounts of infected users, researchers said on Monday. The vulnerability allows malicious apps to masquerade as legitimate apps that targets have already installed and come to trust, researchers from security firm Promon reported in a post. Running under the guise of trusted apps already installed, the malicious apps can then request permissions to carry out sensitive tasks, such as recording audio or video, taking photos, reading text messages or phishing login credentials. Targets who click yes to the request are then compromised.
Researchers with Lookout, a mobile security provider and a Promon partner, reported last week that they found 36 apps exploiting the spoofing vulnerability. The malicious apps included variants of the BankBot banking trojan. BankBot has been active since 2017, and apps from the malware family have been caught repeatedly infiltrating the Google Play Market. The vulnerability is most serious in versions 6 through 10, which account for about 80% of Android phones worldwide. Attacks against those versions allow malicious apps to ask for permissions while posing as legitimate apps. There's no limit to the permissions these malicious apps can seek. Access to text messages, photos, the microphone, camera, and GPS are some of the permissions that are possible. A user's only defense is to click "no" to the requests. "The vulnerability is found in a function known as TaskAffinity, a multitasking feature that allows apps to assume the identity of other apps or tasks running in the multitasking environment," reports Ars Technica. While Google has removed the [unnamed] malicious apps from its Play Store, according to Promon, the vulnerability is still unfixed in all versions of Android.
"Promon is calling the vulnerability 'StrandHogg,' an old Norse term for the Viking tactic of raiding coastal areas to plunder and hold people for ransom," the report adds. "Promon researchers said they identified StrandHogg after learning from an unnamed Eastern European security company for financial institutions that several banks in the Czech Republic reported money disappearing from customer accounts."
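The TaskAffinity feature the summary names is the `android:taskAffinity` manifest attribute: every activity's affinity defaults to its package name, and an activity in another APK that declares the same affinity string asks Android to route it into that task. As an added, defender-side example (not from Promon's report, Ars Technica, or any app discussed here), a hypothetical banking app's manifest is shown before and after the usual hardening of giving its activities an empty affinity and single-task launch mode; the package and activity names are made up, and this closes only the affinity-matching route, it is not a complete fix for the vulnerability.

```xml
<!-- Added example, not from the original page. The package name
     "com.example.bank" and the activity name are hypothetical. -->

<!-- BEFORE: no taskAffinity is declared, so the activity inherits the
     default affinity, which is the package name "com.example.bank".
     Any other installed app whose activity declares
     android:taskAffinity="com.example.bank" is a candidate to be placed
     into this app's task, which is the routing the report describes. -->
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.bank">
    <application android:label="Example Bank">
        <activity android:name=".LoginActivity"
            android:exported="true">
            <intent-filter>
                <action android:name="android.intent.action.MAIN" />
                <category android:name="android.intent.category.LAUNCHER" />
            </intent-filter>
        </activity>
    </application>
</manifest>

<!-- AFTER: taskAffinity="" is set at both application and activity level.
     Android treats an empty affinity as no affinity at all, so no string
     another APK declares can match it, and launchMode="singleTask" keeps
     the login screen as the root of its own task. allowTaskReparenting is
     left at its default (false). This removes the affinity-based route
     only; it does not replace OS patches or Play Store scanning. -->
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.bank">
    <application android:label="Example Bank"
        android:taskAffinity="">
        <activity android:name=".LoginActivity"
            android:exported="true"
            android:taskAffinity=""
            android:launchMode="singleTask">
            <intent-filter>
                <action android:name="android.intent.action.MAIN" />
                <category android:name="android.intent.category.LAUNCHER" />
            </intent-filter>
        </activity>
    </application>
</manifest>
```

Apply the same two attributes to every activity in the app, not just the launcher one, since any activity left at the default affinity can still be matched.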
Do Not Let non-Techs use Android (Score:1, Insightful)
Android is OK for technical people who know what they are doing, but it's simply too dangerous for non-technical people to use without coming to harm from things like this. There is no excuse to propagate the lack of security from the PC world into the mobile future.
Re: (Score:3)
So, what phone do you propose non-tech people to use? Only allowed to choose between old flip phones with no apps, or iPhone?
Yes, sadly (Score:2, Insightful)
Only allowed to choose between old flip phones with no apps, or iPhone?
Yes, sadly, I like choice but as we can see Android is just a bad choice currently.
What I would really love to see is some Android maker committed to making a really secure Android phone, that would guarantee ASAP delivery of security patches and work quickly to patch zero day exploits. Then maybe it would be OK for non technical people. The Google devices were supposed to be something like this but even they fall short here. There ne
Re: (Score:1)
You are just rolling dice with their data.
I think the solution is somewhat simplistic. Treat the device for what it is. It is untrustworthy for anything data sensitive (banking etc).
The world is welcome to the rest of my (tediously boring photos of me and my kids doing inane things) data.
Re: (Score:1)
Except you have to be a technical user or just generally paranoid to get this.
Hence the point of GP
Re: Yes, sadly (Score:1)
Re: Do Not Let non-Techs use Android (Score:3)
Don't use an iPhone if you want security. They just got over patching a MUCH more critical security flaw in iOS. Essentially the same flaw, except it was installed by visiting a website, and it didn't require any human to click "approve".
Apple is objectively worse at security than Google.
Re: Do Not Let non-Techs use Android (Score:3)
No, I won't provide an AC troll with a link they can find on their own. I'm not going to play into willful Apple fanboi ignorance. Especially seeing as I originally heard about the story on the very site where this discussion is taking place.
Re: (Score:2)
Re: Do Not Let non-Techs use Android (Score:3, Insightful)
Do not let people do banking on smartphones.
Re: (Score:2)
Pretty much this! The alternative is to have a dedicated cell phone for banking with only your banking apps installed on it, although not very practical for most people. Banking on a cell phone that is crowded with apps from all kinds of sources is definitely a big no-no, just as much as doing anything else sensible on that crowded with apps phone. You are only as strong as the weakest link in the chain then...
Re: (Score:3)
Read TFS, trojan apps capture your screen, camera and whatever else, you are not that much more protected by "not logging in automatically to your bank".
Banking apps are fine on the right platform. (Score:2)
Banking on a cell phone that is crowded with apps from all kinds of sources is definitely a big no-no
Not on an iPhone. What could they do? Nothing that's what.
I guess instead of apps on a phone you'd rather they use a window in a browser that has forty pages loaded on a desktop that gets updates every now and then....
This goes way beyond platform flamewars and right into the ethics that all developers have in relation to real people that use systems.
Re: (Score:2)
How can you say that? Have you audited the source code? Has anybody not beholden to Apple audited the source code? Or are you just shilling?
Re: (Score:2)
Re: (Score:2)
Good-enough smartphones can be had for as little as USD 100 now. "Not very practical for most people" is a rewording of "people are too lazy to own a second, cheap but recent phone and use it exclusively for a very limited number of very high-security applications because the threat perception of most people is based entirely on the media's, which feeds them unrealistic and unlikely threat scenarios as real and common every day for many decades".
The extroverted 2/3rds of human beings in Western society cann
Re: (Score:2)
It is not practical.
Because you need to keep the contacts on both phones up to date.
People complaining should simply look how real banks do it: you can only transfer between preregistered accounts. You get sideways information via email and/or SMS. Big companies like cable or power are preregistered, they manage your amount and reference number for you.
With three buttons you pay this or that. Top up your SIM card etc. It is not really plausible that a random attacker e.g. can access my Bangkok bank account
A dedicated chromebook (Score:3)
The alternative is to have a dedicated cell phone for banking with only your banking apps installed on it, although not very practical for most people.
Well some people have a dedicated chromebook for banking and only banking, through the chrome browser, never running the Android compatibility stuff. Not as mobile but probably much less expensive.
Re: (Score:2)
I just go to the bank when I need to do banking.
It's a novel point of view, I know...
Re: (Score:2)
I just go to the bank when I need to do banking. It's a novel point of view, I know...
And likely to become less of an option. Have you seen the latest in banking, basically it's a coffee shop with an ATM and the ability to open new accounts and help you download the online banking app for your phone. I'm hoping they keep doing safe deposit boxes since that's my offsite backup in case the house burns down.
Re: A dedicated chromebook (Score:1)
Yes. I go to such location and hand the teller my deposit or use the ATM. I have even seen ATMs recently that can accept, not just dispense, cash.
Unrealistic to the Max (Score:2, Insightful)
Do not let people do banking on smartphones.
News flash - people do EVERYTHING on smartphones. You can't just hand everyone a powerful device that can totally replace a computer, then say "Oh but you cannot use it for anything serious".
At this point smart phones have replaced computers for most things they do in their lives - including managing bank accounts.
So what you CAN DO is make sure that anyone who doesn't understand technology is using a platform that is far more serious about keeping user data secu
Re:Unrealistic to the Max (Score:4, Interesting)
News flash - you are not obliged to use apps
I regularly do banking on my phone, but I don't use my bank's app - just the mobile optimised version of their website. It works great and I don't have to worry about this kind of stuff, or annoying push notifications, etc etc.
Does not seem wise (Score:3, Interesting)
I don't use my bank's app - just the mobile optimised version of their website.
To me it seems way more a gamble to trust that a browser that may well visit scores of dicey websites every day will never be compromised, vs. an application that at least is more distinct and supposedly harder to corrupt in some way.
Re: (Score:2, Interesting)
Who codes those phone applications? It appears like a nice project for interns, cheap 3rd parties and random juniors who followed a "Mobile Bootcamp" and learned their "trade" in two months. After all they don't have to touch thoroughly audited back-end code, only use an API, so worst case if the app ends up as total crap, just move it to /dev/null and reiterate with someone
Re:Unrealistic to the Max (Score:5, Interesting)
You are reducing your security by not using the bank's app.
Android has an API for verifying the integrity of the OS and the app to ensure nothing has been tampered with, which most banks make use of. It's why their apps often take a few seconds to open, they are checking that the phone hasn't been compromised.
The browser doesn't use that API. It also doesn't use other security features like blocking the ability to take screenshots of your bank details.
Re: (Score:2)
simple is not possible on IOS except for those that have jailbroken...
In your own sentence you prove yourself wrong. In a device that is not controlled by you, you can never be sure of your security. You can't control security because you are restrained by the device's undocumented design. On the desktop you can run applications which can identify how much control you have. On mobile you have no such control. Simple features are disabled from the owner that require that you compromise the phone to gain access. It is not a feature.
I am not bashing Apple. It's the reality of mob
Not at all unrealistic (Score:2)
Re: (Score:1)
Re: (Score:1)
Re: Do Not Let non-Techs use Android (Score:2)
Re: (Score:2)
Re: (Score:2)
"If you forget your password, how is it reset?"
"I get an email and a text with a verification code!"
"So basically, anyone finding/stealing your phone has everything?"
Re: (Score:2)
"So basically, anyone finding/stealing your phone has everything?" ... perhaps.
If he can unlock it
Re: Do Not Let non-Techs use Android (Score:3)
Banking has its own security systems. All you do is file a police report for the missing phone, then call your bank and have the transactions reversed. Just because the security system predates the Internet doesn't mean it hasn't worked for decades.
Re: (Score:2)
Can we have a pro-APK alliance? As long as APK agrees to stop Jew-bashing?
Permissions problem? (Score:2)
"Running under the guise of trusted apps already installed, the malicious apps can then request permissions to carry out sensitive tasks, such as [...] phishing login credentials. Targets who click yes to the request are then compromised. "
Well, Google might want to take out that particular permission, perhaps? ;-)
Re: (Score:1)
That permission is required for the Google Spyware and Google Advertizing to work. They will never remove it. Perhaps the dumfrucks that click "yes" to every permission request should be removed (from the gene pool).
Re: (Score:2)
Re: (Score:2)
Apple’s idea of strictly sandboxing each app seems like a good idea now. On iOS, apps can interact with each other, but that interaction doesn’t really go much beyond the equiv
Apps communicate via marked up text ... (Score:2)
On iOS, apps can interact with each other, but that interaction doesn’t really go much beyond the equivalent of “Open With” in Windows.
Last I looked at that API, many years ago, one basically creates marked up text defining parameters. So to interact with the mail app you created something like:
to=""
subject=""
body=""
and handed that off to iOS, which would then hand it off to the mail app, which will create an email with these fields filled in. The user would then have to press the send button.
I think a developer can define a markup for their app if they want other 3rd party apps to communicate, well, hand off info, its not much of a
Re: Apps communicate via marked up text ... (Score:2)
What you are describing is called "intents" but I think this is distinct from the newer (and evidently flawed) "task affinity". Intents were fine. But shitty developers always want a new shittier way to do something, so now we get task affinity and stolen money.
The barrier to entry to develop apps should be going UP not down.
Re: Permissions problem? (Score:2)
under the guise of trusted apps
Now, you understand why I refuse to use "any" online banking scam er I mean scheme.
Re: (Score:1)
Android is OK for technical people who know what they are doing, but it's simply too dangerous for non-technical people to use without coming to harm from things like this. There is no excuse to propagate the lack of security from the PC world into the mobile future.
So you are admitting that a Linux based OS is too difficult for non-technical people to figure out?
Just who is propagating this "lack of security from the PC world" - Google? Or is it the asshole phone companies who have their own set of trained monkeys to "fix" Android to fit their corporate masters?
Re: (Score:2)
The irony here is that for non technical people I think the safest option for banking is certainly desktop Linux.
Re: (Score:2)
Android is the most secure option for most people. Look at how this is being handled - Google has developed a way to detect apps using this vulnerability, scanned the entire Play Store and is actively removing affected ones from people's phones without any need for action on their part. It will roll out a patch, also via the Play Store, to mitigate this flaw in the API as soon as it's ready and tested.
There is a reason you don't see vast botnets of infected Android phones, or massive bank heists from stolen
Re: (Score:3, Insightful)
Android is the most secure option for most people ...
No, it's not. A recent premium Android device from Google or Samsung might get patched but there are Android phones being sold right now that are running versions of Android several generations out of date and will never get patched. Again these are brand new in the box phones at retailers. They are very inexpensive budget phones but they are new US carrier phones, they are not used, they are not gray market internationals, etc. I've bought such budget pre-paid phones at Walmart for development purposes. Don
Re: (Score:2)
Android gets patches even if the manufacturer doesn't update.
Android is separated out into the kernel and drivers, which the manufacturer updates, and the rest of the OS, services and core apps which Google updates. Essentially you can think of Android as a layer on top of a Linux kernel, with that layer providing all the Android APIs and services.
Google distributes patches via the Play Store. Also they have the ability to remove apps remotely when they are found to be infected.
That way they can mitigate is
Software Update says unpatched Android is current (Score:2)
Android gets patches even if the manufacturer doesn't update.
There might be source code patches in source code repositories for old Android versions but they *DO NOT* make it to users. They provide nothing more than giving Google the opportunity to say "we did our part". Again, brand new out of the box US retail Android phones, admittedly dirt cheap budget phones at places like Walmart, ship with obsolete code and are never offered patches. When you go to the Android option to check for a software update you are told the obsolete and unpatched version is the *CURRENT
Re: (Score:2)
No they ship the binary patches direct to users via Google Play.
Re: (Score:2)
No they ship the binary patches direct to users via Google Play.
We are not talking about updating Google apps that run on Android. We are talking about Android itself. And updating Carrier Services and Webview is not even close.
Re: (Score:2)
That is updating the core Android binaries. They moved most stuff out of the kernel. Next version will use a stock kernel.
Re: (Score:2)
That is updating the core Android binaries.
No, that is a very small piece of it.
They moved most stuff out of the kernel.
No, "most stuff" was never in the Linux kernel. Android is effectively its own operating system, the Linux kernel merely hosts. Android provides all the operating system services for 70% of all Android apps, the remaining apps that go native pretty much stick to a few posix APIs. Linux hosting is little more than a hardware abstraction layer. Android is effectively the operating system of these mobile devices.
Next version will use a stock kernel.
So your statements are really about last spring's announcement
Re: (Score:2)
Google "Project Treble". It was announced nearly 3 years ago.
Re: (Score:2)
Google "Project Treble". It was announced nearly 3 years ago.
Requires Android 9 or greater, which 90% of visitors to the Google Play store do not have.
https://developer.android.com/... [android.com]
And which the brand new dirt cheap Android phones at Walmart and elsewhere are not shipping with.
Re: Do Not Let non-Techs use Android (Score:1)
Apple does not patch older devices, so that you will have to throw them away and buy a new one
Re: Do Not Let non-Techs use Android (Score:4, Insightful)
It seems Apple recently updated at least devices from 2012, so I'm not sure what your value for 'older devices' is.
I'm running an iPhone 6 from late 2014 I think, it still gets security updates.
https://support.apple.com/en-u... [apple.com]
Apple has patched "unsupported" iOS (Score:2)
Apple does not patch older devices, so that you will have to throw them away and buy a new one
I have old iPhones for development purposes. I have seen patches for unsupported obsolete models when an extremely bad security flaw is found, especially if it was in Apple code. This is very rare but has happened. I have yet to see something like that happen on my Google Nexus devices.
Re: (Score:2)
Created this mess in the first place by (1) allowing users to load apps outside the Google Play store and (2) created an environment that they could not patch and required downstream entities (phone retailers) to deliver patches.
And yet this has less to do with sideloading apps than actual security. Even if you load apps just by Google Play you need apps to change simple system behavior because you don't control the OS. Stupid things like separating the ringer volume from the notification volume. The feature was available, then some genius at Google decided they were one and the same. Now you load an app that you know nothing of the quality of and need to give it sound permissions. Any security vulnerability on this app now gives a
Re: (Score:2)
That said I agree that iOS i
Re: Do Not Let non-Techs use Android (Score:1)
So "techs" never use Android for banking? (Score:2)
Android is OK for technical people who know what they are doing, ...
By "know what they are doing" you mean "technical people" knowing to not use a mobile device for banking, at all, ever?
Re: (Score:1)
Elementary caution?! (Score:2)
Re:Elementary caution?! (Score:4, Insightful)
Don't have your main bank account smartphone-accessible
Today banking, tomorrow something else; what about using a more secure phone instead, or, at least, not using an insecure one?
Re: (Score:1)
Fully patched android? (Score:2)
LOL. Does anyone actually have such a phone? Android users don't update their phones. Most vendors don't update the OS and the ones that do make it so that the users refuse it.
Motorola does monthly updates. Unlocked boot loade (Score:3)
My mod-grade Moto gets monthly updates, for security and other things.
It doesn't come with bloatware and the bootloader is unlocked. Motorola doesn't try to stop you from rooting.
The only thing that has been bugging me about the phone is it keeps nagging me to update. I kinda didn't want to because I might have to spend 10 minutes re-rooting it. :D
Btw this is, as far as I recall, my first Motorola phone in 10 years or more. I'm not a brand fan. I've been happy enough with this one that when it's time to
Re: (Score:2)
Re: (Score:2)
My mod-grade Moto gets monthly updates, for security and other things.
It doesn't come with bloatware and the bootloader is unlocked. Motorola doesn't try to stop you from rooting.
The only thing that has been bugging me about the phone is it keeps nagging me to update. I kinda didn't want to because I might have to spend 10 minutes re-rooting it. :D
Btw this is, as far as I recall, my first Motorola phone in 10 years or more. I'm not a brand fan. I've been happy enough with this one that when it's time to replace it, I will certainly look at what Motorola offers then.
Actually there is one thing I wish was different - the model naming. They have a bunch of different phones in the e5 line - e5, e5 plus, e5 play, etc. It can get confusing when shopping. I bought the highest spec in the mid-range line, the e5 Plus.
Yup, got more updates with my Moto E4 than with any other phone, and they have never broken anything. Nice experience.
Re: (Score:2)
Said the iPhone user?
I seem to get updates about every 3 or 4 months and always apply them. Why not?
Re: (Score:2)
My Moto X4 has been getting regular security updates. I recently loaded lineage os 16 (unofficial) on my nexus 7, and they're actually providing otas for that, so that's an antique device still being updated, just through the foresight to get a device with an unlockable bootloader. Both are now running pie, and will run 10 eventually one way or another. (Motorola continues to stall on the subject of whether they will release 10 for my X4, but there will be a lineage OS 17 port for it sooner or later, and th
Re: (Score:3)
...and a phone that's stopped receiving patches doesn't say "I'm in need of an update" either (and asking for any updates says "no updates available" - which is the same as it says when it's just applied the latest update). So almost no one knows if they're "fully patched" or not.
Re: Fully patched android? (Score:2)
All of my Android devices have received regular updates which I've applied. I've had at least a dozen devices. You don't have a clue what you're talking about.
Same bug in Office365 (Score:1)
Users can hand over their permissions to enterprise data to web apps by pressing the consent button.
That is default O365 settings
https://securityintheenterpris... [blogspot.com]
the problem is (Score:2)
people keep installing crap on their devices for whatever silly reasons.
I've seen it enough in the Windows world and Android is no different in that regard.
Hahaha, listen to these fartsounds i have on this new app.
Re: (Score:1)
Banking on a phone? (Score:4, Insightful)
Re: (Score:2)
It is very common in Asia.
And for internet banking in Europe you soon need a two factor auth app on your phone.
Re: (Score:2)
And while 2 factor is great if somebody steals your phone, it doesn't do anything in this case.
Re: (Score:2)
And while 2 factor is great if somebody steals your phone, it doesn't do anything in this case.
Of course it does. The phone is locked, he does not know how to get into my internet account, so how the funk should the app on my lost phone receive a code he can use for anything?
Or do you happen to know my login credentials for my bank? I doubt it. So: how do you want to exploit my 2FA app on my phone? Huh?
What fucking Vulnerability? (Score:1)
Do tell, don't spare the details.
By exploiting this vulnerability, a malicious app installed on the device can attack the device [promon.co]
An already installed malicious app can "hack" your device, but first the end-user has to download it from the Google Play Market. For fuck's sake, Slashdot editors, have you no self-respect left, spouting this waffle.
Fully patched ones? (Score:2)
Both of them?
Task affinity? (Score:2)
Task affinity sounds like a feature no one wanted. Just get rid of it. And stop adding new ways for phone apps to act like desktop apps. There's a reason phone apps are locked down from interacting with one another. Intents solved pretty much all IPC problems that needed to be solved. We don't need any more APIs.
Should I really be surprised? (Score:1)
HA HA.... (Score:1)
Unnecessary App Installs (Score:1)