Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror
×
Security Android Technology

Vulnerability In Fully Patched Android Phones Under Active Attack By Bank Thieves (arstechnica.com) 98

An anonymous reader quotes a report from Ars Technica: A vulnerability in millions of fully patched Android phones is being actively exploited by malware that's designed to drain the bank accounts of infected users, researchers said on Monday. The vulnerability allows malicious apps to masquerade as legitimate apps that targets have already installed and come to trust, researchers from security firm Promon reported in a post. Running under the guise of trusted apps already installed, the malicious apps can then request permissions to carry out sensitive tasks, such as recording audio or video, taking photos, reading text messages or phishing login credentials. Targets who click yes to the request are then compromised.

Researchers with Lookout, a mobile security provider and a Promon partner, reported last week that they found 36 apps exploiting the spoofing vulnerability. The malicious apps included variants of the BankBot banking trojan. BankBot has been active since 2017, and apps from the malware family have been caught repeatedly infiltrating the Google Play Market. The vulnerability is most serious in versions 6 through 10, which account for about 80% of Android phones worldwide. Attacks against those versions allow malicious apps to ask for permissions while posing as legitimate apps. There's no limit to the permissions these malicious apps can seek. Access to text messages, photos, the microphone, camera, and GPS are some of the permissions that are possible. A user's only defense is to click "no" to the requests.
"The vulnerability is found in a function known as TaskAffinity, a multitasking feature that allows apps to assume the identity of other apps or tasks running in the multitasking environment," reports Ars Technica. While Google has removed the [unnamed] malicious apps from its Play Store, according to Promon, the vulnerability is still unfixed in all versions of Android.

"Promon is calling the vulnerability 'StrandHogg,' an old Norse term for the Viking tactic of raiding coastal areas to plunder and hold people for ransom," the report adds. "Promon researchers said they identified StrandHogg after learning from an unnamed Eastern European security company for financial institutions that several banks in the Czech Republic reported money disappearing from customer accounts."
This discussion has been archived. No new comments can be posted.

Vulnerability In Fully Patched Android Phones Under Active Attack By Bank Thieves

Comments Filter:
  • Android is OK for technical people who know what they are doing, but it's simply too dangerous for non-technical people to use without coming to harm from things like this. There is no excuse to propagate the lack of security from the PC world into the mobile future.

    • by khchung ( 462899 )

      So, what phone do you propose non-tech people to use? Only allowed to choose between old flip phones with no apps, or iPhone?

      • Yes, sadly (Score:2, Insightful)

        by SuperKendall ( 25149 )

        Only allowed to choose between old flip phones with no apps, or iPhone?

        Yes, sadly, I like choice but as we can see Android is just a bad choice currently.

        What I would really love to see is some Android maker committed to making a really secure Android phone, that would guarantee ASAP delivery of security patches and work quickly to patch zero day exploits. Then maybe it would be OK for non technical people. The Google devices were supposed to be something like this but even they fall short here. There ne

        • You are just rolling dice with their data.

          I think the solution is somewhat simplistic. Treat the device for what it is. It is untrustworthy for anything data sensitive (banking etc).

          The world is welcome the the rest of my (tediously boring photos of me and my kids doing inane things) data.

        • By that standard, no one anywhere should be recommended to use windows...
      • Don't use an iPhone if you want security. They just got over patching a MUCH more critical security flaw in iOS. Essentially the same flaw, except it was installed by visiting a website, and it didn't require any human to click "approve".

        Apple is objectively worse at security than Google.

      • I bought my first smartphone last December. I never used it for banking or purchasing things. And I never will.
    • Do not let people do banking on smartphones.

      • Pretty much this! The alternative is to have a dedicated cell phone for banking with only your banking apps installed on it, although not very practical for most people. Banking on a cell phone that is crowded with apps from all kinds of sources is definitely a big no-no, just as much as doing anything else sensible on that crowded with apps phone. You are only as strong as the weakest link in the chain then...

        • Banking on a cell phone that is crowded with apps from all kinds of sources is definitely a big no-no

          Not on an iPhone. What could they do? Nothing that's what.

          I guess instead of apps on a phone your rather they use a window in a browser that has forty pages loaded on a desktop that gets updates every now and then....

          This goes way beyond platform flamewars and right into the ethics that all developers have in relation to real people that use systems.

          • How can you say that? Have you audited the source code? Has anybody not beholden to Apple audited the source code? Or are you just shilling?

            • He is just shilling. It's what Kendall does. From the same article: "In an email sent after this post went live, a Lookout representative said none of the 36 apps it found was available in Google Play."
        • Good-enough smartphones can be had for as little as USD 100 now. "Not very practical for most people" is a rewording of "people are too lazy to own a second, cheap but recent phone and use it exclusively for a very limited number of very high-security applications because the threat perception of most people is based entirely on the media's, which feeds them unrealistic and unlikely threat scenarios as real and common every day for many decades".

          The extroverted 2/3rds of human beings in Western society cann

          • It is not practical.
            Because you need to keep the contacts on both phones up to date.

            People complaining should simply look how real banks do it: you can only transfer between preregistered accounts. You get sideway information via email and/or SMS. Bit companies like cable or power are preregistered, they manage your amount and reference number for your.

            With three buttons you pay this or that. Top up your SIM card etc. It is not really plausible that a random attacker e.g. can access my Bangkok bank account

        • The alternative is to have a dedicated cell phone for banking with only your banking apps installed on it, although not very practical for most people.

          Well some people have a dedicated chromebook for banking and only banking, through the chrome browser, never running the Android compatibility stuff. Not as mobile but probably much less expensive.

          • I just go to the bank when I need to do banking.

            It's a novel point of view, I know...

            • by drnb ( 2434720 )

              I just go to the bank when I need to do banking. It's a novel point of view, I know...

              And likely to become less of an option. Have you seen the latest in banking, basically its a coffee shop with an atm and the ability to open new accounts and help you download the online banking app for your phone. I'm hoping they keep doing safe deposit boxes since that's my offsite backup in case the house burns down.

      • Do not let people do banking on smartphones.

        News flash - people do EVERYTHING on smartphones. You can't just hand everyone a powerful device that can totally replace a computer, then say "Oh but you cannot use it for anything serious".

        At this point smart phones have replaced computers for most things they do in their lives - including managing bank accounts.

        So what you CAN DO is make sure that anyone who doesn't understand technology is using a platform that is far more serious about keeping user data secu

        • by robot5x ( 1035276 ) on Tuesday December 03, 2019 @12:55AM (#59479230)

          News flash - you are not obliged to use apps

          I regularly do banking on my phone, but I don't use my banks app - just the mobile optimised version of their website. It works great and I don't have to worry about this kind of stuff, or annoying push notifications, etc etc.

          • Does not seem wise (Score:3, Interesting)

            by SuperKendall ( 25149 )

            I don't use my banks app - just the mobile optimised version of their website.

            To me it seems way more a gamble to trust a browser that may well visit scores of dicey websites every day will never be compromised, vs. an application that any least is more distinct and supposedly harder to corrupt in some way.

            • Re: (Score:2, Interesting)

              by ptaff ( 165113 )

              more a gamble to trust a browser that may well visit scores of dicey websites every day will never be compromised, vs. an application

              Who codes those phone applications? It appears like a nice project for interns, cheap 3rd parties and random juniors who followed a "Mobile Bootcamp" and learned their "trade" in two months. After all they don't have to touch thoroughly audited back-end code, only use an API, so worst case if the app ends up as total crap, just move it to /dev/null and reiterate with someone

          • by AmiMoJo ( 196126 ) on Tuesday December 03, 2019 @04:15AM (#59479528) Homepage Journal

            You are reducing your security by not using the bank's app.

            Android has an API for verifying the integrity of the OS and the app to ensure nothing has been tampered with, which most banks make use of. It's why their apps often take a few seconds to open, they are checking that the phone hasn't been compromised.

            The browser doesn't use that API. It also doesn't use other security features like blocking the ability to take screenshots of your bank details.

        • by MeNeXT ( 200840 )

          simple is not possible on IOS except for those that have jailbroken...

          In your own sentence you prove yourself wrong. In a device that is not controlled by you, you can never be sure of your security. You can't control security because you are restrained by the devices undocumented design. On the desktop you can run applications which can identify how much control you have. On mobile you have no such control. Simple features are disabled from the owner that require that you compromise the phone to gain access. It is not a feature.

          I am not bashing Apple. It's the reality of mob

        • I manage many bank accounts with several different institutions, and I've never accessed any of these accounts with a phone, nor will I ever. It's only "unrealistic" because people are lazy and stupid.
        • "News flash - people do EVERYTHING on smartphones. You can't just hand everyone a powerful device that can totally replace a computer, then say "Oh but you cannot use it for anything serious"." Then those people are freaking idiots. Pure and simple. They deserve to get scammed or screwed. How many more news stories, radio reports, newspaper articles on online theft do they need to see before wising up?
      • Should they use the spyware infesfed windows machine then?
      • For several years now I've been telling people to NEVER do any kind of financial transaction on cell phones. But they just blow me off.
        • "But I have a password!"

          "If you forget your password, how is it reset?"

          "I get an email and a text with a verification code!"

          "So basically, anyone finding/stealing your phone has everything?"
        • Banking has its own security systems. All you do is file a police report for the missing phone, then call your bank and have the transactions reversed. Just because the security system predates the Internet doesn't mean it hasn't worked for decades.

    • "Running under the guise of trusted apps already installed, the malicious apps can then request permissions to carry out sensitive tasks, such as [...] phishing login credentials. Targets who click yes to the request are then compromised. "

      Well, Google might want to take out that particular permission, perhaps? ;-)

      • by Anonymous Coward

        That permission is required for the Google Spyware and Google Advertizing to work. They will never remove it. Perhaps the dumfrucks that click "yes" to every permission request should be removed (from the gene pool).

        • IBM Mainframe solved this problem, oh, 50 years ago! I'll incorrectly make it simple. Tasks have their own control blocks. Besides memory keys that prevent you reading other peoples memory, you can set security permissions so that memory is allocated out of a particular pool. When the task ends, all memory is released, bar a forced cancel. No memory leaks ever. For shared memory, there are special pools/numbers used, while security address space has its own pool. Problem solved. The downside is simple getma
      • Hmm “ a function known as TaskAffinity, a multitasking feature that allows apps to assume the identity of other apps or tasks running in the multitasking environment”. Even if that function doesn’t do exactly what is described here, it still seems like a nasty security hole. Why does this even exist?

        Apple’s idea of strictly sandboxing each app seems like a good idea now. On iOS, apps can interact with each other, but that interaction doesn’t really go much beyond the equiv
        • On iOS, apps can interact with each other, but that interaction doesn’t really go much beyond the equivalent of “Open With” in Windows.

          Last I looked at that API, many years ago, one basically creates marked up text defining parameters. So to interact with the mail app you created something like:
          to=""
          subject=""
          body=""
          and handed that off to iOS, which would then hand it off to the mail app, which will create an email with these fields filled in. The user would then have to press the send button.

          I think a developer can define a markup for their app if they want other 3rd party apps to communicate, well, hand off info, its not much of a

          • What you are describing is called "intents" but I think this is distinct from the newer (and evidently flawed) "task affinity". Intents were fine. But shitty developers always want a new shittier way to do something, so now we get task affinity and stolen money.

            The barrier to entry to develop apps should be going UP not down.

      • under the guise of trusted apps

        Now, you understand why I refuse to use "any" online banking scam er I mean scheme.

    • Android is OK for technical people who know what they are doing, but it's simply too dangerous for non-technical people to use without coming to harm from things like this. There is no excuse to propagate the lack of security from the PC world into the mobile future.

      So you are admitting that a Linux based OS is too difficult for non-technical people to figure out?
      Just who is propagating this "lack of security from the PC world" - Google? Or is it the asshole phone companies who have their own set of trained monkeys to "fix" Android to fit their corporate masters?

      • The irony here is that for non technical people I think the safest option for banking is certainly desktop Linux.

    • by AmiMoJo ( 196126 )

      Android is the most secure option for most people. Look at how this is being handled - Google has developed a way to detect apps using this vulnerability, scanned the entire Play Store and is actively removing affected ones from people's phones without any need for action on their part. It will roll out a patch, also via the Play Store, to mitigate this flaw in the API as soon as it's ready and tested.

      There is a reason you don't see vast botnets of infected Android phones, or massive bank heists from stolen

      • Re: (Score:3, Insightful)

        by drnb ( 2434720 )

        Android is the most secure option for most people ...

        No, its not. A recent premium Android device from Google or Samsung might get patched but there are Android phones being sold right now that are running versions of Android several generations out of date and will never get patched. Again these are brand new in the box phones at retailers. They are very inexpensive budget phones but they are new US carrier phones, they are not used, they are not gray market internationals, etc. I've bought such budget pre-paid phones at Walmart for development purposes. Don

        • by AmiMoJo ( 196126 )

          Android gets patches even if the manufacturer doesn't update.

          Android is separated out into the kernel and drivers, which the manufacturer updates, and the rest of the OS, services and core apps which Google updates. Essentially you can think of Android as a layer on top of a Linux kernel, with that layer providing all the Android APIs and services.

          Google distributes patches via the Play Store. Also they have the ability to remove apps remotely when they are found to be infected.

          That way they can mitigate is

          • Android gets patches even if the manufacturer doesn't update.

            There might be source code patches in source code repositories for old Android versions but they *DO NOT* make it to users. They provide nothing more than giving Google the opportunity to say "we did our part". Again, brand new out of the box US retail Android phones, admittedly dirt cheap budget phones at places like Walmart, ship with obsolete code and are never offered patches. When you go to the Android option to check for a software update you are told the obsolete and unpatched version is the *CURRENT

            • by AmiMoJo ( 196126 )

              No they ship the binary patches direct to users via Google Play.

              • by drnb ( 2434720 )

                No they ship the binary patches direct to users via Google Play.

                We are not talking about updating Google apps that run on Android. We are talking about Android itself. And updating Carrier Services and Webview is not even close.

                • by AmiMoJo ( 196126 )

                  That is updating the core Android binaries. They moved most stuff out of the kernel. Next version will use a stock kernel.

                  • by drnb ( 2434720 )

                    That is updating the core Android binaries.

                    No, that is a very small piece of it.

                    They moved most stuff out of the kernel.

                    No, "most stuff" was never in the Linux kernel. Android is effectively its own operating system, the Linux kernel merely hosts. Android provides all the operating system services for 70% of all Android apps, the remaining apps that go native pretty much stick to a few posix APIs. Linux hosting is little more than a hardware abstraction layer. Android is effectively the operating system of these mobile devices.

                    Next version will use a stock kernel.

                    So your statements are really about last spring's announcement

                    • by AmiMoJo ( 196126 )

                      Google "Project Treble". It was announced nearly 3 years ago.

                    • by drnb ( 2434720 )

                      Google "Project Treble". It was announced nearly 3 years ago.

                      Requires Android 9 or greater, which 90% of visitors to the Google Play store do not have.

                      https://developer.android.com/... [android.com]

                      And which the brand new dirt cheap Android phones at Walmart and elsewhere are not shipping with.

        • Apple does not patch older devices, so that you will have to throw them away and buy a new one

        • by MeNeXT ( 200840 )

          Created this mess in the first place by (1) allowing users to load apps outside the Google Play store and (2) created an environment that they could not patch and required downstream entities (phone retailers) to deliver patches.

          And yet this has less to do with side loading apps than actual security. Even if you load apps just by Google Play you need apps to change simple system behavior because you don't control the OS. Stupid things like separating the ringer volume from the notification volume. The feature was available, then some genius at Google decided they were one of the same. Now you load an app that you know nothing of the quality and need to to give it sound permissions. Any security vulnerability on this app now gives a

        • The summary states that apps with the malware were found in Google Play so removing the option to install apps from outside it wouldn't have made any difference in this case. Also, that option is disabled by default so the user has to willingly enable that possibility. I'd rather have that than a platform that is completely controlled by a single company. If the reason to forbid installation of "untrusted" apps on smartphones is the user's own good would you do the same to PC's?
          That said I agree that iOS i
        • I don't think that for the majority, iPhone devices are an option. Half the world just can't afford one. Make that 4/5ths. Regarding iPhone updates, Apple is still updating the 6s, stopped updating the iPhone 6. Here in Switzerland, the world's number one iPhone country, guess which model you can still buy? My oneplus 3t has been not been sold anymore since April 2017. It got updated to android 9 earlier this year (third major system update) . If the iPhone 6s gets a major update two years after Apple sells
    • Android is OK for technical people who know what they are doing, ...

      By "know what they are doing" you mean "technical people" knowing to not use a mobile device for banking, at all, ever?

    • And apparently for those that actually read the article. "Update: In an email sent after this post went live, a Lookout representative said none of the 36 apps it found was available in Google Play."
  • Don't have your main bank account smartphone-accessible... maybe not even on e-banking at all. Open a secondary one!
  • LOL. Does anyone actually have such a phone? Android users don't update their phones. Most vendors don't update the OS and the ones that do make it so that the users refuse it.

    • My mod-grade Moto gets monthly updates, for security and other things.

      It doesn't come with bloatware and the bootloader is unlocked. Motorola doesn't try to stop you from rooting.

      The only thing that has been bugging me about the phone is it keeps nagging me to update. I kinda didn't want to because I might have to spend 10 minutes re-rooting it. :D

      Btw this is, as far as I recall, my first Motorola phone in 10 years or more. I'm not a brand fan. I've been happy enough with this one that when it's time to

      • Can confirm, bought an LG phone because I liked the LG Pop. Worst fucking phone I ever owned. Changed to a Moto One 32GB, works great. Could be stronger but it's a good all-round phone.
      • My mod-grade Moto gets monthly updates, for security and other things.

        It doesn't come with bloatware and the bootloader is unlocked. Motorola doesn't try to stop you from rooting.

        The only thing that has been bugging me about the phone is it keeps nagging me to update. I kinda didn't want to because I might have to spend 10 minutes re-rooting it. :D

        Btw this is, as far as I recall, my first Motorola phone in 10 years or more. I'm not a brand fan. I've been happy enough with this one that when it's time to replace it, I will certainly look at what Motorola offers then.

        Actually there is one thing I wish was different - the model naming. They have a bunch of different phones in the e5 line - e5, e5 plus, e5 play, etc. It can get confusing when shopping. I bought the highest spec in the mid-range line, the e5 Plus.

        Yup, got more updates with my Moto E4 than with any other phone, and they have never broken anything. Nice experience.

    • Said the iPhone user?

      I seem to get updates about every 3 or 4 months and always apply them. Why not?

    • My Moto X4 has been getting regular security updates. I recently loaded lineage os 16 (unofficial) on my nexus 7, and they're actually providing otas for that, so that's an antique device still being updated, just through the foresight to get a device with an unlockable bootloader. Both are now running pie, and will run 10 eventually one way or another. (Motorola continues to stall on the subject of whether they will release 10 for my X4, but there will be a lineage OS 17 port for it sooner or later, and th

    • ...and a phone that's stopped receiving patches doesn't say "I'm in need of an update" either (and asking for any updates says "no updates available" - which is the same as it says when it's just applied the latest update). So almost no one knows if they're "fully patched" or not.

    • All of my Android devices have received regular updates which I've applied. I've had at least a dozen devices. You don't have a clue what you're talking about.

  • Users can hand over their permissions to enterprise data to web apps by pressing the consent button.
    That is default O365 settings
    https://securityintheenterpris... [blogspot.com]

  • people keep installing crap on their devices for whatever silly reasons.
    i've seen it enough in the windows world and android is no different in that regard.

    Hahaha, listen to these fartsounds i have on this new app.

  • by DogDude ( 805747 ) on Tuesday December 03, 2019 @07:45AM (#59479834)
    If you're doing banking on a phone, you really deserve whatever happens to you. Of all the things to do on a "smart" phone, banking is the dumbest thing to do, hands down.
    • It is very common in Asia.
      And for internet banking in Europe you soon need a two factor auth app on your phone.

      • by DogDude ( 805747 )
        Lots of things are common in Asia that I'd personally never do.

        And while 2 factor is great if somebody steals your phone, it doesn't do anything in this case.
        • And while 2 factor is great if somebody steals your phone, it doesn't do anything in this case.
          Of curse it does. The phone is locked, he does not know how to get into my internet account, so how the funk should the app on my lost phone receive a code, he can use for anything?
          Or do you happen to know my log in credential for my bank? I doubt it. So: who do you want to exploit my 2FA app on my phone? Hu?

  • Vulnerability In Fully Patched Android Phones Under Active Attack By Bank Thieves

    Do tell, don't spare the details.

    By exploiting this vulnerability, a malicious app installed on the device can attack the device [promon.co]

    An already installed malicious app can “hack” your device but first the end-user has to download it from the Google Play Market. For fuck sake slashdot editors, have you no self respect left, spouting this waffle.
  • Both of them?

  • Task affinity sounds like a feature no one wanted. Just get rid of it. And stop adding new ways for phone apps to act like desktop apps. There's a reason phone apps are locked down from interacting with one another. Intents solved pretty much all IPC problems that needed to be solved. We don't need any more APIs.

  • It seems inevitable that everything gets hacked eventually.
  • ... I never used a smartphone for banking or purchasing. Ever. They can suck it.
  • I'm mocked for refusing to install any and all apps on my smartphones(iPhone and Android). A fast food employed asked if I wanted their app. I told her I install nothing on my phones. Her look was priceless.

"The vast majority of successful major crimes against property are perpetrated by individuals abusing positions of trust." -- Lawrence Dalzell

Working...