And it's quite easy to run headless apps/processes.
XcodeGhost was a compromised compiler suite. See https://en.wikipedia.org/wiki/XcodeGhost#Attack_vector
The store rules and moderation are a bit stricter, so that may be one reason we hear less about iOS malware. But it's still out there.
An iOS trojan would have slightly more limited impact, but if (for example) you gave the app "Access to your Photos" in order to save something, the app would still be able to read all of your photos and potentially send them back to home base as it chooses.
At first the app store privacy policy was a broken link. Later they got it to work, and it basically used broken English to say: we can collect anything.
Uninstalled and never looked back.
One tip:
The iOS native Notes app can scan documents into a .pdf file.
When Tencent bought the iOS version, the "user contract" was grossly changed.
Just uninstall it and use the native iOS Notes app to scan your .pdf documents.
Also, does the Play Store app have a way to notify users of a banned app that is still installed? I decided to check my wife's phone proactively, but I don't think she would otherwise have had a clue of malware (but has been getting weird and annoying pop-up ads).
This would also make the Play Store look bad.
June 6, 2019: 5.11.0.20190611 – safe
June 14, 2019: 5.11.3.20190614 – safe
June 16, 2019: 5.11.3.20190616 – unsafe
June 24, 2019: 5.11.5.20190624 – unsafe
July 10, 2019: 5.11.7.20190710 – unsafe
July 23, 2019: 5.12.0.20190723 – unsafe
July 25, 2019: 5.12.0.20190725 – unsafe
July 30, 2019: 5.12.0.20190730 – safe
August 8, 2019: 5.12.3.20190809 – safe
August 14, 2019: 5.12.3.20190814 – safe
August 16, 2019: 5.12.5.20190816 – safe
August 20, 2019: 5.12.5.20190820 – safe
The developers behind this app did not add any malicious code they wrote themselves. The attack either came from the ad library or the ad library was hacked.
In addition to factory resetting my phone, I've changed account passwords for all accounts I used on my phone, rotated every entry in my TOTP app, and logged out of all other active sessions on quite a few different services.
(Forbes contributor posts are almost always blogspam)
News sites just tend to have lower quality entries than blogs and often engage in blogspam instead of providing links to superior sources or adding something of value.
Obviously. Since they want to keep people on their site.
I wonder what the average time spent on a "news article" vs. a "blog post" is.
There is a difference. A blog is short for web log which implies a personal journal. Anyone can publish a blog without editorial oversight. A news site implies that professional journalists are producing reports with editorial and literary standards. Clearly many media companies blur this line though to the detriment of readers and journalists.
> A lot of them even use the same software.
What difference does that make? The vast majority of web sites use the same web server software (Apache/Nginx)...and the same software elsewhere in the stack.
Lately they churn out another "Apple headed for disaster" article every day. Someone there is shorting AAPL and thinking no one will figure it out.
To make sure you never find yourself in such trouble, use a reliable antivirus for Android app and scan your smartphone from time to time. (The paid version of Kaspersky Internet Security for Android scans automatically.)
Read screen: not without permission, even then not on protected screens, unless the malware has gained root access
If the app doesn't get root, the Android sandbox should protect you sufficiently against attacks on the key store of Google Authenticator.
However, if you copy the code to the device clipboard, the malware might read the code from there.
This is basically wrong, you can't modify a browser or charge someone's card without breaking out of the sandbox.
Worst case they could burn your cellular data or encrypt your photos and such if you gave it permission.
Is there any evidence they maliciously used this or was it probably just in there so they could drop more creepy ad code?
Every Android Security Advisory I looked at contained at least one, often multiple, Elevation of Privilege or straight Remote Code Execution holes. My Android One smartphone usually gets the updates 20-35 days after the release of the advisory, and I'm the only one in my wider family who even has a smartphone that still receives monthly security updates at all. Most of them are stuck on an old Android version with years-old patch levels. So I doubt this is hard at all. I have no idea if there are public exploits for these issues, but they probably exist.
If anyone else is looking for a replacement there's a Microsoft app called "Office Lens" that seems to do a really nice job and is as safe a bet as anything.
They work better, you're not expanding your privacy risk ... and they're free and integrated with Google docs etc.
* namely, Drive Scan and Photoscan
But damn, I'm (sort of) affected. I've had the paid version of CamScanner for years before the alternative existed. Apparently the paid version isn't affected, but it's still gone from my phone.
In addition to automatic cropping it fixes any distortions so the documents look as if they had been scanned with a flatbed scanner. It works really well for my purpose.
(I have no affiliation with them, just love the app)
But I very much disagree this is about embarrassing Apple. In fact, Google is doing them a huge favor.
(The iMessage bug for example could have been turned into a worm and infected ALL iPhones on the planet in matter of minutes if it was found by blackhat hackers instead. Apple should be thankful)
I think Fuchsia can’t come fast enough for an opportunity to break backwards compatibility and catch up with the rest of the world on security.
(I also think that Google needs to put some more humans in the Play Store review process, but as we all know Google despises using humans when they can automate a process.)
Agreed on humans, Google needs more humans and fewer robots.
In the original kaspersky report it says "For example, an app with this malicious code may show intrusive ads and sign users up for paid subscriptions.".
So how/did it sign up users for paid subscriptions without user interaction? Does android allow something like that? Aren't all apps sandboxed?
In general how is the android sandboxing and permission system nowadays? I'm considering switching back to it from iOS, but reports like this are kinda discouraging.
Android is just as secure/insecure as iOS. Some recent "malware" campaigns targeted both platforms, but in general Apple silently removes them while Android gets scrutinized to death.
Edit: to answer your questions, these apps still operate within the limits of the sandbox. Which is maybe a reason the term "malware" should not be used.
This is irrelevant. Most phones period don't get updates frequently. Does that mean you shouldn't buy any phone? No, you should buy a phone that does get updated, and there are plenty of Android options.
Apple also released an OS update in July of this year for iPhones back to the iPhone 4S from 2011.
Also irrelevant. Most people don't use phones that old. If they upgrade devices on a normal schedule, there are plenty of Android devices that will get updated during that time. Even better, their system apps will also get updated at an even higher frequency during that time transparently, while iOS users have to wait for an OS update and reboot their devices. This is an issue with highly vulnerable apps like iMessage and Safari.
There is a vibrant official second hand market for iPhones where people sell their phones and the hand me down market. It really helps when you can still use an older device with the newest operating system. Anecdotally, my son is still using my circa 2015 iPhone 6s with the latest OS. According to many benchmarks, it was faster than high end Android phones up until 2018 and is still faster than mid tier Android phones.
Also the length of time that people are keeping their phones is almost three years (https://www.vice.com/en_us/article/43ejej/study-smartphone-iphone-trade-in-age-apple-event-2018). That’s longer than you can get support for most Android phones.
Even better, their system apps will also get updated at an even higher frequency during that time transparently, while iOS users have to wait for an OS update and reboot their devices. This is an issue with highly vulnerable apps like iMessage and Safari.
Well, fortunately we have statistics about how many iOS users are running the latest OS compared to Android users from the respective companies. We know that your conjecture is probably false.
Irrelevant. I'm not buying from the second hand market. If you want to push that benefit, push it on somebody who will.
> We know that your conjecture is probably false.
We know I'm right. It takes weeks for iOS users to update their phones if iMessage or Safari has an update. On Android, the SMS and browser apps update automatically without the user noticing. For the phones that receive system updates, the statistics show they update just as quickly on Android as on iOS. For users who upgrade devices frequently like me, these Android devices are strictly better than iOS devices in security.
It might come as a surprise, but the world doesn’t revolve around you and this is a general discussion forum...
We know I'm right. It takes weeks for iOS users to update their phones if iMessage or Safari has an update.
Do you have statistics?
For users who upgrade devices frequently like me, these Android devices are strictly better than iOS devices in security.
Well, since I couldn’t find any statistics about HN users named “lern_too_spel”, I had to rely on information I could find on the internet....
Which is? I pointed out why it is that these new Android devices are better from a security update perspective than iOS devices. Your response is to point to non-existent statistics. No amount of wishful thinking is going to make statistics appear that violate common sense.
> It might come as a surprise, but the world doesn’t revolve around you and this is a general discussion forum...
Users who don't upgrade phones frequently have no good options. Users who upgrade frequently have Android devices that fit the bill. I don't consider iOS's security updates reasonable, as I have already explained.
Well... 10% vs 88%: https://www.digitaltrends.com/mobile/ios-distribution-news/
But I guess we should be satisfied because...
Irrelevant. I'm not buying from the second hand market. If you want to push that benefit, push it on somebody who will.
Because you upgrade frequently
Users who don't upgrade phones frequently have no good options. Users who upgrade frequently have Android devices that fit the bill. I don't consider iOS's security updates reasonable, as I have already explained.
Well your “explanation” that iOS security is not acceptable because you have to reboot. Compared to not getting a full update at all is laughable.
I already pointed out why lumping all Android devices together is nonsensical in my very first comment. The rest of your points crumble after you remove this nonsensical foundation.
Do you have any more reliable numbers or just more conjecture?
Because in your world, it is more secure to not be able to update the entire OS than to have to do a reboot.....
Your statistics are for a nonsensical metric as I have repeatedly pointed out. The correct statistic is how quickly Android devices that are known to get updates get updates because those are the only devices that anybody who cares about security updates should buy.
> Because in your world, it is more secure to not be able to update the entire OS than to have to do a reboot.....
Once again, you are completely ignoring the point. It is more secure to have a device that updates the base system quickly and updates the apps instantly without the user noticing. There are devices that do that, and there are devices that don't. The devices that don't are so inferior to the devices that do that they shouldn't be used.
Do I need to draw a Venn diagram for you, or do you finally understand?
So that’s “the correct statistic” as long as you ignore the literally billion Android phones that don’t get updates compared to the 0% of iPhones that were introduced since 2011 that haven’t gotten an update in the last 3 months.
In other news, everyone in the US is rich as long as you ignore all of the poor people....
It is more secure to have a device that updates the base system quickly and updates the apps instantly without the user noticing.
So the “base system” consists of applications* not the underlying operating system....
In 30+ years of being in the computer industry professionally and as a hobbyist, I’ve never heard anyone consider applications as the “base system”.
It is more secure to have a device that updates the base system quickly and updates the apps instantly without the user noticing. There are devices that do that, and there are devices that don't. The devices that don't are so inferior to the devices that do that they shouldn't be used.
So the vast majority of Android phones shouldn’t be used and none should be used considering the average amount of time people are keeping their phones is longer than the time that any manufacturer is supporting them?
So 90%+ of all Android phones “shouldn’t be used” even if you’re charitable and ignore the phones that only get updated for a couple of years....
Btw, to get a clue about how an ecosystem should work where one company is responsible for the operating system and other companies sell the hardware, look no further than Microsoft. Not only are one of my computers that is used as a Plex server over 10 years old and still running the latest version of Windows (a Dell Core 2 Duo circa 2009), my mom is still using my old Mac Mini circa 2006 running a supported version of Windows 7.
How many times do I have to repeat that it doesn't make sense to group all Android devices together just like it doesn't make any sense to group all phones together?
> So 90%+ of all Android phones “shouldn’t be used”
Yes! That's what I've been trying to tell you! 90% of Android phones shouldn't be used, and 100% of iOS phones shouldn't be used. How is it that you still do not understand this?
> So the “base system” consists of applications* not the underlying operating system....
That explains it. I specifically separated base system, which gets updated quickly with reboots, from applications, which get updated transparently without reboots, and through some incredibly poor reading comprehension, you understood this as saying both are the same.
So no personal computer should ever be used since you have to reboot to receive security patches. But I guess in that case even Windows 95 was secure since you could update applications without rebooting....
Nope. Try reading my comments again. The base system has to be rebooted when receiving updates. Personal computers, just like Android devices, do not need to reboot when updating the web browser or a messaging app. iOS is so poorly architected that it cannot do this.
The permission system is being updated and apps are being rejected for bad use of permissions (check Reddit for the SMS permission stories).
This sandbox isn't a VM per-se in that the apps can view and interact with other apps via various api-interfaces, sometimes with devastating consequence (like apps with storage permission scraping location information from EXIF, or apps with SMS permission scraping inbox for your financial transactions).
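To make the EXIF point above concrete, here is an added example (my code, not from the thread or from any of the apps discussed) of how little an app with plain storage access needs in order to read a GPS fix out of a photo, and of the defensive counterpart, stripping the Exif block before a file is shared. It builds its own minimal JPEG with an Exif APP1 segment (a constructed sample, not a real photo; the coordinates are made up) so it runs offline with only the Python standard library.

```python
"""What a 'storage' permission gives away: pull the GPS fix from a photo's EXIF
block, then drop the block (the defensive counterpart). Pure stdlib."""
import struct

GPS_IFD_POINTER = 0x8825
GPS_TAGS = {1: "lat_ref", 2: "lat", 3: "lon_ref", 4: "lon"}


def _exif_payload(jpeg):
    """Return the TIFF-structured body of the first Exif APP1 segment, or None."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 4 <= len(jpeg):
        marker, length = struct.unpack(">HH", jpeg[pos:pos + 4])
        if marker == 0xFFE1 and jpeg[pos + 4:pos + 10] == b"Exif\x00\x00":
            return jpeg[pos + 10:pos + 2 + length]
        if marker == 0xFFDA:          # start of scan: no more metadata segments
            return None
        pos += 2 + length
    return None


def _ifd_entries(tiff, offset, order):
    """Yield (tag, type, count, raw 4-byte value field) for the IFD at offset."""
    (n,) = struct.unpack(order + "H", tiff[offset:offset + 2])
    for i in range(n):
        e = offset + 2 + 12 * i
        tag, typ, count = struct.unpack(order + "HHI", tiff[e:e + 8])
        yield tag, typ, count, tiff[e + 8:e + 12]


def _dms(tiff, raw, order):
    """Three RATIONALs (deg, min, sec) live at the offset stored in the value field."""
    (off,) = struct.unpack(order + "I", raw)
    v = struct.unpack(order + "IIIIII", tiff[off:off + 24])
    d, m, s = (n / den if den else 0.0 for n, den in zip(v[::2], v[1::2]))
    return d + m / 60 + s / 3600


def extract_gps(jpeg):
    """Return (lat, lon) in decimal degrees, or None if the file carries no fix."""
    tiff = _exif_payload(jpeg)
    order = {b"II": "<", b"MM": ">"}.get(tiff[:2]) if tiff else None
    if order is None:
        return None
    (ifd0,) = struct.unpack(order + "I", tiff[4:8])
    gps_off = next((struct.unpack(order + "I", raw)[0]
                    for tag, _, _, raw in _ifd_entries(tiff, ifd0, order)
                    if tag == GPS_IFD_POINTER), None)
    if gps_off is None:
        return None
    found = {}
    for tag, typ, count, raw in _ifd_entries(tiff, gps_off, order):
        name = GPS_TAGS.get(tag)
        if name and typ == 2:                 # ASCII ref, stored inline: b"N\x00"
            found[name] = raw[:count].rstrip(b"\x00").decode("ascii", "replace")
        elif name and typ == 5 and count == 3:
            found[name] = _dms(tiff, raw, order)
    if "lat" not in found or "lon" not in found:
        return None
    lat = -found["lat"] if found.get("lat_ref") == "S" else found["lat"]
    lon = -found["lon"] if found.get("lon_ref") == "W" else found["lon"]
    return lat, lon


def strip_exif(jpeg):
    """Copy the JPEG without any APP1 segment, so sharing it leaks no location."""
    out, pos = bytearray(jpeg[:2]), 2
    while pos + 4 <= len(jpeg):
        marker, length = struct.unpack(">HH", jpeg[pos:pos + 4])
        if marker == 0xFFDA:
            return bytes(out + jpeg[pos:])
        if marker != 0xFFE1:
            out += jpeg[pos:pos + 2 + length]
        pos += 2 + length
    return bytes(out)


def build_sample_jpeg(lat, lat_ref, lon, lon_ref):
    """Constructed test input: SOI + Exif APP1 (little-endian TIFF, IFD0 -> GPS IFD)
    + a bare SOS marker standing in for image data. lat/lon are three (num, den)
    pairs for degrees, minutes, seconds."""
    o = "<"
    entry = lambda tag, typ, cnt, val: struct.pack(o + "HHI", tag, typ, cnt) + val.ljust(4, b"\x00")
    rat = lambda triple: b"".join(struct.pack(o + "II", n, d) for n, d in triple)
    ifd0 = struct.pack(o + "H", 1) + entry(GPS_IFD_POINTER, 4, 1, struct.pack(o + "I", 26)) + b"\0\0\0\0"
    gps = (struct.pack(o + "H", 4)
           + entry(1, 2, 2, lat_ref.encode() + b"\x00")
           + entry(2, 5, 3, struct.pack(o + "I", 80))
           + entry(3, 2, 2, lon_ref.encode() + b"\x00")
           + entry(4, 5, 3, struct.pack(o + "I", 104))
           + b"\0\0\0\0")
    tiff = b"II" + struct.pack(o + "HI", 0x2A, 8) + ifd0 + gps + rat(lat) + rat(lon)
    app1 = b"Exif\x00\x00" + tiff
    return b"\xff\xd8" + b"\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xda\x00\x02"


# 37 46' 29.7" N, 122 25' 9.8" W (constructed values, not from any real photo)
SAMPLE = build_sample_jpeg(((37, 1), (46, 1), (297, 10)), "N",
                           ((122, 1), (25, 1), (98, 10)), "W")

if __name__ == "__main__":
    print("with EXIF   :", extract_gps(SAMPLE))
    print("after strip :", extract_gps(strip_exif(SAMPLE)))
```

Nothing here touches the Android permission model at all, which is the point: once an app can read the file, the location is just bytes at a known offset. Run it on a real phone photo (`extract_gps(open("IMG.jpg", "rb").read())`) to see what your camera app writes by default.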
> In general how is the android sandboxing and permission system nowadays?
There's lot of confusion and most users simply grant all access. Ask-on-first-use doesn't really help with privacy, at all. iOS, I think, has it better: Grant permission only when app is in the foreground.
That said, I am working on an app that'd help revoke and grant permissions automatically to apps depending on whether they're in the foreground or background; firewall apps from internet; block trackers. This isn't something you can't not do on Android today. And if you choose to root your device, there are apps like AF+ Wall, Privacy Guard (on LineageOS), XPrivacyLua (with XposedMod), NoRoot Firewall, NetGuard that are excellent offerings but sometimes feel like they're built for the power-user.
I've tested it via manual scan on PlayProtect as well, no dice. Isn't that what it is supposed to do?
Has anyone ever got any app flagged by PlayProtect? If it's useless, then rather I would disable it than to give it access to all my installed apps.
Google Engineers here, please ping your Google Play team reg PlayProtect.
Edit: More detail.
Kaspersky blog mentioned that the malware was part of the advertising module; so I assumed it gets activated only on the free version, so I manually scanned using PlayProtect in a mobile with free CamScanner installed.
Since both of the instances I've mentioned have auto update, it's likely they were >July 30. But Kaspersky did mention that the latest version was indeed affected.
I know it famously flags the Aptoide app store (a Google Play rival) as malware[1]
Yup. I also usually take the time to ridicule the offenders for being very silly.
Yes, it started flagging all the apps my company distributes internally for testing purposes. Getting it to stop seemed impractical, so my company's guidance is now to disable Play Protect on any test device.
IMO, this is more a legal matter than a technical one.
Google needs to sue this company, not engage in a whack-a-mole game with their AI algorithm and useless scanner.
Otherwise this is bound to happen again.
Revoke the app and developer account of that guy who wrote the free transit-mapping app for Montreal.
Google: hypocrisy on a colossal scale.
According to his blog post, his "anti-piracy system" used "custom techniques including dynamic bytecode loading from a local app resource", the exact same technique used by this malicious code to hide from detection.
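Added example, not code from the thread, from Google or from either app: a stdlib-only Python heuristic for the pattern mentioned above, extra bytecode shipped in a resource and loaded at run time. It flags DEX magic outside classes*.dex, a jar wrapping a classes.dex, references to the dalvik loader classes in the main DEX, and opaque high-entropy blobs under assets/. The APK it scans is constructed in memory (fake DEX headers, not a real app). It is a triage aid only; legitimate plugin frameworks and the anti-piracy code mentioned above trip the same heuristics, so a hit means "look closer", not "malware".

```python
"""Heuristic scan of an APK for the 'load extra bytecode from a resource at run
time' pattern: a DEX (or a jar wrapping one) shipped outside the normal
classes*.dex entries, plus the loader API such code needs to use it."""
import io
import math
import re
import zipfile
from collections import Counter

DEX_MAGIC = re.compile(rb"dex\n0\d\d\x00")            # "dex\n035\0", "dex\n038\0", ...
TOP_LEVEL_DEX = re.compile(r"^classes\d*\.dex$")
LOADER_REFS = (b"Ldalvik/system/DexClassLoader;",
               b"Ldalvik/system/InMemoryDexClassLoader;")
MEDIA_EXT = (".png", ".jpg", ".jpeg", ".webp", ".mp3", ".ogg", ".mp4", ".ttf")
ENTROPY_THRESHOLD = 7.5   # bits/byte; encrypted or well-compressed blobs sit near 8.0


def shannon_entropy(data):
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def scan_apk(apk_bytes):
    """Return (kind, entry, detail) tuples for suspicious entries in the APK."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for info in z.infolist():
            name, data = info.filename, z.read(info.filename)
            if TOP_LEVEL_DEX.match(name):
                # Type descriptors live in the DEX string table, so a plain
                # substring search finds loader references without a DEX parser.
                findings += [("loader-api", name, ref.decode())
                             for ref in LOADER_REFS if ref in data]
                continue
            if DEX_MAGIC.match(data):
                findings.append(("hidden-dex", name, ""))
            elif data[:4] == b"PK\x03\x04":
                # A jar/zip in assets is the classic DexClassLoader input.
                try:
                    with zipfile.ZipFile(io.BytesIO(data)) as inner:
                        for inner_name in inner.namelist():
                            if TOP_LEVEL_DEX.match(inner_name):
                                findings.append(("nested-dex", name, inner_name))
                except zipfile.BadZipFile:
                    findings.append(("bad-zip", name, ""))
            elif (name.startswith(("assets/", "res/raw/"))
                  and not name.lower().endswith(MEDIA_EXT) and len(data) >= 256):
                ent = shannon_entropy(data)
                if ent > ENTROPY_THRESHOLD:      # opaque blob: encrypted payload?
                    findings.append(("high-entropy-blob", name, f"{ent:.2f}"))
    return findings


def build_sample_apk():
    """Constructed stand-in for an APK (not a real app): a fake classes.dex that
    references DexClassLoader, a payload DEX hidden in assets/, a jar-wrapped
    DEX, an opaque high-entropy blob and an innocuous text file."""
    fake_dex = b"dex\n035\x00" + b"\x00" * 64 + b"Ldalvik/system/DexClassLoader;\x00"
    payload_jar = io.BytesIO()
    with zipfile.ZipFile(payload_jar, "w") as j:
        j.writestr("classes.dex", fake_dex)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("classes.dex", fake_dex)
        z.writestr("assets/config.bin", b"dex\n035\x00" + b"\x00" * 64)
        z.writestr("assets/plugin.jar", payload_jar.getvalue())
        z.writestr("assets/ad_sdk.dat", bytes(range(256)) * 8)
        z.writestr("assets/notice.txt", b"This app shows ads.\n" * 20)
        z.writestr("res/drawable/logo.png", bytes(range(256)) * 8)
    return buf.getvalue()


if __name__ == "__main__":
    for kind, entry, detail in scan_apk(build_sample_apk()):
        print(f"{kind:18} {entry:24} {detail}")
```

To use it on a real file, `scan_apk(open("app.apk", "rb").read())`; an APK is a zip, so no Android tooling is needed. The entropy check is the noisiest of the four (compressed media and real-world assets also score high, which is why common media extensions are skipped), so treat it as the weakest signal and the nested-dex / hidden-dex hits as the strongest.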
But when you are tied to including some code that goes off to a site that you have no or very little control over, you are outsourcing part of your company (web or app) into the hands of another, and if they mess up, you are the one that takes all the PR flak.
After all, if somebody slips an exploit into an ad hosted on a 3rd party site and offered up by a reputable ad-serving company, then whilst the blame and fault may clearly lie with the ad-serving company for not screening what they offer, you are the one that consumers, and as it also transpires the media, see as the one to blame. As we all know, corrections and retractions are always less viewed and eyeballed than the initial drama article based upon a small-picture view of the issue/drama instead of the root cause. Even with the best, most respected media sites in the world, such retractions/corrections never get the same attention as the initial article of drama and doom.
That is one problem that even today still prevails: media does an article with the finger pointing in one direction, and the truth, even when it comes out and is updated, never tracks as well as the initial finger pointing. It is very much the old saying of "if enough mud is slung, some will stick".
{EDIT spelling and below}
With that all said, ad-blocking by the likes of https://pi-hole.net/ is more than just avoiding ads, it's about privacy and, more and more so, security.
Maybe Google et al. need to make sure apps have an even more granular control of permissions, in that you can separate the app from the 3rd party ads. That would only help more, but alas I suspect that may never happen, as that would make ad control much more accessible at a level that goes against their revenue stream.
It is not an easy job to do even at small scales, and their scale is massive. But, it is the job they signed up for, and they need to properly provide resources for it (and it isn't like Google or Apple are short of resources).
There is a problem here. Trying to protect yourself from third-party malware running on your machine breaks half the damn web because of our over-reliance on javascript frameworks and ad networks. We have to find a better way.
Do other apps run the same ad library, do they run the same risk?
Now, I can remove CamScanner (which is a shame, it's a really good app), but how can I ensure the trojan is also removed?
I tried the Avast AntiVirus app, but it didn't find anything.
What does everyone else do for AV on Android?
https://play.google.com/store/apps/details?id=com.sophos.smsec
check your emails
Surely, that kind of email would just look like spam, so isn't the correct solution for google to just not auto-add calendar events if their source email is spam?
I was fairly sure it must be malware, but I had no idea how to find out which app it was. I tried Avast AntiVirus, but it found nothing. After finding out about CamScanner I tried Kaspersky AV, which did flag CamScanner as malware.
The trojan is inside the app. Remove the app, and you remove the trojan.
Here's basic steps you can follow:
1. Uninstall apps you don't use.
2. Firewall apps that do not require internet access to function (Calculator, CamScanner, Alarm Clock etc)
3. Block trackers and ads (use pi-hole and set private-dns).
4. Remove permissions from apps that do not really require the permission (Bank apps with all sorts of permissions).
5. Disable notification for apps that do not really need to notify you of anything at all (most games).
6. Install apps you're not comfortable using in work-profile, or in a privacy friendly app-sandbox (parallel-space started as one, but alas, aren't privacy-friendly anymore).
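Added example covering step 4 of the list above and the version list posted further up (my code, not from the thread or from any of the apps or vendors named): it parses the output of `adb shell dumpsys package <pkg>` offline, reports whether an installed CamScanner build date falls inside the window the version list marks unsafe (20190616 to 20190725 inclusive), and prints the `adb shell pm revoke` commands for granted runtime permissions that an app has no business keeping. Assumptions, all labelled in the code: the package id com.intsig.camscanner, the dumpsys layout shown in the constructed SAMPLE_DUMP (`perm: granted=true, flags=[...]` lines under a `runtime permissions:` header), and the SENSITIVE set, which you would tune per app.

```python
"""Triage `adb shell dumpsys package <pkg>` output offline: installed version,
granted runtime permissions, and the pm revoke commands to tighten them."""
import re

AFFECTED_BUILD_DATES = (20190616, 20190725)   # inclusive window from the version list
CAMSCANNER_PKG = "com.intsig.camscanner"      # assumed package id

# Runtime permissions worth revoking from an app you do not fully trust; tune
# per app (a scanner needs CAMERA while you use it, a calculator never does).
SENSITIVE = {
    "android.permission.CAMERA",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_SMS",
}

PKG_RE = re.compile(r"^\s*Package \[([\w.]+)\]")
VER_RE = re.compile(r"^\s*versionName=(\S+)")
PERM_RE = re.compile(r"^\s*([\w.]+): granted=(true|false)")


def parse_dumpsys(text):
    """Return {package: {"versionName": str|None, "runtime": {perm: granted}}}.
    Assumed layout: a `runtime permissions:` header followed by
    `perm: granted=true|false, flags=[...]` lines, one per permission."""
    pkgs, cur, section = {}, None, None
    for line in text.splitlines():
        m = PKG_RE.match(line)
        if m:
            cur = pkgs.setdefault(m.group(1), {"versionName": None, "runtime": {}})
            section = None
            continue
        if cur is None:
            continue
        m = VER_RE.match(line)
        if m:
            cur["versionName"] = m.group(1)
            continue
        if line.strip().endswith("permissions:"):
            section = line.strip()[:-1]          # requested / install / runtime permissions
            continue
        m = PERM_RE.match(line)
        if m and section == "runtime permissions":
            cur["runtime"][m.group(1)] = m.group(2) == "true"
    return pkgs


def build_date(version_name):
    """CamScanner versionNames end in a YYYYMMDD build date (5.12.0.20190725)."""
    m = re.search(r"\.(\d{8})$", version_name or "")
    return int(m.group(1)) if m else None


def in_affected_window(version_name):
    d = build_date(version_name)
    return d is not None and AFFECTED_BUILD_DATES[0] <= d <= AFFECTED_BUILD_DATES[1]


def triage(text):
    """Return (warnings, revoke_commands) for every package in the dump."""
    warnings, commands = [], []
    for pkg, info in parse_dumpsys(text).items():
        ver = info["versionName"]
        if pkg == CAMSCANNER_PKG and in_affected_window(ver):
            warnings.append(f"{pkg} {ver} is inside the affected build window")
        for perm, granted in sorted(info["runtime"].items()):
            if granted and perm in SENSITIVE:
                commands.append(f"adb shell pm revoke {pkg} {perm}")
    return warnings, commands


# Constructed dump (two packages, fields trimmed); real output is far longer.
SAMPLE_DUMP = """\
Packages:
  Package [com.intsig.camscanner] (1a2b3c):
    userId=10231
    versionCode=5120 minSdk=19 targetSdk=28
    versionName=5.12.0.20190725
    requested permissions:
      android.permission.INTERNET
      android.permission.CAMERA
      android.permission.READ_EXTERNAL_STORAGE
    install permissions:
      android.permission.INTERNET: granted=true
    User 0: ceDataInode=1234 installed=true hidden=false
      runtime permissions:
        android.permission.CAMERA: granted=true, flags=[ USER_SET ]
        android.permission.READ_EXTERNAL_STORAGE: granted=true, flags=[ USER_SET ]
        android.permission.ACCESS_FINE_LOCATION: granted=false, flags=[ USER_SET ]
  Package [com.example.calculator] (4d5e6f):
    versionName=2.1
    install permissions:
      android.permission.INTERNET: granted=true
    User 0: ceDataInode=5678 installed=true hidden=false
      runtime permissions:
        android.permission.READ_CONTACTS: granted=true, flags=[ USER_SET ]
"""

if __name__ == "__main__":
    warnings, commands = triage(SAMPLE_DUMP)
    print("\n".join(warnings + commands))
```

Feed it real output with `adb shell dumpsys package > dump.txt` and `triage(open("dump.txt").read())`. Revoking with `pm revoke` only works for runtime (dangerous) permissions, which is exactly the set that matters here; install-time ones like INTERNET cannot be revoked that way, which is why step 2 above reaches for a firewall app instead.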