Keeping Educated: More Android Market security woes - 2 PART (READ POST 1 and 2)
Wildman
Legend

Trojan found in Android Market

Malicious files once again have found their way into the Android Market, with a set of applications being hijacked, reverse engineered with malicious code injected, and published alongside the legitimate applications.

Two things need mentioning up front -- Google has already removed the apps from the Market, and this time around they only affected users in China, where they also originate from.  If you're reading this story, you probably are safe and never were at risk.  But this is still a big concern.  A set of bad guys (that's my safe-for-work version) were able to de-compile apps from a legit developer, put in some code that sends SMS messages to a Chinese subscription service, and then took some really ingenious steps to keep everything hidden from the user.  That's going to happen, because everything that's electronic and popular enough is a target.  The part that is concerning is that these are making their way into the Android Market.

Allow me to have a few hundred words with you about it, after the break.

Source: AegisLabs via Sophos; Thanks, Tony Bag o' Donuts!

 

I'm torn.  As a user and on a personal level I say leave everything open, and force users to be diligent and only install apps they trust, regardless of where they come from.  Learn what the permissions are, and why an app may or may not need them (i.e. Adobe Reader).  But as a blogger and (hopefully) respected Android authority, I have a responsibility to our readers to want what's best for them.  That's you guys.  Many of you are respected Android authorities in your own right, and have no problem discerning what's safe and what's not.  Many others aren't, and depend on Android Central and other Internet resources to offer good advice on how to stay safe.  This leaves me in a bit of a pickle.

While reading the various security publications about this one, I came across a really interesting idea from Vanja Svajcer at Sophos.  His idea is simple and easy to implement -- what we need is two sets of signing keys.  Applications that want or need to do things like send SMS messages, or play around with your contact list should have to use a set of verified keys tied to a legitimate developer account that's been approved by Google.  Let the fart apps and themes keep using user-generated keys -- don't force hobby developers to jump through any hoops for the people at Mountain View if they aren't going to be doing anything that could create a potential security issue.  But the moment an app wants to access your phone book or use your GMail authToken, check the signing key and verify it.  Keep the users safe, and they will stay happy.  Happy users buy more apps, and more Android products.  Rocket science it ain't.  Vanja hit the nail squarely on the head with this one -- what say ye, Google?

Anyhoo, this one's over and done.  If you're curious, here's a list of the affected applications.  Do take note that they all were promptly removed from the Market and only affected users with a Chinese locale and phone number.

  • iBook
  • iCartoon
  • LoveBaby
  • 3D Cube horror terrible
  • Sea Ball
  • iCalendar
  • iMatch
  • Shake Break
  • ShakeBanger
  • iMine
  • iGuide

We'll keep an eye on things, and let you know the next time it happens.  And there will be a next time -- the trade-off for being able to have kick-**bleep** apps like Handcent is having apps that use the same functions and openness for things we would rather they didn't.  At this point, I'm going to have to suggest two things:

  1. Use a "virus" scanner.  Yes, I know there aren't any viruses for Android, but names sort of get stuck.  All the security issues so far have required the end-user to want to install them.  You won't get infected with anything just by using your phone.  There are several in the Market to choose from.  They all work, so check the features of each and make a choice.  Then be glad we have them to do the dirty work for us.
  2. Don't install any apps you shouldn't be.  Yes, it's tempting and we made it fairly easy with the Sideload Wonder Machine (but that was not my intent!).  Security bloggers aren't just blowing smoke when they warn you about this.  If you're capable, hit one of those pirate app forums and download a handful, then reverse engineer them and compare them against the official versions.  If you're not capable, just trust us.  About half of them have some serious differences in the code.  Stick with apps you trust.  Or stick to the Market -- if you do get stuck with a trojan Google will fix you up.  Not only do the developers deserve the few bucks they are asking for their hard work, you'll be safer in the end.

Original Post:   http://www.androidcentral.com/more-android-market-security-woes-and-novel-idea-fix-them-sophos

0 Likes
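Two things in the post above lend themselves to working code: the repackaging itself (a legit app decompiled, an SMS sender injected, republished under a different key) and Sophos's two-tier signing idea (sensitive permissions only with a Google-verified key). The block below is an added example, not code from Android Central, Sophos or Google. It assumes simplified APKs (a zip holding a plain-text manifest, a dex blob and the signer certificate; real APKs carry a binary manifest and a PKCS#7 signature block), constructed certificates, a hypothetical package name, and a hypothetical list of permissions the Market would treat as sensitive.

```python
"""Added example: diff a suspect APK against the official build and apply the
two-tier signing rule.  Not code from Android Central, Sophos or Google; the
APKs, certificates and package name below are constructed stand-ins."""
import hashlib
import io
import xml.etree.ElementTree as ET
import zipfile

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Assumption: the permissions a Market reviewer would tie to a verified key
# under the two-tier proposal.  The real list would be Google's to set.
SENSITIVE = {
    "android.permission.SEND_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.USE_CREDENTIALS",
}


def build_apk(manifest_xml, classes_dex, signer_cert):
    """Constructed stand-in for an APK: a zip holding a plain-text manifest,
    a dex blob and the signer certificate.  Real APKs carry a binary manifest
    and a PKCS#7 signature block; the layout is simplified on purpose."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", manifest_xml)
        z.writestr("classes.dex", classes_dex)
        z.writestr("META-INF/CERT.RSA", signer_cert)
    return buf.getvalue()


def entry_digests(apk):
    """SHA-256 of every zip entry: the cheapest way to see what was touched."""
    with zipfile.ZipFile(io.BytesIO(apk)) as z:
        return {n: hashlib.sha256(z.read(n)).hexdigest() for n in z.namelist()}


def permissions(apk):
    """Permission names from <uses-permission android:name=...> elements."""
    with zipfile.ZipFile(io.BytesIO(apk)) as z:
        root = ET.fromstring(z.read("AndroidManifest.xml"))
    return {e.get("{%s}name" % ANDROID_NS) for e in root.iter("uses-permission")}


def signer_fingerprint(apk):
    """SHA-256 of the signer certificate: the identity a key check compares."""
    with zipfile.ZipFile(io.BytesIO(apk)) as z:
        return hashlib.sha256(z.read("META-INF/CERT.RSA")).hexdigest()


def diff_apks(official, suspect):
    """What a repackaged copy changed relative to the developer's own build."""
    a, b = entry_digests(official), entry_digests(suspect)
    return {
        "signer_changed": signer_fingerprint(official) != signer_fingerprint(suspect),
        "added_entries": sorted(set(b) - set(a)),
        "modified_entries": sorted(n for n in a if n in b and a[n] != b[n]),
        "added_permissions": sorted(permissions(suspect) - permissions(official)),
    }


def two_tier_verdict(apk, verified_fingerprints):
    """Sophos's rule: sensitive permissions need a Google-verified key;
    anything else may keep using a self-generated key."""
    wanted = permissions(apk) & SENSITIVE
    if not wanted:
        return "allow: no sensitive permissions, any key will do"
    if signer_fingerprint(apk) in verified_fingerprints:
        return "allow: sensitive permissions backed by a verified developer key"
    return "reject: %s requested with an unverified key" % ", ".join(sorted(wanted))


# Constructed sample: the developer's build, and a copy with an SMS sender
# injected and re-signed with a key the Market has never verified.
MANIFEST = (
    '<manifest xmlns:android="%s" package="com.example.calendar">\n'
    '  <uses-permission android:name="android.permission.INTERNET"/>\n%s'
    "</manifest>"
)
SMS_PERM = '  <uses-permission android:name="android.permission.SEND_SMS"/>\n'
OFFICIAL = build_apk(MANIFEST % (ANDROID_NS, ""), b"dex:original", b"cert:legit-dev")
TROJAN = build_apk(MANIFEST % (ANDROID_NS, SMS_PERM), b"dex:original+sms", b"cert:unknown")
VERIFIED_KEYS = {signer_fingerprint(OFFICIAL)}  # the legitimate developer's approved key

if __name__ == "__main__":
    for k, v in diff_apks(OFFICIAL, TROJAN).items():
        print("%-18s %s" % (k, v))
    print(two_tier_verdict(OFFICIAL, VERIFIED_KEYS))
    print(two_tier_verdict(TROJAN, VERIFIED_KEYS))
```

Note the limit of the key check on its own: a verified developer whose key is stolen, or who goes bad, still passes, which is why the diff against the known-good build (new permission, changed dex, changed signer) is what actually exposes the injected SMS code.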
Re: Google rolling out server-side fix for Android sidejacking issue
Wildman
Legend

Google is rolling out a patch on their servers to fix the Google calendar and contacts sidejacking issue we talked about in a recent Sunday editorial.  This will require no user action, and even your carrier won't be able to stop it so they can put Bing on it first.

To review: there is a bug (that was fixed in Gingerbread) that lets an attacker have potential access to your Google calendar, contacts, and Picasa account if you log in on an unsecure Wifi network.  Because there are about a gazillion phones affected, and many of them will never see Gingerbread, the server-side fix is welcomed.

We don't know the exact details of the fix, but a statement by Google says:

Today we’re starting to roll out a fix which addresses a potential security flaw that could, under certain circumstances, allow a third party access to data available in calendar and contacts. This fix requires no action from users and will roll out globally over the next few days.

We still say the bug should have never made it out to users in the first place, but a speedy resolution is always good.  Just don't forget about Picasa while you're playing in the server code, Google.

 

Original Post: http://www.androidcentral.com/google-rolling-out-server-side-fix-android-sidejacking-issue


0 Likes
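The exposure this post describes, as an added example that is not from Android Central or Google: a scan of captured hotspot traffic for ClientLogin tokens sent in the clear, and one server-side rule that would make such a token useless to whoever sniffed it. The captures are constructed; the `Authorization: GoogleLogin auth=<token>` header format is the one ClientLogin used; `accept_token` is a generic mitigation written for this example, not Google's actual fix, whose details the post says were not published.

```python
"""Added example: spot ClientLogin tokens crossing an open Wi-Fi network in
the clear.  Not code from the original post or from Google.  The captures
below are constructed; only the 'Authorization: GoogleLogin auth=<token>'
header format is real."""
import re

GOOGLELOGIN = re.compile(r"^GoogleLogin\s+auth=(\S+)$", re.IGNORECASE)

# Constructed captures: (transport, host, request head).  "tcp" is plaintext
# HTTP, readable by anyone on the same hotspot; "tls" is HTTPS, where a
# sniffer sees only ciphertext, modelled here as None.
CAPTURES = [
    ("tcp", "www.google.com",
     "GET /calendar/feeds/default/private/full HTTP/1.1\r\n"
     "Host: www.google.com\r\n"
     "Authorization: GoogleLogin auth=DQAAAMkAAAConstructedCalendarToken\r\n"
     "\r\n"),
    ("tcp", "www.google.com",
     "GET /m8/feeds/contacts/default/full HTTP/1.1\r\n"
     "Host: www.google.com\r\n"
     "Authorization: GoogleLogin auth=DQAAAMkAAAConstructedContactsToken\r\n"
     "\r\n"),
    ("tls", "mail.google.com", None),
    ("tcp", "example.com",
     "GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),
]


def parse_head(raw):
    """Split an HTTP request head into (method, target, {header: value})."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *lines = head.split("\r\n")
    method, target = request_line.split(" ")[:2]
    headers = {}
    for line in lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def exposed_tokens(captures):
    """Every ClientLogin token that was sent without TLS, with the endpoint
    it was sent to.  Anyone who captured it can replay it until it expires,
    which is the whole sidejacking problem: the token is a bearer credential
    with nothing tying it to the phone that obtained it."""
    findings = []
    for transport, host, raw in captures:
        if transport != "tcp":
            continue  # ciphertext: nothing for a sniffer to read
        _, target, headers = parse_head(raw)
        m = GOOGLELOGIN.match(headers.get("authorization", ""))
        if m:
            findings.append((host, target, m.group(1)))
    return findings


def accept_token(transport, headers):
    """One server-side rule that removes the exposure: refuse bearer tokens
    that arrive over plaintext, so a sniffed token cannot be replayed over
    the same channel it leaked on.  Generic mitigation for this example, not
    Google's actual fix."""
    has_token = GOOGLELOGIN.match(headers.get("authorization", "")) is not None
    return has_token and transport == "tls"


if __name__ == "__main__":
    for host, target, token in exposed_tokens(CAPTURES):
        print("plaintext token to %s%s: %s..." % (host, target, token[:12]))
```

Run on the constructed captures it reports the calendar and contacts requests and stays silent on the TLS one, which is the practical point for users on open Wi-Fi: whatever your client sends without TLS, the stranger two tables over can read and reuse.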
Re: Keeping Educated: More Android Market security woes - 2 PART (READ POST 1 and 2)
Ann154
Community Leader

I like the idea of Google fixing it on the server side for all of us especially those that have hardware limitations and will never see Gingerbread on their device.

I'm most definitely NOT a VZW employee. If a post answered your question, please mark it as the answer.

0 Likes
Re: Google rolling out server-side fix for Android sidejacking issue
Synycalwon
Contributor - Level 1

The Android apps issue reminds me of the same thing with computers, especially all the fake AV stuff that many users are tricked into installing. Whether a smartphone or computer, I strongly believe in the less is more principle. Don't go installing everything and the kitchen sink if you want to keep your computer (or smartphone) secure and running in peak condition. Many will say that goes counter to what these things are made for. While there is some truth to that, there is a balance that needs to be struck. It's always about security versus convenience (or usability). But, hey, locking your car or house doors isn't very convenient is it? But, you do it and accept the trade off for security. People need to think in these terms for electronic devices too!

 

As to the recent Android bug that may provide access to your Google Calendar/Contacts when using insecure public Wi-Fi hotspots, it also points out the security versus convenience issue. Many, many people simply do not understand the inherent insecure nature of untrusted public networks and the potential risks they take in choosing to use them. Sure, they are convenient, but how secure? Also, one last point, just like limiting what software is installed, one should also limit what your smartphone is syncing. Not only will it save on battery life, but in this case, by turning off syncing of say the calendar and contacts (just sync mail), could thwart or minimize the side jacking threat. :smileyhappy:

0 Likes
Re: Google rolling out server-side fix for Android sidejacking issue
Wildman
Legend

Synycalwon wrote:

The Android apps issue reminds me of the same thing with computers, especially all the fake AV stuff that many users are tricked into installing. Whether a smartphone or computer, I strongly believe in the less is more principle. Don't go installing everything and the kitchen sink if you want to keep your computer (or smartphone) secure and running in peak condition. Many will say that goes counter to what these things are made for. While there is some truth to that, there is a balance that needs to be struck. It's always about security versus convenience (or usability). But, hey, locking your car or house doors isn't very convenient is it? But, you do it and accept the trade off for security. People need to think in these terms for electronic devices too!

 

As to the recent Android bug that may provide access to your Google Calendar/Contacts when using insecure public Wi-Fi hotspots, it also points out the security versus convenience issue. Many, many people simply do not understand the inherent insecure nature of untrusted public networks and the potential risks they take in choosing to use them. Sure, they are convenient, but how secure? Also, one last point, just like limiting what software is installed, one should also limit what your smartphone is syncing. Not only will it save on battery life, but in this case, by turning off syncing of say the calendar and contacts (just sync mail), could thwart or minimize the side jacking threat. :smileyhappy:


Yes, but if users go with your views this will just open up other vulnerability possibilities by not running any protection. Some protection apps do affect system performance, but I am prepared to make the sacrifice. As for disabling all the sync features other than mail, that would not benefit a business-based user and would make having a smart device pointless.

0 Likes
Re: Google rolling out server-side fix for Android sidejacking issue
Synycalwon
Contributor - Level 1

Yes, but if users go with your views this will just open up other vulnerability possibilities by not running any protection. Some protection apps do affect system performance, but I am prepared to make the sacrifice. As for disabling all the sync features other than mail, that would not benefit a business-based user and would make having a smart device pointless.


By all means, smartphone users SHOULD be using some type of security software (ex. Lookout). My point was that people shouldn't go installing all kinds of apps (or on computers, software). By limiting what is installed, you lower the attack surface of the device and reduce the amount of patching that is required. Not to mention minimize software issues that may negatively impact the operation of said device. Like I said though, it's about a balance between security and usability. :smileyhappy:

 

As to the business user (or any user), enable whatever syncing is needed. Again, I was trying to point out the benefit of turning off things you may not need (to reduce the attack surface). Also, for most business users, they are probably not using Google, but connected to their company's mail system and the phone itself is configured and/or locked down by their IT/Telecom staff.

0 Likes
Re: Google rolling out server-side fix for Android sidejacking issue
Wildman
Legend

OK, I didn't understand your statement correctly; you have a very good point. Sorry for the misunderstanding.

0 Likes
Re: Keeping Educated: More Android Market security woes - 2 PART (READ POST 1 and 2)
Ann154
Community Leader
Yet another batch of malware was found recently. Sigh :smileysad:

http://www.droid-life.com/2011/06/01/lookout-identifies-another-34-droiddream-malware-apps-in-the-an...

I'm most definitely NOT a VZW employee. If a post answered your question, please mark it as the answer.

0 Likes
Re: Keeping Educated: More Android Market security woes - 2 PART (READ POST 1 and 2)
Wildman
Legend

Ann154 wrote:
Yet another batch of malware was found recently. Sigh :smileysad:

http://www.droid-life.com/2011/06/01/lookout-identifies-another-34-droiddream-malware-apps-in-the-an...

Thanks for the update, I missed that one. This is starting to get a bit crazy.

0 Likes
Re: Keeping Educated: More Android Market security woes - 2 PART (READ POST 1 and 2)
B33
Legend

All these posts are great as they keep all of us out of harm's way or from going into harm's way. Thanks for the great info! Ra

And Wildman, your last statement above, you're right, it is getting a bit crazy! :smileywink:

0 Likes