Google Play Apps With Over 4.3 Million Downloads Stole Pics, Pushed Porn Ads (arstechnica.com) 48
Google has banned dozens of Android apps downloaded millions of times from the official Play Store after researchers discovered they were being used to display phishing and scam ads or perform other malicious acts. Ars Technica reports: A blog post published by security firm Trend Micro listed 29 camera- or photo-related apps, with the top 11 of them fetching 100,000 to 1 million downloads each. One crop of apps caused browsers to display full-screen ads when users unlocked their devices. Clicking the pop-up ads in some cases caused a paid online pornography player to be downloaded, although it was incapable of playing content. The apps were carefully designed to conceal their malicious capabilities. The apps also hid their icons from the Android app list. That made it hard for users to uninstall the apps, since there was no icon to drag and delete. The apps also used compression archives known as packers to make it harder for researchers -- or presumably, tools Google might use to weed out malicious apps -- from analyzing the wares.
Trend Micro researchers discovered another batch of apps that falsely promised to allow users to "beautify" their pictures by uploading them to a designated server. Instead of delivering an edited photo, however, the server provided a picture with a fake update prompt in nine different languages. The apps made it possible for the developers to collect the uploaded photos, possibly for use in fake profile pics or for other malicious purposes. The developers took pains to prevent users from detecting what was happening. "The remote server used by these apps is encoded with BASE64 twice in the code," Wu wrote. "In addition, several of these apps can also hide themselves via the same hidden technique mentioned above."
Trend Micro researchers discovered another batch of apps that falsely promised to allow users to "beautify" their pictures by uploading them to a designated server. Instead of delivering an edited photo, however, the server provided a picture with a fake update prompt in nine different languages. The apps made it possible for the developers to collect the uploaded photos, possibly for use in fake profile pics or for other malicious purposes. The developers took pains to prevent users from detecting what was happening. "The remote server used by these apps is encoded with BASE64 twice in the code," Wu wrote. "In addition, several of these apps can also hide themselves via the same hidden technique mentioned above."
Re: (Score:2)
Re: (Score:2)
Wait -- so this means that Google has the ability to ban any app, for any reason they choose, at any time? I think this is a far bigger story. Do we really want to live in a world where Google has absolute control over any application on their platform?
Re: (Score:2)
That's not news because the fact that Google and Apple have complete control over their respective app stores is well known. Apple's control over iOS is tighter than Google's control over Android in some ways because at least there are alternative ways of getting pre-built applications for Android (for example, Amazon's app store or F-Droid), whereas the only ways of installing apps on an iOS device other than from Apple's store are to build them from source (on a Mac) or to have a corporate account that l
Re: (Score:2)
Google may be more rigourous, find 99.99% (Score:2)
I understand your frustration. Unfortunately, in security the defender can do a very good job and still miss an attack.
"Missed one" doesn't mean they didn't catch and stop 10,000 others. Google could be catching and preventing 99.99% of attempts to put something nasty in the Play Store, and still some would get through - 0.01%, to be exact.
What we know is that Google didn't do the exact same checks that these researchers did, at the exact same time, on the same apps.
This isn't to excuse any weaknesses that
OMG! (Score:1)
"The remote server used by these apps is encoded with BASE64 twice in the code," Wu wrote.
Those tricky devils!
Did they use QUADRUPLE ROT13 encryption, too? (Score:2)
Stronger than D-ROT13, and MORE FIENDISH!
Common in PHP-based malware (Score:2)
I found that interesting because that has long been common in PHP-based malware, snippets that bad actors add to legitimate PHP pages. Many years ago I wrote software to scan a web server for malware and base64_decode was one thing it looked for.
Re: (Score:2)
Of course, it's also the way you move protobufs from client to server, so don't be surprised if you see it used pretty frequently in some server software. :-)
Re: (Score:2)
I think you're projecting again.
Re: (Score:2)
I didn't say you had a smartphone, nor did I say you need one. I said you're projecting.
The List in plain text (Score:5, Informative)
Indicators of Compromise (IoCs)
Package "Label" Installs
com.beauty.camera.years.pro "Pro Camera Beauty" 1,000,000+
com.cartoon.art.photo.ygy.camera "Cartoon Art Photo" 1,000,000+
com.lyrebirdstudio.emoji_camera "Emoji Camera" 1,000,000+
art.eff.filter.photo.editor "Artistic effect Filter" 500,000+
art.filter.editor.imge "Art Editor" 100,000+
com.beauty.camera.project.cloud "Beauty Camera" 100,000+
com.selfie.camerapro.pro "Selfie Camera Pro" 100,000+
com.camera.beauty.kwok.horizon "Horizon Beauty Camera" 100,000+
com.camera.ygysuper.photograph "Super Camera" 100,000+
com.effects.art.photo.for.self "Art Effects for Photo" 100,000+
com.solidblack.awesome.cartoon.art.pics.photo.editor "Awesome Cartoon Art" 100,000+
com.photoeditor.artfilterphoto "Art Filter Photo" 50,000+
com.photocorner.artfilter.arteffect.prizma "Art Filter Photo Effcts" 10,000+
com.picfix.cartoonphotoeffects "Cartoon Effect" 10,000+
com.picsartitude.arteffect "Art Effect" 10,000+
com.csmart.photoframelab "Photo Editor" 5,000+
com.wallpapers.nuclear.hd.hd3d.best.live.nuclear "Wallpapers HD" 5,000+
com.perfectmakeup.magicartfilter.photoeditor.selfiecamera "Magic Art Filter Photo Editor" 5,000+
appworld.fillartphotoeditor.technology "Fill Art Photo Editor" 1,000+
com.artflipphotoediting "ArtFlipPhotoEditing" 1,000+
com.artphoto.artfilter.artpiczone "Art Filter" 1,000+
com.photoeditor.cartoonphoto "Cartoon Art Photo" 1,000+
com.photoeditor.prismaeffects "Prizma Photo Effect" 1,000+
com.cmds.artphotofiltereffect "Cartoon Art Photo Filter" 100+
com.latestnewappzone.photoartfiltereditor "Art Filter Photo Editor" 100+
com.livewallpaperstudio.pixture "Pixture" 100+
app.pixelworlds.arteffect "Art Effect" 50+
timepassvideostatus.photoarteffect.cartoonpainteffect "Photo Art Effect" 10+
com.techbuzz.cartoonfilter "Cartoon Photo Filter" 5+
Package "Label" Installs
The Problem with App Stores (Score:4, Insightful)
The basic problem (and benefit, sadly) of these wretched App Stores is pretty simple. They put everyone on a level playing field to publish apps. This seems like a good thing, but it's not. Not even close.
Gone are the days of going to a reputable vendor to acquire software you're interested in. Instead, you search the app store, and reputable and disreputable apps are offered up.
This is a serious problem and the Achilles heel of App Store, and why I've railed against them for years. They are not a good idea, not even close. We need to go back to the previous way of doing things, where reputable companies are rewarded by customers when they act responsibly, and disreputable companies go out of business cuz no one buys their garbage.
The App store model short circuits this, and when an App is found to be malicious, the publisher found to be disreputable, they just fold up their junk and republish under a new name, with a new malicious app. This is really broken folks.
Walled garden (Score:2)
Why not me? (Score:2)
Re: (Score:2)
You have to pay extra for that.
I observe that the compromised apps are all of the variety that apply cute stickers to selfies. I wonder what sort of porn those users are being targeted with? Perhaps deepfakes of themselves.
Takes one to know one (Score:2)
Apps hide themselves!?! (Score:2)
Wait.... Why is that even possible? Every app that is installed should have an icon on the home screen, and if the icon is missing or damaged, the OS should substitute a default icon. Is there some valid/reasonable use for this behavior that I'm missing? If not, it seems like the right fix is to just remove the feature.
Re: (Score:2)
Unfortunately it's not possible due to Android architecture. An APK f