Android Bitcoin Google Software

Google Play Caught Hosting An App That Steals Users' Cryptocurrency (arstechnica.com) 66

The Google Play Store has been caught hosting an app designed to steal cryptocurrency from unwitting end users, according to researchers with the security company Eset. "The malware, which masqueraded as a legitimate cryptocurrency app, worked by replacing wallet addresses copied into the Android clipboard with one belonging to attackers," reports Ars Technica. "As a result, people who intended to use the app to transfer digital coins into a wallet of their choosing would instead deposit the funds into a wallet belonging to the attackers." From the report: So-called clipper malware has targeted Windows users since at least 2017. The clipper malware available in Google Play impersonated a service called MetaMask, which is designed to allow browsers to run apps that work with the digital coin Ethereum. The primary purpose of Android/Clipper.C, as Eset has dubbed the malware, was to steal credentials needed to gain control of Ethereum funds. It also replaced both bitcoin and Ethereum wallet addresses copied to the clipboard with ones belonging to the attackers. Eset spotted the app shortly after its introduction to Google Play on February 1. Google has since removed it. Stefanko said it's the first time clipper malware has been hosted in the Android app bazaar. Eset malware researcher Lukas Stefanko wrote: "This attack targets users who want to use the mobile version of the MetaMask service, which is designed to run Ethereum decentralized apps in a browser, without having to run a full Ethereum node. However, the service currently does not offer a mobile app -- only add-ons for desktop browsers such as Chrome and Firefox. Several malicious apps have been caught previously on Google Play impersonating MetaMask. However, they merely phished for sensitive information with the goal of accessing the victims' cryptocurrency funds."
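The clipboard swap described in the summary leaves a recognisable trace: a wallet address is overwritten moments later by a different address of the same kind, written by an app that is not on screen. The following detection logic is an added example, not code from Eset, Ars Technica or Slashdot; the `ClipEvent` telemetry record, the package names and the sample addresses are assumptions constructed for illustration.

```python
import re
from dataclasses import dataclass

# Shape checks only (no checksum): enough to recognise a wallet address and its kind.
PATTERNS = {
    "ethereum": re.compile(r"0x[0-9a-fA-F]{40}"),
    "bitcoin": re.compile(r"[13][1-9A-HJ-NP-Za-km-z]{25,34}|bc1[02-9ac-hj-np-z]{11,71}"),
}

def address_kind(text):
    """Return 'ethereum', 'bitcoin' or None for a clipboard string."""
    for kind, pattern in PATTERNS.items():
        if pattern.fullmatch(text.strip()):
            return kind
    return None

def normalise(text):
    # Ethereum hex is case-insensitive apart from its checksum casing; Base58 is not.
    text = text.strip()
    return text.lower() if address_kind(text) == "ethereum" else text

@dataclass
class ClipEvent:          # hypothetical telemetry record, one per clipboard write
    t: float              # seconds since capture start
    app: str              # package that wrote the clipboard
    foreground: bool      # was that package on screen when it wrote?
    text: str

def find_swaps(events, window=5.0):
    """Pairs (original, replacement) where a background app overwrote a wallet
    address with a different address of the same kind within `window` seconds."""
    findings, prev = [], None
    for ev in sorted(events, key=lambda e: e.t):
        kind = address_kind(ev.text)
        if (prev is not None and kind is not None
                and kind == address_kind(prev.text)
                and normalise(ev.text) != normalise(prev.text)
                and not ev.foreground
                and ev.t - prev.t <= window):
            findings.append((prev, ev))
        prev = ev
    return findings

# Constructed sample: shape-valid placeholder addresses, not real wallets.
VICTIM_ETH, SWAPPED_ETH = "0x" + "a1" * 20, "0x" + "b2" * 20
SAMPLE = [
    ClipEvent(0.0, "com.example.browser", True, "meeting at 10"),
    ClipEvent(12.0, "com.example.browser", True, VICTIM_ETH),
    ClipEvent(12.3, "com.example.fakewallet", False, SWAPPED_ETH),
    ClipEvent(40.0, "com.example.browser", True, "0x" + "c3" * 20),
]
```

On the constructed sample, `find_swaps(SAMPLE)` reports only the write at 12.3 s; the later foreground copy of a third address is treated as the user's own action.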
  • Caught (Score:4, Insightful)

    by Luthair ( 847766 ) on Sunday February 10, 2019 @03:43PM (#58100258)
    implies they were somehow supposed to know.
    • Re:Caught (Score:4, Insightful)

      by drinkypoo ( 153816 ) <drink@hyperlogos.org> on Sunday February 10, 2019 @04:40PM (#58100516) Homepage Journal

      They were. The Play Store is supposed to be curated.

      • by Luthair ( 847766 )
        Nope.
        • Nope.

          Please explain "Play Protect"

          • by Luthair ( 847766 )

            Play Protect is for malware which is software that attempts to compromise the system. How the fuck is what amounts to an anti-virus scanner supposed to detect an application that doesn't work as advertised? Was Google (or Apple) supposed to do a code audit? Are application developers going to pay Apple/Google 10s of thousands of dollars to do this for every patch?

            I guess it's too much to ask for some common sense about technology even on Slashdot these days.

            • Play Protect is for malware which is software that attempts to compromise the system. How the fuck is what amounts to an anti-virus scanner supposed to detect an application that doesn't work as advertised? Was Google (or Apple) supposed to do a code audit?

              According to Google's page on Play Protect [android.com], "All Android apps undergo rigorous security testing before appearing in the Google Play Store. We vet every app and developer in Google Play, and suspend those who violate our policies. Then, Play Protect scans billions of apps daily to make sure everything remains spot on. That way, no matter where you download an app from, you know it's been checked by Google Play Protect." And also:

              How can I protect my device from harmful apps?

              First, make sure you

              • One of the wonderful things about testing for unknowns is that you need to have a testing methodology designed to detect the thing you don't know is happening. Play Protect or any curation system can't ever detect all possible nefarious actions by apps. It can only detect the ones that are known and scanned for.

                Stop pretending a curated experience is something it's not. If you want a white list, then just download apps listed as "Google LLC".

                • I'm not the one pretending. Google is. They're the ones saying their vetting process keeps users safe.

                  • Google is not pretending. They did not say anywhere on their site they capture 100% of all malware as well as vet the nefarious actions of all possible malevolent developers.

                    Stop pretending Google said they do something they don't.

      • This is an age old problem. It doesn't matter how good your defenses are because they need to focus on the hundreds or thousands of adversarial actors and stop all of them. An attacker need not divide its efforts or attention and will eventually be able to sneak through. You can't rely on anyone else to provide you with perfect security. It's simply unobtainable and believing that you can have it is only leaving yourself vulnerable. Personal vigilance will always be necessary in order to minimize your own e
        • This is why app stores are bad. They can't (google) or won't (apple) put in the effort to properly vet all the apps, but the fact that they are in an app store lends them an undeserved legitimacy. The vendors have to drive traffic to their app store to make money, so it's not in their best interest to be too exclusive. Both Apple and Google have delivered malware via their app stores, and so has Microsoft for that matter, so this is a universal problem. With Google or Microsoft, at least you're not forced t

        • This.

          CaptainDork's 17th Corollary: "For every motherfucker out there with a computer, there's another motherfucker out there with a computer."

          There's no computational hierarchy such as "commercial," vs "residential" or "government" vs "civilian."

          It's the same goddam hardware/software all the fucking way down.

    • Well, the journalist has to do that, to get the clicks. The author used to work for the Associated Press and has a master's in journalism from Berkeley. [arstechnica.com] He knows what he's doing and how to do it. Remember the days when journalists were about truth and were on our side?
  • ... that I didn't like.
