Google Play Caught Hosting An App That Steals Users' Cryptocurrency (arstechnica.com) 66
The Google Play Store has been caught hosting an app designed to steal cryptocurrency from unwitting end users, according to researchers with Eset security company. "The malware, which masqueraded as a legitimate cryptocurrency app, worked by replacing wallet addresses copied into the Android clipboard with one belonging to attackers," reports Ars Technica. "As a result, people who intended to use the app to transfer digital coins into a wallet of their choosing would instead deposit the funds into a wallet belonging to the attackers." From the report: So-called clipper malware has targeted Windows users since at least 2017. The clipper malware available in Google Play impersonated a service called MetaMask, which is designed to allow browsers to run apps that work with the digital coin Ethereum. The primary purpose of Android/Clipper.C, as Eset has dubbed the malware, was to steal credentials needed to gain control of Ethereum funds. It also replaced both bitcoin and Ethereum wallet addresses copied to the clipboard with ones belonging to the attackers. Eset spotted the app shortly after its introduction to Google Play on February 1. Google has since removed it. Stefanko said it's the first time clipper malware has been hosted in the Android app bazaar. Eset malware researcher Lukas Stefanko wrote: "This attack targets users who want to use the mobile version of the MetaMask service, which is designed to run Ethereum decentralized apps in a browser, without having to run a full Ethereum node. However, the service currently does not offer a mobile app -- only add-ons for desktop browsers such as Chrome and Firefox. Several malicious apps have been caught previously on Google Play impersonating MetaMask. However, they merely phished for sensitive information with the goal of accessing the victims' cryptocurrency funds."
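The address swap described in the summary can be detected from clipboard telemetry. The sketch below is an added example, not code from Eset, Ars Technica or the original post. It assumes a hypothetical log of clipboard writes as (timestamp, writer, text) tuples, and the sample addresses are constructed placeholders, not real wallets.

```python
import re

# Address shapes for the two coins named in the summary (format check only,
# no checksum validation): Ethereum, and bitcoin legacy Base58 or bech32.
PATTERNS = {
    "ethereum": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "bitcoin": re.compile(
        r"^(?:[13][1-9A-HJ-NP-Za-km-z]{25,34}|bc1[02-9ac-hj-np-z]{11,71})$"),
}

def address_kind(text):
    """Return 'ethereum', 'bitcoin', or None for a clipboard string."""
    value = text.strip()
    for kind, pattern in PATTERNS.items():
        if pattern.match(value):
            return kind
    return None

def find_swaps(events, window=2.0):
    """Flag writes that overwrite a wallet address with a different address
    of the same kind, from a different writer, within `window` seconds.

    events: list of (timestamp_seconds, writer, text), oldest first.
    The event format and writer attribution are assumptions of this example.
    """
    alerts, prev = [], None
    for ts, writer, text in events:
        kind = address_kind(text)
        if (prev and kind and kind == prev[3]
                and text.strip() != prev[2].strip()
                and writer != prev[1] and ts - prev[0] <= window):
            alerts.append({"time": ts, "kind": kind, "writer": writer,
                           "copied": prev[2].strip(),
                           "replaced_with": text.strip()})
        prev = (ts, writer, text, kind)
    return alerts

# Constructed sample events; every address here is a made-up placeholder.
SAMPLE_EVENTS = [
    (0.0, "browser", "0x" + "1" * 40),     # user copies a destination address
    (0.3, "wallet_app", "0x" + "2" * 40),  # another app overwrites it at once
    (10.0, "browser", "hello"),            # ordinary text, ignored
    (20.0, "browser", "1" + "A" * 33),     # user copies a bitcoin address
    (30.0, "browser", "1" + "B" * 33),     # same writer, later copy: benign
]

if __name__ == "__main__":
    for alert in find_swaps(SAMPLE_EVENTS):
        print(alert)
```

The same comparison works without telemetry: before sending, check the pasted address character by character against the one originally copied.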
Caught (Score:4, Insightful)
Re: (Score:2)
I know I expect every app to always be available without a man in the middle attack.
Even if the app *is* the man in the middle?
Yeah you went there. You decided that this wasn't the problem.
Re: Caught (Score:1)
So Google Voice shouldn't be a dialer from the phone book? Ad blockers should all be banned? All VPN apps should be removed?
You didn't think this through, did you.
Re:Caught (Score:4, Insightful)
They were. The Play Store is supposed to be curated.
Re: (Score:2)
Nope.
Please explain "Play Protect"
Re: (Score:2)
Play Protect is for malware which is software that attempts to compromise the system. How the fuck is what amounts to an anti-virus scanner supposed to detect an application that doesn't work as advertised? Was Google (or Apple) supposed to do a code audit? Are application developers going to pay Apple/Google 10s of thousands of dollars to do this for every patch?
I guess it's too much to ask for some common sense about technology even on Slashdot these days.
Re: (Score:3)
Play Protect is for malware which is software that attempts to compromise the system. How the fuck is what amounts to an anti-virus scanner supposed to detect an application that doesn't work as advertised? Was Google (or Apple) supposed to do a code audit?
According to Google's page on Play Protect [android.com], "All Android apps undergo rigorous security testing before appearing in the Google Play Store. We vet every app and developer in Google Play, and suspend those who violate our policies. Then, Play Protect scans billions of apps daily to make sure everything remains spot on. That way, no matter where you download an app from, you know it's been checked by Google Play Protect." And also:
Re: (Score:2)
One of the wonderful things about testing for unknowns is that you need to have a testing methodology designed to detect the thing you don't know is happening. Play Protect or any curation system can't ever detect all possible nefarious actions by apps. It can only detect the ones that are known and scanned for.
Stop pretending a curated experience is something it's not. If you want a white list, then just download apps listed as "Google LLC".
Re: (Score:2)
I'm not the one pretending. Google is. They're the ones saying their vetting process keeps users safe.
Re: (Score:2)
Google is not pretending. They did not say anywhere on their site they capture 100% of all malware as well as vet the nefarious actions of all possible malevolent developers.
Stop pretending Google said they do something they don't.
Re: (Score:2)
Play Protect wouldn't exist if the Play Store was curated, dumbass.
Just because you pick a good looking app doesn't mean you don't test it to make sure nothing's wrong.
Re: (Score:2)
This is why app stores are bad. They can't (google) or won't (apple) put in the effort to properly vet all the apps, but the fact that they are in an app store lends them an undeserved legitimacy. The vendors have to drive traffic to their app store to make money, so it's not in their best interest to be too exclusive. Both Apple and Google have delivered malware via their app stores, and so has Microsoft for that matter, so this is a universal problem. With Google or Microsoft, at least you're not forced t
Re: (Score:2)
The level of scrutiny you want would lead to no third party apps ever being published.
It would probably require that full sources be sent to the app store vendor, and the software compiled by them for distribution. You know, like with an Ubuntu PPA. Of course, you then have to trust the vendor not to rip off your sources — but if you don't trust Google, you're already not selling through their app store, right?
One way to handle that trust issue would be to offer verification as an optional feature, with the caveat that users would be able to search for only verified apps. Since Android
Re: (Score:2)
The level of scrutiny you want would lead to no third party apps ever being published.
It would probably require that full sources be sent to the app store vendor, and the software compiled by them for distribution. You know, like with an Ubuntu PPA. Of course, you then have to trust the vendor not to rip off your sources — but if you don't trust Google, you're already not selling through their app store, right?
One way to handle that trust issue would be to offer verification as an optional feature, with the caveat that users would be able to search for only verified apps. Since Android users are not forced to install only apps from the app store, those who would be unwilling to download non-source-verified apps from the Play Store could still get apps from popular, trusted vendors such as Autodesk or [amusingly] Adobe, and sideload them. Developers who didn't want to provide sources to Google could choose between competing with source-verified apps in the Google Play Store, and competing with the Play Store itself by hosting the apps on their own sites.
that's how sponsored malware happens. Oh this one was compiled by google do you know it has the google search bar built in regardless of how annoying that is.
Re: (Score:2)
that's how sponsored malware happens. Oh this one was compiled by google do you know it has the google search bar built in regardless of how annoying that is.
Nice FUD you've got there. Google doesn't need to build the search bar into your app, because they already have it built into their OS. If anything, the fear should be that they would include telemetry, but it would make more sense to build that into their OS, too. They could already be recording your activity and sending it home if they wanted to, but then they would probably get caught, so even if they want to they probably won't do that.
Re: (Score:2)
that's how sponsored malware happens. Oh this one was compiled by google do you know it has the google search bar built in regardless of how annoying that is.
Nice FUD you've got there. Google doesn't need to build the search bar into your app, because they already have it built into their OS. If anything, the fear should be that they would include telemetry, but it would make more sense to build that into their OS, too. They could already be recording your activity and sending it home if they wanted to, but then they would probably get caught, so even if they want to they probably won't do that.
I wasn't literally talking about a search bar. That would make no sense both for a mobile program and for android/google. I was using it to reference the way apps often come bundled with things like a search bar. My point was that when you force an organization to compile it themselves what tends to happen is that eventually they start injecting their own stuff in there.
Re: (Score:2)
This.
CaptainDork's 17th Corollary: "For every motherfucker out there with a computer, there's another motherfucker out there with a computer."
There's no computational hierarchy such as "commercial," vs "residential" or "government" vs "civilian."
It's the same goddam hardware/software all the fucking way down.
Re: (Score:2)
What is untruthful in the story?
Re: (Score:2)
Apps literally exist because corps found the web sandbox too restrictive, and wanted to suck up vastly more data (especially accurate location data).
Applications existed before the web did. What are you on about?
Re: (Score:2)
Don't play stupid with me. These aren't applications, they're "apps".
Quick quiz, hotshot. What is "apps" short for?
It's commodified software for retards, and the normalization of not being in control of your own hardware.
As opposed to webapps, where you're not in control of your own data?
When did app stores begin? (Score:2)
Applications existed before the web did.
Correct. But did an app store, which I define as an interactive package manager for optionally proprietary, optionally commercial, downloadable applications on residential computing devices, predate the web?
Re: (Score:2)
Correct. But did an app store, which I define as an interactive package manager for optionally proprietary, optionally commercial, downloadable applications on residential computing devices, predate the web?
Not to my knowledge, although one of the corporate BBSes (like Prodigy or GEnie) might have had some of that kind of functionality, and I could be unaware of it. But what does any of this have to do with whether it makes sense to run applications on one's computer?
Re: (Score:2)
But what does any of this have to do with whether it makes sense to run applications on one's computer?
I was seeing if I could rescue some underlying point from Anonymous Coward's comment despite its (mis)use of the term "apps" to mean "applications downloaded from an app store". With "apps" redefined thus, the claim becomes as follows:
On devices whose OS ships with both a web browser and a client to download paid applications from a repository, native applications exist because corporations found the web sandbox too restrictive, and wanted to suck up vastly more data (especially accurate location data). All
Re: (Score:2)
I assumed they were talking about the early days of iOS, when everything was supposed to run in a browser. Ironically, this might actually work today, because the browser now has more functionality, but at the time it was totally ridiculous.
I never MetaMask ... (Score:2)
... that I didn't like.