Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Android Google Privacy Security

Google Removes 25 Android Apps Caught Stealing Facebook Credentials (zdnet.com) 33

Google has removed this month 25 Android apps from the Google Play Store that were caught stealing Facebook credentials. From a report: Before being taken down, the 25 apps were collectively downloaded more than 2.34 million times. The malicious apps were developed by the same threat group and despite offering different features, under the hood, all the apps worked the same. According to a report from French cyber-security firm Evina shared with ZDNet today, the apps posed as step counters, image editors, video editors, wallpaper apps, flashlight applications, file managers, and mobile games. The apps offered a legitimate functionality, but they also contained malicious code. Evina researchers say the apps contained code that detected what app a user recently opened and had in the phone's foreground. If the app was Facebook, the malicious app would overlay a web browser window on top of the official Facebook app and load a fake Facebook login page (see image below: blue bar = actual Facebook app, black bar = phishing page).
This discussion has been archived. No new comments can be posted.

Google Removes 25 Android Apps Caught Stealing Facebook Credentials

Comments Filter:
  • What? (Score:5, Insightful)

    by ledow ( 319597 ) on Tuesday June 30, 2020 @09:14AM (#60246554) Homepage

    "overlay a web browser window on top of the official Facebook app"

    How is that even possible?

    The problem there is not the app, but that it can even do that.

    Even my TVheadend app overlay (to put TV over the top of the Android interface) requires special permissions and isn't convincing enough, especially where interaction (e.g. typing in details) is concerned.

    • Re:What? (Score:4, Informative)

      by Luthair ( 847766 ) on Tuesday June 30, 2020 @09:29AM (#60246630)
    • Re:What? (Score:5, Interesting)

      by geekmux ( 1040042 ) on Tuesday June 30, 2020 @09:32AM (#60246644)

      "overlay a web browser window on top of the official Facebook app"

      How is that even possible?

      The problem there is not the app, but that it can even do that.

      That's only a side-effect of the problem.

      The actual problem here, is we'll find another 25 (or 250) "bad" apps in the store a year from now abusing this same vulnerability, as Google pretends they give a shit about security with this whack-a-mole tactic while doing nothing to actually fix the real problem you've identified.

      • by vivian ( 156520 )

        The other actual problem here is the only action taken is to just remove the apps from the play store.

        Google should be maintaining identifiable parties who are responsible for each app that goes into the app store, and should be suing the directors and developers of the company into oblivion for this malicious app design - after all, it is causing real damage to their platform and business.

        Legal authorities in the relevant country should also be pressing criminal fraud charges against them.

        Just dropping the

      • by ledow ( 319597 )

        That's a never-ending problem.

        While you are allowing code use, everything from self-modifying code to obfuscation to literal encryption of an executable will hide everything that it's could *possibly* be attempting to do... how do you know that app doesn't have line to delete the whole filesystem on the July 1st 2020? You can't. You literally cannot analyse a binary and tell things like that. Even the source can contain things like that that you have no hope of detecting even with an expert spending year

    • How is that even possible?

      Because... computers.

      • How is that even possible?

        Because Google. Allowing background apps to overlay the foreground app without explicit permission from the user was a security disaster waiting to happen. And it happened.

    • by Bengie ( 1121981 )
      The autofill framework gives a way for one app to overlay another app, but does it in a controlled fashion and not even direct access. The app has tell the framework what elements event exist and what kind, user or password, and the other app can only interact in very certain ways via an API.

      If people want different apps to overlay other apps, it should always be done in a controlled fashion like the autoifill framework.
    • Re:What? (Score:4, Informative)

      by swillden ( 191260 ) <shawn-ds@willden.org> on Tuesday June 30, 2020 @11:03AM (#60246970) Journal

      "overlay a web browser window on top of the official Facebook app"

      How is that even possible?

      The problem there is not the app, but that it can even do that.

      The Android security platform team has been trying to kill the overlay feature for at least six years. Ironically, one of he biggest obstacles to removing it is Facebook Messenger, which uses it to show "chathead" bubbles. There are other legitimate apps that use it, but FB Messenger is the most prominent, I think.

      In Android Q a new "bubbles" API was launched that allows FB Messenger and similar apps to do what they want in a safe way, and the overlay feature is going to be removed from Android. I think users also have to explicitly grant overlay permission and have for some years.

      • by Bengie ( 1121981 )
        Users have been trained to just click through permission prompts. Even if they did read it, they wouldn't understand. That's like saying "users shouldn't get phished, they have to answer the phone. Why would they answer a call from a phisher?". Heck, I am tech savvy and I can't make proper informed decisions about permissions for an app.
        • Users have been trained to just click through permission prompts.

          That's why this isn't a standard permission prompt. Giving overlay approval requires the user to navigate to the special dangerous permissions page and explicitly give approval.

  • 1) This is the first article I have read of this kind that actually LISTED the apps. Way to go author! Normally I read about all these malicious apps, but there's nary a listing of them, leaving me to wonder. Thankfully, I install vary few apps, and only from trusted sources. Not that it makes you that much safer. :(

    2) When you have one of these kinds of apps on your system, and Google removes it from the market, do they remote uninstall from your device? Or is it left there still? Anyone know?

    • ...2) When you have one of these kinds of apps on your system, and Google removes it from the market, do they remote uninstall from your device? Or is it left there still? Anyone know?

      I'm all for helping out the average idiot trying to operate a computer these days, but do you really want companies to hold not only this power, but this responsibility as well?

      With the way Big Tech seems to be leaning, it won't be long before apps are subjected to "remote uninstall" based on nothing but political/religious/ideological differences. Is that what we want/need?

      TL; DR - Be careful what you ask for. You just might get it.

      • by egyas ( 1364223 )

        To be clear, I'm not asking for them to do this. I'm asking if they DO currently. I have so few apps on my phone that it's never been an issue. Some people, like one off my daughters or example, have 17,000 apps (obviously an exaggeration) however. lol

        It wouldn't surprise me at all of she has these kind of things happening to her (installing these compromised apps) all the time.

        I'm just wondering that the major makors (Apple, Android, etc) CURRENTLY do about it.

        • ...It wouldn't surprise me at all of she has these kind of things happening to her (installing these compromised apps) all the time.

          I'm just wondering that the major makors (Apple, Android, etc) CURRENTLY do about it.

          I'm rather surprised. It appears they care about security. Kind of. From TFA:

          "When Google removes malicious apps from the Google Store, the company also disables the apps on a user's devices and notifies users via the Play Protect service included with the official Play Store app."

          "Some of the apps had been available on the Play Store for more than a year before they were removed."

  • So WTF is with the flashlight apps? Who installs those in 2020? Google introduced a native flashlight toggle built right in back in 2014 with Lollipop. That is 5 1/2 years ago!

    And can we please put some context around these reports? How many of these apps were targeted at Chinese? I'm guessing apps with package names like "com.sun.newjbq.beijing.ten", "com.superapp.xincheng", and "com.tiantian.lang.tencent" really don't have much impact in the Americas or Europe.

    It really makes a difference as to the amount

    • by spitzak ( 4019 )

      From the screenshot in the article, it is a "super bright flashlight". I think some people believe that the correct app can make the flash led brighter and download this.

  • I have a global rule blocking everything trying to go to *.bookface.com:* on my phone.

  • What's the point of having a Google "store", if anybody can put whatever they want into the store without any sort of review? How's it any different from just downloading random stuff from the Internet?
    • by nnet ( 20306 )
      What's the point of having any repository, for any software, for any purpose? A rose by any other name...
    • by cusco ( 717999 )

      I don't really even see the point of stealing Facebook credentials, unless the user is stupid enough to tie their account to their bank in order to transfer money through WhatsApp and people that dumb don't normally have enough money to make it worthwhile. This seems one of the more pointless attacks that I've heard of, unless there's something that I'm missing (quite possible since I've never created a FB account.)

  • I recall ever since the first time I've signed into Facebook in an app (be it a game or something like Instagram), it seemed to me that it would be quite trivial to create a pop-up page in an app that looked just the same as what you see for FB, Twitter, etc, and stole your details.

    I don't develop apps, and don't know what sort of checks they go through, but really what's stopping me from doing that in an app?

  • I stopped using the Facebook app years ago when they introduced app overlays. What a horrible feature. I didn't even stop because of the security; I just hated seeing FB put a bubble on my screen while I was browsing shit.

  • My bank shows a user-specific image on its login page. If I don't see a photo of me, I don't enter the password. Problem solved (for non-dumbass users anyway).
    • by spitzak ( 4019 )

      Considering the users are not seeing the double titlebar that is in the screenshot, this may not help any.

  • Why do people persist on using Android? They like shiny things?

It is not best to swap horses while crossing the river. -- Abraham Lincoln

Working...