Tuesday, March 25, 2014

Free Android Games! Bonus Malware Included!

You don't want this "night vision" app
Earlier this month, antivirus company Avast alerted us to a piece of malicious software masquerading as a "night vision camera app" that slipped through safeguards and made its way into the Google Play Store. The app claimed to let you take pictures in the dark, with the specific example of spying on your neighbor changing (sex still sells, never mind that unless your neighbor changes with the lights out, a night vision capability will be useless).

Needless to say, the app does not do what it claims to do. But what it does do is quite unpleasant. This particular app collects phone numbers from your contacts list and sends them to a server in order to register them with a premium SMS list. Then, depending on some factors that are not clearly explained, it can add as much as $50/month to your cell phone bill through premium SMS.

Karma? Maybe, maybe not. Regardless, an app that does one thing on the surface, but something else entirely behind the scenes, is the very definition of a Trojan, something that has plagued computing of all forms for many years. PC World reports that malicious apps in the "official" app markets are steadily growing. Apple is not immune - a few years ago a flashlight app included an undisclosed feature that enabled data tethering without subscribing to the carrier's added-cost service (not exactly malicious, in fact an ingenious way around certain carriers' fee-boosting shenanigans, but still an example of something hiding under the covers).

What can you do about this?

  • Stick to the major app markets
    While this demonstrates that the major app markets (Apple's App Store, Google's Play Store, Amazon App Store for Android, Windows Phone Store, as well as stores provided by your phone's maker or your cell service provider) can be compromised, they are still far safer than sources off the beaten path. The major markets have at least some protections in place to reduce the risk of malicious apps, and they do a pretty decent job of removing apps found to have undesirable features. Outside of the major markets, it really is the "Wild West."
  • Disable installation from "unknown sources"
    Hand in hand with the above, be sure you cannot accidentally install something from outside the app markets. Android by default only allows installing apps from within a market such as Google Play or Amazon App Store. From within Security Settings there is an option to enable installation of apps from outside these stores - and many times there is a legitimate reason. One of the simplest reasons is that Amazon's App Store does not come standard on many devices, and is not available from Google Play (is that any surprise?). Enabling Unknown Sources long enough to install a specific, intentional app is fine; but leave it unchecked otherwise.

    Apple devices do not have such a feature - in theory you cannot install apps except through the sanctioned App Store. However at least one developer has found a way around this - with no way for you as the device owner to disable it.
  • Use Superuser wisely
    If you choose to root your phone and install a superuser app, by all means configure the app to ask you each time an app requests SU privileges. If you don't know how to do this, you have no business rooting or jailbreaking your device.
  • Mobile Antimalware / Antivirus
    Many of the companies that make traditional AV for desktop computers also make antivirus for mobile devices. As the threat of mobile malware grows, the need for mobile malware protection is becoming more compelling. But smartphones don't have the same processing power as PCs ... allocating some of that precious CPU to an AV program is currently a tough choice to make. Let your degree of paranoia guide you in this choice.
  • Pay attention to permissions
    Perhaps more important than anything else, don't blindly hit "accept" when the app installer prompts you with the app permissions requested by an app (this applies both to new apps as well as upgrades!). A Wi-Fi utility naturally needs access to system tools so it can manipulate network settings, and a mapping / navigation app has a legitimate need for precise (GPS-based) location so it can give accurate directions. A flashlight (or camera) app needs neither of these. Read the permissions list with a skeptical eye - a great many apps request far more permissions than are truly needed, and in most cases you can find an alternate app that does not request such permissions.

    The University of Michigan has a pretty handy "App Profiles" project that documents permissions used by a growing list of popular apps. Unfortunately it is not a comprehensive list (though it is improving), and you have to find the "package name" for an app rather than simply using its common name. For instance, the Facebook app has a package name of "com.facebook.katana" (which you would never know unless you looked it up in the Google Play Store and looked for the package name in the browser URL string). The App Profiles project page for Facebook includes the following items, among others:

    - Uses more of your phone's resources (e.g. battery power) than recommended by Google to retrieve your location data.
    - Concerned with your proximity to a given location (for example, may be alerted if you are near a particular store.)
    - Can read your phone number.
    - Uses the internet.

    These may or may not bother you, but it pays to at least be aware of what you are permitting apps to do. Incidentally, this is evidently for an older version of the Facebook app. The current version (as of about the beginning of this year) includes a permission that I personally decided was unacceptable: permission to read your text messages and send email without your knowledge.

    In particular, watch out for any app that requests "Administrator" permission. With this permission, the app can do anything on your device, with or without your knowledge. Some anti-malware, parental control, VPN, and business email apps require this; very few other apps have a legitimate need for this though.
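
The permission review described in the list above can also be done mechanically. The following is an added example, not code from Avast, F-Secure or the App Profiles project: it reads an app's AndroidManifest.xml (assumed to be already decoded to text, for instance with apktool) and flags sensitive permissions that do not fit the kind of app it claims to be. The category table, the `audit_manifest` function and the sample manifest are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
P = "android.permission."

# Assumption: which permissions a given kind of app plausibly needs.
EXPECTED = {
    "camera": {P + "CAMERA", P + "WRITE_EXTERNAL_STORAGE"},
    "navigation": {P + "ACCESS_FINE_LOCATION", P + "INTERNET"},
}
# Permissions that can cost money or expose private data.
SENSITIVE = {
    P + "SEND_SMS": "can send (premium) text messages",
    P + "READ_SMS": "can read text messages",
    P + "READ_CONTACTS": "can read the contacts list",
    P + "READ_PHONE_STATE": "can read the phone number and device IDs",
    P + "ACCESS_FINE_LOCATION": "can read precise GPS location",
}

def audit_manifest(manifest_xml, category):
    """Return (permission, reason) findings for one decoded manifest."""
    root = ET.fromstring(manifest_xml)
    requested = {e.get(ANDROID + "name") for e in root.iter("uses-permission")}
    findings = [(p, SENSITIVE[p]) for p in sorted(requested)
                if p in SENSITIVE and p not in EXPECTED.get(category, set())]
    # Device administrator is declared on a receiver, not via uses-permission.
    for r in root.iter("receiver"):
        if r.get(ANDROID + "permission") == P + "BIND_DEVICE_ADMIN":
            findings.append((P + "BIND_DEVICE_ADMIN",
                             "asks to become a device administrator"))
    # The combination behind the premium-SMS Trojan described above.
    if {P + "READ_CONTACTS", P + "SEND_SMS", P + "INTERNET"} <= requested:
        findings.append(("COMBINATION", "contacts + SMS + internet"))
    return findings

# Constructed sample manifest for a hypothetical "night vision camera" app.
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.nightvision">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <application>
    <receiver android:name=".Admin"
        android:permission="android.permission.BIND_DEVICE_ADMIN"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    for perm, reason in audit_manifest(SAMPLE, "camera"):
        print(f"{perm}: {reason}")
```

An empty result only means nothing on this short list looked out of place for the stated category; it is not a verdict that the app is safe.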

Bottom line? Not all smartphone apps are what they claim to be, but a little careful attention (some might say paranoia ... I prefer healthy skepticism) can keep you out of trouble.

Update March 26, 2014: F-Secure just released an App Permissions app that lets you review the permissions that each app on your device uses, and filter based on specific permissions or categories of permissions (such as, show all apps that could cost you money or access your private data). It does not let you change or restrict permissions, but it shows you what can do what.

Update October 2, 2015: Trend Micro reported a malicious app for Android that masquerades as PayPal. The giveaway is that the app requests Device Admin permissions - permissions that almost never are legitimately needed by an app. In this case, paying attention to permissions could save you from turning complete control of your device over to a crook.

Do you have something to add? A question you'd like answered? Think I'm out of my mind? Join the conversation below, reach out by email at david (at) securityforrealpeople.com, or hit me up on Twitter at @dnlongen