Android Market Under Threat From ‘RuFraud’

4/6/2012 11:39:15 AM


Some experts criticize Google for allowing untested apps to enter its Android Market. But, as Tony Bradley & Gregg Keizer explain, the real threat to users is their own behaviour

The Android Market was recently hit by a spate of malicious apps, designed to trick users into sending expensive text messages. Google again faced criticism for failing to scan apps before they are uploaded to its primary distribution channel.

In fact, in 2011 Google had to remove more than 100 malicious apps from its Android Market. At the beginning of this year, San Francisco-based Lookout Security said that it and other vendors had notified Google of several recent waves of malicious apps, 22 apps altogether, that reached the Android Market. Google quickly pulled those programs from its catalogue, said Lookout.

The company dubbed the malware bundled with the recently spotted fake apps ‘RuFraud’, and said that the code sent spurious text messages to premium numbers, racking up revenues for the criminals. As well as the UK, Android users in France, Germany, Italy, Poland, Russia and several other eastern European and central Asian countries were affected.

What is RuFraud?


As in previous malicious app campaigns, the RuFraud apps borrowed elements of legitimate apps, but they didn’t simply snatch complete apps and then repackage them with malicious code, said Lookout.

“They borrowed aspects of other apps, including terminology and in some cases identical text,” said Tim Wyatt, a principal engineer at Lookout.

The RuFraud operations began with horoscope apps, then moved on to Android phone wallpapers, including one for the Twilight series of movies, and downloaders posing as accessories to bestselling games such as Angry Birds and Cut the Rope, then finished with a round of fake games, Lookout’s researchers said.

That last run accounted for the majority of downloads before Google pulled the apps. Lookout estimated that about 14,000 copies of the fake games were downloaded by users. “A couple of instances of the apps really drove that number in a single weekend,” added Derek Halliday, a Lookout senior security product manager. “The others didn’t affect very many people as far as we know.”

Ongoing security concerns

Google has had trouble keeping malware out of the Android Market.

In July 2011, Lookout found four apps that were infected with a variant of the ‘DroidDream Light’ malware. This was the third instance of DroidDream-infected apps making it into Google’s Android Market, following an initial campaign in March and a second in early June. Those two waves forced Google to pull more than 80 poisoned apps from its store.

Lookout uses its own malware detection technology to uncover malicious mobile apps. According to Halliday, Lookout detects rogue apps “as soon as they’re published”.

“Google is very responsive,” said Wyatt, referring to the Android maker’s moves when it’s told that tainted apps are in its marketplace. “From notification to pulling the apps is generally on the order of minutes,” Wyatt added.

Another knock for Google

Security experts regularly knock Google for not proactively scanning apps submitted to the Android Market, and are repeating that criticism in the wake of RuFraud.

“We have already stated several times that requirements for becoming an Android developer that can publish apps to the Android market are far too relaxed,” said Vanja Svajcer, a principal virus researcher with antivirus vendor Sophos, in a blog. “The attacks on Android Market will continue as long as the developer requirements stay too relaxed.”

Svajcer identified some of the fake games used to spread RuFraud, a list that included Angry Birds, Assassin’s Creed Revelations, Cut the Rope and Need for Speed.

Unlike Google, other app store operators vet submissions and scan apps for possible malware. Microsoft, for example, has promised to review apps submitted to its PC- and tablet-oriented Windows Store for security issues; Microsoft’s market is slated to open in late February alongside the release of the first Windows 8 public beta.

When asked if Lookout had offered Google the former’s technology for scanning apps submitted to the Android Market, Halliday declined to comment.

User error

While it may be easier to distribute a shady app without an app store gatekeeper, fraud is not unique to Android and doesn’t even need an app. Fraud is one of the oldest crimes in existence, and relies more on duping people than on circumventing technology.

There are instances of SMS phishing scams that can trick people regardless of mobile platform. The victim receives a spam text message with a link. Inevitably, some users will click the link, and most likely end up approving some sort of charge. The RuFraud apps work in a similar way. Getting users to click on a link is a social engineering tactic that transcends the operating system of the target mobile device.

Symantec recently reported on a completely different kind of fraud related to smartphones. Fraudsters marketed a software application called SMS Privato Spy that promises to enable you to “view the phone screen live, activate and listen on the microphone, view call logs and perform GPS tracking at all times” on a target smartphone, all for just $50.

No such app exists. If you fall for the marketing and buy SMS Privato Spy, the fraudsters will take your money and run.

The weak spot when it comes to fraud isn’t Android, iOS or any mobile platform or desktop operating system. The Achilles’ heel for fraud is the naïve, gullible user who falls for the bait and unwittingly approves transactions or volunteers to pay for things that don’t exist.

The bottom line in the case of the fraudulent Android apps is that the apps do disclose what they intend to do, and the user is approving that activity by accepting the agreement. The terms are intentionally buried. Most people won’t read the terms of service or end user licence agreement, but there are still some simple tricks you can use to avoid being a victim of this type of fraud.

For starters, let the community be your police. Stick with apps that are more heavily downloaded and reviewed. If you do download a more obscure app that has been rarely downloaded, or has only a handful of reviews, be more vigilant about the permissions the app is requesting. Does a game such as Angry Birds really need access to send SMS text messages on your behalf?
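One way to apply the permission check the article recommends, as an added example that is not part of the original article or of any vendor’s tooling: a small Python audit of the permissions an AndroidManifest.xml declares, run against a constructed sample manifest for a fake game that asks for SMS access it has no reason to need.

```python
# Added example (not from the article): flag manifest permissions that allow an
# app to send or read text messages, the capability premium-SMS fraud relies on.
import xml.etree.ElementTree as ET

# Attributes in an Android manifest live in the "android" XML namespace.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Real Android permission names that grant access to SMS functionality.
SMS_PERMISSIONS = {
    "android.permission.SEND_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
    "android.permission.WRITE_SMS",
}

# Constructed sample manifests (package names are placeholders, not real apps).
SUSPECT_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakegame">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application android:label="Fake Game"/>
</manifest>"""

BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.realgame">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Real Game"/>
</manifest>"""


def declared_permissions(manifest_xml):
    """Return the set of permission names a manifest requests."""
    root = ET.fromstring(manifest_xml)
    return {
        elem.get(ANDROID_NS + "name")
        for elem in root.iter("uses-permission")
        if elem.get(ANDROID_NS + "name")
    }


def sms_risk(manifest_xml):
    """Return the SMS-related permissions requested, sorted; empty means none."""
    return sorted(declared_permissions(manifest_xml) & SMS_PERMISSIONS)


if __name__ == "__main__":
    for label, manifest in (("suspect", SUSPECT_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(label, sms_risk(manifest) or "no SMS permissions")
```

The same check can be run on a real manifest extracted from an APK; a game that lists any of the SMS permissions deserves the extra scrutiny the article describes.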

Users need to be better educated about mobile security in general, and more aware of emerging scams so they can recognize and avoid them. Most importantly, though, people need to exercise some common sense and maintain a healthy dose of skepticism to steer clear of these kinds of threats.
