Some experts criticize Google for allowing untested
apps to enter its Android Market. But, as Tony Bradley & Gregg Keizer
explain, the real threat to users is their own behaviour
The Android Market was recently hit by a
spate of malicious apps designed to trick users into sending expensive text
messages. Google again faced criticism for failing to scan apps before they are
published to its primary distribution channel.
In fact, in 2011 Google had to remove more
than 100 malicious apps from its Android Market. At the beginning of this year,
San Francisco-based Lookout Security said that it and other vendors had
notified Google of several recent waves of malicious apps, 22 apps altogether,
that reached the Android Market. Google quickly pulled those programs from its
catalogue, said Lookout.
The company dubbed the malware bundled with the recently spotted fake apps
‘RuFraud’, and said that the code sent spurious text messages to premium
numbers, racking up revenues for the criminals. As well as the UK, Android
users in France, Germany, Italy, Poland, Russia and several other eastern
European and central Asian countries were affected.
What is RuFraud?
As in previous malicious app campaigns, the
RuFraud apps borrowed elements of legitimate apps, but they didn’t simply snatch
complete apps and then repackage them with malicious code, said Lookout.
“They borrowed aspects of other apps,
including terminology and in some cases identical text,” said Tim Wyatt, a
principal engineer at Lookout.
The RuFraud operations began with horoscope
apps, then moved on to Android phone wallpapers, including one for the Twilight
series of movies, and downloaders posing as accessories to bestselling games
such as Angry Birds and Cut the Rope, then finished with a round of fake games,
Lookout’s researchers said.
That last run accounted for the majority of
downloads before Google pulled the apps. Lookout estimated that about 14,000
copies of the fake games were downloaded by users. “A couple of instances of
the apps really drove that number in a single weekend,” added Derek Halliday, a
Lookout senior security product manager. “The others didn’t affect very many
people as far as we know.”
Ongoing security concerns
Google has had trouble keeping malware out
of the Android Market.
In July 2011, Lookout found four apps that
were infected with a variant of the ‘DroidDream Light’ malware. This was the
third instance of DroidDream infected apps making it into Google’s Android
Market, following an initial campaign in March and a second in early June.
Those two waves forced Google to pull more than 80 poisoned apps from its
store.
Lookout uses its own malware detection
technology to uncover malicious mobile apps. According to Halliday, Lookout
detects rogue apps “as soon as they’re published”.
“Google is very responsive,” said Wyatt,
referring to the Android maker’s moves when it’s told that tainted apps are in
its marketplace. “From notification to pulling the apps is generally on the order
of minutes,” Wyatt added.
Another knock for Google
Security experts regularly knock Google for
not proactively scanning apps submitted to the Android Market, and are
repeating that criticism in the wake of RuFraud.
“We have already stated several times that
requirements for becoming an Android developer that can publish apps to the
Android Market are far too relaxed,” said Vanja Svajcer, a principal virus
researcher with antivirus vendor Sophos, in a blog post. “The attacks on Android
Market will continue as long as the developer requirements stay too relaxed.”
Svajcer identified some of the fake games
used to spread RuFraud, a list that included Angry Bird, Assassin’s Creed
Revelations, Cut the Rope and Need for Speed.
Unlike Google, other app store operators vet
submissions and scan apps for possible malware. Microsoft, for example, has
promised to review apps submitted to its PC- and tablet-oriented Windows Store
for security issues; Microsoft’s market is slated to open in late February
alongside the release of the first Windows 8 public beta.
When asked if Lookout had offered Google
the former’s technology for scanning apps submitted to the Android Market,
Halliday declined to comment.
User error
While it may be easier to distribute a
shady app without an app store gatekeeper, fraud is not unique to Android and
doesn’t even need an app. Fraud is one of the oldest crimes in existence, and
relies more on duping people than on circumventing technology.
There are instances of SMS phishing scams
that can trick people regardless of mobile platform. The victim receives a spam
text message with a link. Inevitably, some users will click the link, and most
likely end up approving some sort of charge. The RuFraud apps work in a similar
way. Getting users to click on a link is a social engineering tactic that
transcends the operating system of the target mobile device.
Symantec recently reported on a completely
different kind of fraud related to smartphones. Fraudsters marketed a software
application called SMS Privato Spy that promises to enable you to “view the
phone screen live, activate and listen on the microphone, view call logs and
perform GPS tracking at all times” on a target smartphone, all for just $50.
No such app exists. If you fall for the
marketing and buy SMS Privato Spy, the fraudsters will take your money and run.
The weak spot when it comes to fraud isn’t
Android, iOS or any mobile platform or desktop operating system. The Achilles’
heel for fraud is the naïve, gullible user who falls for the bait and unwittingly
approves transactions or volunteers to pay for things that don’t exist.
The bottom line in the case of the
fraudulent Android apps is that the apps do disclose what they intend to do,
and the user is approving that activity by accepting the agreement. The terms
are intentionally buried. Most people won’t read the terms of service or end
user licence agreement, but there are still some simple tricks you can use to
avoid being a victim of this type of fraud.
For starters, let the community be your
police. Stick with apps that are more heavily downloaded and reviewed. If you
do download a more obscure app that has been rarely downloaded, or has only a
handful of reviews, be more vigilant about the permissions the app is
requesting. Does a game such as Angry Birds really need access to send SMS text
messages on your behalf?
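The permission check the paragraph above describes can be done mechanically on a decoded AndroidManifest.xml rather than by eye in the Market’s install dialog. The script below is an added example written for this article, not code from Lookout, Sophos or the RuFraud investigation; it assumes you already have the manifest as plain XML (the binary manifest inside an APK must first be decoded with a tool such as aapt or apktool, which the script does not do). The list of “costly” permissions and the app-type rule are our own choices for the example. It goes one step beyond the text by also flagging a broadcast receiver for SMS_RECEIVED registered at high priority, which on Android of this era lets an app see incoming texts before the stock messaging app; the sample manifests are constructed for the example.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = "{%s}name" % ANDROID_NS
PRIORITY = "{%s}priority" % ANDROID_NS
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"

# Permissions that can cost the user money or expose messaging. This selection
# and the one-line rationales are ours for the example, not an Android list.
COSTLY = {
    "android.permission.SEND_SMS": "can send SMS, including to premium-rate numbers",
    "android.permission.RECEIVE_SMS": "can see incoming SMS, e.g. carrier confirmations",
    "android.permission.READ_SMS": "can read stored SMS",
    "android.permission.CALL_PHONE": "can place calls without confirmation",
}

def requested_permissions(manifest_xml):
    """Return the android:name of every <uses-permission> in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    return [el.get(NAME) for el in root.iter("uses-permission")]

def sms_interceptors(manifest_xml):
    """Return (receiver, priority) for every receiver filtering on SMS_RECEIVED."""
    root = ET.fromstring(manifest_xml)
    found = []
    for recv in root.iter("receiver"):
        for flt in recv.iter("intent-filter"):
            actions = {a.get(NAME) for a in flt.iter("action")}
            if SMS_RECEIVED in actions:
                found.append((recv.get(NAME), int(flt.get(PRIORITY) or 0)))
    return found

def review(manifest_xml, app_type):
    """Flag costly permissions; a game or wallpaper gets no pass for any of them."""
    perms = requested_permissions(manifest_xml)
    flagged = {p: COSTLY[p] for p in perms if p in COSTLY}
    interceptors = sms_interceptors(manifest_xml)
    if not flagged and not interceptors:
        verdict = "ok"
    elif app_type in ("game", "wallpaper"):
        verdict = "reject"   # no plausible reason for SMS or call access
    else:
        verdict = "inspect"  # a messaging client may legitimately need these
    return {"permissions": perms, "flagged": flagged,
            "sms_interceptors": interceptors, "verdict": verdict}

# Constructed manifest resembling a fake game bundling an SMS-sending payload.
FAKE_GAME = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakegame">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application android:label="Super Bird Game">
    <receiver android:name=".SmsReceiver">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

# Constructed manifest for a game that only needs the network.
BENIGN_GAME = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.game">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <application android:label="Plain Game"/>
</manifest>
"""

if __name__ == "__main__":
    for label, xml in (("fake game", FAKE_GAME), ("benign game", BENIGN_GAME)):
        result = review(xml, "game")
        print(label, "->", result["verdict"])
        for perm, why in result["flagged"].items():
            print("  ", perm, ":", why)
        for recv, prio in result["sms_interceptors"]:
            print("   receiver", recv, "listens for SMS at priority", prio)
```

The rule is deliberately blunt: an app that calls itself a game or a wallpaper and asks for SEND_SMS is rejected outright, while the same manifest for a declared messaging app is only marked for closer inspection, since that category can legitimately need the permission.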
Users need to be better educated about
mobile security in general, and more aware of emerging scams so they can
recognize and avoid them. Most importantly, though, people need to exercise some
common sense and maintain a healthy dose of skepticism to steer clear of these
kinds of threats.