Cryptocurrency-crafting creeps crept crafty code into Google App Store

Android apps secretly harboring cryptocurrency-mining code have managed to make their way onto the shelves in the official Google Play Store. Researchers at Trend Micro found three programs available for download in the application souk that were surreptitiously using the spare CPU cycles on people's smartphones to mine Monero …

  1. Lee D Silver badge

    Because, despite what every antivirus manufacturer will try to tell you or insinuate, there is NO WAY to prove that a program isn't malicious.

    Even with the source code, you can hide things.

    If you allow Internet access, it could have any kind of state machine operating only when, say, a certain DNS record appears on a particular domain, etc.

    Today's programs are so large that disassembly is ridiculously difficult, even for a language like Java/Dalvik.

    There is no way to certify that a program is "safe". Short of complete, 100%, every byte mathematical analysis compared against a specification which, in itself, it's agreed couldn't possibly be subverted to perform malicious intentions. And even then, it's no guarantee that you've done that right.

    And nobody on Earth has the money to afford to be able to do that for every app in the app store, certainly not on any kind of timely basis.

    The only way you can ensure stuff like this isn't malicious is to not give it the opportunity - i.e. permissions. No permission to run in background, no permission to consume more than 5% CPU, no permission to download from the Internet, etc. etc. etc. Then it's just a matter of determining whether such an app has ever done something it shouldn't ever have permission to do (i.e. by compromising your system).

    Fact is, everyone "just allows all", like they did for Vista and UAC because they don't want to think that "Connects to Internet" and "Can access your photos" could possibly result in "Uploading all your photos to the Internet for people to laugh at". They just want to know where North is, or order a takeaway, and they couldn't care less about security.

    Case in point - Alexa, Siri, et al. "Let's give permission for a device to sit in our house uploading every conversation to the cloud so that maybe once in a blue moon it responds to 'What's 2 plus 2?' so we can geek-out to our guests".

    Honestly, never understood why I can't REFUSE permission (including making it impossible for the app to determine whether or not I really did allow permission, e.g. faking persistent storage and resetting after every use, etc.) for everything and/or grant only a tiny subset of permissions actually requested by the app.

    And that INCLUDES those stupid pushed-apps from the manufacturers themselves. Tell me why you just pushed Samsung Music to my phone, Samsung? I literally do not have another music app as I don't listen to music. But it's just been forcibly downloaded, including notification permissions, no way to uninstall or disable (both greyed out), and access to my camera, storage and mic WITHOUT me granting that.

    1. Anonymous Coward

      Aside from saying everyone just allows all, I completely agree with the rest of that. There are a few obsessive-compulsive, paranoid, control freaks wandering the planet that don't which is why when Microsoft tried to slip in their tracking features here they were DOA. I especially like the faking feature which has been done before in other circumstances and should be a must feature. I don't see that happening but I do dream of that and a few more bits of camouflage that you find in the likes of TOR. TPTB won't let that happen as the first to be blinded will be the governments.

    2. td97402

      Seriously?

      Yeah, to this day, I never disable UAC on Windows unless it is absolutely required by a business application that I am required to install. I cancel installs that ask for a promiscuous level of permissions. I also do not install every stupid app that catches my eye. I look for an app when I have a need and then I look for a well-known, trusted vendor.

      As to the Google Play Store, the problem is that Google wants millions of apps on offer, so they abdicate the basic responsibility a reseller has, to choose decent products to sell their customers. How much nicer it would be if Google picked a handful of products, say a few thousand, of which they thought highly, from vendors with whom they had an ongoing, established relationship.

    3. Anonymous Coward

      I don't really agree with the in-built faking of information to an app.

      It should be as simple as: App asks for permission, you accept or refuse; if the app can't work without that permission (e.g. a navigation app not being allowed location access) it closes. If an app won't work without that permission then you uninstall it. If you refuse a permission and an App is trying to work out that you refused and cause negative consequences, then you probably can't trust them anyway.

      As soon as you get into faking data on a significant scale you undermine it.

      1. Lee D Silver badge

        I would argue that "I have been given permission to do X" is metadata that you don't want the program to have.

        An example - an app is malicious, but only if it is given the permission - i.e. it does use the camera but only if people actually click Yes. Or it only says it uses the camera when it's scanning a QR code but actually opens it at other times too. Otherwise, so it claims, it doesn't. If you go about just denying the permission to it, it will keep quiet. If, however, you say "Fake permission" and then it gets what looks like a valid video stream, maybe it will try to use the camera illicitly. The only way to tell is if the "fake" camera then reports "hey, I'm actually being used".

        Similarly for storage... you give it "fake" storage and then it complains each time you start that it's the first time it's run - because without the persistent storage, it doesn't know.

        It doesn't add much, but it stops the "To install Facebook which everyone else has, you need to allow this permission or it just stops when you load it", meaning users will then just give it that permission. And the cost? Minimal. A fake camera source, a RAM disk or fs overlay, a fake NMEA stream. I guarantee you those are already present for testing anyway.
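        The "fake permission as a canary" idea above, modelled as a toy permission broker (an added example, not code from the thread or from Android): instead of refusing a permission, the broker hands the app synthetic data and logs every access with the context the app was in, so an app that uses the camera outside its declared purpose shows up in the audit log. The app behaviour and the context names are constructed for the example.

```python
from dataclasses import dataclass, field

GRANT, DENY, FAKE = "grant", "deny", "fake"


def fake_resource(permission):
    # Plausible-looking stand-ins: a blank frame, empty storage, an empty contact list.
    return {"camera": b"\x00" * 16, "storage": {}, "contacts": []}.get(permission)


@dataclass
class PermissionBroker:
    policy: dict                                   # permission -> GRANT / DENY / FAKE
    accesses: list = field(default_factory=list)   # audit log of (permission, context)

    def request(self, permission, context):
        mode = self.policy.get(permission, DENY)
        if mode == DENY:
            # A plain refusal is visible to the app, so it can simply behave.
            raise PermissionError(permission)
        # Both GRANT and FAKE are logged; FAKE is indistinguishable from GRANT to the app.
        self.accesses.append((permission, context))
        if mode == FAKE:
            return fake_resource(permission)
        return f"real:{permission}"


def suspicious_accesses(broker, declared_uses):
    # declared_uses: permission -> set of contexts in which the app says it uses it.
    # Anything logged outside those contexts is the "hey, I'm actually being used" signal.
    return [(p, c) for p, c in broker.accesses
            if c not in declared_uses.get(p, set())]


def run_hypothetical_app(broker):
    # Constructed behaviour: scans a QR code (declared), then grabs frames in the
    # background (undeclared), and reads storage to decide whether this is its first run.
    broker.request("camera", "qr_scan")
    broker.request("camera", "background")
    first_run = not broker.request("storage", "startup")
    return first_run
```

With fake storage the app believes every launch is its first run, exactly the symptom described above; with a fake camera the background grab is logged even though the app "claims" it only scans QR codes.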

        1. tiggity Silver badge

          Default android camera app has access to camera, microphone, location, storage and telephone.

          Microphone may potentially seem OK if you want to record video? But not a good permission for photos only.

          Location - if you want to geotag photos.

          Storage, obvious as need to save files.

          But telephone permission? Nasty, nasty, nasty.

          .. and if you remove that telephone permission, the camera app will not work (& other camera apps rely on that so a bit stuffed!)

          So, it's all well and good being concerned about apps you download, but inspect pre-installed apps for the odd WTF moment.

          1. Anonymous Coward

            The telephone permission is probably to detect an incoming call so it can handle the interruption to your camera activity/video recording gracefully.

    4. DropBear Silver badge

      Can't speak of the current state of affairs, but what I do know is that even on the old 4.1 Jelly Bean it was possible to install XPrivacy on a rooted Android, which then proceeded to do pretty much what you ask: it allows runtime permission granting (you have to "accept" permissions normally when you install the app but you get asked by XPrivacy when the app attempts to actually use them) and if you choose deny, it e.g. fakes an empty contact list for the app like nobody's business (for those apps that immediately try to identify and upload who you know). No idea what the up-to-date equivalent is though...

      1. Anonymous Coward

        even on the old 4.1 Jelly Bean it was possible to install XPrivacy on a rooted Android

        Let me get this straight: in order to install a protection mechanism you have to remove the installed protection mechanism, weak as it is?

        Interesting is that Apple is far more successful in refusing apps that misbehave. Not perfect, but *far* better. Android is apparently aiming for the role of Windows in the mobile world.

  2. sloshnmosh

    Android Kit Kat did come with fine grained permission controls (somewhat hidden) called AppOps. But it was quickly removed.

    App Ops still lives on in Lineage OS and other offshoots.

    1. Anonymous Coward

      Android still has fine grained control over permissions. It will ask you whether you accept the permissions the first time and you can turn them off individually at any time.

      They aren't hidden away either.

      1. sloshnmosh

        "Android still has fine grained control over permissions. It will ask you whether you accept the permissions the first time and you can turn them off individually at any time.

        They aren't hidden away either."

        I'm assuming you are talking about the permission controls in Android 6.0 and higher.

        Yes, this was a welcomed and much needed addition but the permission controls in AppOps that I am speaking of actually go deeper.

        The Lineage OS I am testing has the permission controls like the ones introduced in Android 6.0, but there is a new option in "Settings" named "Privacy Guard" where you can enable/disable/ignore things such as: Wifi scan, coarse location, read clipboard, vibrate, volume, record audio, keep awake, notifications/toast, run in background etc.

        The list of controls actually grows as the apps requests them.

        But it is still missing the most important control of all which is the ability to deny an app access to the internet.

        For this you still need to strip that permission from the app's manifest and resign/repackage/reinstall the app, or block the app with the iptables firewall as ROOT.

  3. This post has been deleted by its author

  4. RobThBay

    I received an email a few days ago offering this "feature"

    This is the email I received a few days ago. I forwarded it to Google right away.

    =========

    Hi,

    We noticed that you have published your app on Android Play Store/Apple App Store. We (MedsWeb) provide technology services to enable app developers integrate Monero mining (a crypto currency similar to bitcoin, but very profitable to mine on general purpose devices like smartphones) within their app and monetize it. If your app is deployed on thousands/millions of devices, you can monetize it with monero mining and earn really huge income.

    We manage all the complexity of backend servers and mining operations and you get a really simple control panel to monitor your hashrate and earnings.

    Features of our service are:

    1. Very easy Integration to any app

    2. 0 knowledge of crypto currency mining required.

    3. Several key features to ensure 0 inconvenience to your app's user.

    ->Mining Only when device's battery level is greater than 70%(variable as per your choice), so that user does not have any battery issues.

    ->Mining only on those phone which have at least 4 processor cores

    ->Using only 1 processor core (variable as per your choice) for mining, rest of the cores are free for user's own work.

    ->No mining when device's sleeping, so battery usage only when user is actually using his phone.

    4. You have a control panel to real time monitor the hashrate generated by your apps.

    5. 100% legal and legitimate. You just need to include the fact in your app's user license that we use their device for some calculations.

    5. Daily Payment to your monero wallet.

    6. We charge only 0.5% as fee. No setup charges or any other hidden fee.

    For an estimate of your app's earning potential or any other discussion, feel free to contact us on skype : info@medsweb.in

    --

    MedsWeb Team

    =========


Biting the hand that feeds IT © 1998–2019