Archive for Android

Two File Management Apps On The Google Play Store Sending The Data Of 1.5 Million To China 

Posted in Commentary on July 11, 2023 by itnerd

As detailed in a report published by Pradeo, analysts discovered two file management apps on the Google Play Store to be spyware, secretly sending the user data of 1.5 million Android users to servers in China.

The seemingly harmless spyware apps, File Recovery and Data Recovery (1 million plus installs) and File Manager (500k plus installs), are developed by the same malicious group. They assure users that no data is collected, automatically launch when the device reboots, and hide their icons on home screens.

Pradeo’s analytics engine has found stolen data to include contact lists, media files, real-time location, mobile country code, network provider details, SIM provider network code, operating system version, device brand, and model. Each app performs more than a hundred transmissions and then transmits the data to multiple servers in China which are deemed malicious.

Ted Miracco, CEO, Approov Mobile Security had this to say:

   “The security issues related to this story are deeply concerning, albeit not surprising. The most fundamental problem is the false sense of security that consumers and businesses have related to app stores like Google Play (and Apple’s Appstore) in terms of actually protecting devices and individuals from these malicious apps. 

   “Both Apple and Google are actively promoting their security efforts at developer conferences, achieving record profits and sales while many of the apps available have huge discrepancies between their stated privacy policies and the actual information and data collected. These include both legitimate mainstream apps, that bend the rules without apparent consequences, and malicious apps that engage in deceptive behavior, claiming not to collect data while secretly doing so. 

   “App marketplaces must prioritize the implementation of more robust security measures to detect and prevent the infiltration of malicious apps that compromise user data.  It is also important for users to remain vigilant in protecting their devices and for businesses to be extremely wary of deceptive and modified apps that can compromise their data and their employers’ data. 

   “The fact that the data is being sent to malicious servers in China compounds the gravity of the threat while making it extremely difficult for consumers and businesses to mitigate the repercussions and long term damage that might occur from the stolen data. It also highlights the complex global nature of cyber threats and the importance of international collaboration in addressing such issues. 

   “Cooperation between security experts, app stores, and law enforcement agencies is vital to combatting these malicious activities and safeguarding user data, yet it is a monumental task that may take decades to be resolved, due to the complexity and competing global agendas.”

This illustrates why you shouldn’t just install anything on your Android or iPhone. Because you simply don’t know what the apps do and where your data is going.

Microsoft Discovers Security Flaws In Android Apps Provided By Canadian Telcos Among Other Telcos

Posted in Commentary on May 30, 2022 by itnerd

This isn’t a good look for Rogers, Bell, Freedom Mobile, TELUS and a few other telcos. According to BleepingComputer, Microsoft has found some serious vulnerabilities in Android apps that they distribute:

The researchers found these vulnerabilities (tracked as CVE-2021-42598, CVE-2021-42599, CVE-2021-42600, and CVE-2021-42601) in a mobile framework owned by mce Systems exposing users to command injection and privilege escalation attacks.

The vulnerable apps have millions of downloads on Google’s Play Store and come pre-installed as system applications on devices bought from affected telecommunications operators, including AT&T, TELUS, Rogers Communications, Bell Canada, and Freedom Mobile.

“The apps were embedded in the devices’ system image, suggesting that they were default applications installed by phone providers,” according to security researchers Jonathan Bar Or, Sang Shin Jung, Michael Peck, Joe Mansour, and Apurva Kumar of the Microsoft 365 Defender Research Team.

“All of the apps are available on the Google Play Store where they go through Google Play Protect’s automatic safety checks, but these checks previously did not scan for these types of issues.

“As it is with many of pre-installed or default applications that most Android devices come with these days, some of the affected apps cannot be fully uninstalled or disabled without gaining root access to the device.”

Well, that’s not good. But these apps have been fixed. Sort of. Microsoft reached out to the relevant parties and these vulnerabilities were fixed. But the at-risk framework is likely used by numerous other service providers who may still have apps out there that aren’t fixed. Which means that threat actors can still launch attacks.

To protect yourself, search for the package name com.mce.mceiotraceagent on your Android device. If you find it, delete it ASAP if you can. I say that because you might need root access to delete it.
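One way to run that search from a computer, as an added example that is not part of the original post: it classifies the package from two `pm list packages` listings pulled over adb. It assumes adb is installed and the device is authorized; the function names and the sample listings are made up for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). Decides whether one package is
# absent, user-installed, or part of the system image, from two listings:
#   adb shell pm list packages -s > sys.txt     # system packages
#   adb shell pm list packages -3 > third.txt   # third-party packages
# Each listing line has the form "package:<name>".

TARGET_PKG="com.mce.mceiotraceagent"   # package name given in the post

# has_pkg PKG FILE: true only on an exact name match. adb output can carry
# CRLF line endings, and a substring match would also hit longer names that
# merely start with PKG.
has_pkg() {
    tr -d '\r' < "$2" | grep -Fqx "package:$1"
}

# classify_pkg PKG SYS_LIST THIRD_LIST prints one of:
#   preloaded  in the system image; deleting it needs root, as the post notes
#   user       installed by the user; a normal uninstall removes it
#   absent     not installed
classify_pkg() {
    if has_pkg "$1" "$2"; then
        echo preloaded
    elif has_pkg "$1" "$3"; then
        echo user
    else
        echo absent
    fi
}

# Demo on constructed listings (sample data, not taken from a real device).
# The third-party list holds a longer look-alike name that must not match.
demo() {
    dir=$(mktemp -d) || return 1
    printf 'package:com.android.settings\r\npackage:%s\r\n' "$TARGET_PKG" > "$dir/sys.txt"
    printf 'package:org.example.notes\npackage:%s.helper\n' "$TARGET_PKG" > "$dir/third.txt"
    classify_pkg "$TARGET_PKG" "$dir/sys.txt" "$dir/third.txt"
    rm -rf "$dir"
}

demo   # prints: preloaded
```

A `preloaded` result is the case the post warns about, where the app sits in the system image and cannot be deleted without root.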

Android Phone Owners With Skype Installed Are Vulnerable To A Passcode Bypass Exploit

Posted in Commentary on January 4, 2019 by itnerd

If you use Skype for Android, you should pay attention. Someone who is in possession of an Android phone with Skype installed on it simply has to receive a Skype call and answer it without unlocking the handset. They can then view photos, look up contacts, send a message, and open the browser by tapping links in a sent message, all without ever unlocking the phone. The Register first reported this and I have a video below that demonstrates the exploit:

The vulnerability was reported to Microsoft and a fix is already out there via updating to the latest version of Skype. By doing so, you will ensure that you do not get pwned.

Android Pie Is Now Shipping….. Though You May Never Actually Get It On Your Device

Posted in Commentary on August 7, 2018 by itnerd

Google’s latest Android operating system update, Android 9 Pie, has been officially released to customers. Here’s a video that shows you what this new version of Android brings to the table:

Here’s a quick list of notable features:

  • A new gesture-based system interface that’s similar to the interface of the iPhone X
  • There’s a new Android Dashboard, designed to tell you how much time you’re spending on your device. Which sounds like Apple’s Screen Time feature that’s coming in iOS 12.
  • A new Do Not Disturb option called “Shush” which silences Android devices when placed facedown
  • A Wind Down option lets Android users select a specific bedtime to turn the interface gray to discourage smartphone usage at night.
  • An Adaptive Battery feature that maximizes battery power by prioritizing the apps you’re most likely to use next.
  • App Actions for predicting what you’ll want to do next. Which to me sounds a lot like Siri Suggestions.
  • There’s a future feature called Slices which brings up information from your favorite apps right in search.

Android Pie is available to Pixel phones today. For everyone else, you may get an update if your device is recent enough. But as is typical for Android devices, your ability to get a major update to Android largely depends on who makes your phone, what carrier it is on, and how old it is, as many devices use customized versions of the Android OS. Which means that device manufacturers and/or carriers have the ultimate say as to what updates users get. Thus it is entirely possible that you may never get this update on your phone, and you may need to get a new phone to get Android Pie.

Buy A Low Cost Android Phone, And Get Pwned For Free

Posted in Commentary on May 25, 2018 by itnerd

More than 100 different low-cost Android models from manufacturers such as ZTE, Archos, and myPhone ship with malware pre-installed, researchers at Avast Threat Labs reported on Thursday. Users in more than 90 countries, including the U.S., are affected by this, the researchers said:

The malware, called Cosiloon, overlays advertisements over the operating system in order to promote apps or even trick users into downloading apps. The app consists of a dropper and a payload. “The dropper is a small application with no obfuscation, located on the /system partition of affected devices. The app is completely passive, only visible to the user in the list of system applications under ‘settings.’ We have seen the dropper with two different names, ‘CrashService’ and ‘ImeMess,'” wrote Avast.

The dropper then connects with a website to grab the payloads that the hackers wish to install on the phone. “The XML manifest contains information about what to download, which services to start and contains a whitelist programmed to potentially exclude specific countries and devices from infection. However, we’ve never seen the country whitelist used, and just a few devices were whitelisted in early versions. Currently, no countries or devices are whitelisted. The entire Cosiloon URL is hardcoded in the APK.”

Well. That’s not cool. These companies need to explain why their phones ship with this stuff. Or better yet, I say that governments should say that if this stuff is on phones when they ship, then they can’t be sold. But I suspect that neither is going to happen and consumers will have to fend for themselves by sticking to iOS or the Samsungs or LGs of the world and avoiding this low end market entirely.

When It Comes To Privacy For In Car Infotainment Systems, It’s An Open Question As To What Data Google And Apple Collects From You

Posted in Commentary on April 20, 2018 by itnerd

The issue of privacy when it comes to in car infotainment systems like Android Auto and Apple CarPlay flared up again yesterday when it came to light that Toyota took a pass on Android Auto because of privacy concerns. They joined Porsche who famously did the same thing a few years ago.

That made me wonder if it is spelled out clearly what data either of these systems collects and how it is used. Why does that matter? I’d like to know if Google or Apple is monitoring how aggressively I drive. And what they do with that information and who gets to see it. Thus I spent a day looking around the Internet to see if such documentation exists. The net result of my research is that neither company does a great job of spelling out what data they collect via their infotainment systems and how it is used. To illustrate this, I want to use Tesla as an example of what I am looking for. Their privacy policy makes it very clear what they collect in terms of data. And they go into a great amount of detail about how it is used. That way, you know exactly what Tesla is doing. As far as I am concerned, this is the gold standard when it comes to this sort of thing as it removes any questions from my mind about what Tesla may or may not be doing.

Now let’s go over to Apple. They have a privacy microsite that is better than most and specifically mentions Apple CarPlay here where it says this:

All the rigorous privacy measures built into your iPhone and apps carry over to CarPlay. Only essential information that enhances the CarPlay experience will be used from your car. For example, data such as your car’s GPS location can be used to help iPhone produce more accurate results in Maps.

That’s something I suppose, but beyond that there’s no specific mention in their privacy policy or anywhere else on their microsite about what CarPlay collects and what is done with that information.

In the case of Google and Android Auto, I was unable to find anything that specifically mentions Android Auto, and I looked at the Android Auto site and their privacy and terms microsite which, if you dig for a bit, lists pretty much every product that they make except Android Auto. Which means that I have no idea what info Google collects. And that’s a step behind Apple who at least gives me some minimal information on this front.

So in either case, both Android Auto and Apple CarPlay fall well short of telling their users about what data they collect and how it is used when compared to Tesla. That’s a problem given how privacy and the security of data is now a top of mind issue. As a result, we’re left with rumor rather than fact. And that’s a huge problem for both companies if they want their infotainment systems to be adopted widely.

My challenge to both companies would be for them to make their data collection and usage policies for their infotainment systems as clear as Tesla does. At least when Tesla spells it out, I know what I am getting myself into up front assuming that I read the document. I believe that Google and Apple owe us the same.

So how about it Apple and Google? Will you do what’s right for users of Android Auto and Apple CarPlay, or will you continue to keep them in the dark about what data you collect and how it is used in terms of those products? Inquiring minds want to know.

 

Your Android Phone Might Not Be As Secure As You Think

Posted in Commentary on April 13, 2018 by itnerd

If you own an Android phone from Google, Samsung, Motorola, LG, HTC, Xiaomi, OnePlus, Nokia, TCL, and ZTE, but really any Android phone, you might not be getting the security patches that you need to keep your phone safe based on a recently released study:

The study found that outside of Google and its Pixel phones, well-known phone makers had devices that were missing patches that they claimed to have. “We found several vendors that didn’t install a single patch but changed the patch date forward by several months,” says SRL founder Karsten Nohl.

The number of missing security patches on phones varied between device makers. For example, Google, Samsung, and Sony devices were found to be missing 0 or 1 patches on average. Xiaomi, OnePlus, and Nokia devices were missing 1 to 3 patches on average, while HTC, Huawei, LG, and Motorola were missing 3 to 4 patches on average. Devices from TCL and ZTE fared the worst, missing an average of 4 or more patches that they claimed to have.

One of the huge problems with Android is that it is now so fragmented, and every vendor has filled it with their own custom stuff and they’ve done god knows what to the core of it. That’s horrible for the consumer as you are guaranteed to get this situation because it’s easier to fudge things than to come out with proper patches on a regular cadence.

Contrast that to those on team iOS where everything comes from Apple. Thus every iPhone user that has an iPhone made in the last five years give or take gets every security update that comes out. Sure iOS is a walled garden unlike the freedom that Android provides its users, but the wall surrounding that garden is pretty secure unlike Android.

While people are going to buy Android phones regardless of how insecure they are because they are cheap, Google and company need to do something about this. The fact is that you can’t have millions of phones running around out there which are wide open to being pwned. That’s just a disaster waiting to happen.

Android P Developer Preview Hits The Streets

Posted in Commentary on March 7, 2018 by itnerd

Google today launched the first Android P developer preview which is available for download now at developer.android.com.

Some notes on what’s on offer for download:

The preview includes an updated SDK with system images for the Pixel, Pixel XL, Pixel 2, Pixel 2 XL, and the official Android Emulator. Unlike last year, there is no emulator for testing Android Wear on Android P.

Interesting that there’s nothing there to test Android Wear devices. I guess that has something to do with the fact that Android Wear devices pretty much got hammered by Apple Watches in the marketplace. Or they haven’t gotten around to it yet. Who knows?

But I digress.

Why should you care? Here’s what Android P…. One has to wonder what food item that will be used to market this OS…… Popsicles perhaps?…… Has going for it:

  • Android P offers support for “the latest edge-to-edge screens with display cutout for camera and speaker,” with a new “DisplayCutout” class for outlining the size and shape of a notch on an Android device. Seeing as Android device makers are copying the iPhone X and its notch.
  • Indoor positioning APIs so that your phone will more accurately grab a location indoors.
  • Enhanced notifications
  • Multi-camera support
  • HEIF image support
  • Restricted access to the mic, camera, and other hardware
  • Open Mobile API for NFC payments and secure transactions

Expect this OS to ship sometime in Q3.

#Fail: Google Play Protect Can’t Protect You From Malware

Posted in Commentary on October 26, 2017 by itnerd

Google has a new initiative to reduce malware in the Android ecosystem. Called Google Play Protect, it’s supposed to catch the bad stuff before it ends up on your Android  smartphone. Because lots of bad stuff ends up on Android smartphones. And that’s a big problem.

However, it appears that it will not do much for you. Tests by German malware experts AV-Test indicate that Google Play Protect detected just 65.8 percent of recent malware samples, rising to 79.2 percent of malware of around a month old. Meanwhile, third party solutions caught pretty much everything that was thrown at them. The net result was that Google Play Protect finished dead last in this test.

I’m not sure what Google is going to do about it, but I know what you should do. Forget Google Play Protect and invest in a third party anti-virus app that was tested by AV-Test as it seems Google can’t protect you from the bad stuff that’s out there.

 

Android Devices Not Running Android Oreo Vulnerable To Pwnage

Posted in Commentary on September 11, 2017 by itnerd

Well, this is potentially going to be a problem for reasons that I will get to in a bit. If you’re using an Android device and it’s not running Android Oreo which is the latest and greatest from Google, then you’re vulnerable to an “Overlay Attack” as per Palo Alto Networks who spill the details here. Here’s how the attack works in short:

  1. Download a malicious app from the Google Play Store.
  2. The app draws a bogus screen for users to click on (for example, to install an app or accept a set of permissions), hiding what’s really happening.
  3. Users accept the permissions that the malicious app serves up.
  4. Pwnage.

Android is supposed to prevent this happening. But any Android device not running Oreo doesn’t. Thus there need to be patches for this and soon. Here’s the problem. The Android ecosystem is notorious for being slow to deliver patches because of the diversity of devices and quite frankly the manufacturers of these devices not having security as a top of mind item. So it is entirely possible that this threat might be out there for months before devices get patched. If they get patched at all. And that ignores the fact that the malicious apps are being served up from Google Play which is another huge problem. Clearly Android users have something to worry about.