Android Apps Stealing Facebook Credentials

Google has removed 25 Android apps from its store because they steal Facebook credentials:

Before being taken down, the 25 apps were collectively downloaded more than 2.34 million times.

The malicious apps were developed by the same threat group and despite offering different features, under the hood, all the apps worked the same.

According to a report from French cyber-security firm Evina shared with ZDNet today, the apps posed as step counters, image editors, video editors, wallpaper apps, flashlight applications, file managers, and mobile games.

The apps offered a legitimate functionality, but they also contained malicious code. Evina researchers say the apps contained code that detected what app a user recently opened and had in the phone's foreground.
Posted on June 30, 2020 at 10:15 AM • 7 Comments

Comments

Clive Robinson • June 30, 2020 2:44 PM

@ Bruce,

I should make the same comment today about Google and its Walled Garden as I did yesterday about Apple's Walled Garden.

But the simple fact is it's not just Google and Apple, I've yet to find a Walled Garden with 3rd Party Apps that has honoured its majorly touted "reason to exist", the promise to keep users safe from malicious programs and exploiters...

I indicated back when Microsoft said similar things about TPM that I doubted it was possible and so it's turned out to be so.

The reality is these walled gardens are not just a failure security wise nor just a way of raising revenue, they are a way to gather PPI data on the users and anti-competitive against developers.

That is, the Cons of walled gardens significantly outweigh any of the promised Pros, but more importantly the operators of these walled gardens can no longer be bothered to maintain the illusion of checking for malicious use in the applications.

Especially Google, who apparently have the expertise but chose to use it to find failings in other organisations' products etc. Back in 2014 Google set up "Project Zero" to go hunting for zero day exploits, and it has had a number of successes. However in that same period they appear to have not really focused on their walled garden and things have got steadily worse...

One of the things we should all be pushing for is properly open hardware platforms on which the users have the level of control they need to get some level of privacy. Which is something all walled gardens clearly do not do, thus they are a security failure of monumental proportions.

Frank • June 30, 2020 3:54 PM

death brews in damp dark corners, but fresh air and sunshine disinfects.

Jesse Thompson • June 30, 2020 5:27 PM

@Clive

At least in this case, upon our first hearing of it the apps have been identified and eradicated. I did not get that sense from Apple's story.

2.34 million downloads over 25 apps (averaging less than 5 figures per app) doesn't sound like the apps had to have been up for very long before being discovered. And if the malicious code they had in common was a zero day, then we don't have any evidence that Google allowed the apps to remain available for a single day longer than any researcher would reasonably have been able to detect their fault.

Now I do not want to defend Google specifically, and I do not want to defend Walled Gardens specifically. I just want to make sure we're not tilting at windmills as a reflex, regardless who the players are today.

My question is: if this were a federated delivery environment — such as a dozen search engines offering links to these among millions of other apps freely available on the broad network — how would that have either prevented or more quickly cleaned up the problem had a nefarious group published 25 apps that a few million sufficiently naive people downloaded and got infected by?

I think when we see a headline like "Here's a terrible thing that happened that was already fixed prior to our having the data to be able to announce it" our first instinct in general should not be "I am very angry that a $TerribleThing ever had the opportunity to happen at all, and that $Company failed to represent literally flawless defensive security".

Bruce has made the point a number of times in the past that security is not about perfect defense, but about how a party reacts when, not if, they get breached.

Now yesterday's news showed us how Walled Gardens absolutely can work against good security and personal autonomy. Google has also demonstrated a number of times in the past not only poor security practices, but much more systemically disrespect for the privacy and autonomy of humanity in aggregate.

But in this very limited circumstance, I don't think we should say "this is outrageous" without being able to clarify any better way it could have realistically been handled.

Clive Robinson • June 30, 2020 6:30 PM

@ Jesse Thompson,

An analogy...

We cannot stop people in the street throwing stones...

I think most would accept that as being a reasonable assumption.

However if we are given sufficient freedom we can put up walls/fences or hedges, shrubs, trees or build our homes a sufficient distance back from the street, such that potential stone throwing is mitigated.

The alternative is that some "authority" comes along and walls off every house from the street, and puts in "one size restricts all" doors and security systems.

If you have seen such barriers in Northern Ireland during the troubles, or the mess the Israeli government/armed forces are putting up, or the test pieces for the "Trump Wall", you would understand why the individual solutions of householders are far better.

Don't trust anything, anyone, ever. • July 1, 2020 4:00 AM

I think we can safely add Norton/Symantec to this list. Maybe not exactly stealing the credentials but rather *ignoring* some gov't keyloggers/backdoors with their IPS/IDS installed on private users' endpoints and/or collecting *telemetry*, saving it (by writing to a file) in a secret location on a local endpoint, then sending it at a later date (encrypted) to either Symantec or the interested party (gov't) for *analysis* and future product *improvements*. And the dummy, the customer who PAYS for the service/product, has no idea he/she is being screwed and paying for it on top. Similar experiences anyone? Please, I'd love your input. Thanks.

Petre Peter • July 1, 2020 7:03 AM

Google or Apple cannot scan all the applications in their entirety, so they have to rely on trusting the developers not to be malefic. It's the same way the ESRB rating works for video games, with the difference being that when I was playing Tekken 3 Facebook wasn't around and I didn't have to worry about my bank account because I paid cash for the CD. Today, the priority for these stores is how easy it is to make purchases. Security comes after.

myliit • July 1, 2020 9:30 AM

At least with Apple, you might have tolerable to excellent functionality, depending on your needs, without having to install many, if any, third party apps.
