The sky is falling. At least, that’s what some conclude, after hearing about Exodus, a family of targeted malware discovered in the official Google Play app store.
By imitating legit apps, Exodus exfiltrates data from countless apps and Android services. It appears to be a lawful surveillance program that escaped from its tight, court-approved targeting of Italian suspects.
But Google says malware like this is vanishingly rare. In this week’s Security Blogwatch, we let my people go.
Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: E-crash.
Android angst; government gaffe
What’s the craic? Lorenzo Franceschi-Bicchierai and Riccardo Coluccini are lost in translation—Google Play Store Apps Were Actually Government Malware:
Security researchers have found a new kind of government malware that was hiding in plain sight. … A case of lawful intercept gone wrong.
…
Hackers working for a surveillance company infected hundreds of people with [25] malicious Android apps that were hosted on the official Google Play Store … over the course of roughly two years. … This new case once again highlights the limits of Google’s filters that are intended to prevent malware from slipping onto the Play Store.
…
Android malware … was sold to the Italian government by [eSurv] a company that sells surveillance cameras but was not known to produce malware until now. … The spyware appears to have been faulty and poorly targeted [and] could be illegal.
…
The spyware apps were designed to look like harmless apps to receive promotions and marketing offers from local Italian cellphone providers, or to improve the device’s performance. … Exodus was programmed to act in two stages. In the first stage, the spyware installs itself and only checks the phone number and its IMEI … presumably to check whether the phone was intended to be targeted [but it] does not appear to properly check. … This is important because there are currently some legally permissible uses of narrowly targeted malware.
…
We reached out to eSurv multiple times [but] the company declined to comment. … Italian prosecutors launched an investigation into the company … seizing its computers and shutting down the malware's infrastructure.
What does it do? Doug Olenick quips that it takes data on a different journey:
Dozens of infected apps had been found in the Google Play store with a possible download total in the thousands. … Google has been informed and has removed the apps, but the malicious actors behind the campaign have been known to re-establish them on Google Play.
…
The spyware is quite invasive … extracting not only the phone’s data, but information from the other apps on the device. This includes Facebook contact lists, Facebook Messenger, Telegram, WeChat and WhatApp among many others.
Who discovered it? Security Without Borders—New Android Spyware Made in Italy:
We identified a new Android spyware platform we named Exodus. … We believe this spyware platform is developed by an Italian company called eSurv.
…
Exodus is equipped with extensive collection and interception capabilities. Worryingly, some of the modifications enforced by the spyware might expose the infected devices to further compromise or data tampering.
Time for a knee-jerk, fanboi reaction? butters1337 kindly obliges your need for conflict: [You’re fired—Ed.]
Is the Google Play Store the wild west of security or what? Unless Google starts doing some serious moderation you would be mad to buy an Android phone these days.
…
I just prefer to have someone from the OS developers check the source code of apps for shady **** before allowing it to be published on the store. … If you are running Android … you're running open source [and] trusting a collection of anonymous contributors.
To which, BusterBrownSheep bleats sarcastically:
Yeah, because the first thing I do when I get a new phone is go to the Play Store to download every shady new app I find.
…
You must have no trust in your own ability to avoid stupid things if you think it's Google's fault for people downloading malware. Keep your iPhone, nobody wants to be in such a closed environment anyway.
…
I use a cheap android device because I get much more functionality out of it than any iPhone and I run just the amount of apps I need. … I haven't had a virus on any device in years. … It's simply common sense not to download sketchy software.
Enough of that sort of thing. What does Google have to say? Meghan Kelly and her Android Security & Privacy Team just published their Year In Review:
The broadest statistic for measuring device hygiene is how frequently a full-device scan detects Potentially Harmful Applications (PHAs). … These apps endanger not only the device but also threaten the sanctity of the Android environment. This is why Google Play Protect scans all apps installed on a device regardless of the source.
…
In 2018 only 0.08% of devices that used Google Play exclusively for app downloads were affected by PHAs. … Devices that installed apps from outside of Google Play were affected by PHAs eight times more often.
…
Google Play Protect debuted in 2017 … and quickly became the most widely deployed mobile threat protection service in the world. … By analyzing and reviewing upwards of 500,000 apps daily in its cloud-based vetting process, Google Play Protect helps keep harmful apps from ever reaching Google Play.
…
In 2018, we continued to expand Google Play Protect's machine-learning capabilities by exploring different techniques and leveraging knowledge from all across Google. … The Android Security and Privacy team also uses machine learning to dramatically increase our ability to detect and classify PHAs.
…
Malicious actors increased their efforts to embed PHAs into the supply chain using two main entry points: new devices sold with pre-installed PHAs and over the air (OTA) updates. … Developers of pre-installed PHAs only need to deceive the device manufacturer or another company in the supply chain instead of large numbers of users [and] PHAs can gain more privileged access to the device [which] is increasingly more difficult due to Android’s constantly improving security model.
What now? Steve Gibson pored over the report—Android Security 10 Years In:
The report did share some interesting and impressive stats. … After the twelve and a half years of this podcast, I would imagine that all of our listeners likely have a realistic and sober appreciation for the difficulty of the task Google has willfully undertaken by shepherding Android.
It’s a challenge I would never want to face. They are placing a highly capable and powerful open source operating system running atop equally powerful hardware, sourced very indirectly through partners far and wide and largely out of their control, into the hands of inherently trusting and non-computer-savvy consumers.
…
And for the most part, in an openly hostile environment and against quite unfavorable odds, the damn thing is working. So I say Bravo Google. And thank you.
But Tom Spring isn’t so on-message, with Google Warns of Growing Android Attack Vector:
Google is reporting an uptick in efforts by bad actors to plant … PHAs on Android devices via pre-installed apps and by bundling them with system updates delivered over the air. … The technique is especially troubling.
…
Even smaller phone manufacturers have the potential of compromising hundreds of thousands of users. … On some model BLU handsets, an investigation found that phones came pre-installed with malware and also downloaded more malware via a third-party update tool. … Pre-installed [malware] often have heightened device privileges. That allows the developers behind them to more easily sidestep security tool detection and removal attempts by users.
…
Unlike apps downloaded from Google Play and third-party app stores, which can utilize Android’s built-in security tools, pre-installed apps and backdoored SDKs don’t have that luxury.
Meanwhile, enjoy this insight from Shawn Willden:
Keeping malware out of the Play Store is actually an insanely hard problem, because it inherently conflicts with keeping the Play Store open. Google could lower the numbers quite a bit more by taking Apple's walled-garden approach, with developer account fees and pre-approval inspection processes (even that is not perfect -- the Apple App Store has not been malware-free).
Note that it's also not a "static" problem; it's an arms race. Malware authors continue inventing new techniques, but the Play Protect team is improving their detection techniques faster.
The moral of the story?
No platform promises perfect protection. Security is an end-user responsibility too. Per favore, faccia attenzione!
And finally
Let’s crash some electric cars (and shout a lot)
You have been reading Security Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or sbw@richi.uk. Ask your doctor before reading. Your mileage may vary. E&OE.
Image source: Eduardo Woo (cc:by-sa)
Keep learning
The future is security as code. Find out how DevSecOps gets you there with TechBeacon's Guide. Plus: See the SANS DevSecOps survey report for key insights for practitioners.
Get up to speed fast on the state of app sec testing with TechBeacon's Guide. Plus: Get Gartner's 2021 Magic Quadrant for AST.
Get a handle on the app sec tools landscape with TechBeacon's Guide to Application Security Tools 2021.
Download the free The Forrester Wave for Static Application Security Testing. Plus: Learn how a SAST-DAST combo can boost your security in this Webinar.
Understand the five reasons why API security needs access management.
Learn how to build an app sec strategy for the next decade, and spend a day in the life of an application security developer.
Build a modern app sec foundation with TechBeacon's Guide.
