Google Makes it Tough for Rogue App Developers Get Back on Android Play Store

android malware google play store

Even after Google’s security oversight over its already-huge Android ecosystem has evolved over the years, malware apps still keep coming back to Google Play Store.

Sometimes just reposting an already detected malware app from a newly created Play Store account, or using other developers’ existing accounts, is enough for ‘bad-faith’ developers to trick the Play Store into distributing unsafe apps to Android users.

Since the mobile device platform is growing rapidly, every new effort Google makes apparently comes with trade-offs.

For example, Google recently made some changes in its Play Store policies and added new restriction in Android APIs that now makes it mandatory for every new app to undergo rigorous security testing and review process before appearing in the Google Play Store.

These efforts also include:

Unfortunately, many developers are not happy with the process, and handling of manually reviewed cases after the team of experts at Google made false-positive malware and policy violation detections and failed to timely respond developers on whether their apps meet policy requirements.

“When we began enforcing these new SMS and Call Log policies, many of you expressed frustration about the decision making process,” Sameer Samat, VP of Product Management, Android & Google Play says in a blog post.

Continuing its efforts over this ground, Google has now announced the company’s plan to adopt more detailed communication with developers, explaining why a decision was made, as well as offering improved and transparent evaluations and appeal process.

Google says the company is expanding its “team to help accelerate the appeals process.”

Besides this, Google has also planned to spend more time in reviewing Android apps by new developers before approving them to go live in Google Play Store in an effort to avoid taking decisions in error.

The review for an app from any new developer who doesn’t have a proven track record with the tech giant will now take “days, not weeks,” allowing the company to do “more thorough checks” before approving apps to publish over the Play Store.

“While the vast majority of developers on Android are well-meaning, some accounts are suspended for serious, repeated violation of policies that protect our shared users,” Android developers say in a blog post.

“While 99%+ of these suspension decisions are correct, we are also very sensitive to how impactful it can be if your account has been disabled in error.”

From now, those developer accounts disable in error can immediately appeal any enforcement, which will be carefully reviewed by the Android team. If the team discover that an error has been made, it will restore the account.

Let’s block ads! (Why?)

Link to original source

Hackers Could Turn Pre-Installed Antivirus App on Xiaomi Phones Into Malware

xiaomi antivirus malware

What could be worse than this, if the software that’s meant to protect your devices leave backdoors open for hackers or turn into malware?

Researchers today revealed that a security app that comes pre-installed on more than 150 million devices manufactured by Xiaomi, China’s biggest and world’s 4th largest smartphone company, was suffering from multiple issues that could have allowed remote hackers to compromise Xiaomi smartphones.

According to CheckPoint, the reported issues resided in one of the pre-installed application called, Guard Provider, a security app developed by Xiaomi that includes three different antivirus programs packed inside it, allowing users to choose between Avast, AVL, and Tencent.

Since Guard Provider has been designed to offer multiple 3rd-party programs within a single app, it uses several Software Development Kits (SDKs), which according to researchers is not a great idea because data of one SDK cannot be isolated and any issue in one of them could compromise the protection provided by others.

“The hidden disadvantages in using several SDKs within the same app lie in the fact that they all share the app context and permissions,” the security firm says.

“While minor bugs in each individual SDK can often be a standalone issue, when multiple SDKs are implemented within the same app it is likely that even more critical vulnerabilities will not be far off.”

xiaomi antivirus for android

It turns out that before receiving the latest patch, Guard Provider was downloading antivirus signature updates through an unsecured HTTP connection, allowing man-in-the-middle attackers sitting on open WiFi network to intercept your device’s network connection and push malicious updates.

However, the actual attack scenario is not as straightforward as it may sound.

As explained by CheckPoint, researchers successfully achieved remote code execution on the targeted Xiaomi device after exploiting four separate issues in two different SDKs available in the app.

The attack basically leveraged the use of unsecured HTTP connection, a path-traversal vulnerability and lack of digital signature verification while downloading and installing an antivirus update on the device.

“It is completely understandable that users would put their trust in smartphone manufacturers’ preinstalled apps, especially when those apps claim to protect the phone itself,” the firm says.

Check Point reported the issues to the company and confirmed that Xiaomi has now fixed the issues in the latest version of its Guard Provider app.

So, if you own a Xiaomi smartphone you should make sure your security software is up-to-date.

Let’s block ads! (Why?)

Link to original source

Android Q — Google Adds New Mobile Security and Privacy Features

Android Q security and privacy features

Google has recently released the first beta version of Android Q, the next upcoming version of Google’s popular mobile operating system, with a lot of new privacy improvements and other security enhancements.

Android Q, where Q has not yet been named, offers more control over installed apps, their access, and permissions, and location settings; more support for passive authentication like face ID, and warnings when you install a new app targeting Android Marshmallow or older.

Instead of directly going through dozens of different pages Google published about Android Q, here I have summarized all new privacy and security features of the new version of Android you can quickly learn from:

1) Stop Android Apps From Tracking Your Location in the Background

Android Q gives you more control over how an app can use your device location information. Currently, you have a single option to either allow or deny an app access to your device location, doesn’t matter if it is in-use or running in the background.

However, starting from Android Q, you can choose between three options, just like iOS: allowing an app to access location “all the time,” “while in use,” i.e., when the app is in the foreground, or “Deny.”

“The new location control allows users to decide when device location data is provided to an app and prevents an app from getting location data that it may not need,” Google says.

If you are an Android developer and your application requires location data when running in the background, you must declare the new permission in your app’s manifest file.

“Your app’s use case relies on periodic checks of a user’s location all the time, such as geofencing or location sharing. In that case, your app should explain to the user that they need to allow your app to access their location all the time in order to operate correctly, then request access to background location,” Google warns Android developers.

2) New Restrictions On Apps’ Access to Device Identifiers

A) Contacts Affinity — Starting from Android Q, the operating system will no longer keep the track of contacts affinity information, meaning that apps searching for user’s contacts will not be able to do so.

B) Making MAC Address Randomization a Default Feature — Introduced in Android 6.0 Marshmallow, the feature will now come enabled by default with Android Q, preventing app developers, location analytics firms, stores, and others from using MAC addresses to build a history of your device activity.

For those unaware, MAC address randomization works by replacing the number that uniquely identifies your device’s wireless hardware with randomly generated values, preventing your device from being tracked when connected to different Wi-Fi networks.

C) Non-Resettable Device Identifiers — From Android Q, only some apps with the READ_PRIVILEGED_PHONE_STATE privileged permission will be able to access your device’s non-resettable identifiers, such as your phone’s IMEI and serial number.

D) Restricting Access to Clipboard Data — With Android Q, Google also restricted apps from accessing the operating system’s clipboard data. Only apps that are running in the foreground (on screen) or apps that are the default input method editor, or IME (e.g., default keyboard apps) can access the clipboard data.

Android Q Privacy features

E) Removing Access to Device’s Network State — Android Q also removes access to the information about a device’s network state. Apps that require access to this information, like Virtual Private Network (VPN) apps, can refer to the NetworkStatsManager and ConnectivityManager classes.

F) Access to USB serial — Apps running Android Q will only be able to read the serial number of a USB device after users themselves grant permissions to access the USB device or accessory.

3) Background Apps Can’t Start A New Activity Without User Interaction

Android Q also comes with new restrictions, preventing apps from launching activities while in the background without user interaction, keeping users more in control of what’s shown on their screen.

“As long as your app starts activities as a direct result of user interaction, however, your app most likely isn’t affected by this change. In fact, the majority of apps are unaffected by this change,” Google says.

In nearly all cases, Google has now made it mandatory for apps that are in the background to create notifications in order to provide information to users instead of directly starting an activity.

App developers who want user’s attention urgently can create high-priority notifications and provide a full-screen intent.

4) Apps Can’t Change Location and Network Settings

Android Q makes it mandatory for apps to have the ACCESS_FINE_LOCATION permission to use several methods within the Wi-Fi, Wi-Fi Aware, or Bluetooth APIs.

This means now third-party apps will not be able to make changes to your device Wi-Fi (enable or disable); instead apps have to prompt users to enable or disable Wi-Fi in the device settings manually.

To protect user privacy, performing manual configuration of the list of Wi-Fi networks will now be only restricted to system apps.

5) Scoped Storage to Protect Data Stored by One App from Others

Android Q will give each app an isolated storage sandbox into an external storage device so that no other app can directly access data saved by other apps on your device.

That means, apps don’t require any special permissions to save and access their own sandboxed files on external storage. However, if an app needs to access or modify files that other apps have created, it must first request the appropriate permission.

“Because files are private to your app, you no longer need any permissions to access and save your own files within external storage,” Google notes. “This change makes it easier to maintain the privacy of users’ files and helps reduce the number of permissions that your app needs.”

Instead of just making Android Q Beta 1 available for developers, Google has allowed anyone to sign up and install the beta operating system as far as they own Google’s Pixel phones, including the original Pixel, Pixel XL, Pixel 2, Pixel 2 XL, Pixel 3 and Pixel 3 XL.

Android Q is scheduled to be made available to end users sometime in the third quarter of this year, according to the company’s timeline — likely at the end of August.

Let’s block ads! (Why?)

Link to original source

First Android Clipboard Hijacking Crypto Malware Found On Google Play Store

android play store malware

A security researcher has discovered yet another cryptocurrency-stealing malware on the official Google Play Store that was designed to secretly steal bitcoin and cryptocurrency from unwitting users.

The malware, described as a “Clipper,” masqueraded as a legitimate cryptocurrency app and worked by replacing cryptocurrency wallet addresses copied into the Android clipboard with one belonging to attackers, ESET researcher Lukas Stefanko explained in a blog post.

Since cryptocurrency wallet addresses are made up of long strings of characters for security reasons, users usually prefer copying and pasting the wallet addresses using the clipboard over typing them out.

The newly discovered clipper malware, dubbed Android/Clipper.C by ESET, took advantage of this behavior to steal users cryptocurrency.

To do this, attackers first tricked users into installing the malicious app that impersonated a legitimate cryptocurrency service called MetaMask, claiming to let users run Ethereum decentralized apps in their web browsers without having to run a full Ethereum node.

Officially, the legitimate version of MetaMask is only available as a web browser extension for Chrome, Firefox, Opera, or Brave, and is not yet launched on any mobile app stores.

However, Stefanko spotted the malicious MetaMask app on Play Store targeting users who want to use the mobile version of the service by changing their legitimate cryptocurrency wallet address to the hacker’s own address via the clipboard.

[embedded content]

As a result, users who intended to transfer funds into a cryptocurrency wallet of their choice would instead make a deposit into the attacker’s wallet address pasted by the malicious app.

“Several malicious apps have been caught previously on Google Play impersonating MetaMask. However, they merely phished for sensitive information with the goal of accessing the victims’ cryptocurrency funds,” Stefanko said.

“Android Clipper targeted Bitcoin and Ethereum cryptocurrency addresses when being copied in to clipboard and replaced them with the attacker’s wallet address. Once this transaction is sent, it can not be canceled.”

Stefanko spotted the malicious MetaMask app, which he believes was the first Android Trojan Clipper to be discovered on Play Store, shortly after its introduction to the app store on February 1.

Google took down the malicious app almost immediately after being notified by the researcher.

While the bitcoin price has been dropped steadily since hitting its all-time high in December 2017, there is no reduction (in fact rise) in the cryptocurrency scandals, thefts, and scams that continue to plague the industry.

Just last week, The Hacker News reported how customers of the largest Canadian bitcoin exchange QuadrigaCX lost $145 million in cryptocurrency after the sudden death of its owner who was the only one with access to the company’s cold (offline) storage wallets. However, some users and researchers are suggesting the incident could be an exit scam.

Let’s block ads! (Why?)

Link to original source

Google Makes 2 Years of Android Security Updates Mandatory for Device Makers

android security updates oem

When it comes to security updates, Android is a real mess.

Even after Google timely rolls out security patches for its Android platform, a major part of the Android ecosystem remains exposed to hackers because device manufacturers do not deliver patches regularly and on a timely basis to their customers.

To deal with this issue, Google at its I/O Developer Conference May 2018 revealed the company’s plan to update its OEM agreements that would require Android device manufacturers to roll out at least security updates regularly.

Now, a leaked, unverified copy of a new contract between Google and OEMs obtained by The Verge reveals some terms of the agreement that device manufacturers have to comply with or otherwise they have to lose their Google certification for upcoming Android devices.

Google’s New Terms for Android Security Updates

According to the leaked contract, Android OEMs will now be required to regularly roll out security updates for popular devices—launched after January 31st, 2018 and activated by more than 100,000 users—for at least two years.

The Android device makers are mandated to release “at least four security updates” in the first year following a smartphone’s launch, but for the second year, the number of updates is unspecified.

Besides this, the contract also stipulates that the manufacturers must not delay patch updates for security vulnerabilities for more than 90 days.

In other words, the minimum requirement of the contract is a security patch update every quarter.

A Google spokesperson says that the 90-day requirement is “a minimum security hygiene requirement” and that “the majority of the deployed devices for over 200 different Android models from over 30 Android device manufacturers are running a security update from the last 90 days.”

As of now, the authenticity of the new Android partner contract is not verified, but the new changes made by Google will definitely have a massive impact on the overall state of Android security and benefit millions of Android users.

In separate news, Google last week announced its plans to charge a licensing fee to European Android phone manufacturers who want to include the Play Store, Gmail, YouTube, Maps, and Chrome on their Android handsets, that otherwise come free with Android OS.

You can read more about it in our previous article published here.

Let’s block ads! (Why?)

Link to original source