Friday, November 06, 2015

Auto-rooting malware for Android

Three new malware strains infect 20k apps, impossible to wipe, only affect Android
By Daniel Eran Dilger
Thursday, November 05, 2015, 02:40 pm PT (05:40 pm ET)

A new adware scourge injecting itself into popular apps such as Facebook and Twitter is also "virtually impossible to uninstall," requiring infected users to replace their phones. Because it only affects users of Google's open-store Android app model, the device replacement requirement may accelerate the trend of users switching to iOS.

"A new trend for adware and an alarming one at that"

Three new families of "auto-rooting adware," detailed by security researchers at Lookout, are "a worrying development in the Android ecosystem" because each can root the device and install itself as a system application, making the contamination virtually impossible to remove as the infection is designed to survive even a "factory data reset" device wipe.

The group found infections among more than 20,000 popular apps, with many contaminated apps appearing to be legitimate, working titles ranging from Candy Crush to Facebook to Snapchat, WhatsApp, The New York Times and even Google Now.

I could use this article as the basis for a gratuitous swipe at Android and laugh at people who protest Apple's rules that force all installations to go through their App Store, but that would just be rude.

More importantly, please note the following text from the article:

The contaminated apps Lookout found were harvested from Google Play, infected with a payload and then republished on third party app sites enabled by Google's open app model allowing Android users to find and download apps from multiple stores.

In other words, if you get your apps from Google's official Play store, you should (it would seem) be safe from these particularly nasty pieces of malware. But if you're downloading apps from third-party stores, watch out: you may have no way of knowing that what you get has been tampered with. (Strictly speaking, a repackaged APK has to be re-signed with the attacker's key rather than the original developer's, because modifying the package breaks the original signature; but almost no user compares signing certificates before installing.) Ironically, this supports Apple's claim that allowing third-party app stores is inherently dangerous.

Also noteworthy is that this is not (as the word "adware" in the headline might suggest) spread through ads. It is adware in the sense that the payload serves ads, not in the sense that ads are the infection vector: a legitimate app is not going to be compromised by this malware simply as a result of loading ad images. At least not in the current version of this malware.

Finally, a bit of speculation. The article says that the malware installs itself as a system app, so the normal device-wipe procedure doesn't work. That makes sense: a factory reset erases the user-data partition and leaves the system partition alone, which is exactly what lets a system app survive it. I would assume, however, that if you completely wipe and reinstall Android (flashing a stock firmware image over a USB cable, much as some people install unofficial/unsupported operating systems), that should purge the malware. So you shouldn't need to discard the entire phone. Someone who has the tools to completely re-image a phone with the carrier's original bundle (like the carrier's own tech support staff) should be able to recover from this.
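Before writing the phone off (or taking the speculation above on faith), a practitioner would first want to see what is actually sitting in the partitions a factory reset leaves alone. The following is an added example, not code from this post, from the AppleInsider article or from Lookout: it diffs the output of `adb shell pm list packages -f` from the suspect device against the same listing taken from a known-clean device of the same model and build, and flags any package that lives under a system partition on the suspect but is not there on the clean device. The two package listings are constructed for the example, and the set of partition prefixes is an assumption about typical builds of that era.

```python
"""Diff a suspect Android device's package list against a known-clean baseline.

Both inputs are the text printed by `adb shell pm list packages -f`, one
package per line in the form:

    package:/system/app/Foo/Foo.apk=com.example.foo

The clean baseline should come from a device of the same model and build,
so that carrier-preloaded apps (which are legitimately system apps) do not
show up as findings.
"""
import re

# path is everything between "package:" and the last "=" before the name.
LINE_RE = re.compile(r"^package:(?P<path>.+?)=(?P<name>[A-Za-z0-9_.]+)$")

# Partitions a stock factory reset does not reformat. Assumption: this set
# matches typical builds of the period; vendor layouts vary.
SYSTEM_PREFIXES = ("/system/", "/vendor/", "/oem/")


def parse_package_list(text):
    """Return {package_name: apk_path} from `pm list packages -f` output."""
    packages = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised pm output line: {line!r}")
        packages[m.group("name")] = m.group("path")
    return packages


def is_system_path(path):
    """True if the APK lives in a partition that survives a factory reset."""
    return path.startswith(SYSTEM_PREFIXES)


def find_unexpected_system_packages(baseline_text, suspect_text):
    """Return {name: path} for packages that sit in a system partition on the
    suspect device but are not system packages on the clean baseline.

    A package under /data/app is ignored: a factory reset removes it anyway.
    A package that is in the baseline but only as a user app, and on the
    suspect as a system app, is flagged, since something moved it there.
    """
    baseline = parse_package_list(baseline_text)
    suspect = parse_package_list(suspect_text)
    unexpected = {}
    for name, path in suspect.items():
        if not is_system_path(path):
            continue
        base_path = baseline.get(name)
        if base_path is None or not is_system_path(base_path):
            unexpected[name] = path
    return unexpected


# Constructed sample listings (not captured from a real device).
CLEAN_BASELINE = """\
package:/system/app/Browser/Browser.apk=com.android.browser
package:/system/priv-app/GoogleServicesFramework/GoogleServicesFramework.apk=com.google.android.gsf
package:/system/app/YouTube/YouTube.apk=com.google.android.youtube
"""

SUSPECT_DEVICE = """\
package:/system/app/Browser/Browser.apk=com.android.browser
package:/system/priv-app/GoogleServicesFramework/GoogleServicesFramework.apk=com.google.android.gsf
package:/system/app/YouTube/YouTube.apk=com.google.android.youtube
package:/data/app/com.twitter.android-1/base.apk=com.twitter.android
package:/system/app/com.facebook.katana/base.apk=com.facebook.katana
package:/system/priv-app/com.example.adsvc/com.example.adsvc.apk=com.example.adsvc
"""

if __name__ == "__main__":
    for name, path in sorted(find_unexpected_system_packages(CLEAN_BASELINE, SUSPECT_DEVICE).items()):
        print(f"unexpected system package: {name} at {path}")
```

The diff against a same-build baseline is deliberate: a name blocklist ("Facebook should never be a system app") would misfire on carrier images that preload social apps into /system. Two caveats remain. Malware that has already obtained root could in principle hide from the package manager, so an empty result is evidence, not proof; and the `pm` listing only tells you which APKs are where, not whether an APK still carries its developer's signature, which is a separate check.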

iPhones can (as far as I know) be completely re-imaged using the iTunes application on Windows or Mac OS X. This is actually part of Apple's recommended procedures when an iPhone gets messed up to the point where nothing else works. I think Android should provide something with similar capabilities, for just this reason. It may be politically tricky, since each phone's manufacturer/carrier combination is going to have a different image, but there's no technical reason why this can't be done.
