Aggressive virus in Google Play

The aggressive Google Play virus named BadNews hides in pushy ads


Romanian security specialists say BadNews is a successful attempt to plant viruses in the ads that appear in apps

The BadNews virus hides behind aggressive ads that appear in some apps on Google Play. These had been hosting the virus since June 2012, say Romanian security specialists, who collected data through Bitdefender Mobile Security.

After installation on the phone, more recent versions of the BadNews virus sent fake SMS messages, asked users to install other infected apps, or extracted sensitive data such as the device ID and phone number.

The initial version of what has been named Android.Trojan.InfoStealer.AK did not send fake updates like a more recently discovered version, but it could be a first attempt to test a virus delivery system capable of getting past Google Play's scanning processes.

"BadNews is an example showing that aggressive ads embedded in apps can later download viruses, so besides the confidential information they collect about the user, they can also cause serious financial losses. App developers should be much more careful about the behavior of the ads they accept in their apps. Although these are on the edge of legitimacy because they gather large amounts of data about users for unclear purposes, loading them with viruses has downright painful effects. Also, the process of scanning apps on Google Play should be much more complex," says Catalin Cosoi, Chief Security Strategist, Bitdefender.

Although the virus has been repeatedly reported in China, it has also appeared in countries such as Russia, Germany and Myanmar. Bitdefender identified three new apps - ru.yoya.anekdot, com.hellow.world and zh.studio - which join 32 others known to carry the virus.

In total, the 35 apps were downloaded millions of times from Google Play.

Bitdefender recommends that users install a mobile security solution that detects both viruses and apps containing aggressive ads that may pose a security risk.


The family of Android malware that slipped past security defenses and infiltrated Google Play is more widespread than previously thought. New evidence shows it was folded into three additional apps and has been operating for at least 10 months, according to security researchers.

BadNews, as the malicious ad network library is called, has been included in at least 35 different apps that were available on Google servers for download, researchers from antivirus provider Bitdefender said Monday. As Ars reported last week, figures provided by Google showed they had been downloaded anywhere from two million to nine million times. Although Google had removed 32 apps as of Friday, company security personnel didn't remove the additional three apps until they were flagged this weekend by Bitdefender. Apps that contain the BadNews code upload phone numbers, unique device identifiers, and other data from infected phones and then present end users with prompts to download and install fake updates for legitimate applications such as Skype.

The Bitdefender report came as researchers from security firm Fortinet reported the deactivation of a Google Play developer account that was also pushing a suspicious app.

It's unclear why Google employees removed the additional apps only after Bitdefender discovered them. It's possible that the code uses polymorphism to keep from displaying tell-tale signatures that could be caught by Bouncer, the cloud-based scanning service Google unveiled last year. A more depressing possibility is that the company didn't run a new set of scans on its existing base of offerings after receiving last week's report. Google representatives declined to comment on the record about the Bitdefender report.

"We've been saying for a while that there's aggressive adware that collects your data, collects all kinds of stuff on you, but now you can actually bypass Google security by using the custom-made adware framework," Bitdefender researcher Liviu Arsene told Ars. "As long as I convince enough developers to use my adware framework, I can push any type of content I want through that framework."

Among the malicious apps promoted by BadNews is AlphaSMS, a trojan that racks up charges by sending text messages to pricey services. Arsene said the malicious BadNews code library used to push such apps has been in existence since at least June 2012, although some of the apps that included it didn't initially display the fake update notifications.

"Although it didn't feature the push notification telling users to install fake updates—like the Skype update, for instance—it did have the function built into it," he explained. "It was kind of like someone was testing it but they didn't actually go along and have the malware. Somebody was testing the adware framework before it actually went and disseminated malware."

The revelation that some of the malicious functionality was never activated means that some users infected by BadNews may never have noticed anything awry. Even after a malicious update is displayed on an infected device, the user must specifically choose to download and install it and must have configured the phone to install apps from third-party sources. Still, while many Android users in the US rely solely on Google Play, third-party sources are much more popular in China and other countries. Ultimately, there's no independent way to know just how many end users may have fallen for the ruse.

The takeaway for Android users is to consider running a smartphone antivirus app. The Bitdefender product has been detecting BadNews code since June 2012 as Android.Trojan.InfoStealer.AK, Arsene said. Apps from other AV providers, including Lookout Mobile Security, also detect the BadNews apps. Users should think long and hard before allowing their devices to install apps from sources other than Google Play. The fact that the service has been hosting malicious titles for almost a year suggests this protection is by no means ironclad. Still, it can add an important layer of defense even when malicious apps do sneak past Google defenses.

