
Google’s Play Store is not the safe environment it should be. Anyone with even a passing interest in mobile device security will have seen countless stories disclosing the scale of threats facing device users, as malicious apps have bypassed security systems to access the official marketplace and trick users into installing threats. Now, at long last, Google has admitted the scale of the problem.
“The Android ecosystem,” the U.S. tech giant says, “is thriving with over 2.5 billion devices, but this popularity also makes it an attractive target for abuse.” Google has proposed a fix to “quickly find potentially harmful applications and stop them from being published—reducing the risk of app-based malware, identifying new threats, and protecting our users.” Unsurprisingly, not everyone is convinced it will work.
It isn’t just an Android issue, of course. “Where there is software with worldwide proliferation,” Google points out, “there are bad actors trying to attack it for their gain.” But in the mobile world Android is more exposed than any other platform: the sheer scale of the install base, the fragmented manufacturer ecosystem and the difficulty of pushing universal patches all work against it. Apple’s competing iOS platform is not immune to malware sneaking into its own App Store, but it is much rarer there and has not become the endemic issue that Google now faces.
The sad truth is that Android users are being put at risk by thousands of apps which hide viruses, scams and frauds, and which have managed to evade the store’s detection technologies. “In the past year,” Sophos said in its 2020 Threat Report, “we've observed a growing variety and variability of the types of mobile attacks criminals use to target smartphone owners.” The biggest concern, the report explains, is malicious software, “primarily (though not exclusively) on the Android platform.”
The majority of this malware is adware or some form of billing fraud. Adware mostly arrives as an add-on module to a vacuous free app, running endless ads or generating ghost clicks, all of which drive fraudulent revenue at the expense of advertisers. Billing fraud covers signing users up to services without their knowledge, running up bills through premium-rate text or phone numbers, and “fleeceware,” where a short trial period gives way to heavy monthly fees. The more aggressive varieties of malware (SIM-jacking, credential scraping, eavesdropping, device takeovers) are much less prevalent but still infect high volumes of devices.
So how widespread an issue has this all become?
Already this month, I have reported on Android antivirus apps that seek permission to access phone data and functionality, with 1.6 billion downloads between them. I have reported on “dropper” apps that create backdoors to install malicious software on infected devices. And I have reported on a vulnerability (now patched) that enables bad actors to target contactless NFC technology. Last month, I reported on multiple Android malware stories. The month before, exactly the same.
“Consumers are labouring under a false sense of security with the app stores,” BlackBerry’s Brian Robison told me last month. “I don’t trust apps,” he said, “period.”
Google’s grand plan is its new App Defense Alliance. The initiative is a collaboration between Google and security researchers at ESET, Lookout, and Zimperium. These “hand picked” partners, with a strong track record in hunting out malware, will be given a direct link to Google’s Play Protect—which scans apps before granting access to the store. “Working closely with our industry partners,” Google says, “gives us an opportunity to collaborate with some truly talented researchers... This will generate new app risk intelligence, as apps are being queued to publish. Partners will analyse that dataset and act as another, vital set of eyes prior to an app going live.”
“Google has a reputation and public trust issue,” renowned security guru Ian Thornton-Trump tells me. “The Play Store is a mess of malware infected applications, which in some cases have been downloaded hundreds of thousands of times. Putting malware aside, the other issue which needs addressing is excessive app permissions. Installing some lame app should not hoover up all the data, contacts and pictures on a phone— if it does without a good reason, then that app should be banned as well.”
Lukas Stefanko, a successful malware hunter who is part of the ESET team partnering with Google, tells me they were selected because of their success in “identifying malicious apps on the Play Store—we believe that our cooperation will definitely help reduce the risk of downloading malicious apps by any Android user from Google Play in the future.” Turning to the researchers who have been on the other side of the fence is a smart move by Google. Stefanko publishes reports on the volume of malicious apps on the store. “In September,” he disclosed in a blogpost, “there were 172 harmful apps with 335 million installs found on the Play Store.”
The other benefit of this outsourced approach is that Google gains broader detection coverage just as threat actors become more adept at hiding bad code. “Some app makers,” Sophos explains, “have devised ingenious methods to conceal their apps' true intent from scrutiny by Google (or by security researchers).” Google’s answer is to spread the load. “Like Google Play Protect,” it says, “our partners use a combination of machine learning and static/dynamic analysis to detect abusive behaviour. Multiple heuristic engines working in concert will increase our efficiency in identifying potentially harmful apps.”
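To make the “multiple heuristic engines working in concert” idea concrete, and to show what a check for the excessive permissions Thornton-Trump complains about might look like, here is a small added example in Python. It is not Google’s or Play Protect’s code, nor any partner’s: the permission weights, the category profile, the score thresholds and the two AndroidManifest.xml snippets are all constructed for illustration. Each engine is a separate static check over the manifest, and the verdict comes from combining them.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A_NAME = "{%s}name" % ANDROID_NS
A_PRIORITY = "{%s}priority" % ANDROID_NS

# Hypothetical weights for permissions that map onto the fraud types in the
# article (SMS billing, contact harvesting, dropper installs); not Google's list.
HIGH_RISK = {
    "android.permission.SEND_SMS": 3,
    "android.permission.RECEIVE_SMS": 2,
    "android.permission.READ_SMS": 2,
    "android.permission.READ_CONTACTS": 2,
    "android.permission.REQUEST_INSTALL_PACKAGES": 2,
}

# Hypothetical profile of what an app of this kind plausibly needs.
CATEGORY_PROFILE = {
    "flashlight": {"android.permission.CAMERA", "android.permission.FLASHLIGHT"},
}

# Constructed manifest (not a real app): a "flashlight" that wants SMS, contacts
# and the right to install packages, plus a high-priority SMS receiver so it can
# see confirmation texts before the user does.
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Super Flashlight">
    <receiver android:name=".SmsReceiver">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed benign counterpart: a flashlight that asks only for the camera.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.torch">
  <uses-permission android:name="android.permission.CAMERA"/>
  <application android:label="Torch"/>
</manifest>"""

def parse_manifest(xml_text):
    # Extract only the facts the engines below need.
    root = ET.fromstring(xml_text)
    perms = {e.get(A_NAME) for e in root.iter("uses-permission")}
    sms_priorities = []
    for filt in root.iter("intent-filter"):
        actions = {a.get(A_NAME) for a in filt.iter("action")}
        if "android.provider.Telephony.SMS_RECEIVED" in actions:
            sms_priorities.append(int(filt.get(A_PRIORITY, "0")))
    return {"package": root.get("package"), "permissions": perms,
            "sms_priorities": sms_priorities}

# Each engine is independent and returns (engine, detail, weight) findings;
# combining them is the "multiple engines working in concert" idea.
def engine_high_risk(info, category):
    return [("high-risk-permission", p, w)
            for p, w in HIGH_RISK.items() if p in info["permissions"]]

def engine_category_mismatch(info, category):
    # Permissions the app's stated purpose cannot justify (INTERNET is so
    # universal that it is not counted as a mismatch).
    expected = CATEGORY_PROFILE.get(category, set()) | {"android.permission.INTERNET"}
    return [("category-mismatch", p, 1) for p in sorted(info["permissions"] - expected)]

def engine_sms_intercept(info, category):
    # RECEIVE_SMS plus a high-priority SMS_RECEIVED receiver is the classic
    # shape of premium-SMS / subscription fraud.
    if ("android.permission.RECEIVE_SMS" in info["permissions"]
            and any(p >= 500 for p in info["sms_priorities"])):
        return [("sms-intercept", "high-priority SMS_RECEIVED receiver", 5)]
    return []

def engine_dropper(info, category):
    # Network access plus the right to install packages: the app can fetch and
    # install a second-stage payload after it has passed review.
    needed = {"android.permission.REQUEST_INSTALL_PACKAGES", "android.permission.INTERNET"}
    if needed <= info["permissions"]:
        return [("dropper-shape", "INTERNET + REQUEST_INSTALL_PACKAGES", 4)]
    return []

ENGINES = [engine_high_risk, engine_category_mismatch, engine_sms_intercept, engine_dropper]

def assess(xml_text, category):
    # Run every engine, sum the weights, map the total to a verdict.
    info = parse_manifest(xml_text)
    findings = [f for engine in ENGINES for f in engine(info, category)]
    score = sum(w for _, _, w in findings)
    verdict = "block" if score >= 10 else "review" if score >= 4 else "allow"
    return score, verdict, findings
```

`assess(SUSPICIOUS_MANIFEST, "flashlight")` scores 22 and returns `block`, with all four engines contributing; `assess(BENIGN_MANIFEST, "flashlight")` scores 0 and returns `allow`. The weights are arbitrary; the point is the shape. A single engine is easy to evade (drop one permission, lower the receiver priority), which is why a store pipeline layers several and why manifest-only checks like these have to be paired with dynamic analysis: the “ingenious methods to conceal” that Sophos describes typically mean the malicious code is downloaded or decrypted only after the app is installed, and never appears in anything a static pass can read.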
So let’s step back from the detail. “This is a move in the right direction,” ethical hacker and infosec blogger John Opdenakker tells me, but is it doing enough or a case of too little, too late? “I think it took Google really long to undertake action,” he says. “But hopefully Android users will finally get the security they might expect from an official app store.” His fellow security researcher Sean Wright echoes the sentiment. “While I think it’s great the partnership is happening, my question is why is Google not tackling this issue themselves? It’s not like they don’t have the resources to do so.”
“What we’re maybe seeing,” Thornton-Trump explains, “is a realisation that the cyber threat has got to the point where malware defences are required no matter what platform you are running. Something security professionals have known for a very long time, now beginning to be understood by the wider public who have been victimised by cyber criminals no matter what platform they chose.”
An unspoken presence through this debate is Apple. For years, the Cupertino giant heralded the security credentials of its platforms. And while some of that gloss has fallen away, it is still seen as the safer and more secure choice between the two platforms. “The idea of leveraging partnerships seems like a smart way to get ahead quickly,” infosec strategist Charl van der Walt tells me. “Whether it’s ‘enough,’ only time will tell. Even Apple has fallen short with its walled garden in recent times, which just goes to show that this is a complex problem that’s still far from solved. The timing of Apple’s recent security blunders may even have robbed them of the moral high ground in security, giving Google the impetus to act now.”
Beyond the sheer scale of its malware issue, Google struggles to push patches and updates to its fragmented install base—on this note Apple also wins out. “Data shows clearly that patches take too long to filter down to the device,” van der Walt warns, “and many devices aren’t being patched for months or at all.” But this is not the crux of the issue, it’s a side show. “The most pressing problem for Android security, for most end users, has been the issue of malicious apps in the Play Store. Google has been remiss in not addressing it more forcefully a long time ago.”
“While initiatives like the one just announced by Google are extremely important,” Sophos warns, “some app makers have devised ingenious methods to conceal their apps' true intent from scrutiny by Google. Coupled with a fragmented ecosystem on the Android side, in which a large number of device manufacturers infrequently offer critical operating system updates... Sophos believes that smartphones and tablets will remain a target-rich environment for a broad range of attacks in the coming year.”
And so, the advice I always offer at the end of these articles remains the same. Proceed with caution when it comes to installing apps on your smartphones. Free apps are free for a reason: if you’re not openly paying for an app, you will likely end up paying for it some other way. The fact that an app is on an official app store is no guarantee of security any more than it’s a guarantee of quality. But if you apply some common sense and ensure your device is always updated with the latest security patches, you will be doing more than 90% of the other device owners out there.
Android - Android - Google News
November 10, 2019 at 09:14PM
https://ift.tt/2Q4SvcY
Google Confirms Play Store Security Threat: Here’s The Fix—But Does It Make You Safer? - Forbes