I just took a look at Aptoide. Why does everything have some sort of coin associated with it?
Does anybody else just close the tab as soon as they see any mention of Bitcoin etc?
I have auto-update turned on, yet I just discovered CamScanner was apparently stuck on an unsafe version from July. Now CamScanner seems to be removed from the play store, yet I had to remove the app manually. Play Protect still thought everything was fine. I have a Google Pixel running stock firmware. I guess it's time for a factory reset.
I had the paid version installed with auto update and I didn't receive any warning via PlayProtect.
Kaspersky blog mentioned that the malware was part of the advertising module; so I assumed it gets activated only on the free version, so I manually scanned using PlayProtect in a mobile with free CamScanner installed.
Since both of the instances I've mentioned have auto update, it's likely they were >July 30. But Kaspersky did mention that the latest version was indeed affected.
It certainly flags PhoneGap Build apps without a signing certificate. So at least you know that the malicious parties have paid some money to get a cert!
> Has anyone ever got any app flagged by PlayProtect?
Yes, it started flagging all the apps my company distributes internally for testing purposes. Getting it to stop seemed impractical, so my company's guidance is now to disable Play Protect on any test device.
That is, and for many always has been, an issue. Adverts help pay for content, be that a game or a website; people literally make a living that way, so it has become a bit of a de facto approach.
But when you are tied to including some code that goes off to a site you have no or very little control over, you are outsourcing part of your company (web or app) into the hands of another and, if they mess up, you are the one that takes all the PR flak.
After all, if somebody slips an exploit into an AD hosted on a 3rd party site and offered up by a reputable AD serving company, whilst the blame and fault may clearly lie with the AD serving company for not screening what they offer, you are the one that consumers, and as it also transpires the media, blame. As we all know, corrections and retractions are always less viewed and eyeballed than the initial drama article based upon a small-picture view of the issue/drama, instead of the root cause. Even with the best, most respected media sites in the world, such retractions/corrections never get the same attention as the initial article of drama and doom.
That is one problem that, even today, still prevails: media does an article with the finger pointing in one direction, and the truth, even when it comes out and the article is updated, never tracks as well as the initial finger pointing. It is very much the old saying of "if enough mud is slung, some will stick".
{EDIT spelling and below}
With that all said, ad-blocking by the likes of https://pi-hole.net/ is more than just avoiding AD's, it's about privacy and more and more so - security.
(sorry to be picky about an irrelevance but this one grates on me. "Ad" is an abbreviation not an acronym or initialisation - so no need to capitalize it as "AD". Same for "app" over "APP". Makes things hard to read for me as it sounds like someone shouting occasional words in an otherwise normal sentence!)
Yes, and I can't think of one single developer who has had to include AD's ever scrutinising the code they are offered (though I'd bet that they are out there and hopefully comment back), let alone being able to change it due to the terms such AD requirements impose.
Maybe Google et al. need to make sure APP's have an even more granular control of permissions, in that you can separate the APP from the 3rd party AD's. That would only help more, but alas I suspect that may never happen, as that would make AD control much more accessible at a level that goes against their revenue stream.
So what exactly did this malware do most of the time?
In the original Kaspersky report it says "For example, an app with this malicious code may show intrusive ads and sign users up for paid subscriptions.".
So how/did it sign up users for paid subscriptions without user interaction? Does android allow something like that? Aren't all apps sandboxed?
In general how is the android sandboxing and permission system nowadays? I'm considering switching back to it from iOS, but reports like this are kinda discouraging.
This. As an iOS user / developer who isn't too familiar with Android, I also don't get it. Either these reports are lacking, and there is in fact a vulnerability being exploited down the line, or Android is completely broken. I find it odd that this important detail is being ignored in the reports/discussion.
> So how/did it sign up users for paid subscriptions without user interaction? Does android allow something like that? Aren't all apps sandboxed?
This sandbox isn't a VM per se, in that the apps can view and interact with other apps via various API interfaces, sometimes with devastating consequences (like apps with storage permission scraping location information from EXIF, or apps with SMS permission scraping the inbox for your financial transactions).
> In general how is the android sandboxing and permission system nowadays?
There's a lot of confusion and most users simply grant all access. Ask-on-first-use doesn't really help with privacy, at all. iOS, I think, has it better: grant permission only when the app is in the foreground.
That said, I am working on an app that'd help revoke and grant permissions automatically to apps depending on whether they're in the foreground or background; firewall apps from the internet; block trackers. This isn't something you can't do on Android today. And if you choose to root your device, there are apps like AFWall+, Privacy Guard (on LineageOS), XPrivacyLua (with Xposed), NoRoot Firewall and NetGuard that are excellent offerings but sometimes feel like they're built for the power user.
I don't know this particular case, but "malware" seems to be used to describe "adware" these days by some blogs to generate more clicks.
Android is just as secure/insecure as iOS. Some recent "malware" campaigns targeted both platforms, but in general Apple silently removes them while Android gets scrutinized to death.
Edit: to answer your questions, these apps still operate within the limits of the sandbox. Which is maybe a reason the term "malware" should not be used.
This is clearly not the case. Not only is Android’s permission system more permissive, most Android phones don’t get updates as frequently and definitely not as far long as iOS.
In modern Android phones, the core system is updated once a month [if needed, which is often the case during the first year]. Android applications (including things like mail and browser) and a large part of the OS are updated immediately via the store.
The permission system is being updated and apps are being rejected for bad use of permissions (check Reddit for the SMS permission stories).
> most Android phones don’t get updates as frequently and definitely not as far long as iOS.
This is irrelevant. Most phones period don't get updates frequently. Does that mean you shouldn't buy any phone? No, you should buy a phone that does get updated, and there are plenty of Android options.
> How many Android devices get support that far back?
Also irrelevant. Most people don't use phones that old. If they upgrade devices on a normal schedule, there are plenty of Android devices that will get updated during that time. Even better, their system apps will also get updated at an even higher frequency during that time transparently, while iOS users have to wait for an OS update and reboot their devices. This is an issue with highly vulnerable apps like iMessage and Safari.
> Also irrelevant. Most people don't use phones that old.
There is a vibrant official second hand market for iPhones where people sell their phones and the hand me down market. It really helps when you can still use an older device with the newest operating system. Anecdotally, my son is still using my circa 2015 iPhone 6s with the latest OS. According to many benchmarks, it was faster than high end Android phones up until 2018 and is still faster than mid tier Android phones.
> Even better, their system apps will also get updated at an even higher frequency during that time transparently, while iOS users have to wait for an OS update and reboot their devices. This is an issue with highly vulnerable apps like iMessage and Safari.
Well, fortunately we have statistics about how many iOS users are running the latest OS compared to Android users, from the respective companies. We know that your conjecture is probably false.
> There is a vibrant official second hand market for iPhones where people sell their phones and the hand me down market.
Irrelevant. I'm not buying from the second hand market. If you want to push that benefit, push it on somebody who will.
> We know that your conjecture is probably false.
We know I'm right. It takes weeks for iOS users to update their phones if iMessage or Safari has an update. On Android, the SMS and browser apps updates automatically without the user noticing. For the phones that receive system updates, the statistics show they update just as quickly on Android as on iOS. For users who upgrade devices frequently like me, these Android devices are strictly better than iOS devices in security.
> I had to rely on information I could find on the internet....
Which is? I pointed out why it is that these new Android devices are better from a security update perspective than iOS devices. Your response is to point to non-existent statistics. No amount of wishful thinking is going to make statistics appear that violate common sense.
> It might come as a surprise, but the world doesn’t revolve around you and this is a general discussion forum...
Users who don't upgrade phones frequently have no good options. Users who upgrade frequently have Android devices that fit the bill. I don't consider iOS's security updates reasonable, as I have already explained.
> Irrelevant. I'm not buying from the second hand market. If you want to push that benefit, push it on somebody who will.
Because you upgrade frequently
> Users who don't upgrade phones frequently have no good options. Users who upgrade frequently have Android devices that fit the bill. I don't consider iOS's security updates reasonable, as I have already explained.
Well, your “explanation” that iOS security is not acceptable because you have to reboot, compared to not getting a full update at all, is laughable.
I already pointed out why lumping all Android devices together is nonsensical in my very first comment. The rest of your points crumble after you remove this nonsensical foundation.
Right, because every part of the OS consists of the apps. First you said that there weren’t any statistics, and now that I post statistics from Google they are “nonsensical”.
Do you have any more reliable numbers or just more conjecture?
Because in your world, it is more secure to not be able to update the entire OS than to have to do a reboot.....
> now that I post statistics from Google they are “nonsensical”.
Your statistics are for a nonsensical metric as I have repeatedly pointed out. The correct statistic is how quickly Android devices that are known to get updates get updates because those are the only devices that anybody who cares about security updates should buy.
> Because in your world, it is more secure to not be able to update the entire OS than to have to do a reboot.....
Once again, you are completely ignoring the point. It is more secure to have a device that updates the base system quickly and updates the apps instantly without the user noticing. There are devices that do that, and there are devices that don't. The devices that don't are so inferior to the devices that do that they shouldn't be used.
Do I need to draw a Venn diagram for you, or do you finally understand?
> The correct statistic is how quickly Android devices that are known to get updates get updates because those are the only devices that anybody who cares about security updates should buy.
So that’s “the correct statistic” as long as you ignore the literally billion Android phones that don’t get updates compared to the 0% of iPhones that were introduced since 2011 that haven’t gotten an update in the last 3 months.
In other news, everyone in the US is rich as long as you ignore all of the poor people....
> It is more secure to have a device that updates the base system quickly and updates the apps instantly without the user noticing.
So the “base system” consists of applications* not the underlying operating system....
In 30+ years of being in the computer industry professionally and as a hobbyist, I’ve never heard anyone consider applications as the “base system”.
> It is more secure to have a device that updates the base system quickly and updates the apps instantly without the user noticing. There are devices that do that, and there are devices that don't. The devices that don't are so inferior to the devices that do that they shouldn't be used.
So the vast majority of Android phones shouldn’t be used and none should be used considering the average amount of time people are keeping their phones is longer than the time that any manufacturer is supporting them?
So 90%+ of all Android phones “shouldn’t be used” even if you’re charitable and ignore the phones that only get updated for a couple of years....
Btw, to get a clue about how an ecosystem should work where one company is responsible for the operating system and other companies sell the hardware, look no further than Microsoft. Not only is one of my computers that is used as a Plex server over 10 years old and still running the latest version of Windows (a Dell Core 2 Duo circa 2009), my mom is still using my old Mac Mini circa 2006 running a supported version of Windows 7.
> So that’s “the correct statistic” as long as you ignore the literally billion Android phones that don’t get updates compared to the 0% of iPhones that were introduced since 2011 that haven’t gotten an update in the last 3 months
How many times do I have to repeat that it doesn't make sense to group all Android devices together just like it doesn't make any sense to group all phones together?
> So 90%+ of all Android phones “shouldn’t be used”
Yes! That's what I've been trying to tell you! 90% of Android phones shouldn't be used, and 100% of iOS phones shouldn't be used. How is it that you still do not understand this?
> So the “base system” consists of applications* not the underlying operating system....
That explains it. I specifically separated base system, which gets updated quickly with reboots, from applications, which get updated transparently without reboots, and through some incredibly poor reading comprehension, you understood this as saying both are the same.
Yes! That's what I've been trying to tell you! 90% of Android phones shouldn't be used, and 100% of iOS phones shouldn't be used. How is it that you still do not understand this?
So no personal computer should ever be used since you have to reboot to receive security patches. But I guess in that case even Windows 95 was secure since you could update applications without rebooting....
> So no personal computer should ever be used since you have to reboot to receive security patches.
Nope. Try reading my comments again. The base system has to be rebooted when receiving updates. Personal computers, just like Android devices, do not need to reboot when updating the web browser or a messaging app. iOS is so poorly architected that it cannot do this.
Ironically this is right next to "Google just deleted my nearly 10-year-old free and open-source Android app" on the front page. False negatives and false positives.
IOW, Google is clearly failing to keep up and accurately monitor its Play Store.
It is not an easy job to do even at small scales, and their scale is massive. But, it is the job they signed up for, and they need to properly provide resources for it (and it isn't like Google or Apple are short of resources).
I've been using this app for years and also telling other people to use it, so this sucks.
If anyone else is looking for a replacement there's a Microsoft app called "Office Lens" that seems to do a really nice job and is as safe a bet as anything.
I was about to write something cocky like "I thought facebook had more installs than that" since the title didn't name the malware app.
But damn, I'm (sort of) affected. I've had the paid version of CamScanner for years before the alternative existed. Apparently the paid version isn't affected, but it's still gone from my phone.
I had been using it until a FLOSS alternative showed up (Open Note Scanner). It was very annoying in terms of ads, but I'm surprised that it has some kind of malware inside.
I use Genius Scan on my iPhone to scan documents that I need to archive (I think it's also available for Android).
In addition to automatic cropping it fixes any distortions so the documents look as if they had been scanned with a flatbed scanner. It works really well for my purpose.
(I have no affiliation with them, just love the app)
This seems like such a common occurrence, not only with android apps but anything with auto updates. It seems like the only solution right now is to purely limit yourself to apps from f-droid. Not necessarily because open source is resistant to this, but because no spammer would bother attacking such a small group.
A non-perfect solution of mine: update only Android apps where an update actually makes sense, or where the author is Google. There is no reason my simple calculator app should get an update every few weeks (since nothing visibly changed in it for the last X years), or LinkedIn having almost weekly updates.
That's not accurate, really. 100M+ users didn't install the thing overnight--they've downloaded it over the course of years. If they had it installed, and they had automatic updates turned on (which most people do), there was a several month window when they had a version of the app that contained malware, even if it was eventually removed.
If you add the Notes shortcut to your Control Center, you can hard-press on it and tap Scan Document to very quickly be able to scan a document. It does a really good job too!
For the past few days I've been seeing spam events in my calendar about "free iPhones" and "webcam girls". I couldn't figure out where they were coming from. I have CamScanner installed, so presumably that's the source...
Now, I can remove CamScanner (which is a shame, it's a really good app), but how can I ensure the trojan is also removed?
I tried the Avast AntiVirus app, but it didn't find anything.
I got hit by this exact one(free iphone X) recently, and couldn't find anything in my email.
Surely, that kind of email would just look like spam, so isn't the correct solution for google to just not auto-add calendar events if their source email is spam?
Yep, my wife got exactly the same thing. Apparently those entries will appear in your calendar even if the email was sent to spam. You have to configure gmail to not automatically add the entries.
No, it wasn't that - I had the auto invite setting turned off already, and I didn't have any emails that matched the calendar entries.
I was fairly sure it must be malware, but I had no idea how to find out which app it was. I tried Avast AntiVirus, but it found nothing. After finding out about CamScanner I tried Kaspersky AV, which did flag CamScanner as malware.
I think it would have to exploit a vulnerability in Android’s sandboxing mechanism (not hard considering how many people can’t or don’t update) to be able to become separate from its parent application. Win32 doesn’t do any kind of app sandboxing at all.
AVs for Android are themselves a privacy nightmare. You need to grant them all sorts of permissions, and their privacy policies oftentimes leave a lot to be desired. That said, Malwarebytes is decent, and so are some other offerings, but I wouldn't recommend using any.
Here are basic steps you can follow:
1. Uninstall apps you don't use.
2. Firewall apps that do not require internet access to function (Calculator, CamScanner, Alarm Clock etc)
3. Block trackers and ads (use pi-hole and set private-dns).
4. Remove permissions from apps that do not really require the permission (Bank apps with all sorts of permissions).
5. Disable notification for apps that do not really need to notify you of anything at all (most games).
6. Install apps you're not comfortable using in work-profile, or in a privacy friendly app-sandbox (parallel-space started as one, but alas, aren't privacy-friendly anymore).
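Step 4 above is tedious to do by hand across a phone full of apps. The following is an added example, not code from the thread or from any of the tools it names: it parses the `runtime permissions:` block that `adb shell dumpsys package <pkg>` prints, compares each app's granted runtime permissions against a hand-written list of what that app actually needs, and prints the `pm revoke` commands that strip the rest. The dumpsys excerpt is constructed to match the shape of the real output (field order and flag names vary by Android release, so the parser keys only on the permission name and `granted=true`); the package names and permission sets are hypothetical.

```python
"""Audit granted runtime permissions from dumpsys output and emit pm revoke commands.

Added example (not from the thread). The dumpsys text below is constructed;
the package names and the NEEDED allowlist are hypothetical.
"""
import re

# Header of each package block in `dumpsys package` output, e.g.
#   Package [com.example.docscanner] (1a2b3c4):
PKG_RE = re.compile(r"^\s*Package \[([\w.]+)\]", re.M)
# A granted runtime permission line, e.g.
#   android.permission.READ_SMS: granted=true, flags=[ USER_SET]
GRANT_RE = re.compile(r"^\s+(android\.permission\.\w+): granted=true", re.M)


def parse_dumpsys(dump: str) -> dict:
    """Return {package: set(granted runtime permissions)} for each package block.

    Only the section after `runtime permissions:` is read, so install-time
    permissions such as INTERNET (which pm revoke cannot touch) are ignored."""
    result = {}
    parts = PKG_RE.split(dump)          # [preamble, pkg, body, pkg, body, ...]
    for i in range(1, len(parts), 2):
        pkg, body = parts[i], parts[i + 1]
        sections = body.split("runtime permissions:", 1)
        granted = set(GRANT_RE.findall(sections[1])) if len(sections) == 2 else set()
        result[pkg] = granted
    return result


def revoke_commands(dump: str, needed: dict) -> list:
    """Commands to strip every granted runtime permission not in needed[pkg].

    Packages absent from `needed` are left alone: decide per app, don't guess."""
    cmds = []
    for pkg, granted in parse_dumpsys(dump).items():
        if pkg not in needed:
            continue
        for perm in sorted(granted - set(needed[pkg])):
            cmds.append(f"adb shell pm revoke {pkg} {perm}")
    return cmds


# Constructed sample, shaped like real `dumpsys package` output.
SAMPLE_DUMP = """\
Packages:
  Package [com.example.docscanner] (1a2b3c4):
    userId=10123
    requested permissions:
      android.permission.INTERNET
      android.permission.CAMERA
    install permissions:
      android.permission.INTERNET: granted=true
    User 0: ceDataInode=1234 installed=true hidden=false
      runtime permissions:
        android.permission.CAMERA: granted=true, flags=[ USER_SET|USER_SENSITIVE_WHEN_GRANTED]
        android.permission.WRITE_EXTERNAL_STORAGE: granted=true, flags=[ USER_SET]
        android.permission.ACCESS_FINE_LOCATION: granted=true, flags=[ USER_SET]
        android.permission.READ_PHONE_STATE: granted=true, flags=[ USER_SET]
        android.permission.READ_CONTACTS: granted=false, flags=[ USER_SET|USER_FIXED]
  Package [com.example.bank] (5d6e7f8):
    User 0: ceDataInode=5678 installed=true hidden=false
      runtime permissions:
        android.permission.READ_SMS: granted=true, flags=[ USER_SET]
        android.permission.CAMERA: granted=true, flags=[ USER_SET]
"""

# What each app legitimately needs. A document scanner needs the camera and
# somewhere to write PDFs, nothing else. (Hypothetical package names.)
NEEDED = {
    "com.example.docscanner": {"android.permission.CAMERA",
                               "android.permission.WRITE_EXTERNAL_STORAGE"},
    "com.example.bank": {"android.permission.CAMERA"},  # cheque / QR scanning
}

if __name__ == "__main__":
    for cmd in revoke_commands(SAMPLE_DUMP, NEEDED):
        print(cmd)
```

Run `adb shell dumpsys package <pkg>` for each package you care about, feed the concatenated output to `revoke_commands`, review the printed lines and paste them back. Revoking a runtime permission kills the app's process, and the app may simply ask again on next launch, which is the gap the foreground-only approach mentioned earlier in the thread tries to close; this script only gives you a one-shot, reviewable baseline.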
Most antivirus software on Android is more like malware itself. You’re better off only using applications from F-Droid, very carefully vetting everything yourself, or not using Android. The Android security model is getting better, but it’s still really broken compared to anything on iOS.
Does anyone have information on affected and unaffected version numbers? I have a version of this installed, but it's an old one, and may not have updated to the malware one because I disabled automatic updates. (Specifically because I was afraid of this, in fact.)
I don't think that list is accurate. I installed CamScanner on Aug. 23, got a text about apparently being signed up for a $5/month service called GameZone at about 4:30 am on Aug. 24, and factory reset my phone the afternoon of Aug. 24 after an investigation. CamScanner was the only app I installed recently, and I saw other discussion connecting GameZone to the app. I'd say CamScanner was responsible with about 90% confidence.
In addition to factory resetting my phone, I've changed account passwords for all accounts I used on my phone, rotated every entry in my TOTP app, and logged out of all other active sessions on quite a few different services.
Any speculation why they would only leave in the malicious code for about a month? Changed their mind? Done without full knowledge? Achieved some high value heist and rolled it back?
An update to an ad library is what caused the malicious code in the first place. Presumably either the infected library was updated again or the developers switched libraries.
The developers behind this app did not add any malicious code they wrote themselves. The attack either came from the ad library or the ad library was hacked.
If it's the case that it was accidental I feel bad that the app was pulled rather than only vulnerable versions forced off. Although I suppose it would be hard to find assurances that it won't happen again.
Yes. There's a Reddit thread with the version information. I'll see if I can find it later when I'm off work but it made the front page so you could probably search it out fairly easily.
Rather than disappear it from the Store entirely, it would be nice if Google could leave a placeholder with a warning; at least it would serve an educational purpose.
Also, does the Play Store app have a way to notify users of a banned app that is still installed? I decided to check my wife's phone proactively, but I don't think she would otherwise have had a clue of malware (but has been getting weird and annoying pop-up ads).
> Rather than disappear it from the Store entirely, it would be nice if Google could leave a placeholder with a warning; at least it would serve an educational purpose.
If the purpose is education, I feel emails or some other direct notification would be far more helpful. It's not like we usually go to an app's Play store page after installation, save reviewing.
> So a dropper might be used to install malware that steals banking credentials or generates fake advertising clicks or signs up for fake subscriptions.
This is basically wrong, you can't modify a browser or charge someone's card without breaking out of the sandbox.
Worst case they could burn your cellular data or encrypt your photos and such if you gave it permission.
Is there any evidence they maliciously used this or was it probably just in there so they could drop more creepy ad code?
Every Android Security Advisory I looked at contained at least one, often multiple, Elevation of Privilege or straight Remote Code Execution holes. My Android One smartphone usually gets the updates 20-35 days after the release of the Advisory, and I'm the only one in my wider family that even has a smartphone that still receives monthly security updates at all. Most of them are stuck on an old Android version with years-old patch levels. So I doubt this is hard at all. I have no idea if there are public exploits for these issues, but they probably exist.
The exploit downloaded and executed code from some server, so there may have been targeted payloads that rooted specific devices. I hope I'm wrong, but that's the impression I get from the Kaspersky post:
So does the ad network just get away with this? Isn't it criminal to spread malware like this? Seems they were in a serious business relation with CamScanner, not some seedy underground place.
Do other apps run the same ad library, do they run the same risk?
I too wish they should stop using their resources to find security problems Apple should have found themselves.
But I very much disagree this is about embarrassing Apple. In fact, Google is doing them a huge favor.
(The iMessage bug for example could have been turned into a worm and infected ALL iPhones on the planet in matter of minutes if it was found by blackhat hackers instead. Apple should be thankful)
Project Zero is doing Apple a huge favor. Google isn’t a single organism; Project Zero isn’t taking away resources from the Android division. And it’s not like Project Zero doesn’t look for Android vulnerabilities, it’s just that iOS is a much more interesting target from a security standpoint because it’s widely considered to be actually secure (not to mention that people actually run the latest version of it).
I think Fuchsia can’t come fast enough for an opportunity to break backwards compatibility and catch up with the rest of the world on security.
(I also think that Google needs to put some more humans in the Play Store review process, but as we all know Google despises using humans when they can automate a process.)
If we only consider security, Fuchsia is another horrible use of resources. How many Android issues are due to kernel bugs?? Of those, how many are due to Google using its own heavily modified version of an outdated kernel?
Agreed on humans, Google needs more humans and fewer robots.
I believe my phone was compromised via CamScanner, and I factory reset my phone, changed the passwords to every account I used on my phone, and rotated every entry in my TOTP app. Not sure if any of that was necessary, but better safe than sorry as far as I'm concerned.
> CamScanner was actually a legitimate app, with no malicious intentions whatsoever, for quite some time. It used ads for monetization and even allowed in-app purchases. However, at some point, that changed, and recent versions of the app shipped with an advertising library containing a malicious module.
IMO, this is more a legal matter than a technical one.
Google needs to sue this company, not engage in a whack-a-mole game with their AI algorithm and useless scanner.
That's a little presumptuous - isn't it likely that CamScanner was somehow compromised? This could happen in the source code or in the build and release pipeline.
I had the CamScanner app on my iPhone for quite some time, then uninstalled when I launched it and saw (IIRC) Chinese text appear. I'm assuming that ownership changed around that time, and if the Android and iOS apps have the same owner, I wouldn't trust it either.
An iOS trojan would have slightly more limited impact, but if (for example) you gave the app "Access to your Photos" in order to save something, the app would still be able to read all of your photos and potentially send them back to home base as it chooses.
Correct me if I'm wrong, but the iOS sandbox also seems weaker - I've seen a few occasions in which calling undocumented functions can be all it takes to bypass protections significantly. I assume this is part of the reason Apple is so reliant on reviews.
I had CamScanner and at some point it started trying to upload my PDFs to the cloud. It seems it was bought by Tencent around that time.
At first the app store privacy policy was a broken link. Later they got it to work, and it basically used broken English to say: we can collect anything.
Uninstalled and never looked back.
One tip:
The iOS native Notes app can scan documents into a .pdf file.
This doesn't use an exploit in Android and instead runs payloads with the permissions of the app. The same can happen on iOS and very likely does in many apps, but is reported less often because there is no economic incentive (the App Store doesn't allow antivirus services). For an example, see how XcodeGhost went unnoticed by Apple.
So can you somehow load external (from a file or network, etc.) executable code into memory on iOS now? Last I checked, that was not possible, no way to even map executable pages in memory.
Malicious code found in ad networks, but I still get downvoted every time I complain that a given website was unusable by me because after trying to enable some (hopefully safe) javascript domains it still wouldn't render in a usable form.
There is a problem here. Trying to protect yourself from third-party malware running on your machine breaks half the damn web because of our over-reliance on javascript frameworks and ad networks. We have to find a better way.
Anyone remember when the Android Play Store wasn't ranked by how much revenue Google got out of it? Remember when even Google employees put out their own apps free of ads, like solitaire etc.? But all these free, ad-less apps mysteriously either disappeared from the Play Store or got sent to the very bottom of every search query.
According to his blog post, his "anti-piracy system" used "custom techniques including dynamic bytecode loading from a local app resource", the exact same technique used by this malicious code to hide from detection.
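The technique named in the comment above (and the "downloaded and executed code from some server" behaviour discussed earlier in the thread) leaves two static fingerprints in an APK: a reference to a class loader that can load code the APK did not ship in `classes.dex`, and a bundled resource that is really a DEX or a nested archive. The following is an added example, not the Kaspersky analysis or any vendor's scanner: a small Python triage that looks for both. A raw byte search is enough for the loader references because DEX stores class descriptors in MUTF-8, whose ASCII range is plain ASCII. The two APKs are constructed in memory for the demonstration; the package and class names in them are made up.

```python
"""Static triage of an APK for dynamic code loading indicators.

Added example, not from the thread or any vendor. The APKs built below are
constructed fixtures, not real apps; their class names are hypothetical.
"""
import io
import zipfile

# Descriptors of classes that load code the APK did not ship in classes*.dex.
LOADER_REFS = {
    b"Ldalvik/system/DexClassLoader;": "DexClassLoader: loads a .dex/.jar from a file path",
    b"Ldalvik/system/InMemoryDexClassLoader;": "InMemoryDexClassLoader: loads a dex from a byte buffer",
    b"Ldalvik/system/PathClassLoader;": "PathClassLoader: can add extra dex paths at runtime",
}
DEX_MAGIC = b"dex\n"       # first 4 bytes of every DEX file
ZIP_MAGIC = b"PK\x03\x04"  # first 4 bytes of a jar/apk/zip
# Locations an app can read its own bundled files from at runtime.
RESOURCE_DIRS = ("assets/", "res/raw/")


def scan_dex(dex: bytes) -> list:
    """Return a reason string for each loader class referenced by a DEX blob."""
    return [why for needle, why in LOADER_REFS.items() if needle in dex]


def find_hidden_payloads(zf: zipfile.ZipFile) -> list:
    """Return resource entries whose content is really a DEX or a nested archive,
    whatever their file extension claims."""
    found = []
    for info in zf.infolist():
        if not info.filename.startswith(RESOURCE_DIRS):
            continue
        head = zf.open(info).read(4)
        if head == DEX_MAGIC:
            found.append(f"{info.filename}: DEX file stored as a resource")
        elif head == ZIP_MAGIC:
            found.append(f"{info.filename}: nested archive (jar/apk) stored as a resource")
    return found


def scan_apk(apk_bytes: bytes) -> dict:
    """Triage one APK. The verdict is 'suspicious' only when both a loader class
    and a loadable payload are present; either alone is a weak signal (many
    legitimate apps reference PathClassLoader through their frameworks)."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        loader_hits = []
        for name in zf.namelist():
            if name.startswith("classes") and name.endswith(".dex"):
                loader_hits += scan_dex(zf.read(name))
        payloads = find_hidden_payloads(zf)
    verdict = "suspicious" if loader_hits and payloads else "no dynamic-loading indicators"
    return {"loaders": loader_hits, "payloads": payloads, "verdict": verdict}


def build_apk(entries: dict) -> bytes:
    """Constructed test fixture: zip {name: bytes} into a minimal fake APK."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Plain scanner app: no loaders, only a text asset.
BENIGN_APK = build_apk({
    "AndroidManifest.xml": b"<manifest/>",
    "classes.dex": DEX_MAGIC + b"035\0" + b"Lcom/example/scanner/MainActivity;",
    "assets/help.txt": b"Point the camera at a page.",
})
# Dropper shape: loader referenced from the main dex, payload disguised as data.
DROPPER_APK = build_apk({
    "AndroidManifest.xml": b"<manifest/>",
    "classes.dex": DEX_MAGIC + b"035\0" + b"Ldalvik/system/DexClassLoader;Lcom/example/ads/Loader;",
    "assets/config.bin": DEX_MAGIC + b"035\0" + b"Lcom/example/ads/Payload;",
})

if __name__ == "__main__":
    for label, apk in (("benign", BENIGN_APK), ("dropper", DROPPER_APK)):
        print(label, scan_apk(apk))
```

Point `scan_apk` at the bytes of a real APK pulled with `adb pull` and read the two lists rather than trusting the verdict alone: an anti-piracy or hot-patching library will trip the loader check legitimately, which is exactly why the comment above notes that the same technique serves both purposes. Payloads fetched from a server at runtime, as the thread suggests happened here, leave no resource to find, so the loader reference is the only static clue in that case.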
I seriously doubt that CamScanner wanted that kind of publicity. As for Kaspersky, they are like gun makers, selling you a false/real sense of security depending on who you ask.
To make sure you never find yourself in such trouble, use a reliable antivirus for Android app and scan your smartphone from time to time. (The paid version of Kaspersky Internet Security for Android scans automatically.)
Blogspam happens when someone writes a blog article that sources or references something from a more authoritative source, such as this one linking to the Kaspersky story, without adding anything of significance to the original.
Which I don't think is exactly the case here - the Forbes site is not a blog, it's a news site. This article is their reporting of something newsworthy (even if not the best quality article).
There's no fundamental difference between a news site and a blog. A lot of them even use the same software.
News sites just tend to have lower quality entries than blogs and often engage in blogspam instead of providing links to superior sources or adding something of value.
Obviously. Since they want to keep people on their site.
I wonder what the average time spent on a "news article" vs. a "blog post" is.
> There's no fundamental difference between a news site and a blog.
There is a difference. A blog is short for web log which implies a personal journal. Anyone can publish a blog without editorial oversight. A news site implies that professional journalists are producing reports with editorial and literary standards. Clearly many media companies blur this line though to the detriment of readers and journalists.
> A lot of them even use the same software.
What difference does that make? The vast majority of web sites use the same web server software (Apache/Nginx)...and the same software elsewhere in the stack.
"Professional journalist" just means you're a blogger that gets paid. And everybody has standards. Some people just like to wave theirs around a little more.
I've tested it via manual scan on PlayProtect as well, no dice. Isn't that what it is supposed to do?
Has anyone ever got any app flagged by PlayProtect? If it's useless, then rather I would disable it than to give it access to all my installed apps.
Google Engineers here, please ping your Google Play team reg PlayProtect.
Edit: More detail.