Google's Play Protect Is Failing to Catch Obfuscated Malware on the Play Store

Megalith

Google’s Play Protect is a user-facing security screening process that scans apps you install, comparing their content against known malware components, and notifies you if any potential risks are found: unfortunately, it wasn’t good enough to catch obfuscated malware with up to 20 million installs on the Play Store. A technique called “packing,” used to hide the intended functionality of a piece of software, has proven effective in fooling Google’s automated systems.

...apps with ExpensiveWall request internet and SMS permissions, connect to a remote server at regular intervals, and run what is sent to it by the server in an embedded WebView. If you follow Android security, this might all sound a bit familiar, and that's because it's basically identical to another piece of malware discovered earlier this year. According to Check Point, Play Protect was configured to detect this malware previously, but it's now been "packed" to fool the existing checks.
 
They changed a ton of really dangerous permissions out of users' control in the large permissions revamp update in Lollipop or maybe Marshmallow.

The Google devs answered a question by a regular dev that "since they had protected all your data securely now with request for Contacts,... there was no need for something like Internet permission to be gated".

It's been a long time now that any sane person doesn't try out any apps anymore. There are a ton of crazy scary permissions that all a dev has to do is put in the manifest file and the "user" isn't pestered with.

You go download an app with simple permission prompt? It's not because it's safe, it's because Google is hiding it from you. But they have full access to Internet...
 
I'll bash Apple as a company and its so-called hardware advancements all day long and not feel even an ounce of guilt for it. However, when it comes to the software ecosystem I don't for one moment have any doubts that they have a safer playground. It'll be a good day when I can trust our Android devices for more than basic entertainment.
 
How's that open ecosystem working out for you? Oh yeah... it's not.

As a fellow geek I love open ecosystems as much as the next geek but to be quite honest, for normal people it's just too dangerous. Normal people don't have the technical expertise to remain safe in an open ecosystem, they're either too stupid or they just don't care. Often I find myself thinking that it's more stupidity than anything else.

I have had to (on more than a couple of occasions) stop myself from slapping the shit out of someone as I watched them do something monumentally stupid. I have had to yell at people and ask "What the fuck are you doing?! Didn't you read it?!" and more often than not they look at me with a look not unlike what a deer has as it's staring at your headlights and their response is usually "But they were going to give me free stuff". People really do need to have their hand held. For these people I would love to just rip their computers away from them and hand them an iPad.

With all of that said, open ecosystems are great and all... until someone comes along and pisses in the corn flakes. And as we have seen, that happens all too often.

Google really needs to get a handle on this shit because it's going to rot the Android brand from within (that is, if it hasn't already).
 
I found the source quote. ["yes a flashlight app can have internet permission, but it would have to ask for permission to get access to data, since we are protecting the data, it's not going to have access to anything we are concerned about"] abbreviated a little, no transcript.

I just don't know how that got signed off by the security folks. Almost anyone could make the analogy that leaving the front door open because you put your valuables in a safe is a terrible idea.

I mean, even today, none of the permission names and descriptions match the real world. Talking about evil level premeditated intent to obfuscate and deceive. Google knows damn well what wifi/view networks permissions are used for. Monetization. Maybe there is one network monitor app that actually needs it, but the other million games/apps are using it to monetize you. Yet the description still says generic crap, with not a single hint of why it's actually used million/billions of times.

You can't even make a gun manufacturer analogy as Google owns the Play Store and Android and has direct access to how, why and when permissions are used. They are in no way some far off third party.
 
Monetization.
Bingo! Give this man his prize!

When it comes to Google and Android it's all about monetization. How can we make money on this? It's Google's job for God's sake! It's the reason why Google exists!!! They exist to make money by selling data about you and making it easy for their partners to as well. Face it people, Android may as well be called an advertising platform since basically that's what it is. It's an advertising platform that just so happens to be a smartphone OS as well.

About the only company out there that comes even close to giving a damn about your privacy is Apple and they're not that great at it either but at least they're a hell of a lot better at it than Google.
 