Researchers find North Korean spy apps hosted in Google Play

bburdge

Ars Tribunus Militum
2,455
Subscriptor++
What pisses me off the most is that, collectively, the market has rewarded walled-garden phone OSes to the point where alternatives are not really viable for anyone who uses their phone in a professional environment. And the alleged tradeoff for this is that we wouldn't have the Windows problems with malware; it would all be secured and checked before it got in the garden.

But repeatedly this is not the case: the walls around the garden have doors open wide, with big Wile E. Coyote-type signs pointing at them for bad actors to just stroll right in.
 
Upvote
49 (58 / -9)

starglider

Ars Scholae Palatinae
987
Subscriptor++
What pisses me off the most is that, collectively, the market has rewarded walled-garden phone OSes to the point where alternatives are not really viable for anyone who uses their phone in a professional environment. And the alleged tradeoff for this is that we wouldn't have the Windows problems with malware; it would all be secured and checked before it got in the garden.

But repeatedly this is not the case: the walls around the garden have doors open wide, with big Wile E. Coyote-type signs pointing at them for bad actors to just stroll right in.
It's even worse than that, because the stores provide a completely false sense of security. At least if you're a Windows or Linux user, you know you're on your own downloading some random binary off the internet, and most of us have developed some heuristics to determine how trustworthy software is. Every app on these app stores basically looks the same.

There really are precious few things that really need an app. 95% of this stuff works just as well in a mobile browser. Unless it is running something very high-performance or needs a lot of offline functionality, it's very unlikely that the app is necessary (although you might need to spoof the user agent to get the website to work).
 
Upvote
31 (35 / -4)

markgo

Ars Praefectus
3,173
Subscriptor++
What pisses me off the most is that, collectively, the market has rewarded walled-garden phone OSes to the point where alternatives are not really viable for anyone who uses their phone in a professional environment. And the alleged tradeoff for this is that we wouldn't have the Windows problems with malware; it would all be secured and checked before it got in the garden.

But repeatedly this is not the case: the walls around the garden have doors open wide, with big Wile E. Coyote-type signs pointing at them for bad actors to just stroll right in.
Android app store "walls" are like a 6-foot chain-link fence: mostly automated tests, with little, if any, individualized review.

Not remotely comparable to the iOS App Store, though better than almost any third-party app store.

But to me the real issue is the permissions structure. How is it possible that people said yes to SMS Access for any of these apps? Did they use some sort of exploit to avoid triggering permissions requests?

Are people just so habituated to clicking ok they don’t read the text on the alert?

Wish there was more detail on what it looked like to the user, how (if) they had a chance to detect before compromise.
 
Upvote
37 (39 / -2)

spril

Wise, Aged Ars Veteran
145
Subscriptor++
Are there people who install random apps they find in the Google or Apple store? That feels about as wise as eating random food found in the gutter.

The only phone apps I install are from entities with which I already have a relationship, like my employer, the NY Times, or Google itself, and which serve a useful function not readily available from their corresponding website.
 
Upvote
-2 (6 / -8)

ajk48n

Ars Centurion
334
Subscriptor
It is apparently very difficult for Google to even enforce unique names on their apps. Searching "File Manager" gives multiple results with the same name.

I'm aware that the one mentioned in the file shouldn't be available officially anymore. But this is another reason it can be difficult to trust an app. Even knowing the exact name of the one you want can't guarantee you won't click to install a different one.
 
Upvote
20 (20 / 0)

Fatesrider

Ars Legatus Legionis
22,898
Subscriptor
It's even worse than that, because the stores provide a completely false sense of security. At least if you're a Windows or Linux user, you know you're on your own downloading some random binary off the internet, and most of us have developed some heuristics to determine how trustworthy software is. Every app on these app stores basically looks the same.

There really are precious few things that really need an app. 95% of this stuff works just as well in a mobile browser. Unless it is running something very high-performance or needs a lot of offline functionality, it's very unlikely that the app is necessary (although you might need to spoof the user agent to get the website to work).
Both of you are correct, and actually suggest the means of mitigating much of this issue.

The issue is that people believe the apps are safe, when they aren't. Largely because of that, they just download the first thing that strikes their fancy without bothering to check it out in any meaningful way.

The solution is to encourage people not to download ANY apps that aren't essential for their day-to-day use. And let the user decide what's essential to them.

As long as they know and understand that not all apps are reviewed and deemed safe, and that they're taking a non-zero chance of seriously fucking up their phone with every app they download, there'd probably be less of a problem in this arena.

Of course, getting that out and understood would depend on the messaging from Google. So it's probably a non-starter. I suspect that it will take enough lawsuits to impact stock prices to get them to take the security of their apps, and their captured customers' phones, seriously, though. That's going to be a cold day in hell in today's world. But that's the easiest first step to a solution.

After all, what's the one thing that bad guys and politicians (well, same difference there) fear the most?

An informed public.
 
Upvote
5 (5 / 0)
Both of you are correct, and actually suggest the means of mitigating much of this issue.

The issue is that people believe the apps are safe, when they aren't. Largely because of that, they just download the first thing that strikes their fancy without bothering to check it out in any meaningful way.
People do unsafe things all the time. They drive around in lethal machines, they eat things they shouldn't eat and drink things they shouldn't drink.

Installing a random app on iOS is, by societal norms, a safe act. If you think an app off Play is so dangerous that nobody should install one unless absolutely necessary, then the remedy is clearly that almost nobody should buy an Android device.
 
Upvote
6 (11 / -5)
Android users should give careful thought to any app before installing it. Many apps provide no meaningful benefit at all, as was the case with the apps detected by Lookout.
I agree, but how could I uninstall the official YouTube application without root access? It's such spyware.

In other cases, a normal mobile browser can perform the same tasks.
Except when web access is relegated to second- or third-class citizen status and the mobile app version comes first. Witness: WhatsApp.
 
Upvote
4 (5 / -1)

SeeC

Smack-Fu Master, in training
3
What pisses me off the most is that, collectively, the market has rewarded walled-garden phone OSes to the point where alternatives are not really viable for anyone who uses their phone in a professional environment. And the alleged tradeoff for this is that we wouldn't have the Windows problems with malware; it would all be secured and checked before it got in the garden.

But repeatedly this is not the case: the walls around the garden have doors open wide, with big Wile E. Coyote-type signs pointing at them for bad actors to just stroll right in.
It was never about that, which is obvious to anyone who can actually reason about risks and control.

I imported the first iPhone from the US, which made it necessary to jailbreak it to be usable (no access to the network otherwise). I enjoyed the third-party app scene at the same time, something that wasn't even possible with "legit" iPhones.

When Apple announced the App Store in 2008, I thought it was cool they would offer an "official" way of installing/running apps, but at the same time I was pissed off because it came with so many restrictions. Plenty of apps from Cydia would never be able to be downloaded from the official App Store.
Alas, jailbreaking became much more complicated, and too involved for the end user, so we all accepted the compromise of the App Store, because there wasn't much other choice in the first place.

It was always obvious that it was about power and money, nothing else. Otherwise, computers would have had the same restrictions on them (Apple is boiling the frog slowly on that front).

At least in the case of Android/Google Play, you have alternative ways to install things, and it's not an absolute requirement.
But pretending it improves security significantly is at best an overstatement, at worst an outright lie.
 
Upvote
-3 (5 / -8)
In other cases, a normal mobile browser can perform the same tasks.
There really are precious few things that really need an app. 95% of this stuff works just as well in a mobile browser.
which serve a useful function not readily available from their corresponding website.
Websites aren't trendy anymore.

In the past, the web was the future™. No local apps needed anymore! It sucked/sucks when it's trying to replace real software, but it does make sense for many simplistic online-oriented services like email or banking. But more recently, every second site also provides an app, or worse, turns into one exclusively. I guess it lets them gather more personal info or have more control over ads.

Sad. Though some of it may be partially legit, because modern webdev practices produce sites that are so fragile across different browsers or versions. Some of it, not all, may be blamed on the never-ending flow of small forced browser updates, and on HTML and web APIs having abandoned stable major updates. Add to that the framework-over-framework style of webdev that results in sites that are heavy and slow.

But to me the real issue is the permissions structure. How is it possible that people said yes to SMS Access for any of these apps?
It would be useful if stock firmware had permission options beyond allow/deny, like also "allow with fake data". It wouldn't solve the problem of most apps wanting internet access, but it's a start.
 
Upvote
5 (5 / 0)

Quayle

Smack-Fu Master, in training
50
But to me the real issue is the permissions structure. How is it possible that people said yes to SMS Access for any of these apps? Did they use some sort of exploit to avoid triggering permissions requests?

Are people just so habituated to clicking ok they don’t read the text on the alert?

Wish there was more detail on what it looked like to the user, how (if) they had a chance to detect before compromise.
I think the biggest problem is that most users have no idea what kind of permissions a random app needs to work in a legitimate way, and whether the app asks for more permissions than it needs. I truly believe that a normal user won't know the difference.

Computers have gone from being something only nerds used to being in basically every home on the planet that has electricity. So it used to be a tool for professionals, but it's now used to watch cat videos by grandmothers. To assume that all these people know what's dangerous or not, or how to configure their networks to be safe, or which permissions they should or shouldn't give to an application, simply can't be expected, in my opinion.

So the real problem, the way I view it, is that the Play Store (for instance) is run by Google, and even my pensioner dad knows what Google is. So who can blame him for thinking Google is a reputable company, and mistakenly thinking the apps they sell in their store are safe? It would be like going into the food aisle of your local grocery and expecting to find rat poison in the food aisle.

We obviously don't go home and run a chemical test to check if the food is poisoned or that it is what it says it is; we assume it to be safe. The problem, really, is that we simply can't make the same assumption when installing software, even from a seemingly "reputable source" like the Play Store.
 
Upvote
7 (8 / -1)

markgo

Ars Praefectus
3,173
Subscriptor++
It was never about that, which is obvious to anyone who can actually reason about risks and control.

I imported the first iPhone from the US, which made it necessary to jailbreak it to be usable (no access to the network otherwise). I enjoyed the third-party app scene at the same time, something that wasn't even possible with "legit" iPhones.

When Apple announced the App Store in 2008, I thought it was cool they would offer an "official" way of installing/running apps, but at the same time I was pissed off because it came with so many restrictions. Plenty of apps from Cydia would never be able to be downloaded from the official App Store.
Alas, jailbreaking became much more complicated, and too involved for the end user, so we all accepted the compromise of the App Store, because there wasn't much other choice in the first place.

It was always obvious that it was about power and money, nothing else. Otherwise, computers would have had the same restrictions on them (Apple is boiling the frog slowly on that front).

At least in the case of Android/Google Play, you have alternative ways to install things, and it's not an absolute requirement.
But pretending it improves security significantly is at best an overstatement, at worst an outright lie.
It’s weird you’d post this on an article about malware that appeared exclusively in the Google Play store, not the Apple App Store. It kind of hurts your argument that Apple’s restrictions are excessive.
 
Upvote
10 (10 / 0)

deltaproximus

Ars Scholae Palatinae
854
Thank God, I was just about to install the Kakao app.

/s
Kakao Talk is a popular chat app among Koreans and Korean Americans. Everyone on my mom's side of the family and all their friends use it exclusively to text each other. It's no surprise that North Korea would target them by using a ubiquitous name in that community.
 
Upvote
6 (6 / 0)
Are there people who install random apps they find in the Google or Apple store? That feels about as wise as eating random food found in the gutter.

The only phone apps I install are from entities with which I already have a relationship, like my employer, the NY Times, or Google itself, and which serve a useful function not readily available from their corresponding website.
Well, you know what they say about how stupid the average person is...
 
Upvote
2 (2 / 0)

waldo22

Ars Praetorian
559
Subscriptor++
Kakao Talk is a popular chat app among Koreans and Korean Americans. Everyone on my mom's side of the family and all their friends use it exclusively to text each other. It's no surprise that North Korea would target them by using a ubiquitous name in that community.
Oh wow, I just thought it was a random app name and was teasing about people that will install any random app on their phones.

That makes a lot of sense, thanks for the background!
 
Upvote
2 (2 / 0)
Is there any word on whether this particular malware exceeds its authorizations in a way that bypasses the Android permissions model, or is it just another case where the (fairly grabby) level of commonly accepted permission-demanding makes it pretty easy to get granted power worth misusing?
 
Upvote
2 (2 / 0)
Are there people who install random apps they find in the Google or Apple store? That feels about as wise as eating random food found in the gutter.

The only phone apps I install are from entities with which I already have a relationship, like my employer, the NY Times, or Google itself, and which serve a useful function not readily available from their corresponding website.

I install almost nothing, but I've absolutely landed on the wrong page loads of times thanks to the exceptionally classy decision by both Google and Apple to put what's basically a paid typosquat in the #1 spot, occupying the top third of the screen, even when you search for precisely the name of the app you are looking for. I assume that one snags people who use 'get' from the search screen rather than from the full listing for the application all the time.

Which is presumably exactly why they put it there.
 
Upvote
4 (4 / 0)

Quayle

Smack-Fu Master, in training
50
I install almost nothing, but I've absolutely landed on the wrong page loads of times thanks to the exceptionally classy decision by both Google and Apple to put what's basically a paid typosquat in the #1 spot, occupying the top third of the screen, even when you search for precisely the name of the app you are looking for. I assume that one snags people who use 'get' from the search screen rather than from the full listing for the application all the time.

Which is presumably exactly why they put it there.
Yes, it is. As an example, Google also allowed a fake site imitating KeePass, using punycode to push malware, to appear on top when people searched for KeePass. It's all about the revenue for those people, and never forget that.
For reference: https://www.malwarebytes.com/blog/t...uses-punycode-to-look-like-legitimate-website

Is it expected that a normal user wouldn't fall for this? I'll forever say no, and I'm willing to die on this hill.
 
Upvote
2 (2 / 0)