[+] [-] Abishek_Muthian|6 years ago|reply
I've tested it via manual scan on PlayProtect as well, no dice. Isn't that what it is supposed to do?
Has anyone ever got any app flagged by PlayProtect? If it's useless, then I would rather disable it than give it access to all my installed apps.
Google Engineers here, please ping your Google Play team reg PlayProtect.
Edit: More detail.
[+] [-] GeneralTspoon|6 years ago|reply
I know it famously flags the Aptoide app store (a Google Play rival) as malware[1]
[1]: https://techcrunch.com/2019/06/04/aptoide-a-play-store-rival...
[+] [-] ocdtrekkie|6 years ago|reply
https://www.av-test.org/en/antivirus/mobile-devices/
[+] [-] [author not recovered in extraction]
It certainly flags PhoneGap Build apps without a signing certificate. So at least you know that the malicious parties have paid some money to get a cert!
[+] [-] AnssiH|6 years ago|reply
[+] [-] wickedsickeune|6 years ago|reply
[+] [-] lern_too_spel|6 years ago|reply
[+] [-] Marsymars|6 years ago|reply
> Has anyone ever got any app flagged by PlayProtect?
Yes, it started flagging all the apps my company distributes internally for testing purposes. Getting it to stop seemed impractical, so my company's guidance is now to disable Play Protect on any test device.
[+] [-] mtgx|6 years ago|reply
[deleted]
[+] [-] chkuendig|6 years ago|reply
[+] [-] Zenst|6 years ago|reply
That is, and for many always has been, an issue. Adverts help pay for content, be that a game or website; people literally make a living that way, to the point that it has become a bit of a de facto approach.
But when you are tied to including some code that goes off to a site that you have no or very little control over, you are outsourcing part of your company (web or app) into the hands of another, and if they mess up, you are the one that takes all the PR flak.
After all, if somebody slips an exploit into an ad hosted on a 3rd-party site and offered up by a reputable ad-serving company, whilst the blame and fault may clearly be with the ad-serving company for not screening what they offer, you are the one that consumers, and as it also transpires the media, see as the one to blame. As we all know, corrections and retractions are always less viewed and eyeballed than the initial drama article based upon a small-picture view of the issue/drama instead of the root cause. Even with the best, most respected media sites in the world, such retractions/corrections never get the same attention as the initial article of drama and doom.
That is one problem that even today still prevails: media does an article with the finger pointing in one direction, and the truth, even when it comes out and is updated, never tracks as well as the initial finger pointing. It is very much the old saying of "if enough mud is slung, some will stick".
{EDIT spelling and below}
With that all said, ad-blocking by the likes of https://pi-hole.net/ is more than just avoiding ads; it's about privacy and, more and more so, security.
[+] [-] a254613e|6 years ago|reply
So what exactly did this malware do most of the time?
In the original Kaspersky report it says "For example, an app with this malicious code may show intrusive ads and sign users up for paid subscriptions."
So how/did it sign up users for paid subscriptions without user interaction? Does Android allow something like that? Aren't all apps sandboxed?
In general, how is the Android sandboxing and permission system nowadays? I'm considering switching back to it from iOS, but reports like this are kinda discouraging.
[+] [-] yonilevy|6 years ago|reply
This. As an iOS user / developer who isn't too familiar with Android, I also don't get it. Either these reports are lacking, and there is in fact a vulnerability being exploited down the line, or Android is completely broken. I find it odd that this important detail is being ignored in the reports/discussion.
[+] [-] ignoramous|6 years ago|reply
> So how/did it sign up users for paid subscriptions without user interaction? Does android allow something like that? Aren't all apps sandboxed?
This sandbox isn't a VM per se, in that apps can view and interact with other apps via various API interfaces, sometimes with devastating consequences (like apps with storage permission scraping location information from EXIF, or apps with SMS permission scraping your inbox for your financial transactions).
> In general how is the android sandboxing and permission system nowadays?
There's a lot of confusion, and most users simply grant all access. Ask-on-first-use doesn't really help with privacy at all. iOS, I think, has it better: grant permission only when the app is in the foreground.
That said, I am working on an app that'd help revoke and grant permissions automatically to apps depending on whether they're in the foreground or background, firewall apps from the internet, and block trackers. This isn't something you can't not do on Android today. And if you choose to root your device, there are apps like AFWall+, Privacy Guard (on LineageOS), XPrivacyLua (with XposedMod), NoRoot Firewall and NetGuard that are excellent offerings but sometimes feel like they're built for the power user.
[+] [-] panpanna|6 years ago|reply
I don't know this particular case, but "malware" seems to be used to describe "adware" these days by some blogs to generate more clicks.
Android is just as secure/insecure as iOS. Some recent "malware" campaigns targeted both platforms, but in general Apple silently removes them while Android gets scrutinized to death.
Edit: to answer your questions, these apps still operate within the limits of the sandbox. Which is maybe a reason the term "malware" should not be used.
[+] [-] pjc50|6 years ago|reply
Ironically this is right next to "Google just deleted my nearly 10-year-old free and open-source Android app" on the front page. False negatives and false positives.
[+] [-] higginsc|6 years ago|reply
IOW, Google is clearly failing to keep up and accurately monitor its Play Store.
[+] [-] toss1|6 years ago|reply
It is not an easy job to do even at small scales, and their scale is massive. But it is the job they signed up for, and they need to properly provide resources for it (and it isn't like Google or Apple are short of resources).
[+] [-] habosa|6 years ago|reply
I've been using this app for years and also telling other people to use it, so this sucks.
If anyone else is looking for a replacement, there's a Microsoft app called "Office Lens" that seems to do a really nice job and is as safe a bet as anything.
[+] [-] emmelaich|6 years ago|reply
They work better, you're not expanding your privacy risk ... and they're free and integrated with Google Docs etc.
* namely, Drive Scan and PhotoScan
[+] [-] 0xfaded|6 years ago|reply
I was about to write something cocky like "I thought Facebook had more installs than that", since the title didn't name the malware app.
But damn, I'm (sort of) affected. I've had the paid version of CamScanner for years, before the alternative existed. Apparently the paid version isn't affected, but it's still gone from my phone.
[+] [-] [author not recovered in extraction]
I had been using it until a FLOSS alternative showed up (Open Note Scanner). It was very annoying in terms of ads, but I'm surprised that it has some kind of malware inside.
[+] [-] naruciakk|6 years ago|reply
[+] [-] eknkc|6 years ago|reply
[+] [-] smush|6 years ago|reply
[+] [-] fauigerzigerk|6 years ago|reply
I use Genius Scan on my iPhone to scan documents that I need to archive (I think it's also available for Android).
In addition to automatic cropping, it fixes any distortions so the documents look as if they had been scanned with a flatbed scanner. It works really well for my purpose.
(I have no affiliation with them, just love the app)
[+] [-] [author not recovered in extraction]
This seems like such a common occurrence, not only with Android apps but anything with auto updates. It seems like the only solution right now is to purely limit yourself to apps from F-Droid. Not necessarily because open source is resistant to this, but because no spammer would bother attacking such a small group.
[+] [-] [author not recovered in extraction]
That's not accurate, really. 100M+ users didn't install the thing overnight; they've downloaded it over the course of years. If they had it installed, and they had automatic updates turned on (which most people do), there was a several-month window when they had a version of the app that contained malware, even if it was eventually removed.
[+] [-] yazan94|6 years ago|reply
[+] [-] elcomet|6 years ago|reply
[+] [-] Kovah|6 years ago|reply
[+] [-] curiousgal|6 years ago|reply
[+] [-] sp332|6 years ago|reply
[+] [-] baroffoos|6 years ago|reply
[+] [-] AdmiralAsshat|6 years ago|reply
[+] [-] m463|6 years ago|reply
When Tencent bought the iOS version, the "user contract" was grossly changed.
Just uninstall it and use the native iOS Notes app to scan your .pdf documents.
[+] [-] OrgNet|6 years ago|reply
[+] [-] pbhjpbhj|6 years ago|reply
[+] [-] exolymph|6 years ago|reply
[+] [-] GordonS|6 years ago|reply
For the past few days I've been seeing spam events in my calendar about "free iPhones" and "webcam girls" - I couldn't figure out where they were coming from. I have CamScanner installed, so presumably that's the source...
Now, I can remove CamScanner (which is a shame, it's a really good app), but how can I ensure the trojan is also removed?
I tried the Avast AntiVirus app, but it didn't find anything.
What does everyone else do for AV on Android?
[+] [-] jimrandomh|6 years ago|reply
Does anyone have information on affected and unaffected version numbers? I have a version of this installed, but it's an old one, and may not have updated to the malware one because I disabled automatic updates. (Specifically because I was afraid of this, in fact.)
[+] [-] blisterpeanuts|6 years ago|reply
Rather than disappear it from the Store entirely, it would be nice if Google could leave a placeholder with a warning; at least it would serve an educational purpose.
Also, does the Play Store app have a way to notify users of a banned app that is still installed? I decided to check my wife's phone proactively, but I don't think she would otherwise have had a clue of malware (but has been getting weird and annoying pop-up ads).
[+] [-] buildzr|6 years ago|reply
> So a dropper might be used to install malware that steals banking credentials or generates fake advertising clicks or signs up for fake subscriptions.
This is basically wrong; you can't modify a browser or charge someone's card without breaking out of the sandbox.
Worst case, they could burn your cellular data or encrypt your photos and such if you gave it permission.
Is there any evidence they maliciously used this, or was it probably just in there so they could drop more creepy ad code?
[+] [-] tripzilch|6 years ago|reply
So does the ad network just get away with this? Isn't it criminal to spread malware like this? Seems they were in a serious business relation with CamScanner, not some seedy underground place.
Do other apps run the same ad library? Do they run the same risk?
[+] [-] doggydogs94|6 years ago|reply
[+] [-] flyGuyOnTheSly|6 years ago|reply
[+] [-] panpanna|6 years ago|reply
> CamScanner was actually a legitimate app, with no malicious intensions whatsoever, for quite some time. It used ads for monetization and even allowed in-app purchases. However, at some point, that changed, and recent versions of the app shipped with an advertising library containing a malicious module.
IMO, this is more a legal matter than a technical one.
Google needs to sue this company, not engage in a whack-a-mole game with their AI algorithm and useless scanner.
[+] [-] thebruce87m|6 years ago|reply
[+] [-] 0942v8653|6 years ago|reply
I had the CamScanner app on my iPhone for quite some time, then uninstalled it when I launched it and saw (IIRC) Chinese text appear. I'm assuming that ownership changed around that time, and if the Android and iOS apps have the same owner, I wouldn't trust it either.
An iOS trojan would have slightly more limited impact, but if (for example) you gave the app "Access to your Photos" in order to save something, the app would still be able to read all of your photos and potentially send them back to home base as it chooses.
[+] [-] godshatter|6 years ago|reply
Malicious code found in ad networks, but I still get downvoted every time I complain that a given website was unusable by me because, after trying to enable some (hopefully safe) JavaScript domains, it still wouldn't render in a usable form.
There is a problem here. Trying to protect yourself from third-party malware running on your machine breaks half the damn web because of our over-reliance on JavaScript frameworks and ad networks. We have to find a better way.
[+] [-] [author not recovered in extraction]
Anyone remember when the Android Play Store wasn't ranked by how much revenue Google got out of it? Remember when even Google employees put out their own apps free of ads, like solitaire etc.? But all these free, ad-less apps mysteriously either disappeared from the Play Store or got sent to the very bottom of every search query.
[+] [-] _fbpt|6 years ago|reply
[+] [-] cannedslime|6 years ago|reply
[+] [-] unknown|6 years ago|reply
[deleted]
[+] [-] PunksATawnyFill|6 years ago|reply
Revoke the app and developer account of that guy who wrote the free transit-mapping app for Montreal.
Google: hypocrisy on a colossal scale.
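On ignoramous's point earlier in the thread that an app with nothing more than storage permission can scrape location information from EXIF: the following is an added example, not code from the thread or from any app named in it. It builds a constructed, marker-only JPEG stub (no pixel data) whose EXIF APP1 segment carries a GPS IFD, reads the coordinates back the way any process with read access to the file could, and then strips the EXIF segment so a shared copy no longer carries them. The tag numbers and the TIFF/APP1 layout are the standard EXIF ones; the coordinates, the fixed-offset layout of the sample, and all function names are this example's own. It parses only the GPS fields it needs and is not a general EXIF reader.

```python
import struct

# EXIF/TIFF tag and type constants (standard values from the EXIF spec)
TAG_GPS_IFD = 0x8825            # in IFD0: pointer to the GPS sub-IFD
TAG_GPS_LATITUDE_REF = 0x0001   # "N" / "S"
TAG_GPS_LATITUDE = 0x0002       # three RATIONALs: degrees, minutes, seconds
TAG_GPS_LONGITUDE_REF = 0x0003  # "E" / "W"
TAG_GPS_LONGITUDE = 0x0004
TYPE_ASCII, TYPE_LONG, TYPE_RATIONAL = 2, 4, 5


def iter_segments(jpeg):
    """Yield (marker, payload) for every marker segment before the scan data."""
    if jpeg[:2] != b"\xFF\xD8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 4 <= len(jpeg):
        marker = jpeg[pos:pos + 2]
        if marker in (b"\xFF\xD9", b"\xFF\xDA"):  # EOI or SOS: metadata is over
            return
        length = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]  # includes itself
        yield marker, jpeg[pos + 4:pos + 2 + length]
        pos += 2 + length


def _ifd_entries(tiff, ifd_off, u16, u32):
    """Yield (tag, type, count, offset_of_4_byte_value_field) for one IFD."""
    for i in range(u16(ifd_off)):
        e = ifd_off + 2 + 12 * i
        yield u16(e), u16(e + 2), u32(e + 4), e + 8


def _dms_to_degrees(dms, ref):
    if not dms or len(dms) < 3:
        return None
    deg = dms[0] + dms[1] / 60 + dms[2] / 3600
    return -deg if ref in ("S", "W") else deg


def extract_gps(jpeg):
    """Return (lat, lon) in decimal degrees from the EXIF GPS IFD, or None."""
    tiff = next((p[6:] for m, p in iter_segments(jpeg)
                 if m == b"\xFF\xE1" and p[:6] == b"Exif\x00\x00"), None)
    if tiff is None:
        return None
    endian = ">" if tiff[:2] == b"MM" else "<"   # TIFF header declares byte order

    def u16(o):
        return struct.unpack(endian + "H", tiff[o:o + 2])[0]

    def u32(o):
        return struct.unpack(endian + "I", tiff[o:o + 4])[0]

    gps_off = next((u32(v) for t, _ty, _c, v in _ifd_entries(tiff, u32(4), u16, u32)
                    if t == TAG_GPS_IFD), None)
    if gps_off is None:
        return None
    fields = {}
    for tag, typ, count, val in _ifd_entries(tiff, gps_off, u16, u32):
        # values of 4 bytes or less are stored inline, larger ones via an offset
        if typ == TYPE_ASCII:
            off = val if count <= 4 else u32(val)
            fields[tag] = tiff[off:off + count].split(b"\x00")[0].decode("ascii", "replace")
        elif typ == TYPE_RATIONAL:
            off = val if count * 8 <= 4 else u32(val)
            fields[tag] = [u32(off + 8 * i) / (u32(off + 8 * i + 4) or 1) for i in range(count)]
    lat = _dms_to_degrees(fields.get(TAG_GPS_LATITUDE), fields.get(TAG_GPS_LATITUDE_REF))
    lon = _dms_to_degrees(fields.get(TAG_GPS_LONGITUDE), fields.get(TAG_GPS_LONGITUDE_REF))
    return None if lat is None or lon is None else (lat, lon)


def strip_exif(jpeg):
    """Return a copy of the JPEG with every EXIF APP1 segment removed."""
    out = bytearray(jpeg[:2])
    pos = 2
    while pos + 4 <= len(jpeg):
        marker = jpeg[pos:pos + 2]
        if marker == b"\xFF\xD9":
            break
        if marker == b"\xFF\xDA":          # start of scan: copy image data verbatim
            out += jpeg[pos:]
            return bytes(out)
        length = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        segment = jpeg[pos:pos + 2 + length]
        if not (marker == b"\xFF\xE1" and segment[4:10] == b"Exif\x00\x00"):
            out += segment
        pos += 2 + length
    return bytes(out + b"\xFF\xD9")


def build_sample_jpeg(lat_dms, lat_ref, lon_dms, lon_ref):
    """Constructed test input: SOI, a JFIF APP0, a big-endian EXIF APP1 whose
    GPS IFD carries the given coordinates, and EOI. Offsets are for this layout."""
    ifd0_off, gps_off = 8, 26               # header (8) + IFD0 (2 + 12 + 4)
    lat_off = gps_off + 2 + 4 * 12 + 4      # GPS IFD is 54 bytes -> 80
    lon_off = lat_off + 3 * 8               # three RATIONALs -> 104
    rat = lambda vals: b"".join(struct.pack(">II", n, d) for n, d in vals)
    tiff = b"MM\x00\x2a" + struct.pack(">I", ifd0_off)
    tiff += struct.pack(">H", 1) + struct.pack(">HHII", TAG_GPS_IFD, TYPE_LONG, 1, gps_off) + b"\x00" * 4
    tiff += struct.pack(">H", 4)
    tiff += struct.pack(">HHI", TAG_GPS_LATITUDE_REF, TYPE_ASCII, 2) + lat_ref.encode() + b"\x00" * 3
    tiff += struct.pack(">HHII", TAG_GPS_LATITUDE, TYPE_RATIONAL, 3, lat_off)
    tiff += struct.pack(">HHI", TAG_GPS_LONGITUDE_REF, TYPE_ASCII, 2) + lon_ref.encode() + b"\x00" * 3
    tiff += struct.pack(">HHII", TAG_GPS_LONGITUDE, TYPE_RATIONAL, 3, lon_off)
    tiff += b"\x00" * 4 + rat(lat_dms) + rat(lon_dms)
    exif = b"Exif\x00\x00" + tiff
    jfif = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    app0 = b"\xFF\xE0" + struct.pack(">H", len(jfif) + 2) + jfif
    app1 = b"\xFF\xE1" + struct.pack(">H", len(exif) + 2) + exif
    return b"\xFF\xD8" + app0 + app1 + b"\xFF\xD9"


if __name__ == "__main__":
    # constructed coordinates, not taken from any real photo
    photo = build_sample_jpeg([(37, 1), (46, 1), (30, 1)], "N",
                              [(122, 1), (25, 1), (10, 1)], "W")
    print("readable by any app with storage access:", extract_gps(photo))
    print("after stripping:", extract_gps(strip_exif(photo)))
```

The reading half is the whole privacy point: for a photo with a GPS tag, read access to the file is location access, and no location permission prompt is involved. The stripping half is the mitigation a defender would actually ship, and it drops the entire APP1 segment rather than blanking the GPS IFD, which also removes thumbnails and maker notes that can leak the same information. For real photos, which carry several IFDs and occasionally malformed offsets, a maintained library or exiftool is the safer choice than a hand-rolled parser like this one.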