Over 100 million Android users are being spied upon by over 500 apps

in #technology, 7 years ago

So recently, I made a post about malicious apps on Android. Well, it seems like that issue isn't a small one. Recently, security researchers discovered that an advertising SDK used in apps that have been downloaded over 100 million times was recording call usage data.


About the Malware

If you're an app developer who wants to put ads in your app, you generally don't develop the technology needed to do that all by yourself. There are a lot of companies (the most notable among them being Google) that collect money from advertisers, run their ads on various platforms, and split some of the revenue with the app/website developers. The way this generally works is that you use an SDK (Software Development Kit) provided by these advertising companies to show ads in your apps. Integrating an SDK into your app is often as simple as pasting a single line into a file (the build.gradle file) and rebuilding your app. You now have full access to all the features and options that the advertising company provides, without worrying about the backend details of which ads are shown, how many ads appear in a single session, etc.

This generally means that you, as an app developer, quite often have absolutely NO IDEA what that SDK contains. Most developers will use an SDK solely based on its reputation in the community, without actually knowing what that SDK does.

Well, Igexin is one such advertising company that provides an API and an SDK to use that API. It looks like Igexin was a pretty successful company, because over 500 apps, which in total have been downloaded over 100 million times, use this SDK to show ads. But Igexin's SDK actually does a lot more than what its customers expect it to do. It downloads additional code from Igexin's servers. That code is the real malware.

That code, depending on the permissions that the app has, runs additional code that records:

  • Call state (whether the phone is idle, ringing, or in a call)
  • Calling number
  • Time of the call

The malicious code will then send this data, in plain text, to Igexin's servers.
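Because what the downloaded code can record depends on the permissions the host app holds, a developer can check the merged manifest to see what any bundled SDK would be able to reach. The following is an added example, not code from the original post or from Igexin's SDK; the manifest and the package name `com.example.flashlight` are constructed, and the mapping from permissions to call data is a summary made for this example.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Real Android permissions, mapped (for this example) to the call data the post lists.
CALL_PERMISSIONS = {
    "android.permission.READ_PHONE_STATE": "call state (idle, ringing, in a call)",
    "android.permission.READ_CALL_LOG": "calling number and time of the call",
    "android.permission.PROCESS_OUTGOING_CALLS": "number dialled on outgoing calls",
}

# Constructed sample: merged manifest of a hypothetical app that bundles an ad SDK.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight">
    <uses-sdk android:minSdkVersion="16" android:targetSdkVersion="25" />
    <uses-permission android:name="android.permission.INTERNET" />
    <uses-permission android:name="android.permission.READ_PHONE_STATE" />
    <uses-permission android:name="android.permission.READ_CALL_LOG" />
    <application android:label="Flashlight" />
</manifest>
"""


def audit_manifest(manifest_xml):
    """Report what any code in the app's process, SDK code included, can reach."""
    root = ET.fromstring(manifest_xml)
    requested = {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}
    exposed = {perm: CALL_PERMISSIONS[perm]
               for perm in sorted(requested & CALL_PERMISSIONS.keys())}

    # usesCleartextTraffic defaults to true when targetSdkVersion is 27 or lower,
    # so an absent attribute still allows plain-text HTTP on such builds.
    app = root.find("application")
    flag = app.get(ANDROID_NS + "usesCleartextTraffic") if app is not None else None
    sdk = root.find("uses-sdk")
    target = int(sdk.get(ANDROID_NS + "targetSdkVersion", "1")) if sdk is not None else 1
    cleartext = (flag == "true") if flag is not None else target <= 27

    return {
        "call_data_exposed": exposed,
        "can_send": "android.permission.INTERNET" in requested,
        "cleartext_allowed": cleartext,
    }


if __name__ == "__main__":
    for key, value in audit_manifest(SAMPLE_MANIFEST).items():
        print(key, "->", value)
```

An app that shows all three results (call permissions held, network access, cleartext allowed) gives every library in its process the same reach the post describes, whether or not the developer's own code uses it.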

What's truly scary about this is that the app developer will quite often never know that they are being used to deliver malware.

This is the kind of malware that can only be discovered by someone who is looking for these things: a security researcher. Most app developers will never know, and most users won't even think about such a thing.

My thoughts

I think there is a trend in a lot of these cases of malware. In most of these cases, the initial app that the user downloads is entirely safe, but it then downloads additional stuff, which is the real malware. Now, these kinds of attacks aren't rare or unique. They have been used for a long time on PCs and on the web. But I think what makes these things more effective on mobile is the fact that most mobile OSes are much more restrictive about user preferences and user choice than the desktop or the web. With a mobile OS, you just don't get to see a lot of the data (unless you are a researcher and know the system well) that you can see on a desktop quite easily. And that's what matters. Of course, the casual user will never see any of the low-level data, anywhere, but enthusiasts will, and often that's what makes it easier to discover such stuff on the desktop. On the desktop, you could have used an app that captures network activity, and if you were a bit investigative, you would have found out about this without any special equipment or devices. But on mobile, that's not possible, because the OS doesn't give access to a lot of the APIs that are needed for such an app. So the onus to secure an Android phone falls entirely on Google, the OEM that manufactures the phone, and app developers, and it's clear they are lacking at that.

How to stay safe from this malware(and malware on Android in general)

1. Keep the Google Play / Services App updated

Generally, the Play app auto-updates, but if you haven't, say, turned ON your phone in days, be sure to update the Google Play Services app. I know that a lot of people don't like that app because of the permissions it requires, but the Play app also has a feature that scans apps on your device and can even remove apps that are deemed malicious. In general, when a security researcher discovers a vulnerability, they notify the company before they release it in public. Even in this case, all of the apps using that SDK have been removed.

2. Watch the permissions that an app asks for

I know that people have gotten used to tapping "Yes" on every dialog, but it's important that you take a close look at the things your app does. If your phone has Android 6.0 or above, you can turn individual permissions off and on. So, for example, if you know for a fact that you don't use the location-related features of an app, don't give that app permission to access your location.

3. Only install apps from the store

In general, installing apps from an APK file is not a good idea, because you don't know whether that APK is the authentic one, and you could end up installing something that looks similar but has malware.

If you are concerned about your privacy and don't want to use the official app store, use another app store like F-Droid.




Security-related improvements in software are always good, but malware will never be stopped if users don't change their behavior.


Thanks for reading this post. If you liked it, please smash that follow button for more content like this :-)

harshallele


Good advice. And one of the few good things about Apple.

Yeah, they definitely are better when it comes to security.
