Wonder if it's written itself into recovery. Or the SIM card/baseband - SIM card in particular usually includes functionality for triggering a sideload of apps (eg for carrier apps), sending notifications, etc into the main SOC so it fits. Maybe the second instance of SIM card malware ever.
a not insignificant portion of generic weird mediatek chipset android phones come rooted from the manufacturer, because the OS is built with a root/developer configuration. This also helps malware like this spread on the sub-$80 android phones sold to non technically sophisticated users in the developing world.
I remember reading something about mediatek based phones saving on the BOM by utilizing virtualization on a single SoC to run the baseband RTOS and the Smartphone OS.
Until you get bugs like "3D games lag when in fast moving car due to constant cell handovers" and "4G doesn't work at the same time as playing a 1080p60 video, so netflix/youtube are broken unless on wifi".
This happened to me with the Triada virus, on a Nomu S10 - it came with factory ota.
That one patched the Zygote process and became invisible and unremovable without reflashing.
All they'd have to do in order to survive a factory reset is to write to the /system partition, which contains the main OS. A factory reset only wipes /data and a few caches.
Writing to /system requires it to be mounted read/write and permissions to do so, so they'd need a root exploit in order to pull it off, but there's quite a few to choose from especially as devices age and given that they're doing this outside Play Store where Google won't pick them up.
I'm just crossing my fingers advanced users don't lose the ability to side-load apps over bad publicity like this, maybe they should make it harder to enable though.
No. The play store does not check very well and is pretty easy to bypass. Up until recently you could just download .dex (android equivalent of .jar) files into your apps resources at run time then call the classloader. Then for their runtime scan you can either just wait to put the real code online or have a hardcoded switch to execute the main function based on like an NTP server saying it's past X day. I think that is why they removed calls to the classloader from android. There's a few other ways to do basically that that still work but I'm not sharing those for free.
IMO There is a slight flaw to how this question is worded. It's not that they block you from running code that you need to be root to run (you'll just get insufficient perms errors) it's just that you're not root. You could write the code to write to /system, and it will run it just will not work. Thus, you need to utilize some sort of local privilege escalation. That is it's own equally semi-sticky wicket.
True, just disabling it via PackageInstaller by default would do the trick, the root community could re-enable it easily and those who only needed to sideload the occasional app could do so via USB debugging.
It seems like every time I hope for a reasonable solution like this I get let down substantially though.
Yes, AV is in a position where a) it needs regular full priv access to your files and unencrypted web traffic, b) is in a highly competitive, low-margin field where the players are literally attacking each other on your machine [1] to stay even, and c) have enormous motivation to seek other funding sources based on their desktop position [2-5].
I didn't say they created malware, no, but they certainly wave that flag when someone finds some. And it's certainly in their interest to pursue all of these alternatives, or even have a bad third party violate THEM to do so. The money is on the table. Do they take it? They'd be foolish not to.
If you refer to the theory that AV actually wrote viruses (it's not clear), that's as realistic as saying that police commits crimes so that they can get extra reward from the new tasks.
I've followed the VX scene for years (it died long ago) and there has never been shortage of new malware.
Even if we wanted to give some credit to the theory, which type of virus would the AV companies develop? Something trivial, that requires a variation of a signature to detect? Or something extremely complex, that requires month of work, and that slows down the AV engine because it's algorithmically complex to detect?
None of this makes any sense. The truth is very simple - malware has always been an interesting subject, and writing viruses always had a subversive appeal to young rebels.
As a victim of such a falsified crime, testified by half a dozen police officers who couldn't get their stories straight but whom "somehow" were believed, you're only adding credence to the claim with that analogy.
Not really. I'm not doubting that you have been wronged by the judicial system, as I've seen this first hand with a close friend. However, a bold claim like this requires solid evidence that such practices are the norm.
> If you refer to the theory that AV actually wrote viruses (it's not clear), that's as realistic as saying that police commits crimes so that they can get extra reward from the new tasks.
This analogy is not helping your case at all. It's not unheard of for police to plant evidence for such purposes. It's also been proven that law enforcement has been willfully using technology having high rates of false positives for things like drug testing to bring real charges against otherwise innocent people.
> that's as realistic as saying that police commits crimes so that they can get extra reward from the new tasks.
So very realistic then?
Or have you not encountered the numerous incidents where cops plant and manufacture evidence to frame people for various reasons such as increasing their numbers for a promotion or bad culture leading to quotas for arrests/tickets/etc.?
This is how mafia operates. They come to you and offer protection in exchange for a recurring "protection fee". If you refuse, they are the ones who commit crimes against you until you fork out a "protection fee".
This only really goes to the "don't entirely trust their statements regarding their product being the only effective barrier" part of the story. Reputable anti-virus companies do have a huge conflict of interest reporting on viruses they find and can tackle, but they also remain an important source of information about viruses. Disreputable anti-virus companies sell product which could be as simple as a "hollywood OS" green stripe animated GIF which says "virus cleaned" for all they really do: they probably install more malware rather than removing any.
Also, an anti virus company saying they can't understand how a virus remains infected after removal is interesting.
> The ads and notifications redirect users to the Play Store, where victims are asked to install other apps -- a means through which the xHelper gang is making money from pay-per-install commissions.
Software publishers which have been proven to be paying out commission money from "bait and install" app links, for things published in the Play Store, should have their entire app and developer profile removed with extreme prejudice.
That's a bold demand, considering that majority of free games in Play Store monetize themselves via partner installs. For all we know, developers of involved apps are paying a "legit" advertising company for installs, and malware authors act as ordinary partners of that company (likely using a bunch of throwaway accounts).
I sometimes install the app and leave it a one star and a comment with the cause: I was on a page and was forcibly redirected to a marketing page for an app. But major apps (atleast in India) won't get punished by a few one stars.
Play store should offer a screen to the users to allow them to report aggressive ads.
Through screenshots (and photographs, if needed) of the actual malware running on example devices, or in sandbox environments, or both, and what Play store install pages they're sending people to. I'd certainly hope that there's some team of people at Google doing exactly this already.
Also from bulk analysis tools running against known-malware hosting http daemons out on the Internet. Anybody who's used an android phone for a sufficiently long time and visited a few weird places has seen the javascript redirects for scary-looking pages with "CLEAN 581 VIRUSES FROM YOUR PHONE NOW" pages, designed to mimic android or ios system GUI elements. Inevitably accompanied by a link to a play store page.
Suppose they send you to one of 20 hardcoded applications in the playstore, only one of which is theirs and the other 19 are innocent third parties being used as cover. Do you ban all 20?
I'm really confused. How is it possible something like this survives a factory reset? To be fair, I have a very limited knowledge of hardware like this, but my assumption is a factory reset should remove EVERYTHING that didn't come on the phone put of the box.
Some other comments are questioning weather this is happeneing to 'budget' devices sold by sketchy manufacturers. Would that explain something like this.
I sure as hell hope thats not the case on a phone from reputable manufacturer. If I can't wipe everything, including malware from my android device by doing a factory reset, I'm going to throw it in the garbage tomorrow & buy an iPhone.
Android devices have multiple storage partitions. "Factory reset" generally refers to wiping the data partitions, but not the system partitions. It does not mean reflashing the phone's entire storage from an external image as you would expect.
I would imagine this malware modifies one of the partitions that is not customarily wiped. And I would expect that doing a proper full reflash from a computer (eg starting from `fastboot flash bootloader ...`) would remove it, assuming it wasn't already baked into that image at the manufacturer.
And the "not customarily wiped" partitions are not wiped because they are not customarily writable in the first place. Rooting a phone by a prominent manufacturer requires discovering an exploit which overcomes this write protection. This is why manufacturers try to protect against exploits, and why you probably shouldn't use a second-hand phone that has known exploits, where second-hand means touched by basically anyone in even a seemingly-legitimate supply chain.
> you probably shouldn't use a second-hand phone that has known exploits, where second-hand means touched by basically anyone
Clearly unpublished exploits are also bad, meaning this essentially applies to every phone. That's a pitfall of the closed security paradigm - even if you are willing to trust the manufacturer, you still can't be sure that their control has not actually been usurped by some unknown third party.
So you either need to double down and choose the closed system that receives the highest scrutiny (Apple), or opt for a device that has been opened by the community for long enough that any stateful hiding places are known.
>but my assumption is a factory reset should remove EVERYTHING that didn't come on the phone put of the box
A simple proof that this isn't the case is the fact that factory resets do not revert your phone back to the same OS version as it came with out of the box and it does not download an OS image to install. The only device I know that does this is macbooks have a built in recovery which can be used to download a fresh OSX image and install that.
On an unrooted/unexploited phone a factory reset should remove every bit of data bad app has access to. On a rooted phone you can wipe everything by downloading the vendor image (Google supplies these but not all OEMs do) and then you can flash that over the entire phone which replaces everything on the storage.
I'm not sure this is the case. I have a Samsung Note 5. Its been a while since I factory reset, but Im almost positive it was back to the old android version. I always remember having to upgrade again.
Maybe my memory is incorrect, but I'd be surprised if it did not revert back. I'm thinking of reseting soon, so if I do I'll report back :)
>According to Malwarebytes, the source of these infections is "web redirects" that send users to web pages hosting Android apps. These sites instruct users on how to side-load unofficial Android apps from outside the Play Store. Code hidden in these apps downloads the xHelper trojan.
Sounds big, but likely paltry compared to active Android devices. That said, for other reasons that are more compelling, Apple is killing Google on "captive portal advantages". Google needs to dedicate more resources to both the PlayStore and the Chrome Extension store for many, many, reasons. They are not getting the inflection point of their "automation is fine" approach.
In other words, the conclusion is right, but this incident is NOT the selling point. Ad blockers and manifest V3 is a much better research study into their stupidity.
This doesn't really seem like a detection issue, but more of a design issue that Google needs to fix. Why is an app able to display ads across the system, even when you aren't running it? And how is it even possible for an app to make itself uninstallable?
Those are good specific examples that I might have missed. Good point. The PlayStore is a train wreck that takes a lot of percentage of revenue from apps and adds little value in return.
Just noting that 45,000 users affected IS NOT the PlayStore failure reference story. It's bigger than that.
10 million uBlock Origin Chrome users are soon to be abandoned due to Google's policies. That's way more interesting, and ties the PlayStore issues to the same Chrome Extension issues.
Apple is credibly watching out for their customers. Google is credibly watching out for Google. Pretty much unapologetically with little pushback.
Personally frustrating for me as I've been a loyal Android user for a long time. Almost ready to switch to an iPhone, despite my unfamiliarity and the much higher price point. Google should pay attention.
>Why is an app able to display ads across the system
There is a permission on android called "Draw over other apps" which is disabled by default now when you install the app but the app can open a popup asking you to enable it which android warns you against accepting.
The valid use cases for this permission is you could have PIP for videos.
Yes its pretty bad but its not like any app can just draw adverts over the screen.
I know IOS isn't perfect, however, when I read articles like this, I just have to smile. There's something to be said for a tightly controlled platform and ecosystem.
They get so much wrong, so often, you have to wonder if they really look at the apps at all or just have some checklist, screenshots and a quota to hit. They explicitly approved all the garbage practices that Apple Arcade's billing protects users from.
That doesn't feel like the same thing at all. A shady developer tricking people into a subscription because they don't know any better is way different from malware that reinstalls itself even after a factory reset. People have to agree to pay for the subscription from an OS-level prompt in the first instance. They don't have a choice in the 2nd.
> A shady developer tricking people into a subscription because they don't know any better is way different from malware that reinstalls itself even after a factory reset.
A shady developer tricking people and a shady website tricking people result in bad things.
To get this trojan I'd need to go into settings and tick this box:
Then go to the dodgy website, then download the apk, then install it then pikachu face when I get a trojan.
And you can talk about how great Apple's security is but to fix this issue all Google has to do is remove that tick box in settings so no more sideloading apps.
But that also comes back with drawbacks that I assume an Apple user like yourself wouldn't know about, because all you know is a walled garden. Sort of like how Chinese people love the fact their internet is censored. So safe, so secure.
> And you can talk about how great Apple's security is but to fix this issue all Google has to do is remove that tick box in settings so no more sideloading apps.
And yet, they don’t.
> But that also comes back with drawbacks that I assume an Apple user like yourself wouldn't know about, because all you know is a walled garden.
Funny how Android users keep saying that. I’m an Android developer by profession, which is why I use an iPhone as my personal phone and would never recommend an Android device even to my worst enemy. I’ve seen how the sausage is made and it isn’t pretty. The best thing you can say about Android is that it’s free, which correctly reflects what it’s worth.
>I assume an Apple user like yourself wouldn't know about
Yes, truly... because there's no way that someone who uses an iPhone might know about the existence of Android/Windows/Linux/macOS or any other system that allows for sideloading and/or installing un-certed apps.
The point is, even if Apple allowed sideloading, there's no way that the iOS sandbox model would allow for what's being described here. The comparison wasn't accurate.
Your condescension and ignorance doesn't help that argument at all.
Apple's capricious app store review policy aside, iOS is so locked down that even a completely malicious sideloaded* iOS app can't dig itself into the system like this. Without a local privilege escalation exploit there's just no way to set up a persistent background service and no way to escape the sandboxing to allow an app to leave a mark on the system after your app is uninstalled.
(*a developer can basically sideload any app on their iOS device with an Apple developer license)
If shady devs can get a malicious app past Apple they can definitely get one past the average user. Does Apple get it right 100% of the time? Of course not. Does Apple get it right far more often than I would? Without a doubt.
Getting a malicious app past Apple in this context might mean as little as getting past a cursory review from a single indifferent employee. Apple has let enough bad apps through that, without further information, my default assumption is that the reviewer is doing little more than checking some boxes.
To be fair, if you stick to just using the Google Play Store, _this_ malware wouldn't hit you.
> According to Malwarebytes, the source of these infections is "web redirects" that send users to web pages hosting Android apps. These sites instruct users on how to side-load unofficial Android apps from outside the Play Store. Code hidden in these apps downloads the xHelper trojan.
While they were live, they didn’t steal data or gain control of a victim’s device,
....And while the worst effects you’d feel as a victim in this case would be a quicker battery drain and a higher data bill, this latest wave of iOS malware is most notable not for what it does but for how it got there.
Which is a far cry from an unremovable app. It didn’t even get outside of the sandbox and wasn’t an escalation of privilege attack.
The comments upstream are debating whether there's been malware on the app store. There has. Goal posts aside, it's worth remembering that no app review process is infallible, including Apple's.
The actual submission is about apps that install an unremovable piece of software that cause an escalation of privilege. The article you posted is about apps that can be removed just like any other software, don’t escape the sandbox and the most harm they can do is use an above normal amount of CPU and data.
Those aren't links to malware. Those are links to stories about malware that was removed from the App Store. Kinda makes the opposite point of what you're implying, doesn't it?
Sure, except that once you get past the idea of trusting others for your security, and instead learning and securing stuff yourself, you quickly realize that "tightly controlled" is just a synonym for "you don't really own your device, we just let you use it how we see fit". As so recently demonstrated by Apples ability to remove the HKmap.live app.
In general really wonder why people still defend Apple these days. Even if you overlook a combination of stuff like infinite attempts for icloud logins that led to the Fappening, their role in HK protests, and of course their pretty terrible labor practices that go so far as even to supposedly break the Chinese labor laws (which is a feat in itself), there is still issues with stuff they produce. Their hardware and software quality has been on a hard decline, especially if you compare it to alternatives rather than on its own merit. They don't really innovate despite opposite marketing claims, and they still participate in this "technology as a jewelry" thing with their $1000 monitor stands.
You pay attention to what you install, and take advantage of things like unlocking/rooting to remove apps or use a firewall app to limit access of other apps.
They certainly didn't know it was malware but yes, according to the article they installed the software intentionally (they even had to do extra steps and follow instructions on a random website to circumvent the google store).
You can theoretically have the best of both worlds, apples strong vetting without their draconian control. Strong vetting and allowing side loading are not mutually exclusive.
It's basically how linux systems work, most stuff comes from the package manager which has been pretty good at keeping out malware and users can install whatever they want from elsewhere.
It seems like they could get a better outcome by having levels of trust for unsanctioned apps. Like the default for side-loaded apps would be just as an app only. No background processing, notifications, loading services. To get the latter functionality you could make the user jump through a bunch of hoops with nasty warning messages or even just not allow it.
Note that if you enforce this for all side loaded apps are turning Android closer to the walled garden that is iOS.
There are already many legitimate apps distributed outside of Google Play for various reasons, such as weird Google policies or simply being booted out with no or spurious reason & the developer not being able to ever reach a human to fix this.
I wish apple would allow side loaded apps. I'm not saying eliminate side loaded apps all together. Merely, it seems like its a binary view. Either allow side loaded apps and make no attempt to design the installation process with security features, or deny un-approved applications entirely in the name of security.
I think Apple's desktop solution to unverified developers is a good way to split the difference. Deny by default but allow whitelisting. They go even further under the privacy tab and only allow certain applications permission to access accessibility features or full disk access, etc.
This actually seems broadly similar to the issue with "self-XSS" and the developer console in browsers (which is hidden behind a couple of menus). So far most of the mitigations involve the site printing messages into the console telling users to not paste in anything here unless they are a developer.
Maybe it's a good idea to hide the "Allow sideloaded apps" under the developer menu in Android or something, or generally to display a scarier message.
The end result of this is largely to discourage competition. The Google Play Store is not good at security, and the prohibition on sideloading is far less effective at preventing infection than it is at preventing app developers from avoiding Google's 30% app tax.
According to claims on Reddit, this malware can re-enable "Allow installing untrusted apps" checkbox after user unchecks it.
This and it's ability to survive factory reset may indicate, that xhelper can gain complete control over device (probably via improperly built firmware or unpatched root exploits). No amount of sandbox enhancements can stop this kind of priviledge escalation.
I think a large part of "the older generation" doesn't even understand that smartphones have software running on them called "android". My mom calls her Samsung Galaxy "iphone".
I don't know why you're being downvoted. You've got a point. There's no perfection in the App Store when it comes to review, but it's an ecosystem that is built around trying to create a sense of control and privacy. Sorry if you don't disagree but I reckon facts overwhelmingly disagree with you if you do.
That's not to say in any way ANDROID BAD or anything like that, it's just a broader attack vector that you're up against with Android unless you're a very careful experienced customer. Most people aren't. :/
I didn't downvote but I understand why others did (I would have if it wasn't already grey).
It's incredibly frustrating to read these pro-walled-garden-arguments. By the same argument you could say that the people in Hong Kong or elsewhere should just shut up and accept that their leaders will know what's best for them.
I worry about a future where these locked-down devices will be the norm for all of us. Don't defend Apple for locking you in. That's ridiculous.
One crucial difference is whether you can opt-out. Another big difference is the stated intention of the party/entity: i.e. Apple is not a company "of the people, by the people, and for the people".
My objection is that it's not that useful to only look at whether a party wants to restrict freedom. Personally, I don't think that's a very useful dimension at all -- I don't consider the existence of a road limiting to my freedom to drive wherever I feel like it.
Also didn't downvote personally, but I can certainly see why someone would.
Fundamentally, the problem exposed by this particular piece of malware was the ability for it to persist across removals and device resets, not that it was "sideload-able" by the user. Malware persistence should not be possible on a well-designed system, especially one where applications are generally untrusted and sandboxed. Had this been malware that requires sideloading but could be removed when noticed, it wouldn't even have made the headlines at all.
The problem with making the walled-garden argument here is like saying nobody will get sick if we just put everyone in isolation all the time. Like, sure, it is _a_ solution, and assuming the isolation is perfect, it _does_ achieve the goal... But this merely sidesteps the problem, and anything that slips through the wall (which as pointed out by other commenters, does happen on iOS too) will be just as dangerous as before.
The real solution is to "buff up everyone's immune system" and make it easy to restrict and treat malware apps when they inevitably end up on a device, walled garden or not.
https://www.youtube.com/watch?v=31D94QOo2gY
There are only so many places it can be hiding if it's surviving a factory reset.
--Guy who is undoubtedly vastly underestimating the problem given that it's resisted AV vendors for a while