Author Topic: Android 'spoofing' bug helps targets bank accounts


Offline ssfc72

Android 'spoofing' bug helps targets bank accounts
« on: December 02, 2019, 06:38:44 pm »
https://www.bbc.com/news/technology-50605455

A major security weakness in Google's Android OS. The bug can allow fake login screens to be inserted into legitimate apps to harvest data.
Mint 19.1 on a Dell 14" Inspiron notebook, HP Pavilion X360, 11" k120ca notebook (Linux Lubuntu), Dell 13" XPS notebook computer (MX Linux)
Cellphone ZTE Axon 7 Mini, PCMobile pay as you go

Offline Jason

Re: Android 'spoofing' bug helps targets bank accounts
« Reply #1 on: December 03, 2019, 12:12:52 am »
Interesting. Thanks for sharing. It does sound like an OS vulnerability but this line isn't right:

Quote
The bug lets attackers create fake login screens that can be inserted into legitimate apps to harvest data.

Not quite. You still have to have downloaded a malicious app.

The bug alone isn't what makes this dangerous; there has to be a malware app already on the system for this to work. It's called a Trojan Dropper. The necessity of having a malicious app already is mentioned at their link to StrandHogg. Sadly, though, this isn't hard to do. It used to be that you could recommend that users not get apps that have only been downloaded fewer than 50K or 100K times, but some of this malware has been downloaded millions of times before being discovered. That's the kind of thing that really worries me.

The link to StrandHogg is quite interesting and shows with graphics how the malicious app uses the exploit to collect personal information. Check it out. It mentions in the Q&A that, while there is no effective way to block or even detect Trojan-Dropper, there are some discrepancies you can watch for:

  • Permission popups that do not contain an app name.
  • Typos and mistakes in the user interface.
  • Buttons and links in the user interface that do nothing when clicked on.
  • Back button does not work as expected.
The best thing to do, where money is involved, is to keep an eye on your banking and credit cards. For example, I have a low-balance credit card. Every day it emails me the total balance and every transaction. With my bank, I have it notify me of all transactions >$20. Most people would probably put it at $100, but chances are the option is there in your online banking settings. Of course, you could just not do any financial transactions on your device. But these malicious apps + the vulnerability can still steal a lot of personal info like login passwords and such, and even send/read texts without you knowing it (though they will ask for permission the first time they do that).

It might be helpful knowing that 2FA is an excellent defence against this sort of thing since even if the attackers get your password, they can't do anything with it without the second factor. I wish banks in Canada offered it.

Hopefully, Google addresses this soon. However, malicious apps are much more difficult to block. There are millions of apps every day and it's a moving target - updates are put out several times a week for many apps. And some apps start out as legitimate and then malware is later added to them which builds up trust and gets more people to use them before they're discovered, such as CamScanner.

Google recently announced a partnership with several security firms to improve the detection of malicious apps in Google Play, but this should also be a hole they can fix, though it's hard to know. Fixing an SDK risks breaking a lot of apps in the process, so it's not something they can rush.

Note that this isn't a Linux issue. Most Android apps are running on Java with the Android SDK and the vulnerability is specific to Android versions 6 and above.
« Last Edit: December 29, 2019, 10:32:29 am by Jason Wallwork »
"With all its sham, drudgery, and broken dreams, it is still a beautiful world." - Max Ehrmann, Desiderata

Offline fox

Re: Android 'spoofing' bug helps targets bank accounts
« Reply #2 on: December 03, 2019, 07:05:02 am »
Quote
[...]
Of course, you could just not do any financial transactions on your device.
[...]
Yup!

I have an LG Android tablet that is running Android 7 and hasn't gotten an update. Any way to deal with security issues on this one?
« Last Edit: December 03, 2019, 07:08:14 am by fox »
Ubuntu 21.04 on 2019 5k iMac
Ubuntu 20.04 and 18.04 on Dell XPS 13 2 in 1

Offline Jason

Re: Android 'spoofing' bug helps targets bank accounts
« Reply #3 on: December 03, 2019, 02:37:01 pm »
Quote
Yup!

I have an LG Android tablet that is running Android 7 and hasn't gotten an update. Any way to deal with security issues on this one?
AFAIK, Google hasn't patched this yet. Other than being super careful about what you install and watching for the signs that I already mentioned, there's nothing you can do right now. And even then, it depends on the manufacturer rolling out the update they do put out, which doesn't usually happen immediately.

Offline fox

Re: Android 'spoofing' bug helps targets bank accounts
« Reply #4 on: December 03, 2019, 03:05:51 pm »
This is where iOS has it over Android. With Android, you're at the mercy of Google first, and your manufacturer second. Even my wife's 5-year-old iPad 2 was updated to the latest iOS (iPadOS) as soon as it came out. Problem is, I still really like my LG gPad III 8.0. It is light, high-resolution (compared to Samsung's equivalents) and it has a plastic stippled back, making it easy to hold in any position. The latter may not be considered classy, but it works better for grip than any device I've had. I know of no 8" replacement that light, easy to hold and easy to read.

Offline Jason

Re: Android 'spoofing' bug helps targets bank accounts
« Reply #5 on: December 03, 2019, 03:15:35 pm »
While true for the most part, you can also get a Google device which promises updates for 3 years, I believe.

https://store.google.com/

If you're lucky (or planned it out), you have a device that lets you replace the firmware with stock Android which should let you apply all those Android updates.

Offline Jason

Re: Android 'spoofing' bug helps targets bank accounts
« Reply #6 on: December 29, 2019, 10:49:13 am »
While there still isn't a fix yet, Google has now rated StrandHogg with its highest severity rating which likely means a lot of resources will be brought to bear on fixing it.

Most of the article is about what app developers can do so that their apps can't be exploited by StrandHogg. Expect lots of updates over the next few weeks and months to your apps!