Android 'spoofing' bug helps targets bank accounts

Started by ssfc72, December 02, 2019, 06:38:44 PM

ssfc72

https://www.bbc.com/news/technology-50605455

A major security weakness in Google's Android OS. Bug can allow fake login screens that can be inserted into legitimate apps to harvest data.
Mint 20.3 on a Dell 14" Inspiron notebook, HP Pavilion X360, 11" k120ca notebook (Linux Lubuntu), Dell 13" XPS notebook computer (MXLinux)
Cellphone Samsung A50, Koodo pre paid service

Jason

Interesting. Thanks for sharing. It does sound like an OS vulnerability but this line isn't right:

Quote: The bug lets attackers create fake login screens that can be inserted into legitimate apps to harvest data.

Not quite. You still have to have downloaded a malicious app.

The bug alone isn't what makes this dangerous, there has to be a malware app already on the system for this to work. It's called a Trojan Dropper. The necessity of having a malicious app already is mentioned at their link to StrandHogg. Sadly, though, this isn't hard to do. It used to be that you could recommend that users not get apps that have only been downloaded <50K or <100K but some of this malware has been downloaded in the millions before they were discovered. That's the kind of thing that really worries me.

The link to StrandHogg is quite interesting and shows with graphics how the malicious app uses the exploit to collect personal information. Check it out. It mentions in the Q&A that, while there is no effective way to block or even detect Trojan-Dropper, there are some discrepancies you can watch for:

  • An app or service that you’re already logged into is asking for a login.
  • Permission popups that do not contain an app name.
  • Permissions asked from an app that shouldn’t require or need the permissions it asks for. For example, a calculator app asking for GPS permission.
  • Typos and mistakes in the user interface.
  • Buttons and links in the user interface that do nothing when clicked on.
  • Back button does not work as expected.

The best thing to do, where it involves money, is to keep an eye on your banking and credit cards. For example, I have a low balance credit card. Every day it emails me the total balance and every transaction. With my bank, I have it notify me of all transactions >$20. Most people would probably put it at $100 but chances are the option is there in your online banking settings. Of course, you could just not do any financial transactions on your device. But these malicious apps + the vulnerability can still steal a lot of personal info like login passwords and such and even send/read texts without you knowing it (though they will ask for permission the first time it does that).

It might be helpful knowing that 2FA is an excellent defence against this sort of thing since even if the attackers get your password, they can't do anything with it without the second factor. I wish banks in Canada offered it.

Hopefully, Google addresses this soon. However, malicious apps are much more difficult to block. There are millions of apps every day and it's a moving target - updates are put out several times a week for many apps. And some apps start out as legitimate and then malware is later added to them which builds up trust and gets more people to use them before they're discovered, such as CamScanner.

Google recently announced a partnership with several security firms to improve the detection of malicious apps in Google Play. This should also be a hole they can fix, but it's hard to know. Fixing an SDK risks breaking a lot of apps in the process so it's not something they can rush.

Note that this isn't a Linux issue. Most Android apps are running on Java with the Android SDK and the vulnerability is specific to Android versions 6 and above.
* Zorin OS 17.1 Core and Windows 11 Pro on a Dell Precision 3630 Tower with an
i5-8600 3.1 GHz 6-core processor, dual 22" displays, 16 GB of RAM, 512 GB Nvme and a Geforce 1060 6 GB card
* Motorola Edge (2022) phone with Android 13

fox

Quote from: Jason Wallwork on December 03, 2019, 12:12:52 AM
....
Of course, you could just not do any financial transactions on your device.
....
Yup!

I have an LG Android tablet that is running Android 7 and hasn't gotten an update. Any way to deal with security issues on this one?
Ubuntu 23.10 on 2019 5k iMac
Ubuntu 22.04 on Dell XPS 13

Jason

Quote from: fox on December 03, 2019, 07:05:02 AM
Yup!

I have an LG Android tablet that is running Android 7 and hasn't gotten an update. Any way to deal with security issues on this one?
AFAIK, Google hasn't patched this yet. Other than being super careful about what you install and watching for the signs that I already mentioned, there's nothing you can do right now. And even then, it depends on the manufacturer rolling out the update they do put out, which doesn't usually happen immediately.

fox

This is where iOS has it over Android. With Android, you're at the mercy of Google first, and your manufacturer second. Even my wife's 5-year-old iPad 2 was updated to the latest iOS (iPadOS) as soon as it came out. Problem is, I still really like my LG gPad III 8.0. It is light, high-resolution (compared to Samsung's equivalents) and it has a plastic stippled back, making it easy to hold in any position. The latter may not be considered classy, but it works better for grip than any device I've had. I know of no 8" replacement that light, easy to hold and easy to read.

Jason

While true for the most part, you can also get a Google device which promises updates for 3 years, I believe.

https://store.google.com/

If you're lucky (or planned it out), you have a device that lets you replace the firmware with stock Android which should let you apply all those Android updates.

Jason

While there still isn't a fix yet, Google has now rated StrandHogg with its highest severity rating which likely means a lot of resources will be brought to bear on fixing it.

Most of the article is about what app developers can do so that their apps can't be exploited by StrandHogg. Expect lots of updates over the next few weeks and months to your apps!