Google's policy for developers on Google Play has recently been updated with a few changes. Google has revised both the Malicious Behavior policy and the Ratings, Reviews, and Installs policy, and has introduced additional policy requirements for Instant Apps distribution. To make things easy, Google also has some new tips on how developers can stay on the right side of its policies in the future.
The security of our mobile apps and private data is a very serious matter. This is particularly true for high-value targets like web browsers, which often store login credentials that can be used to access many of the websites we use on a regular basis. Unfortunately, browsers are also very complicated applications with an extensive set of features that are difficult to lock down completely. Sebastián Guerrero Selma of viaForensics recently posted a video demonstrating a newly discovered vulnerability in Firefox for Android which would allow hackers to access both the contents of the SD card and the browser's private data.
A very serious security hole has been discovered in Firefox for Android that allows a website to force the browser to download and run potentially damaging files, usually without the user's knowledge or interaction. The vulnerability was first described and demonstrated publicly on September 9th as part of a posting meant to advertise the attack as being for sale. The method for exploiting the weakness simply requires a webserver to instruct Firefox for Android to initiate a download, after which the downloaded file is automatically opened or executed (depending on the file type).
Here's a demonstration using an apk crafted to look like an update to Firefox:
While the demo video above uses an apk and relies on a user being tricked into installing it, the potential vectors of attack aren't restricted simply to apks and can possibly leverage other weaknesses on a device.
The Google Play Store's "Bouncer," which Google launched back in February to protect Android users from malicious apps, is a service that scans potential Play Store apps by running them in a virtual phone environment, where the app's activities are monitored for any signs of mal-intent.
Taking advantage of that test period, security researchers Charlie Miller and Jon Oberheide have evidently found ways past Bouncer (which they will be presenting at the Summercon conference in New York this week). Their method, in short, allows an app to "know" that it is being run in a virtual environment, meaning malicious apps could conceivably resist carrying out malicious activities until they are running on a real system.
Fake apps in the Play Store are nothing new. We've seen countless fakes hit the Store, many of which contained some form of malware used to steal user data, or worse, charge premium features to their bill. A Latvian firm is now being fined for the latter due to fake apps designed to look like Angry Birds Space, Cut the Rope, and Assassin's Creed.
After downloading one of the aforementioned apps, though, the user wasn't greeted by flying birds or a hungry frog, but instead... nothing. The apps did absolutely nothing in the foreground. Little did the users who installed these apps know that they were being scammed behind the scenes.
Remember DroidDream - one of the worst malware apps that we've seen since Android's inception? Well, it appears that the developer of said malware is back at it again, with a reported 25 infected apps (so far) found in the Android Market. Dubbed DroidDreamLight by the Lookout Security team, this infection is a stripped down version of its predecessor. Make no mistake, though - that doesn't mean it's any less malicious.
This malware was actually found by a developer of one of the infected apps, when he noticed that a modified version of his own apk was being distributed in the Android Market.
With a great plugin comes great responsibility - to avoid malicious Flash files, that is. A zero-day exploit has been discovered in Adobe Flash that affects all Android versions of the software, Adobe announced today.
The most common vessel for the exploit is (fortunately) a Microsoft document (.doc) email attachment with an embedded Flash file (.swf) - and I'm not aware of any Word document viewers/editors in Android that support embedded Flash. Once the Flash file is executed, the exploiter can run malicious code on the target device. How, or whether, this could affect Android is unknown.
Still, it's important to remember that Adobe's products, ever the target of hackers and shady enterprise, share common elements across operating systems - including, at times, potentially dangerous flaws and exploits.
All of the recent concern about malware in the Android Market may lead one to generalize that the Android OS is nothing but a big loser in the mobile security department. That may be a faulty conclusion, if the results from the hacking competition Pwn2Own are any indication. In this year's contest, held at the CanSecWest Security Conference, Android and Windows Phone 7 both survived unscathed, while iOS and BlackBerry fell to the hackers.
Pwn2Own is a computer hacking contest where cyber attackers attempt to hack into a variety of devices and browsers, both mobile and desktop.