Over 2,000 malicious apps exists on Play Store

If you thought that the quality control issues plaguing the Google Play Store for Android were finally being ironed out, it couldn't be further from the truth. A two-year-study by the University of Sydney and CSIRO’s Data61 has come to the conclusion that there are at least 2,040 counterfeit apps on Google Play Store. Over 2,000 of those apps impersonated popular games and had malware. The paper, a Multi-modal Neural Embedding Approach for Detecting Mobile Counterfeit Apps, was presented at the World Wide Web Conference in California in May documenting the results.

The study shows that there is a massive number of impersonated popular gaming apps available on Play store. They include fake versions of popular games such as Temple Run, Free Flow and Hill Climb Racing. The study investigated around 1.2 million apps on Google Play Store, available in Android, and identified a set of potential counterfeits for the top 10,000 apps.

Counterfeit apps impersonate popular apps and try to misguide users`. “Many counterfeit apps can be identified once installed. However, even a tech-savvy user may struggle to detect them before installation,” the study says.

It also points out that fake apps are often used by hackers to steal user data or infect a device with malware. “Installing counterfeit apps can lead to a hacker accessing personal data and can have serious consequences like financial losses or identity theft,” reads a blog post by the university.

The study also found that 1,565 asked for at least five dangerous permissions and 1407 had at least five embedded third-party ad libraries.

To investigate these applications on Google Play store the researchers used neural networks.

Google has acknowledged the problem of “malicious apps and developers” in a blog post by Google Play product manager Andrew Ahn on February 13, 2019.

According to Google, the company now removes malicious developers from Play store much faster when compared to previous years. The company says that in 2018 it stopped more malicious apps from entering the store than ever before.

A Google spokesperson, in response to a TOI email, said, “When we find that an app has violated our policies, we remove it from Google Play.”

Google Confirms Several Android Devices Shipped With a Malware




Google tackles yet another vulnerability dubbed as Triada, a malware in the form of a code that affected some Android devices even before they shipped.

The malware is such cunningly structured by the hackers, that it displays ads and spam on a cell phone, on endless Android smartphones and stays undetected for long.

Google, in a rather detailed blog post, clarifies "Triada infects device system images through a third-party during the production process. Sometimes OEMs want to include features that aren't part of the Android Open Source Project, such as face unlock. The OEM might partner with a third-party that can develop the desired feature and send the whole system image to that vendor for development...Based on analysis; we believe that a vendor using the name Yehuo or Blazefire infected the returned system image with Triada."

The activities of Triada were first discovered by Kaspersky Labs through the two posts which had stayed profound into the workings of the malware, first was back in March 2016 and the other in a consequent post in June 2016.

What makes this Trojan progressively perilous is simply the way that it hides itself from the list of applications running and installed on the Android smartphone, making it unimaginable for the anti-virus applications and anti-malware applications to identify it, then again it makes it hard for the framework to distinguish if a peculiar or an undesirable procedure is running in the background.

Triada is additionally known to modify the Android's Zygote process too.

Google, upon finding out about the functions and workings of Triada in 2016, had immediately removed the malware from all devices utilizing Google Play Protect. In any case, the malevolent actors amped up their endeavors and discharged a much smarter version of the Trojan in 2017.

What's more, since this more 'smarter version' was implanted in the system libraries it could furtively download and run noxious modules. The most concerning fact being that it can't be erased utilizing the standard techniques and methods.

As indicated by a well-known software suite Dr.Web, the modified version of Traida is known to be found on several mobile devices, including Leagoo M5 Plus, Leagoo M8, Nomu S10, and Nomu S20.


Many Android devices had pre-installed backdoor: Google

Earlier this year, Forbes reported how a banking Trojan called Triada had been found on a bunch of brand new budget Android smartphones. Google has now confirmed that threat actors did, indeed, manage to compromise Android smartphones with the installation of a backdoor as part of a supply chain attack.

Two years later, on Thursday, Google has now admitted that criminals in 2017 indeed managed to get an advanced backdoor preinstalled on Android devices, even before these left the factories of manufacturers.

The list of affected devices includes Leagoo M5 Plus, Leagoo M8, Nomu S10 and Nomu S20.

To understand what has happened here, we need to go back to 2016 when Kaspersky Lab researchers first uncovered what they called one of the most advanced mobile Trojans Kaspersky malware analysts had ever seen. They named that Trojan "Triada" and explained how it existed mainly in the smartphone's random access memory (RAM) using root privileges to replace system files with malicious ones. Android phones were spotted to have Triada as a preloaded backdoor in 2017.

The firm, Dr. Web’s, researchers had found Triada embedded into one of the OS libraries and located in the system section. Not just that, the Trojan couldn’t be detected or deleted using standard methods.

Triada had, the researchers found, used a call in the Android framework log function instead. In other words, the infected devices had a backdoor installed. This meant that every time an app, any app, attempted to log something the function was called and that backdoor code executed. The Triada Trojan could now execute code in pretty much any app context courtesy of this backdoor; a backdoor that came factory-fitted.

The Mountain View, California-headquartered company initially removed Triada samples from all Android devices using Google Play Protect. But in 2017, it was found that Triada evolved and ultimately became a preloaded backdoor on Android devices. Notably, the latest phones aren't likely to be affected by what has been discovered by Google. The vulnerability did have an impact on various models in the past, though.

Google restricts Huawei’s access to Android apps





Google restricts the access of its Android operating system and apps for Chinese tech giant Huawei after US’s President Donald Trump administration blacklisted the firm.

The order not only impacted Google but the US chip-makers as well.  Intel Corp, Qualcomm Inc., Xilinx Inc., and Broadcom Inc. have all stopped doing business with the Chinese tech giant

"We are complying with the order and reviewing the implications," a Google spokesperson said on Monday. Huawei, the world's No. 2 smartphone seller, relies on a suite of Google services for its devices, including the Android system and the Google Play app store.

Huawei will now only be able to use the public version of Android and the new phones will not have Google play store, Gmail, and other services provided by Google.

The users who are now using the Huawei smartphones will not be affected by this order, but they won’t be able to update their phones. 

However, the Chinese tech company claim that for the last three years that have been working on their own operating system.

"Huawei has been building an alternative operating system just in case it is needed," said Huawei spokesperson Glenn Schloss. "We would like to be able to continue operating in the Microsoft and Google ecosystems," he added.

The company has bought Microsoft’s operating system license for its laptops and tablets. Meanwhile, Microsoft (MSFT) did not immediately respond to a request for comment.



Hackers Now Tricking Users with Fake Address Bars on Chrome



Hackers now take the aid of another and a rather refined phishing attack on Android Chrome only so to shroud the original address bar's screen space by showing its very own fake URL bar when the user scrolls down the site's page.

The fake address bar that relates with the phishing website page posed with real webpage URL by intercepting the original chrome bar. Typically, when users scroll down the site's page, the browser shrouds the URL bar and the page covers overlaps on it in light of the fact that the page is accessible to by means of a "trustworthy browser UI".

Here, the phishing site manhandles this procedure by displaying its very own fake URL bar that acted like an authentic one and trapped users to give away their own personal information.
Security researcher James Fisher exhibited this phishing attack by facilitating his own domain (jameshfisher.com), as he exploited the blemish in chrome browser for mobile.

Fisher used the HSBC domain (www.hsbc.com) as a fake URL bar to proceed with the said demonstration  and by utilizing a similar way the attackers resort to when they utilize any legitimate site, intercept the URL bar and steal the information.

Specialist call it as "scroll jail", when this attack gets even worse for wear, for the most part when the users look up the site page however again reach the first URL bar, here the attackers trap the users to never return on the original URL bar.

According to Fisher, the attack resembles in a dream in inception, the user believes that they're in their own browser, yet they're actually in a browser inside their browser.

 “Is this a serious security flaw? Well, even I, as the creator of the inception bar, found myself accidentally using it! So I can imagine this technique fooling users who are less aware of it, and who are less technically literate. The only time the user has the opportunity to verify the true URL is on page load, before scrolling the page. After that, there’s not much escape”, says Fisher, who is also of the believe that it might be a security flaw in Chrome browser causing the commotion.