back to article This legit Android app turned into mic-snooping malware – and Google missed it

Google Play has been caught with its cybersecurity pants down yet again after a once-legit Android screen-and-audio recorder app was updated to include malicious code that listened in on device microphones. Potentially tens of thousands of people downloaded the software before ESET researchers found the hidden malware and …

  1. sarusa Silver badge
    Devil

    Legit Google Play apps getting compromised happens fairly often

    You will have a legitimate app - and the rest of the apps from this guy look legit... and then someone emails you saying they'd like to buy your app for [more than you're probably making on it now]. Or would you like to add this totally legit customer engagement framework for [more than you're probably making on it now]? It's happened to me! And he sells it or installs it (I did not). You just usually don't hear about it because it's small apps like this, but if you're watching it's about once a week (of those actually detected, probably a lot more). There was an fairly popular app called CamScanner. And the biggest one that I can think of of was Lavabird's popular 'Barcode Scanner' which had 10M installs. Bus most are like this with under 100K. I guess you're only hearing about this one because instead of just serving up lots of ads like most of them it actually recorded your audio and sent it somewhere.

    Part of the problem is that while Apple App store apps have pessimistic permissions to start with and you can have them completely disabled unless you're actually using the app (so they can't do anything weird in the background), Google doesn't want do that in case it hurts ad revenue. It's absolutely possible on Android phones - Cyanogen's Privacy Guard did it. But Google just doesn't care, because infected phones serving up more ads is just more ad money for them.

    1. Is It Me

      Re: Legit Google Play apps getting compromised happens fairly often

      I am on a Google Pixel phone and when using an app for the first time it asks about permissions and gives options that include "this time only" and "only while using App", it also regularly prompts for removing permissions from apps that I haven't used for a while.

      1. Julian 8 Silver badge

        Re: Legit Google Play apps getting compromised happens fairly often

        I choose that but so many apps are now running continuously, I wonder what that phrase really means.

        I am not sure it was a Saumsung thing or from an older android version, but you could tell it - on a non rooted device - to kill apps from the background and that worked. On my replacement phone running Android 12, I cannot get specific apps to stop running - nothing in developer options,and I do not want to root as it kills all the banking apps

        Most apps on my phone I only want to run when I launch them (exceptions are a some messaging apps, doorbell and news apps). All others should shutdown and never run until I load them

  2. ChoHag Silver badge
    Holmes

    But walled gardens! Reviews by minimum-wage developer wannabes! Automatic updates!

    Mystical rites carried out For Security Reasons!

    Cameras and microphones and radios whether I like them or not and without a physical cut-off! No 3.5mm jack! No screws! Sweat^WWater `damage' detectors!

    That radio chip that bus master's the CPU but only to keep you, uh, safe definitely not to protect manufacturer or telco revenue, liability or control honest guv we wouldn't do anything like that!

    I thought this was all for my protection?

    1. Snapper

      Wut?

      Sorry, who are you actually having a go at here?

    2. Huw L-D

      "And we'll hope that the Corporate ears do not listen

      Lest we find ourselves committing some kind of treason

      And filed in the tapes without rhyme, without reason

      While they tell us that it's all for our own protection,

      I swear we never asked for any of this"

      NMA, 225, 1988.

  3. Anonymous Coward
    Anonymous Coward

    Pulling an app form the store will do nothing

    Pulling the app from the store is nice and appropriate but does nothing for the installed base of up to 50.000 Droids broadcasting through AhMyth/AhRat

    Distributing apps through the store works, sending updates too. "Hey google.... remove all apps from my phone not in the app store!"

    1. 142

      Re: Pulling an app form the store will do nothing

      They used to remotely remove apps back in the early Android days: https://android-developers.googleblog.com/2010/06/exercising-our-remote-application.html?m=1

      They invoked that in 2010 and 2011 for similar malware to this incident, though I can't find a more recent case. Perhaps they just rely on Google Play Protect's more traditional virus scanner approach.

      I remember the remote deletion being an extremely controversial move at the time... Heh. Have a read of the comments here:

      https://forums.theregister.com/forum/all/2010/06/24/google_lifts_two_apps_from_android/

  4. sketharaman

    No big deal?

    I don't see what's the big deal when Google is the developer of the #1 app in this genre. Called Google Amplifier, Google positions it as an accessibility feature but, going by the PI in Scott Turow's latest novel SUSPECT, it's more widely used to snoop conversations taking place in your neighbor's apartment!

    1. heyrick Silver badge

      Re: No big deal?

      For a moment there, I thought you were going to say Chrome.

      Yes, the Chrome that magically links any Google activity in the browser with your phone's Google account and has no option to sign out without literally signing out on your entire phone.

      Yes, you can "go incognito" (if you trust it) but that's really not the point. A website running in a browser shouldn't really be hardwired to the phone's account (or accounts, if multiple).

  5. Pascal Monett Silver badge

    "how it managed to miss the malicious update for nearly a year"

    I guess we'll just have to consider ourselves lucky that it finally "found" it.

    Google : promises aplenty, actions lagging far behind. Hey, when you're swimming in money, why sweat the small things ?

  6. YetAnotherXyzzy

    I gave up long ago any hope of Google doing proper review of Play Store apps and now try to limit myself to (1) what is in F-Droid and (2) a quick web search on it does not turn up any obvious red flags. This is by no means fully secure but it is less bad than blindly trusting everything in the Play Store.

  7. Alumoi Silver badge

    So, always update, even if it works

    What could go wrong?

    1. Jason Bloomberg Silver badge

      Re: So, always update, even if it works

      Screwed if you don't and screwed if you do - It's not surprising the average user has no idea what to do, and even techies struggle with that.

      1. FlamingDeath Silver badge

        Re: So, always update, even if it works

        The software world, especial mobile app development, is an absolute shitshow, NGL

  8. mark l 2 Silver badge

    I am wondering if the developer did intentionally infect their legitimate app with malware that could listen in on audio from the mic of compromised devices, what they were hoping to gain from it?

    Unless it was going to be targeted at specific people that might say something that could be used to blackmail etc, then they would just be getting mostly mundane chatter that would be about stuff such as what time people are home for dinner, boring conversations about what groceries need picking up from the supermarket or just background noise from the TV or music.

    1. Anonymous Coward
      Anonymous Coward

      There the 1 in ten million chance of getting

      Aw baby yeah ooh err yeah thats it!

      Beh-eeh-eeh-eeh-eeh-eeh-eeh-eeh!

      was it eeh-eeh-eeh-eeh-eeh-eeh for you too?

  9. Anonymous Coward
    Anonymous Coward

    Make Internet access a permission

    We should make developers declare the ASNs associated with the IPs they intend to access, transparently, for all to see, with the option for users to opt-in/out at runtime. Telling end-users which companies networks their data will ultimately be sent to will not only allow people to make more informed decisions, but will also heap much needed pressure upon cloud providers to know their customer instead of sticking their heads in the sand. It wouldn't take too many incidents involving big multinational companies public cloud networks for laypeople to start demanding accountability from them.

  10. ChrisCoderChap

    I recently bought a new Android 12 phone (with a real audio jack and SD card reader, hooray !) to act as a media player, coffee table browser and eventual replacement for when my trusty 6 year old phone finally dies, and spent a good hour or so removing permissions and disabling/uninstalling almost everything that came pre-installed.

    I noticed a permission called something like 'Change system settings', which was enabled on numerous applications that I really didn't see had any reason to be doing anything of that nature. I disabled this everywhere of course, but noticed that if I disabled an application or removed other permissions before removing that one, when I re-opened the application info, the application was magically re-enabled with the default permissions. Disabling the change system settings permission first stopped it doing that.

    This setting is a new one on me - my venerable old phone is incompatible with recent versions of Android so I guess it's from a more innocent phase of the permissions/sneaky workaround arms race.

    My old phone is on the list of phones that can possibly run a favourable flavour of Linux given enough faffing about, a bluetooth keyboard and probably a magnifying glass to read the bash console, so I do have the option to adopt the new one as my main phone-for-now and re-image the old one, a project for when I'm a little less busy, but a nice thought.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like