This legit Android app turned into mic-snooping malware – and Google missed it Google Play has been caught with its cybersecurity pants down yet again after a once-legit Android screen-and-audio recorder app was updated to include malicious code that listened in on device microphones. Potentially tens of thousands of people downloaded the software before ESET researchers found the hidden malware and …
You will have a legitimate app - and the rest of the apps from this guy look legit... and then someone emails you saying they'd like to buy your app for [more than you're probably making on it now]. Or would you like to add this totally legit customer engagement framework for [more than you're probably making on it now]? It's happened to me! And he sells it or installs it (I did not). You just usually don't hear about it because it's small apps like this, but if you're watching it's about once a week (of those actually detected, probably a lot more). There was an fairly popular app called CamScanner. And the biggest one that I can think of of was Lavabird's popular 'Barcode Scanner' which had 10M installs. Bus most are like this with under 100K. I guess you're only hearing about this one because instead of just serving up lots of ads like most of them it actually recorded your audio and sent it somewhere.
Part of the problem is that while Apple App store apps have pessimistic permissions to start with and you can have them completely disabled unless you're actually using the app (so they can't do anything weird in the background), Google doesn't want do that in case it hurts ad revenue. It's absolutely possible on Android phones - Cyanogen's Privacy Guard did it. But Google just doesn't care, because infected phones serving up more ads is just more ad money for them.
I am on a Google Pixel phone and when using an app for the first time it asks about permissions and gives options that include "this time only" and "only while using App", it also regularly prompts for removing permissions from apps that I haven't used for a while.
I choose that but so many apps are now running continuously, I wonder what that phrase really means.
I am not sure it was a Saumsung thing or from an older android version, but you could tell it - on a non rooted device - to kill apps from the background and that worked. On my replacement phone running Android 12, I cannot get specific apps to stop running - nothing in developer options,and I do not want to root as it kills all the banking apps
Most apps on my phone I only want to run when I launch them (exceptions are a some messaging apps, doorbell and news apps). All others should shutdown and never run until I load them
But walled gardens! Reviews by minimum-wage developer wannabes! Automatic updates!
Mystical rites carried out For Security Reasons!
Cameras and microphones and radios whether I like them or not and without a physical cut-off! No 3.5mm jack! No screws! Sweat^WWater `damage' detectors!
That radio chip that bus master's the CPU but only to keep you, uh, safe definitely not to protect manufacturer or telco revenue, liability or control honest guv we wouldn't do anything like that!
I thought this was all for my protection?
Pulling the app from the store is nice and appropriate but does nothing for the installed base of up to 50.000 Droids broadcasting through AhMyth/AhRat
Distributing apps through the store works, sending updates too. "Hey google.... remove all apps from my phone not in the app store!"
They used to remotely remove apps back in the early Android days: https://android-developers.googleblog.com/2010/06/exercising-our-remote-application.html?m=1
They invoked that in 2010 and 2011 for similar malware to this incident, though I can't find a more recent case. Perhaps they just rely on Google Play Protect's more traditional virus scanner approach.
I remember the remote deletion being an extremely controversial move at the time... Heh. Have a read of the comments here:
https://forums.theregister.com/forum/all/2010/06/24/google_lifts_two_apps_from_android/
I don't see what's the big deal when Google is the developer of the #1 app in this genre. Called Google Amplifier, Google positions it as an accessibility feature but, going by the PI in Scott Turow's latest novel SUSPECT, it's more widely used to snoop conversations taking place in your neighbor's apartment!
For a moment there, I thought you were going to say Chrome.
Yes, the Chrome that magically links any Google activity in the browser with your phone's Google account and has no option to sign out without literally signing out on your entire phone.
Yes, you can "go incognito" (if you trust it) but that's really not the point. A website running in a browser shouldn't really be hardwired to the phone's account (or accounts, if multiple).
I gave up long ago any hope of Google doing proper review of Play Store apps and now try to limit myself to (1) what is in F-Droid and (2) a quick web search on it does not turn up any obvious red flags. This is by no means fully secure but it is less bad than blindly trusting everything in the Play Store.
I am wondering if the developer did intentionally infect their legitimate app with malware that could listen in on audio from the mic of compromised devices, what they were hoping to gain from it?
Unless it was going to be targeted at specific people that might say something that could be used to blackmail etc, then they would just be getting mostly mundane chatter that would be about stuff such as what time people are home for dinner, boring conversations about what groceries need picking up from the supermarket or just background noise from the TV or music.
We should make developers declare the ASNs associated with the IPs they intend to access, transparently, for all to see, with the option for users to opt-in/out at runtime. Telling end-users which companies networks their data will ultimately be sent to will not only allow people to make more informed decisions, but will also heap much needed pressure upon cloud providers to know their customer instead of sticking their heads in the sand. It wouldn't take too many incidents involving big multinational companies public cloud networks for laypeople to start demanding accountability from them.
I recently bought a new Android 12 phone (with a real audio jack and SD card reader, hooray !) to act as a media player, coffee table browser and eventual replacement for when my trusty 6 year old phone finally dies, and spent a good hour or so removing permissions and disabling/uninstalling almost everything that came pre-installed.
I noticed a permission called something like 'Change system settings', which was enabled on numerous applications that I really didn't see had any reason to be doing anything of that nature. I disabled this everywhere of course, but noticed that if I disabled an application or removed other permissions before removing that one, when I re-opened the application info, the application was magically re-enabled with the default permissions. Disabling the change system settings permission first stopped it doing that.
This setting is a new one on me - my venerable old phone is incompatible with recent versions of Android so I guess it's from a more innocent phase of the permissions/sneaky workaround arms race.
My old phone is on the list of phones that can possibly run a favourable flavour of Linux given enough faffing about, a bluetooth keyboard and probably a magnifying glass to read the bash console, so I do have the option to adopt the new one as my main phone-for-now and re-image the old one, a project for when I'm a little less busy, but a nice thought.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2025
