Multi-part Android spyware lurked on Google Play Store for 4 years, posing as a bunch of legit-looking apps

A newly uncovered strain of Android spyware lurked on the Google Play Store disguised as cryptocurrency wallet Coinbase, among other things, for up to four years, according to a new report by Bitdefender. The malware, named Mandrake by the threat intelligence agency, featured a three-part structure that allowed its operators …

  1. Anonymous Coward

    So...

    Does this mean Bitdefender can detect these tools?

    1. Charlie Clark Silver badge

      Re: So...

      Not with a simple scan, no. But that's true of a lot of malware: scanning the code will not necessarily tell you how it behaves, you can only look for some tell tale signs. You need to run it in a sandbox to see what kind of connections it makes outgoing and incoming.

      1. Captain Scarlet Silver badge
        Unhappy

        Re: So...

        In this case it detects if it's being virtualised and doesn't download the payload if it doesn't meet certain criteria, so unless it appears as a genuine phone or tablet it won't make those outgoing connections!

        1. Anonymous Coward

          Re: So...

          "...it detects if it's being virtualised..."

          People don't realize how common this is. I write network diagnostic software, among other things, and the first thing my utilities do is check if they are running in a virtualised environment, and let the user know with the appropriate warnings that they should take that into account when evaluating the info the utilities are reporting.

          1. bombastic bob Silver badge
            Devil

            Re: So...

            when I started reading this, I was thinking that you had to load multiple applications, but apparently that loading is coordinated by the original. I did not see whether or not the user still had to confirm and allow permissions, etc. but most people just "click through" all of that blindly.

            However, what _IF_ the malware was in parts, and would NOT run unless ALL of the parts were loaded? That is, you might need to install the wallet, the e-mail, AND the music player [for example] and let's say all three of them SELF PROMOTE [and to make the ads stop you can install them]. Then when all three are loaded, the malware does its thing... how well could THAT be detected by current means?

            At any rate, what the article made me think [initially] is actually a bit WORSE than a "payload downloader". But it definitely points out that "App Stores" are NOT inherently "safe", no matter how much of a LOCK DOWN [that would be YOU, Apple] is being done to "prevent infections".

            Hey. LOCK DOWNS DO NOT WORK. There. I said it.

            1. Anonymous Coward

              Re: So...

              What IF the APP required JUST TWO thumb presses that just TRIGGER a reverse MALWARE EM Pulse and ENDS the worLD by activating RUSSIAN ICBMs? WOULD THAT be DEteCTED by CURRENT DETECTION syStEMS?

              EATING poo IS GOOD for YOU! THERE, I saID IT!!!!!

            2. Glen 1

              Re: So...

              "Hey. LOCK DOWNS DO NOT WORK. There. I said it."

              Ugh OK I'll take the bait. It depends on what you mean by "work". If you mean "reduce the loss of life" then yes, they do. As evidenced by anyone paying attention. You'd have to be PRETTY FUCKING STUPID (or a young child) not to grasp the reasons why that is. Pick a country. South Korea, New Zealand, China. Even in the UK the delayed lockdown has now passed the peak of the first wave. Unless you think the reduction in daily deaths is unrelated?

              Hey, if you know better than the epidemiologists, then perhaps you went into the wrong career. Perhaps you could teach those climatologists a thing or two while you're at it. PMSL

              People breaking lockdown make them... not work. Half-assing the enforcement makes them more likely to be broken. People have understood basic quarantine measures since the plague, but apparently Bob knows better.

              That'd be fine, if you were only going to kill yourself, and others who think like you, but unfortunately, many of the people you are endangering don't have a choice. Some professions are *required* for society to continue to function. There is some wiggle room as to which ones those are. Hint: hairdressers are not on that list.

              Then we have those lacking a basic grasp of the concept of how communicable diseases spread. I don't know about in the states, but in the UK the whole "coughs and sneezes spread diseases" thing was pretty well drummed into children with *competent* parents before they got to secondary school.

              So why do we have people arguing technicalities when you know damn well what the social distancing rules are there for? If every break in the transmission chain is saving a life, every person *deliberately* breaking those rules by coughing and spitting on police/health workers should be locked up... and potentially tried for attempted murder.

              Frontline police and health workers not having masks or other PPE is a *different* competency issue.

              Edit:

              To coin a metaphor that Bob might listen to: y'all are out there running Windows XP with minimal anti-virus, while the people running Linux and listening to competent experts in their field are staying at home.

              1. Glen 1

                Re: So...

                Or perhaps a slightly more accurate analogy:

                Everyone is running XP with minimal anti-virus.

                Some folks are using external firewalls like face masks

                Some folks are air gapping completely by staying at home.

                and some folks are having fucking LAN parties complaining that the other two groups are pussies.

  2. Mike 137 Silver badge

    "The malware, named Mandrake by the threat intelligence agency"

    I thought Bitdefender was an anti-virus vendor. When did it become a "threat intelligence agency"?

    1. Anonymous Coward

      Re: "The malware, named Mandrake by the threat intelligence agency"

      Well it ain't a rumor aggregator!

      "director of threat research and reporting at Bitdefender" Titles - internal embiggeneses - don't get hung up on their egos, when the side-effect is that you know more now than you did before.

  3. JohnSheeran

    Impressive

    It's about time they got clever with this stuff. The ole "stupid user" routine is beyond tired. I'm honestly surprised that we don't have more games that do this sort of thing. Carving up the components could make the entire mechanism appear to be innocuous in parts but a real problem when they all pulled together to make Voltron.

  4. Irongut

    > concealing their own presence by hiding notifications

    This makes no sense and comes across as either article padding or editing that removed an important part of the phrase. Why would malware send you notifications about what it is doing? If it doesn't make any notifications in the first place there is no need to hide them.

    1. Qumefox

      Android by default shows notifications when things like Wi-Fi and Bluetooth, etc. are enabled/disabled. The malware is suppressing these notifications.
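Two of the behaviours discussed in this thread, emulator/sandbox fingerprinting that gates the payload download (Captain Scarlet's point above) and suppression of the system's Wi-Fi/Bluetooth notifications (Qumefox's point), both leave static traces an analyst can triage for before deciding whether a sample needs detonating on real hardware. The following is an added example written for this page, not Mandrake's code and not Bitdefender's analysis; the manifest, package name, class names and extracted strings are constructed, the indicator list is made up of widely documented emulator artefacts, and the three-hit threshold is an assumption to tune against your own corpus.

```python
"""Static triage of an Android sample for anti-emulation indicators and for
services that can observe or dismiss other apps' notifications.

Constructed example: the manifest and string list imitate what an APK
unpacking tool would produce; nothing here is taken from a real sample."""

import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Real Android permissions that a <service> must declare for the system to
# bind it as a notification listener or accessibility service.  A notification
# listener is the hook an app needs to cancel the "Wi-Fi on"/"Bluetooth on"
# notifications the thread mentions.
SERVICE_CAPABILITIES = {
    "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE": "notification-listener",
    "android.permission.BIND_ACCESSIBILITY_SERVICE": "accessibility-service",
}

# Widely documented emulator artefacts (Build.* values, system properties and
# device nodes) that environment checks compare against.  Several of these in
# one sample suggests it will behave differently in a sandbox than on a phone.
EMULATOR_INDICATORS = [
    "goldfish", "ranchu", "google_sdk", "sdk_gphone", "generic_x86",
    "Genymotion", "vbox86", "/dev/qemu_pipe", "ro.kernel.qemu",
    "qemu.sf.fake_camera",
]


def find_privileged_services(manifest_xml: str) -> list:
    """Return (service name, capability) for every <service> guarded by one of
    the permissions in SERVICE_CAPABILITIES."""
    root = ET.fromstring(manifest_xml)
    found = []
    for svc in root.iter("service"):
        perm = svc.get(ANDROID_NS + "permission", "")
        cap = SERVICE_CAPABILITIES.get(perm)
        if cap:
            found.append((svc.get(ANDROID_NS + "name", "?"), cap))
    return found


def anti_analysis_hits(strings) -> list:
    """Return the emulator indicators that occur (case-insensitively) anywhere
    in the sample's extracted strings, in EMULATOR_INDICATORS order."""
    lowered = [s.lower() for s in strings]
    return [ind for ind in EMULATOR_INDICATORS
            if any(ind.lower() in s for s in lowered)]


def triage(manifest_xml: str, strings, threshold: int = 3) -> dict:
    """Combine both checks into a small report for the analyst."""
    services = find_privileged_services(manifest_xml)
    hits = anti_analysis_hits(strings)
    return {
        "privileged_services": services,
        "anti_analysis_indicators": hits,
        "suppresses_notifications": any(cap == "notification-listener"
                                        for _, cap in services),
        # Threshold is an assumption: three distinct indicators before we
        # recommend detonation on real hardware rather than an emulator.
        "likely_anti_analysis": len(hits) >= threshold,
    }


# Constructed manifest; the package and class names are invented.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakewallet">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <service android:name=".SyncService"/>
    <service android:name=".NotifyGuard"
             android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE">
      <intent-filter>
        <action android:name="android.service.notification.NotificationListenerService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

# Constructed strings as a dex string dump might show them; the URL is a placeholder.
SAMPLE_STRINGS = [
    "Wallet balance", "Sync complete", "https://stage2.example.invalid/payload",
    "generic_x86", "goldfish", "ro.kernel.qemu", "/dev/qemu_pipe",
    "android.os.Build", "FINGERPRINT",
]

if __name__ == "__main__":
    for key, value in triage(SAMPLE_MANIFEST, SAMPLE_STRINGS).items():
        print(f"{key}: {value}")
```

The same indicator list doubles as a checklist for whoever runs the sandbox Charlie Clark describes: if the analysis environment exposes any of these values in its build properties or device nodes, a sample with `likely_anti_analysis` set will simply never fetch its second stage, and the outgoing connections you were hoping to observe will not appear.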

  5. Mahhn

    whats safe

    are there any truly safe apps on googleplay? seeing how apps auto update, apps get sold to companies that use that update to change the apps purpose from a game/diet/what ever into spy/malware. Can any app like that be trusted?

    1. Mark192

      Re: whats safe

      No. Nothing can be trusted.

      Political activists and people working in sensitive or senior positions within companies of interest should assume they're already compromised because they either are, or are able to be.

      Unfortunately, most of us have lives of so little significance that we won't get hacked for anything other than money, amusement or to be part of a botnet.

    2. Captain Scarlet Silver badge

      Re: whats safe

      It's the same for any software (including firmware, operating systems, etc...), not just phone apps!

      Even with source, I wouldn't have a clue where to look to see if anything dodgy is going on, as it all looks like it's held together with copied and pasted code these days!

  6. Pascal Monett Silver badge

    "In-depth spyware is normally the preserve of state-backed agencies"

    Yeah, but since then the NSA was abysmally stupid enough to get its malware base pilfered.

    It was only a question of time.

  7. Anonymous South African Coward Bronze badge

    Yay, more fun and games...

    For the truly paranoid the idea is to have two cellphones, one for general, daily usage.

    The second with only the necessary banking apps, and is used only for online banking, nothing else.

    I'm planning to obtain a second device, and use that for general use, whilst the first device is used only for banking and nothing else.

    The truly paranoid will most probably do regular factory resets on their device(s).

    1. PTW

      re: factory reset

      There's more than one article on el reg that describes android malware that survives a factory reset, so it'd be a case of flashing a factory image

      1. Roland6 Silver badge

        Re: re: factory reset

        I think there are also article(s) on el reg that describe how malware can survive a factory image flashing (PC and phone) - due to much hardware having its functions defined by software which has its own memory that isn't touched by an OS reimage...

        In updating a bunch of PCs recently, I found one device family required a BIOS downgrade (to a specific version) followed by an upgrade to the new patched version to ensure UEFI disk and memory areas were overwritten and thus erased.

    2. John Miles

      RE: The truly paranoid will most probably

      will not use a phone for anything important like banking because not only don't they trust the phone, they don't trust the banks app software (or maybe just don't trust the banks)

      1. Anonymous Coward

        Not truly paranoid but truly realistic

        My Dad has a savings account with, I guess, a few tens of thousands in. I've told him not to get internet banking.

        No banking app means peace of mind and he can continue to go on dodgy porn sites to his heart's content.

        1. Anonymous South African Coward Bronze badge

          Re: Not truly paranoid but truly realistic

          Speaking of banks, how's TSB doing these days?

  8. naive

    Google could incorporate fake API's into Android

    Maybe Google could add APIs to Android which generate fake privacy-related information.

    If a searchlight app asks for access to photos, contacts, location etc. to work, Google could add a checkbox: Give fake information only.

    With the checkbox default on, users would be better protected against such apps.

    Developers of such malicious apps would of course develop techniques to detect they are being conned and make the app stop working, but then the user knows what the true intent of the developer is.

    1. ThatOne Silver badge

      Re: Google could incorporate fake API's into Android

      > Maybe google could add api's to Android which generate fake privacy related information

      Not only do they not have any reason to want to waste money on this, but most of all it would be shooting themselves in the foot: their whole business model is based on collecting and reselling "privacy related information".

  9. DrXym

    Tens of thousands

    I think that sums up the threat of these apps - very little.

    1. Anonymous Coward

      Re: Tens of thousands

      "Yeah, we'll wait until it's a big problem before we do something about it" <-- should be sarcasm but this is genuinely the approach of my organisation.

      Even when they're told it'll blow up in their faces.

      Even when they're told the work will have to be done eventually so they might as well do it before it blows up in their faces.

      They pride themselves on being 'agile'. I've seen slugs with more agility.

  10. Packet

    Why am I not surprised?

    Google's Android handling has been rubbish - security seems to be just an unpleasant after-thought.

    The only real way to cure this is to vote with your wallet - as the consumer.

    If you choose to keep buying Android products, you're enabling these faceless people (both Google and said criminals - no, don't make a joke about a parallel there - that's too easy...)

    (Insert some old trope about the equivalent of helping Nazis here...)

    But it seems to me that every Android user I've spoken to doesn't care about this - they prefer to focus their vitriol on Apple.

    Which makes no sense.

    1. ThatOne Silver badge

      > The only real way to cure this is to vote with your wallet - as the consumer

      And go where? Apparently iPhones aren't any more secure, they're just more expensive.

      1. Anonymous Coward

        You are confusing Security / Privacy

        There is device security, personal privacy, and malware on the approved app stores. Three separate topics to evaluate when selecting a walled garden to join.

        In my personal opinion Apple do better than Google on all three counts.

        Then consider phone firmware / OS updates, and Apple win hands-down.

        YMMV, you are free to come to a different conclusion.

      2. DerekCurrie
        Megaphone

        Ignorance...

        Apparently iPhones aren't any more secure, they're just more expensive.

        This is an ignorant statement in many ways. But irrational Apple Hate goes on forever. And yes, Apple deserves real anger and hate for many Apple Bungles over the years. It's just that Apple has never even remotely come up to the level of Bungles and outright carelessness of Microsoft and now Google.

        Q1: Are iPhones found to have malware discovered on a weekly basis, like Android malware?

        A1: Of course not.

        Q2: Does the iPhone suffer from OS version fragmentation like Android phones, resulting in unclosed and frequently exploited security holes?

        A2: Of course not.

        Q3: Considering the usable life as well as functionality of iPhones, are they more expensive than Android phones?

        A3: Of course not.

        Q4: Which mobile phones are most often on the cutting edge of innovation? iPhones or Android phones?

        A4: iPhones of course.

        . . . And so on. I could point out battery explosions, bendable/breakable screens, IP ripoffs, user surveillance tech vs privacy, warranty service, attitude toward customers . . .

        And again yes, Apple has committed plenty of blunders. Apple is never perfect. Apple is simply the best. √ Fact.

    2. DrXym

      So tell me how you scan an app to ensure it does nothing malicious. The reality is that any way you think you know can be circumvented and you have to impose such draconian rules on your platform that you hobble legitimate software.

  11. DerekCurrie
    FAIL

    Google...

    Android Security HELL is entirely on your head, including all the Google Play Store malware.

    Fix this yesterday.
