Adware-infected apps in Google Play Store were downloaded ‘millions of times’

Google has pulled numerous apps from its Play Store, after they were found to be infected with malicious software. A Nexus 5 owner named Andrei Mankevich was the first to spot this particular threat, which he discovered while he was trying to understand how his own handset had become infected.

Mankevich posted his findings on the forum of security firm Avast, which today published details of its own investigation, describing the problem as “bigger than [they] originally thought.”

The malicious code buried in seemingly innocent apps causes pop-up messages to appear on the device; in some cases, this happens every time the device is switched on. These messages – many of which are written with a clear sense of urgency and impending doom – encourage users to visit sites to download additional software.

This video, published by Mankevich, shows some of these notifications in action.

Full Story: Adware-infected apps in Google Play Store were downloaded ‘millions of times’ – Neowin.

Report finds iOS apps riskier than Android apps

How many apps do you have on your smartphone or tablet right now? Well, take that number, and multiply it by 0.9. That’s about how many of your apps are a potential security concern according to a new study from Appthority.

The Appthority Reputation Report for Winter 2014 was compiled using data from the cloud-based Appthority App Risk Management Service. Appthority performed static, dynamic, and behavioral app analysis of 400 paid and free apps spanning iOS and Android to assess the relative security and risky behavior of the most popular apps.

Appthority found that 95 percent of the top 200 free apps on iOS and Android exhibit at least one risky behavior. That number drops to 80 percent for paid apps—an improvement, but four out of five paid apps exhibiting risky behavior is hardly something to cheer about. Appthority also discovered that iOS apps are riskier overall than Android apps—91 percent contain risky behavior as opposed to 83 percent on Android.

The risky behaviors vary, but include things like location tracking—found in 70 percent of the free iOS and Android apps—weak authentication, sharing data with ad networks, accessing the contact list, or identifying the user or UDID.

There are a couple of significant caveats to the idea of iOS being a greater risk. First, Android apps have a much higher presence of accessing the UDID or identifying the user. Apple took steps to prevent developers from accessing UDID information on iOS mobile devices—but some developers have found ways to circumvent those rules.

The other thing that separates Android from iOS is that, although there are more iOS apps that exhibit risky behavior, the Android apps tend to collect more information about the user and the user’s mobile activities than their iOS counterparts.

To sum up, a higher percentage of iOS apps include risky behaviors than Android apps, and paid apps are generally less risky than free apps.

The differences in many cases are small and semantic, though. The fact that iOS has a higher percentage than Android may offer some small consolation to Android users, but the fact that nearly all of the apps on both major mobile platforms exhibit at least one risky behavior should be a red flag for both app developers and mobile device users—as well as for Apple and Google themselves.

The real lesson to be found in this report is that app developers recognize the financial value of gathering user data, and that mobile apps in general have a long way to go in terms of security and respecting a user’s privacy.

via Report finds iOS apps riskier than Android apps | PCWorld.

Vulnerabilities found in code library used by encrypted phone call apps

ZRTPCPP, an open-source library that’s used by several applications offering end-to-end encrypted phone calls, contained three vulnerabilities that could have enabled arbitrary code execution and denial-of-service attacks, according to researchers from security firm Azimuth Security.
ZRTPCPP is a C++ implementation of the ZRTP cryptographic key agreement protocol for VoIP (voice over IP) communications designed by PGP creator Phil Zimmermann.
The library is used by secure communications provider Silent Circle in its Silent Phone app, as well as by other programs that support encrypted phone calls, including CSipSimple, LinPhone, Twinkle, several client apps for the Ostel service and “anything using the GNU ccRTP with ZRTP enabled,” said Azimuth Security co-founder Mark Dowd in a blog post on Thursday.
Following the recent reports about the National Security Agency’s data collection programs that appear to cover Internet audio conversations, there’s been an increased interest in encrypted communication services from end users.
The vulnerabilities in ZRTPCPP were found while evaluating the security of some of the products that offer encrypted phone call capabilities, Dowd said.
One vulnerability consists of a buffer overflow in the ZRtp::storeMsgTemp() function, the researcher said. “If an attacker sends a packet larger than 1024 bytes that gets stored temporarily (which occurs many times—such as when sending a ZRTP Hello packet), a heap overflow will occur, leading to potential arbitrary code execution on the vulnerable host.”
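
The missing bounds check behind the storeMsgTemp() heap overflow described above, as an added C example (not ZRTPCPP's code and not from the article). `temp_store`, `store_msg_temp_checked` and `make_sample` are hypothetical names; the 1024-byte capacity is the figure quoted above, and the preamble/length header layout is assumed from RFC 6189.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define TEMP_MSG_CAP   1024u   /* temporary buffer size quoted in the article */
#define ZRTP_PREAMBLE  0x505au /* message preamble (assumed from RFC 6189) */
#define ZRTP_MIN_BYTES 12u     /* preamble + length + 8-byte message type */

enum store_result { STORE_OK = 0, STORE_MALFORMED = -1, STORE_TOO_LARGE = -2 };

/* Hypothetical stand-in for the library's temporary message storage. */
struct temp_store { uint8_t buf[TEMP_MSG_CAP]; size_t len; };

/* Copy one received ZRTP message into the fixed-size temporary buffer.
 * pkt/pkt_len describe the bytes that actually arrived, starting at the preamble. */
enum store_result store_msg_temp_checked(struct temp_store *ts,
                                         const uint8_t *pkt, size_t pkt_len)
{
    if (ts == NULL || pkt == NULL || pkt_len < ZRTP_MIN_BYTES)
        return STORE_MALFORMED;
    /* Big-endian 16-bit preamble, then a 16-bit length counted in 32-bit words,
     * so a sender can declare far more than 1024 bytes. */
    unsigned preamble = ((unsigned)pkt[0] << 8) | pkt[1];
    size_t declared   = ((((size_t)pkt[2]) << 8) | pkt[3]) * 4u;
    if (preamble != ZRTP_PREAMBLE || declared < ZRTP_MIN_BYTES)
        return STORE_MALFORMED;
    if (declared > pkt_len)         /* claims more bytes than were received */
        return STORE_MALFORMED;
    if (declared > sizeof ts->buf)  /* the check whose absence overflows the heap */
        return STORE_TOO_LARGE;
    memcpy(ts->buf, pkt, declared);
    ts->len = declared;
    return STORE_OK;
}

/* Constructed sample: a zero-filled "Hello" message of `words` 32-bit words. */
size_t make_sample(uint8_t *out, size_t cap, unsigned words)
{
    size_t n = (size_t)words * 4u;
    if (words > 0xffffu || n < ZRTP_MIN_BYTES || n > cap)
        return 0;
    memset(out, 0, n);
    out[0] = 0x50; out[1] = 0x5a;
    out[2] = (uint8_t)(words >> 8); out[3] = (uint8_t)(words & 0xffu);
    memcpy(out + 4, "Hello   ", 8);
    return n;
}

int main(void)
{
    static struct temp_store ts;
    static uint8_t pkt[2048];
    size_t n = make_sample(pkt, sizeof pkt, 300);  /* 1200-byte message */
    return store_msg_temp_checked(&ts, pkt, n) == STORE_TOO_LARGE ? 0 : 1;
}
```
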
Another function, ZRtp::prepareCommit(), contains multiple stack overflows that occur when preparing a response to a client’s ZRTP Hello packet. It is unlikely that this vulnerability is exploitable for remote code execution due to technical constraints, but it can be used to crash the target application, Dowd said.
The third vulnerability is an information leak; it can be used to obtain information that could help achieve reliable remote code execution in conjunction with the previously mentioned heap overflow bug. “In addition, it could possibly be used to leak sensitive crypto-related data, although the extent of how useful this is has not been investigated,” Dowd said.
In a later update to the blog post, Dowd said that patches for the vulnerabilities have been added to ZRTPCPP’s code repository on Github and that Silent Circle has updated its own apps on Google Play and Apple’s App Store with fixes.
This was only an initial analysis of a minor component of encrypted phone call apps, he said. “It would be beneficial for the security community to undertake further study of some of these products.”
via Vulnerabilities found in code library used by encrypted phone call apps | PCWorld.

Microsoft appears to be preparing to update all Windows 8 core apps

If you use Windows 8 on a daily basis, you will surely know that the core apps that ship with the OS could use a bit of sprucing up. If you have been waiting for this to finally occur, it looks like the updates are poised for launch.
Paul Thurrott was tipped off by a reader who noticed that all of the core apps are named in the Event Viewer and are listed as “downloaded and ready”. Seeing that all of the apps are listed, it looks like Microsoft is on the cusp of pushing out a huge update to hopefully improve the functionality of these applications.
The apps that are listed and should be updated in the near future are listed below:
microsoft.windowsphotos (Photos)
Microsoft.ZuneMusic (Xbox Music)
microsoft.windowscommunicationsapps (Mail, Calendar, People, Messaging)
Microsoft has yet to officially say anything about the updates, but seeing that the first steps to update your apps have already occurred, we suspect they will say something soon.
via Microsoft appears to be preparing to update all Windows 8 core apps – Neowin.

Trend Micro claims 1 in 10 Android apps are malware

Trend Micro has been very vocal about the state of Android malware in the past, claiming that there will be 1 million cases of Android malware in 2013, and now the security company is beginning to back these predictions up with facts. Out of 2 million applications scanned using the Mobile App Reputation Service, including the full catalog of apps available on the Play Store, they believe 1 in 10 apps are malware.

From over 2 million applications analyzed, Trend Micro found 293,091 of them to be outright malicious, while a further 150,203 were deemed to be “high risk”, contributing to a grand total of 443,294 dodgy applications for the platform. Of the 293,091 malicious apps, 68,740 of them were sourced directly from the Google Play Store; as the Store currently has around 700,000 apps, that roughly equates to 1 in every 10 apps being malicious.
Aside from just malicious code, Trend Micro found 22% of apps inappropriately leaked user data, sending things such as IMEI numbers, ICCID numbers, contact data, telephone numbers and even microphone data over some sort of network. The security company also found a good 32% of apps were “Poor” in terms of battery usage, while 24% were poor in network usage, and 28% were poor in memory usage.
Trend Micro hopes that by releasing data such as this, people and companies will start to believe that the threat of malware on mobile devices is actually real. They close their blog post on the matter by saying “it would be heartening to see more app stores taking the safety of their customers so seriously”, in reference to BlackBerry integrating Trend Micro technologies into their BlackBerry World.
via Trend Micro claims 1 in 10 Android apps are malware – Neowin.

Answer Line: Creepy permissions for Android apps

As protection against malware, adware, and just plain arrogant software that thinks it owns your phone, Android requires apps to announce what they may access and change. For instance, an app must tell you if it might access your contacts or track your location. The app provides this information at installation, when a list of so-called permissions pops up before you make the final install-or-not-install decision.

But installing an Android app is an all-or-nothing choice. If you object to what an app wants to do, and you’re not willing to root your phone, your only other option is to not install the app.
Apps often ask for permissions that, on the face of it, they shouldn’t really need. For instance, I have a rhyming dictionary called B-Rhymes that I couldn’t install without giving it permission to check my location. Why? To find rhymes for the cities I visit?
Yes, I know (or at least assume) the real reason: So it can target advertising to match my physical location.

To make matters worse, apps can add permissions after you install them. You’ve probably noticed that some apps require a manual update. When you update an app manually, examine the screen carefully for a new Permissions section.
Want to check what you’ve allowed your existing apps to do? Depending on your version of Android, tap Menu>Settings>Applications>Manage applications or Menu>Settings>Apps. Tap an app and scroll down to the Permissions section.

On the other hand, you may prefer to look up a permission and see what apps have it. For that you’ll need the free Permission Explorer app, which, you’ll be glad to discover, “requires no special permissions to run.”
If you’re truly determined to keep an app but deny it some of its permissions, you’ll have to root your phone, then use an app like Permissions Denied. But that’s a dangerous process and not one to do lightly.
via Answer Line: Creepy permissions for Android apps | PCWorld.