Got a verified Google Play developer account but would prefer some black market cash? Well, Android malware developers are buying up Google Play developer accounts for $100 apiece, according to security researcher Brian Krebs, who took a tour of the underweb to find out how easy it is for anyone to stuff any kind of malware you can imagine through the doors of Google Play, Google’s sanctioned app store that many figure is safe enough.

Also available on the deep web from the same people are malware packages, like Perkele (Finnish for devil), which patrons with hijacked Google Play accounts can distribute to target individuals who use their Android phones for banking. Perkele, for example, “supports” this list of financial institutions and goes for between one and fifteen thousand dollars depending on how many times you want to victimize people with it and for how many banks. Read here how Zitmo can be used to snag two-factor SMS-based authentication credentials.

Other malware packages floating around offer the bad guys the ability to send SMS messages from compromised phones, upload contacts, photos, GPS coordinates, SMS, and SD card contents, open backdoors for more malware, activate and stream the mic and camera, basically everything — and, to add insult to injury, to seize similar command of Windows PCs when compromised phones are connected via USB. FinFisher, for example, is disturbingly sophisticated.

Krebs praises Apple’s App Store for managing to fend off such danger from their patrons relatively effectively. Kaspersky Labs, which says it finds several thousand new malicious smartphone apps a month, claims that, according to their research, 99% of the smartphone malware they found targets Android.

So, especially if you have an Android phone or tablet, and very especially if you use it for any kind of business purpose, resist the urge to hit the Install and Update buttons until you’ve read the system permissions warnings, which list what the app or app update demands access to. Do that before you proceed, whether you’re sideloading from a Chinese warez website or updating Angry Birds from Google Play. Consider leaving automatic updates unchecked for each app. Google’s Bouncer is helpful, but not completely reliable. Also, reconsider whether or not, in light of this, rooting is the way to go. Hell, and don’t tell anyone I said this, reconsider if Android is the way to go.

Hacking is unnervingly rampant these days and Android has become a gold rush for malware authors, truly brilliant sociopaths, some of them. Obviously security researchers and antivirus companies have a vested interest in spooking us and might be tempted to exaggerate quite a bit, but hey, there’s a lot of smoke here and where there’s smoke… Look, just read the damn permissions request and ask yourself whether or not you should allow Internet Explorer for Android to dig through your text messages before hitting the button. No glove, no love.

Doug Simmons
