
There's no such thing as a perfect mobile app store strategy -- you're either too draconian, too arbitrary, or too loose in your policies, and as far as we can tell, there's no way to find a balance that isn't going to trigger an alarm here and there or get a few people worked into a lather. If you're too loose, for instance, you're liable to end up with the occasional bout of malware, which is exactly what appears to have gone down recently in the Android Market with a few fake banking apps published by a bandit going by "Droid09." As you might imagine, the apps end up doing little more than stealing your information and ending your day in tears; the apps have since been pulled, but that's probably little consolation for those already affected. The moral of the story? Be vigilant, keep a close eye on those system permissions the Market warns you about as you install new apps, report sketchy ones, and -- as always -- use a hearty dose of common sense.
@MattEL
I wonder if the app in question was free or not... how hard would these users of this app be pwned if they actually PAID for it before it stole their money... that would actually be kinda funny.
@MattEL I don't see what paying money for an app has to do with the issue at hand
That's the first time I've ever seen an aesthetically pleasing version of the Android logo.
Just my opinion.
@Floppy I LOVE that logo. Genius. xD
@Floppy looks like a ninja turtle to me
@HighestRanked What's wrong with ninja turtles, and what's with having PC cartoons?
Droid does.
I hate when the droid runs around the map with marathon perk, knifing people.
@One Love More like Marathon Pro, Lightweight Pro, and Commando Pro.
@One Love
And the Care Package Marker
This is why the Apple closed-market system works better in the mass market. People in general ARE NOT SMART.
@ipxnsv
True there
@ipxnsv
but closed markets should only be closed to prevent this, NOT to control content
@ipxnsv
The problem is the exact same thing could happen on the iPhone app market too. You simply publish an app which claims to do online banking and then reroutes the information to your own webserver. Eventually you will get caught and your app removed, just as what's happened here on Android.
The misconception people have is that Apple has access to the source code of apps; they do not. Nor do they test every function of your app to see if it does what you claim it does. They simply check if anything inappropriate (obscenity, copyright/trademark infringement) occurs and if your app doesn't chew up excess bandwidth. If your app crashes during their test process they will likely deny your app as well. But the reality is they do not have any access to the code, and if they did, the review process would take 2-3 months rather than the 2-3 weeks it currently does to approve apps.
@ipxnsv
agreed...why the need to have ALL your banking info on an app? I don't get it. I've never used a banking app because you can access bank websites directly and not worry about putting your financial info in the hands of some schmo that made an app.
@ljm
Agreed with the "People not being smart" part...not the iPhone crap you posted
I'm quite certain Apple would pay extra attention to an app that requested very sensitive personal info such as bank accounts, especially if the program wasn't published by the bank itself.
Sorry guys, sure, apps like this will get pulled from Android Market, but Apple has a lot more control over this process, and is much more likely to catch it via vetting and other means. No, Apple doesn't have the source, and sure, a malicious developer could still potentially do this on Apple's App Store. But there will be a LOT more of this on an open market, and a LOT less of it in Apple's model.
And this is why a walled garden approach for mobile/speciality devices isn't a bad idea.
@ipxnsv
Agree. People in general ARE NOT SMART.
Do you remember an app called "I am rich"?
@fatslug
If it was as easy to get through on the iPhone, I assume the hacker would have created the app for the iPhone instead? The amount of info he would have got would probably have been much higher.
@das Some of you iPhone guys have short memories. Maybe you forgot that iPhone had the same problem with apps slipping by their "review" process (http://www.appscout.com/2009/11/iphone_game_company_sued_for_h.php). Or maybe you forgot that there were no less than 4 instances of malware/worms affecting iPhone in November, granted, they only worked on jailbroken devices where the users were too dumb to change the default passwords. Or maybe you guys forgot how to use a dang computer. What person would EVER download a banking application from anyone other than the bank's website itself??
@put4558350 But it was still a genuine app; it was the buyer's fault if they didn't read the instructions before purchase.
@das My apologies for directing my comments at Das, he/she actually made a very good point that there will be more in the Android Market and less in the App Store. Was just getting frustrated with iPhone guys not facing reality...their devices are FAR from perfect...as several people/organizations have repeatedly proven. I've used both devices, actually done some pretty serious forensics analysis on all 3 of the major platforms and Android is right there with iPhone...I actually prefer it over iPhone, but mostly because I hate Apple as much as some of these people love Apple.
@tvennon - Your point might be valid, but it's a weak argument when 4 out of your 5 examples require a jailbroken phone in order to get into trouble. I think you just supported the "walled garden" ideology.
@ipxnsv
Of course there are exceptions, if you consider a $999 app, like say, the "I'm Rich" app, as one that steals your cash. And in the end it was a scam app. At least that was endorsed by the Apple approval process and hence "legitimate".
@tvennon
"Or maybe you forgot that there were no less than 4 instances of malware/worms affecting iPhone in November, granted, they only worked on jailbroken devices"
You can stop right there. They only worked on jailbroken devices, which means they bypassed the app store, which completely destroys the point you were trying to make about the app store not being secure. In other words, 0% of those malware instances you mentioned got through the app store screening process.
"What person would EVER download a banking application from anyone other than the bank's website itself??"
I would. I use the Bank of America app, because I think it's pretty obvious an app with their name and their logo isn't going to slide past Apple's vetting process if it's a fake. That's why they have that process.
@OriginalJosh
That makes zero sense. The whole reason you close a system is to control content.
@ipxnsv
Incorrect. People in general are smart. People in general are not geeks. My grandma is smart with a lot of things, and very computer-savvy for her age. They just trust companies to make products that won't rip them off. Even though Google didn't actually make the app, a lot of people will see it as Android having the problem. Now Google calling their free OS Android makes sense. No need to taint Google's brand name to the masses.
@tvennon
Is that really your defense? Jailbroken iPhones with malware? Wow.
@put4558350
"Agree. People in general ARE NOT SMART.
Do you remember an app called "I am rich"?"
Do people even know what "in general" means anymore? That means "most". Did "most" people buy I Am Rich or did 9 people?
@fatslug
Android is a wide open, security-free business model.
“Engineers who write for just about any mobile operating system today have to spend time and cash obtaining security keys and code-signing certificates. Android would allow any application to be installed and run, no questions asked.”
http://www.wired.com/techbiz/media/magazine/16-07/ff_android?currentPage=4
An application's process is a secure sandbox. It can't disrupt other applications, except by explicitly declaring the permissions it needs for additional capabilities not provided by the basic sandbox. These permissions it requests can be handled by the operating system in various ways, typically by automatically allowing or disallowing based on certificates or by prompting the user. The permissions required by an application are declared statically in that application, so they can be known up-front at install time and will not change after that.
So basically any malicious coder can set his code to 'declare my app has permission to do anything it wants', apply it, and let the user press the OK button.
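The install-time permission prompt is the one check the Market model gives the user, so it helps to see what "declared statically" looks like in practice. As an added example (not from the article or any commenter), here is a small Python review of the permissions an app declares in its manifest; the sample manifest, the "banking" allowlist and the red-flag table are constructed assumptions, while the permission names themselves are standard Android ones.

```python
# Added example: review the <uses-permission> entries a self-described
# banking app declares, and flag the ones that do not fit that purpose.
# The manifest, allowlist and red-flag table below are constructed.
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample manifest: a "banking" app that also wants SMS and contacts.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakebank">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
</manifest>
"""

# Assumed reviewer policy: what a plain online-banking client plausibly needs.
EXPECTED_FOR_BANKING = {
    "android.permission.INTERNET",
    "android.permission.ACCESS_NETWORK_STATE",
}

# Permissions whose presence in a banking app is a red flag by itself
# (SMS access defeats one-time passcodes; contacts feed phishing lists).
HIGH_RISK = {
    "android.permission.READ_SMS": "can read SMS one-time passcodes",
    "android.permission.RECEIVE_SMS": "can intercept incoming SMS",
    "android.permission.READ_CONTACTS": "can harvest the address book",
    "android.permission.SEND_SMS": "can send premium-rate or phishing SMS",
}


def declared_permissions(manifest_xml: str) -> list:
    """Return the statically declared <uses-permission> names, in order."""
    root = ET.fromstring(manifest_xml)
    return [el.get(f"{{{ANDROID_NS}}}name")
            for el in root.iter("uses-permission")]


def review(manifest_xml: str) -> dict:
    """Split declared permissions into declared / unexpected / high-risk."""
    perms = declared_permissions(manifest_xml)
    unexpected = [p for p in perms if p not in EXPECTED_FOR_BANKING]
    flagged = {p: HIGH_RISK[p] for p in perms if p in HIGH_RISK}
    return {"declared": perms, "unexpected": unexpected, "high_risk": flagged}
```

Running `review(SAMPLE_MANIFEST)` lists three high-risk permissions for this manifest, which is exactly the kind of mismatch between an app's stated purpose and its requested capabilities that the Market prompt asks the user to notice.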
@Oghowie
Exactly. Why haven't we seen apps like this in the App Store? LOL, so much for being open.
@put4558350
I am rich was superb.
@ipxnsv
Or maybe YOU are not smart enough to be free?
People need to realize that mobile apps are just like computer programs. You don't download any random program off the internet, do you? You Google search reviews and make sure that it's not malicious. You should do the same for mobile apps, especially when dealing with banking. As a matter of fact, you should only use mobile apps from the bank you're doing business with. If you have Bank of America, use the official Bank of America app, not some random Russian app on the Market.
@saturnblackhole
There can be phishing Apps created to look just like official Banks also.
Say what you will about Apple's "draconian ways", but at least I feel a lot safer recommending iPhones to the family....
@dave95 Correct, even if Apple acts like a nanny
@saturnblackhole
If you didn't get your app from that company directly, then don't get it at all.
@saturnblackhole
Or, better yet: switch to a bank that doesn't require an app to be installed on your phone/PC.
We have high security standards for browsers to communicate with the servers. Use them.
@Endadget
Why would you assume you HAVE to use the app rather than going to the web site? B of A works fine in mobile safari, but the app, while still only a portal to the web site, formats the data better.
Apple's App Store doesn't sound too bad now, huh?
@Cg006
Yes, it still does.
True, one good thing about the Apple App Store is that we can download apps we know are safe. Though they should be after all the hubbub about the time it takes to publish apps.
@Cg006
http://gizmodo.com/5445065/apple-approves-porn-app-in-under-12-hours
Yeah the App Store is awesome.
/s
@jon You saying a porn app is a BAD thing? :o
@ChazClout
Not at all. Porn = awesome.
I posted that as an example of how bad the approval process is.
@PATRICKmcnicholl 1 -0 to App store
To further, you can sign up for the Apple developer program using a prepaid Visa card, use a fake SSN/tax ID when signing up, and Apple has no way to verify that who you say you are is valid. You are on the program and now can release any app you want.
@fatslug: Really? Then why aren't we hearing about all the iPhone malware? I suspect Apple is more vigilant than you believe (but neither of us really has a clue about it, so it's pure speculation either way).
It still gets thoroughly reviewed by Apple, usually for more than a week. There goes your hypothesis.