Security researchers: Over 5 Billion Android apps open to hacking

“Over five billion downloaded Android apps are vulnerable to being hacked, cybersecurity researchers have found, as attackers exploit flaws in Google’s operating system,” Arjun Kharpal reports for CNBC. “Some 96 percent of malware — or malicious software — employed by hackers target Google Android, according to U.S. firm FireEye, which analysed more than 7 million mobile apps on Android and Apple iOS between January and October 2014.”

“Apps designed to steal financial data were especially popular, the researchers found. The open-source nature of Android allows hackers to find the code behind a popular app, they said, and recreate the app almost identically but with a malicious code to infect users,” Kharpal reports. “Fireye said that one of Android’s biggest vulnerabilities was the way in which its mobile apps communicate information back to servers. It found that much of this communication was unencrypted, leaving it open for hackers to intercept and insert malicious code that can infect end users.”

“It is not only Android apps that are vulnerable, however. Vulnerabilities in apps on iOS devices, once seen as very secure, were also identified,” Kharpal reports. “App developers typically build and test an app in beta mode on Apple’s iOS Developer Enterprise Program. It then goes through stringent tests by Apple for security before it is pushed out on the App Store. But hackers are now creating apps through this program, then sending them to people via text messages or emails as a link. When a user clicks the link, the malicious app is downloaded on their device.”

Read more in the full article here.

MacDailyNews Take: iOS is still seen as very secure. Extremely secure.

F-Secure Android Malware

[Thanks to MacDailyNews Reader “Bill” for the heads up.]

11 Comments

  1. Thank you FireEye for pointing out Google’s well deserved BLACK EYE for having poor Android security. Google is great, helpful, important for finding security vulnerabilities in everyone else’s software, but FAIL miserably at detecting and stopping their own. Sick irony.

    As for the iOS faked software via Enterprise security certificates: Apple has GOT to permanently CLOSE this avenue of app faking / malware infection. It’s NOT ACCEPTABLE. Apple need a whopping huge kick up the backside for allowing this problem to linger on for months and months and months….

    MOVE YOUR ASS APPLE! 😡

    1. This loop is only exploitable through social engineering. Theoretically, if people are only mildly cautious, they are safe.

      An average iPhone user knows that apps are only installed via the app store. The only way to install apps outside of the app store is for corporate (enterprise) customised apps, for which the user must receive an e-mail or a text link from their corporate IT doofus (that’s now the official job title for people working in enterprise IT, right?). So, if they receive a link for an app install from any other source, they should be suspicious.

      Obviously, many people simply aren’t this suspicious. Something must be done in order to prevent this type of drive-by malware installation. Perhaps some sort of password protection?

      1. One concept is a white list from Apple that can be kept up-to-date over time, very similar to Apple’s Xprotect software in Macs. It’s just text with a list of currently valid enterprise security certificates. Apple can yank and add security certificate IDs day by day over the Internet.

        In addition, each security certificate ID could have an associated download site, the only IP where software with that ID can be downloaded.

        I’m no security expert. Apple already have a few working for them. But if I can come up with the idea of a running list of gated certificates and IPs, why hasn’t Apple come up with at least that concept?

        Certainly, this isn’t a massive problem and Apple does warn users before such non-App Store apps are installed. But as I always have to sadly point out, there are ‘LUSERS’ in the world, people who attract computer problems, particularly malware. It’s astounding how common the LUSER Factor is out in the wide world. Go read about the massive running botnets out on the Internet. Even Macs have been implicated in a couple huge botnets in the past (not present, thankfully).

  2. Reminds me vaguely of that fast food place “over X billion served”.

    It would help boost the numbers and make certain organizations look good to their masters if they used combos like “over billions hacked, invaded and tortured.”

Add Your Feedback

This site uses Akismet to reduce spam. Learn how your comment data is processed.