Bluebox Finds Malware on Xiaomi Mi 4 (China Version)

Before we jump the gun, let’s be clear on one thing. Bluebox runs a security check mobile app for Android that measures the security level of your phone. It can be downloaded here.

What the folks at Bluebox found was that their test device, obtained, let's say, from third-party sellers, may have been compromised. They ran the security check app and found loads of malware.

The Xiaomi Mi 4 phone itself was the China version; this means it is not the international version sold in Singapore, India or Malaysia that is at fault.

What they found on the phone is scary. Third-party Chinese retailers have been busy installing software on the phone without the buyer knowing about it.

One particularly nefarious app was Yt Service. Yt Service embeds an adware service called DarthPusher that delivers ads to the device among other things[2]. This was an interesting find because, though the app was named Yt Service, the developer package was named com.google.hfapservice (note this app is NOT from Google). Yt Service is highly suspicious because it disguised its package to look as if it came from Google; something an Android user would expect to find on their device. In other words, it tricks users into believing it’s a “safe” app vetted by Google.

Other risky apps of note included PhoneGuardService (com.egame.tonyCore.feicheng), classified as a Trojan; AppStats (org.zxl.appstats), classified as riskware; and SMSreg, classified as malware[3].
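A triage script, added here as an illustration (it is not Bluebox's code or part of the original post), that scans the output of `adb shell pm list packages -f` for the package names reported above and for packages that borrow a Google or Android vendor prefix while being installed under /data/app. The second check is only a lead for verifying the signing certificate, not a verdict, since Google apps updated from the Play Store also end up there; the sample output is constructed.

```python
import re
from typing import List, NamedTuple

# Package names the post reports Bluebox found on the China-version Mi 4.
REPORTED_BAD = {
    "com.google.hfapservice": "Yt Service (DarthPusher adware; spoofs a Google-style name)",
    "com.egame.tonyCore.feicheng": "PhoneGuardService (Trojan)",
    "org.zxl.appstats": "AppStats (riskware)",
}

# Vendor prefixes a user would trust on sight. A package using one of these
# that lives under /data/app (user-installed, not part of the firmware image)
# is only a lead for manual verification of the signing certificate, because
# Google apps updated from the Play Store also end up under /data/app.
TRUSTED_PREFIXES = ("com.google.", "com.android.")

# One line of `pm list packages -f` looks like: package:<apk path>=<package name>
LINE_RE = re.compile(r"^package:(?P<path>\S+?\.apk)=(?P<pkg>\S+)$")

class Finding(NamedTuple):
    package: str
    path: str
    reason: str

def triage_package_list(pm_output: str) -> List[Finding]:
    """Return suspicious entries from `adb shell pm list packages -f` output."""
    findings: List[Finding] = []
    for line in pm_output.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # blank line or a line that is not a package entry
        pkg, path = m.group("pkg"), m.group("path")
        if pkg in REPORTED_BAD:
            findings.append(Finding(pkg, path, "reported by Bluebox: " + REPORTED_BAD[pkg]))
        elif pkg.startswith(TRUSTED_PREFIXES) and path.startswith("/data/app/"):
            findings.append(Finding(pkg, path, "vendor-style name but user-installed; verify signer"))
    return findings

# Constructed sample output (not a capture from the device in the post).
SAMPLE_PM_OUTPUT = """\
package:/system/app/Gmail2.apk=com.google.android.gm
package:/data/app/com.google.hfapservice-1.apk=com.google.hfapservice
package:/data/app/com.egame.tonyCore.feicheng-1.apk=com.egame.tonyCore.feicheng
package:/data/app/org.zxl.appstats-1.apk=org.zxl.appstats
package:/data/app/com.google.android.youtube-2.apk=com.google.android.youtube
"""
```

Running `triage_package_list(SAMPLE_PM_OUTPUT)` flags the three reported packages and the YouTube entry (as a lead only), and skips the Gmail entry under /system/app.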

So how do you know if your device is safe? You can take the Bluebox challenge and find out for yourself. All you need to do is download the free app from Bluebox on the Google Play Store.

BlueBox Android App

What this app does is explain some of the problems found in your OS. Most of these are not fixable on your own and require OS updates. For example, the "Settings PendingIntent" vulnerability and the "GraphicsBuffer Overflow" are system-level issues. You can't fix them on your own.

Apps with System Level Privilege

Another problem here is that Bluebox will flag your device if you have too many apps with system-level privileges installed. This is something out of your control, as the apps are on the Google Play Store with these requirements. Developers make use of these APIs in order to create a functioning app and, in the process, need to read your phone state. This makes it difficult for people to approve or deny the system privileges, since if you deny them, the app won't install.

What you can do is write to the developer to ask them for clarification on why they would require these privileges in the first place before installing. If they ignore you, you can flag them up as suspicious.

Beyond this, there is nothing much you can do. Even by having security software installed, you can only detect suspicious apps during installation and avoid them. Security problems inherent in KitKat can only be solved when the system is updated. In the past, at least for my Samsung device, security updates have been rolled out to address some of the problems but Android security problems are much deeper and can only be rectified by Google themselves.

Anti-Malware: Why Scam Apps are not Covered

For fear mongers, this is probably the first and last place to be when it comes to detecting malware on your Android device. AV-testgo.org is an independent antivirus testing lab that does one thing: review and test Android anti-malware apps for effectiveness. Nice place, but does it work for scamware? Sorry, I am afraid not.

Scamware Doesn’t quite Count as Malware

One of the problems with a directory of listed apps is that scamware doesn't get detected in the first place.

We all remember the scam camera apps from iOS. These blokes passed off the same app under different names and promised you the sky. People who paid for it found it to be sub-par in quality, and the only way to get your money back was to request a refund within 15 minutes of downloading the app. So if you were one of those who downloaded the app and didn't check on it fast enough, you would have lost your money.

Google Android has the same problem; it can't weed out the scam apps fast enough. But there is room to maneuver if you make a direct request to the Google Play Store.

There is a developer policy which everyone should understand, and it is very simple.

Section 3.4 of the Android Developer Distribution Agreement authorizes Google to provide refunds for apps that cannot be previewed for up to 48 hours after purchase:

3.4 Special Refund Requirements. The Payment Processor’s standard terms and conditions regarding refunds will apply except the following terms apply to your distribution of Products on the Market.

Products that can be previewed by the buyer (such as ringtones and wallpapers): No refund is required or allowed.

Products that cannot be previewed by the buyer (such as applications): You authorize Google to give the buyer a full refund of the Product price if the buyer requests the refund within 48 hours after purchase.

Why Aren’t they Stopping the Scams?

This is the most difficult part. They can't. Malware is easier to deal with: it infects your handset with a virus or gets it to send expensive SMS messages to a foreign country. This sort of double-dealing is all in the code. Scam apps don't rely on code or APIs to cheat you. They win over your confidence like a trickster.

Apple iOS has a built-in set of APIs which you cannot change. You are not allowed to develop an app using your own API routines, but even this is no promise of safety, as scam apps basically pretend to be something they are not. There is nothing in the code that yells "CHEATER". Android is more lax; there are no such restrictions, so any badly made app can be labeled a scam app if it doesn't work on your device. What's more, Google was late to the party when it came to scanning app code for malware, whereas Apple locked down its APIs as far back as five years ago.

Difference between Scamware and Malware

Malware comes in a few guises: some steal passwords, while others run background processes in secret to mine Bitcoin without you ever knowing it. Finding them isn't easy unless you have a malware or virus scanner. Scamware is even harder to detect. You can only bring such apps to the attention of Google or Apple and ask for action. From a legal standpoint, when an app does not work as advertised on your device, it cannot automatically be assumed to be scamware.

The problem is further compounded by the absolutely giant marketplaces that are the App Store and the Play Store. A badly designed app isn't a crime, and if that app suddenly tells you that it can grant you wishes at any Vegas slot, well, who are you to disagree? You are already assuming that Apple has protected your interests, so it must be true that this app will work.

Google has made it clear that the Play Store is an anything-goes place, and it has taken some steps to stop the malware apps but not the scamware.

Scams are found all over the world; there is even an app that tells you about scams in the wider world, but not about the apps that scam you.

No Solution

The only solution is to have an app repository that blacklists the very people who sell such apps online. Don't count on Apple or Google to do this for you. It's not their beef.

Scam apps are made by snake oil salesmen; they want your dollar, and the only way to get it back is to ask for a refund within the first 15 minutes of downloading the app from the Apple App Store. Apple will not entertain any refunds thereafter unless the purchase was made by a kid. If you are an adult, I think you will have to convince them that you have a child, even when you don't, to get your money back.

There is still hope on Google if you find out that you have been scammed. Just tell them the app doesn't work and doesn't launch, and you will have your money back, as long as it is reported within 48 hours of purchase.

Beware of the in-App purchases

There are loads of in-app purchases that can be classified as scamware. They don't offer you anything that works beyond the freebie you just downloaded. I know it sucks, but that's just the way it is. There is no 15-minute grace period for testing an in-app purchase. So once you hit the buy button, you're shanghaied into another world.

Reading reviews of an app doesn't always help to validate what it does. These reviews can be manufactured: all you have to do to get a gig going is to rate an app advertised on one of the numerous freelancer sites around the world that are looking for mobile app reviewers. These freelancers get paid to post such reviews and, in doing so, mislead the whole world into a scam trap.

I have Kingsoft's mobile security installed and running all the time on Android. I would recommend you do the same if you happen to like downloading lots of apps to play with. It is by no means the most secure safety net, though it is highly rated, since there is no way to protect yourself from scams in the first place.

Your best bet is to read reviews on trusted mobile app review sites to get an idea of whether an app does what it claims to do before buying it online.

Avast’ ye Pesky Virus!

For the longest time, Android users were put in the same boat as Windows PC users, where malware and Trojan horses on the Net would make their way onto the trusty computer to wreak havoc on your daily life. This vulnerability gave rise to an industry where major players designed firewall apps to protect you from malicious code.

Google had for some time refused to scan the code contained in apps, which gave Android a bad name, and only started doing so after grudgingly admitting to its own faults in the design of the operating system. This meant that some of the exploits had to be plugged, but that is by no means a thorough job. Malware code can still slip through the cracks, thanks in part to the platform's open nature.

Apple never had this problem due to its Nazi-like approach to code validation. If anything is suspicious and falls outside of their parameters for common decency, it gets booted out. The baby gets thrown out with the bathwater too.

Bring in the Big Guns

Malware, as it turns out, is a problem that Avast sorts out pretty easily, as it has been dutifully doing for the last six months on my devices. So without further ado, let us welcome the new Avast Security & Anti Virus Premium, which unfortunately is more of a hit-or-miss affair.

All security programs do one thing and do it well: they monitor each app and check it for malicious code, something that Google has been far too lazy to do. To detect such code, the app checks it against a database of known malicious code and reports back to you if an app has indeed been infected.

Most of these features are already given FREE to users who install the app, as can be seen from the feature list. I have this running on my Android devices without any noticeable lag, and it works well even on smartphones and tablets with only 1GB of RAM. Those with far less RAM (512MB and below) will probably skip this, as there won't be enough RAM left to run your apps. So what's the beef with the Go Premium feature?

Go Premium?

Here is the list of features that you will have to pay for... or so it seems.

★ App Locking: Locks an unlimited number of apps.

★ Ad Detector: Detects ads and provides full details of their tracking systems.

★ Password Check: Automatically locks after 3 wrong attempts to unlock.

★ Geo-Fencing: Phone performs specified actions (e.g. lock, siren, send location) when outside of some set perimeter (e.g. you go to a cafe and enable it with a 500m perimeter, so if somebody steals your phone and takes it beyond this perimeter, it activates your specified actions).

★ Remote SMS: Remotely send SMS from the phone.

★ Remote Data Recovery: Remotely retrieve data from the phone.

★ Remote Identification: Take picture of the thief when he/she tries to unlock device (use front or back camera, with face recognition). Record audio, with voice recognition.

★ Backup Features: Allows backup of video, audio, and apps (including settings and data for rooted phones, e.g. game progress).

★ Premium pricing (auto-renewal): $1.99 monthly, or $14.99 yearly.

Curiosity killed the cat, and the Ad Detector feature is just another way for you to know which apps are serving up ads in-app versus those which desecrate your notification panel. But you know that already, don't you? In Jelly Bean, you can find the offending app that pushes ads into your notification panel by simply long-pressing the ad that pops up to annoy you. This means there isn't any use for this feature if you are already running Google's latest OS. It might come in handy if you are on ICS, and this is probably the only feature that will make sense if you don't plan on upgrading the OS.

But on Jelly Bean, games like Angry Birds already tell you outright that they are ad-supported, so why would you want Avast to tell you that? And yes, it blindly does just that... and you have to pay just to know this.

Password Check is quite useless, as you can already install another app to do that one function. I have Cerberus installed, so it takes care of that function if I ever get my device stolen. With Cerberus, I can already remotely wipe my device when it comes online and take a picture of the culprit, negating the feature offered in Avast Premium.

The only two premium features that have any justification for their cost are Remote Backup and Geo-Fencing.

For Remote Backup, you can take back all your home-made porn before remotely wiping the data, to avoid being blackmailed for a million dollars by the pimply-faced kid that stole it. Geo-Fencing is great if you happen to lose your device as often as you change underwear, as it sets up a perimeter (with the help of GPS) should it get stolen. So if your device starts to wail loud enough, be sure to run faster than Usain Bolt if you want to get it back.

Both these premium features don't mean much in my book, because any device can be turned off the moment it is stolen: the thief will use the hardware switch to shut the device down, failing which they will pry the battery out.

Now, paying US$15 for an app that is going to help protect your device is well worth the cost, but if you can already do so for free, it becomes really difficult to justify going premium. That said, Avast is still a great app, and I would highly recommend it even if you have no intention of going premium.