
Mobile Devices Compromised by Fake Secure Messaging Clients - Dowwie
https://www.eff.org/press/releases/eff-and-lookout-uncover-new-malware-espionage-campaign-infecting-thousands-around
======
tptacek
Not a whole lot of new lessons to be learned from this, but basic
reinforcement of old ones:

* It's easy to get users, even high-profile at-risk users, to install arbitrary applications. Since there's little to be gained from litigating this basic fact, we have to work around it. We recommend at-risk users stick to relatively recent iPhones, not because Android phones can't be made to be asymptotically as secure, but simply because it's more difficult (technically and logistically) to set up a deployment process that gets an application installed on an iPhone that can do as much as these backdoored Android apps can.

* The biggest threat facing users on general-purpose computers (Windows _or_ Mac) is email attachments. The most profitable desktop infection vector here seems to have been Word macros. There's no point in litigating whether people should or shouldn't use Word documents; they're going to do that. So we have to work around that. Our recommendation is that users be trained _not to view attachments on general-purpose computers by clicking on them_. Two options: view attachments on iOS devices, where the viewers are less privileged and less full-featured, or always open them using Google's office tools.

To me, the big lesson of the past few years working with non-technical users
targeted by attackers is: general purpose computers simply aren't secure, and
can't (for normal users) be made secure. Get people out of computer apps and
onto phone or web apps.

~~~
tammer
I think this is absolutely correct, which is why I believe the days where we
can count on macOS having the ability to execute non-sandboxed applications
are numbered. I think in hindsight apps that have already made the transition
to the App Store (or were designed for it) will be at a tremendous advantage
over the ones that either aren't adopting that model or have left it.

Google has an even greater advantage than Apple here because they became fully
invested in sandboxing much earlier (the browser).

~~~
dannyw
I disagree; I think Apple will always have the option. The recent iMac Pro
comes with an option to disable verified boot entirely.

~~~
icelancer
There's definitely room for both; for example, a developer mode that requires
physical intervention, tripping a fuse, or complicated instructions that
prevent 95-99% of users from ever looking into it.

------
AdmiralAsshat
I glanced at the report, but I'm not seeing much on how these devices get
compromised.

Let's say I'm a targeted individual with an iPhone or an Android phone. I've
already got Signal installed through the app store, which should be vetting
the apps I download. How does my legitimate Signal app get replaced with an
infected one?

~~~
tptacek
iPhone users aren't targeted. It's difficult to install trojaned Signal on an
iPhone, since you can't sideload apps from random websites.

You're infected by being phished to a staging server that looks like a
legitimate launcher/installer site for secure messengers; that site delivers
Android Java applications for WhatsApp, Signal, &c, but those applications are
backdoored to ask for all possible permissions and to quietly set up a C&C
channel back to the operators.
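
The two things a defender can actually check on such a sideloaded build are who signed it and whether a "messenger" is asking for far more than a messenger needs. The following is an added example, not code from the EFF/Lookout report or from anyone in this thread; the baseline permission set, the package name and the signer fingerprints are assumptions and placeholders.

```python
"""Triage an Android manifest the way a defender would: does the build come from
the expected signer, and does a 'messaging app' ask for far more than it needs?"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Assumption: what a secure messenger legitimately needs (illustrative baseline).
MESSENGER_BASELINE = {
    "android.permission.INTERNET", "android.permission.READ_CONTACTS",
    "android.permission.CAMERA", "android.permission.RECORD_AUDIO",
}
# Permissions that turn a chat client into a device-wide collector.
HIGH_RISK = {
    "android.permission.READ_SMS", "android.permission.READ_CALL_LOG",
    "android.permission.ACCESS_FINE_LOCATION", "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.RECEIVE_BOOT_COMPLETED", "android.permission.SYSTEM_ALERT_WINDOW",
}

def build_manifest(package: str, perms) -> str:
    """Constructed sample manifest (not taken from any real APK) for this example."""
    uses = "".join(f'<uses-permission android:name="{p}"/>' for p in sorted(perms))
    return (f'<manifest xmlns:android="{ANDROID_NS}" package="{package}">'
            f"{uses}<application/></manifest>")

def requested_permissions(manifest_xml: str) -> set:
    root = ET.fromstring(manifest_xml)
    return {el.get(f"{{{ANDROID_NS}}}name") for el in root.iter("uses-permission")}

def assess(manifest_xml: str, expected_signer: str, actual_signer: str) -> dict:
    """Return findings; 'reject' on a signer mismatch or any high-risk permission.
    Signer fingerprints are SHA-256 hex strings obtained out of band (for example
    from `apksigner verify --print-certs`); the values used below are placeholders."""
    perms = requested_permissions(manifest_xml)
    result = {
        "signer_mismatch": expected_signer.lower() != actual_signer.lower(),
        "beyond_baseline": sorted(perms - MESSENGER_BASELINE),
        "high_risk": sorted(perms & HIGH_RISK),
    }
    result["verdict"] = "reject" if result["signer_mismatch"] or result["high_risk"] else "accept"
    return result

# Constructed samples: a clean build and a sideloaded clone that asks for everything.
OFFICIAL_SIGNER = "PLACEHOLDER_SHA256_OF_VENDOR_SIGNING_CERT"
CLEAN = build_manifest("org.example.messenger", MESSENGER_BASELINE)
TROJANED = build_manifest("org.example.messenger", MESSENGER_BASELINE | HIGH_RISK)

if __name__ == "__main__":
    print(assess(CLEAN, OFFICIAL_SIGNER, OFFICIAL_SIGNER)["verdict"])            # accept
    print(assess(TROJANED, OFFICIAL_SIGNER, "PLACEHOLDER_ATTACKER_CERT")["verdict"])  # reject
```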

~~~
05
It's not really that difficult. Just create a clone app, pass the initial
store review, then change the icon/description to be close to the official app
in an update, and opt out of App Store search, so that it can only be accessed
through a link. It's just that the payoff is much less impressive than on
Android... although, I guess, you can always try to sneak in a VPN entitlement,
and hope the reviewer is extra incompetent that day.

~~~
tptacek
That assumes that Apple hasn't automated the process of hunting those
particular targeted applications out, which is not a safe assumption anymore.

To be fair: I'm pretty certain Google also automates detection of this stuff.
The problem with Android is sideloading. Apple was right about this.

~~~
loup-vaillant
> _Apple was right about this._

I hate it when Apple is right. And I hate that their golden numerical prison
has genuine advantages over the alternatives.

Assuming users cannot be fixed, what can? Users sideload apps from the web,
right? Can't there be an easy way to distinguish trustworthy communications
from potentially dangerous ones? Would such a way be systematically worked
around by ever cleverer phishers?

~~~
mulmen
With great power comes great responsibility. There is no way to give users
more power without also giving them more responsibility.

------
staplers

      Some pin codes were within their validity window at the time of writing this report.

Wew, I can't imagine being one of the targets and getting this memo: "Your
device has been compromised for the last 5 years."

------
ggm
Please, can somebody explain the threat model in android if you don't
sideload?

~~~
mattnewton
Just fake Play Store entries. One example of many:
[http://bgr.com/2017/11/05/whatsapp-android-google-play-store-fake-app/](http://bgr.com/2017/11/05/whatsapp-android-google-play-store-fake-app/)

~~~
gtirloni
Additionally, at least on the Play Store, you can have ads showing before
search results.

Right now, if I search for Signal, WhatsApp, Telegram or Wire, the first
result is the official app.

If I search for Messenger, an ad for Facebook comes first and the second
entry is something called "The Messenger" from a company I have never heard of.
That's where user confusion starts enabling these attacks.

I remember this being worse in the recent past though.

