
Exploiting Android Users - Rudism
http://www.codeword.xyz/2015/08/09/exploiting-android-users-for-fun-and-profit/
======
methou
Living in China, it doesn't seem they were crossing a line. Things have gone mad
here.

If you want to type Chinese, you'll need an IME. Most Chinese people rely
on them. It was indeed an exploitable point, that you slip a lot of stuff into
it:

- News pop-ups of course;
- System information gatherer? Sure;
- Search engine, convenient;
- Anti-Malware software, certainly;
- Anti-Virus software, you'll have it;
- Homepage? Come on, let's make a bolder move
- Browser!
- A PC Manager. It's a combination of AV/AM and a software catalog,
and the sweetest feature is to tell you how many seconds it took to boot up to
your desktop, and shows a % of population you've beat across the nation,
people can be bitchy over this.

Not just one major software vendor did this, everyone capable did, and is still
doing it. There are also large internet companies, used by people on a daily
basis, that use 0day exploits to push their desktop software. If you browse
the Chinese part of the internet for one day, you'll end up with a bunch of cute
little Anti-Virus/cleanup/tweaking goodies resting in your notification area;
sometimes they fight each other and cause a BSoD.

~~~
egeozcan
This sounds horrible. I always hear how Chinese internet access is under too
heavy regulation, isn't there any penalty for such behavior?

~~~
billyhoffman
I think the word you are looking for is "censorship" instead of regulation.
Though I suppose "heavy regulation" could be a clever/funny euphemism for
"censorship".

~~~
thaumasiotes
The Chinese euphemism for censoring something is "harmonize", from the slogan:
[https://en.wikipedia.org/wiki/Harmonious_Society](https://en.wikipedia.org/wiki/Harmonious_Society)

------
FilterSweep
Along the same vein, I highly recommend this read from Aral Balkan[0] on how
advertising and analytics data is now really just a fancy word for what we
considered _spyware_ back in the older (freer) days of the Internet.

[0]:
[https://aralbalkan.com/notes/spyware-2.0/](https://aralbalkan.com/notes/spyware-2.0/)

------
tracker1
I can't speak for anyone else, but there's only so far I would be able to go
in a job. I once turned down a job because a major client of the company was
the RIAA. It reminds me of what LinkedIn did with their iPhone app and Email.
I can't believe that either Android or iOS would allow any of their apps after
they did that.

I don't have either FB or FB messenger installed, since the split... mostly
because they ate my battery life, and breaking apart existing/working
functionality sucks. Not to mention they've been gimping their mobile website
ever since, I've been avoiding them much more lately. But FB is nowhere near
this level of sleaze.

~~~
icebraining
I don't use Facebook at all, but I've heard good things about their new Lite
app. It still asks for permission to spy on your whole device, though.

~~~
untog
The really disappointing thing is that if you root Android you can use "App
Opps" to selectively disable permissions, per app. It works great. But Google
won't enable it by default.

~~~
ufmace
I think Google is redoing the whole permission system in Android M.
Reportedly, instead of the approve everything once at install time model,
they're moving to the iOS way of default minimum permissions and asking the
user at use-time to approve additional things.

~~~
tdkl
They do, although in real life terms this will mean practically nothing for
John Doe, because he'll have to:

- buy a new device with M
- hope his existing phone gets M before one year to date or ever.

~~~
wernercd
Yeah... Google should stop and close up shop. Working towards fixing things
tomorrow? HOW DARE THEY! _Shakes fist at them menacingly_

~~~
tdkl
That's not what I'm implying. But suggesting that the user should suck it up
because something is coming in 6-12 months if he's lucky is not a valid
excuse, because he can take his money NOW elsewhere.

As an ex-Android user of 5 years, I just got tired of this "coming soon"
attitude.

------
pests
There was a single mention of Paint.NET in the article with no other comment.
Is that the company involved in this? It was not clear to me nor do I
recognize the name of the author.

There are two technical holes in how this was achieved, disregarding the
initial drive-by update install:

* Unprotected browser cookie storage
* Android web-based App Install requires no user interaction past a request to a web endpoint

Are these holes still open?

~~~
RyanZAG
It would not be Paint.NET itself - lots of Windows freeware apps are
approached by advertising companies. The advertising company pays the freeware
company a lot of money to add a checkbox during install. It's this kind of
checkbox that the author is talking about. They probably gave Paint.NET (and
Java, winzip, winrar, etc etc) a ton of money to put that there.

~~~
tracker1
Paint.net has ads on their pages, right next to the download page... Their own
download link is non-obvious, and the advertisers create full-size ads with a
big green button saying "download"... what the user gets isn't the installer
from paint.net proper. I think the fact that the paint.net guys are resorting
to allowing ad networks on their main page instead of an inline donate option
(like Ubuntu) is pretty bad.

Another example: as recently as 3 months ago a search on Google for "chrome"
would result in a few ads that were for malware like this.

The ones that are in the actual installers upset me a lot... more so in
open-source, and one of the reasons people are starting to avoid SourceForge like
the plague.

~~~
pests
I thought SF rescinded their new policies? Regardless, I still won't be using
them unless I must.

I guess this might be one benefit of the Windows Store, as long as that hasn't
been taken over. I haven't checked it in a while nor do I know their guidelines.

~~~
fapjacks
They're trying to sell SF right now (and Slashdot), so who knows what's going
to happen next.

~~~
tracker1
I don't know if either has the funding, but GitHub or Atlassian would be
better stewards of SourceForge, at least in terms of migrating the whole thing
into the fold of GitHub or Bitbucket.

As it stands, I get a little sad when I see a project still on or using SF.

------
robin_reala
Site's struggling for me. Google cache:
[https://webcache.googleusercontent.com/search?q=cache:http%3...](https://webcache.googleusercontent.com/search?q=cache:http%3A%2F%2Fwww.codeword.xyz%2F2015%2F08%2F09%2Fexploiting-android-users-for-fun-and-profit%2F)

------
obisw4n
It's funny the author mentions all the Google Play stuff about installing apps
to users' phones without them ever even knowing. I actually found a company
exploiting this in the wild using browser extensions; I wrote about it on this
blog:

[http://extensiondefender.com/blog/](http://extensiondefender.com/blog/)

I'm not sure if the news I released had any effect, but they rapidly pivoted
from a "desktop to mobile" ad network:
[https://web.archive.org/web/20141209085229/http://vulcun.com...](https://web.archive.org/web/20141209085229/http://vulcun.com/)

To some kind of e-Sports betting site:
[https://vulcun.com/](https://vulcun.com/)

Oddly enough I submitted a bug report to Google telling them they should set a
Content-Security-Policy on play.google.com, and was basically told "wont-fix",
so the vulnerability to the Play Store still exists.

~~~
TorKlingberg
Thanks. By the way, you forgot to put any link from your blog to the main site.

------
joshstrange
This raises an interesting point I've thought a lot on, which is "Developer
Moral Responsibility" (best way I can sum it up). I've started 2-3 blog posts
on this subject only to shelve them indefinitely, as the "gray" things I've
been involved in were minor on the grand scale and the places I worked at when
those things occurred were 99% "good", and I wouldn't want to smear their names
over things that were minor at best (the "everyone else is doing it"
argument/excuse). I would love it if a "Developer Morality Manifesto" or
similar were created and accepted at both a developer and company level to
cover some of these "dark" practices.

------
fapjacks
Way back when I was young and webvan.com was hot, I also worked on similar
stuff. I didn't know then who I was, or even slightly what I wanted in life.
Typical early-20s kind of thing. Anyways, I understand exactly what this guy
feels like, as I feel the same way about the things I did back then. And these
days I have turned down a couple of jobs that I felt were being too aggressive
about advertising. One company's product was to give you a kind of GMail
search, at the cost of collecting all kinds of information about you and
aggregating it on remote servers to use for advertising. The founders were
real cool guys, but this was just not something I am willing to contribute to.

------
gbin
But why?

Money? You said "thousands" of "users"; even if you sell those owned
computers/phones at, let's say, $1, you don't make that much as a company.

Fame/street cred? Look how I got those lusers?

Or you don't even care? You could optimise the deadliness of an atomic weapon
and you would feel the same: code done! Awesome!

~~~
ufmace
You know, I think that optimizing the deadliness of atomic weapons is a lot
more defensible than this. The nukes have arguably prevented large-scale
industrial war since WWII. I'm having a tough time coming up with a defense
for building malware, though.

~~~
Rudism
There really is no defense. It's just a money grab. When I was working there I
dealt with it through compartmentalization and rationalization ("if I wasn't
doing this someone else would, so I might as well earn that paycheck anyway").
Others there probably just didn't care.

The culture was very money-centric... everyone's compensation included a bonus
component that was directly tied to how much revenue your products generated,
and there would be big celebrations whenever new milestones were met.

------
dpifke
For those wondering how to protect against a "malware-steals-cookie" attack,
see:

[http://www.browserauth.net/channel-bound-cookies](http://www.browserauth.net/channel-bound-cookies)

I believe Google does this now for their auth cookies.

~~~
gcr
How can this fix prevent this class of attacks?

The malicious app has local access to the user's machine, which means it has
the ability to read and overwrite all files that the browser manages.

In the worst case, we could create malware that just reads the browser's
client public key and creates our own session with the same one.

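The channel-bound cookie idea from dpifke's link, and the limitation gcr raises, as an added Python illustration that is not part of the thread or of browserauth.net's design. The server binds each session cookie to an identifier of the client's channel (here modelled as a SHA-256 of the client's public key, a constructed stand-in for the TLS-level key the real scheme uses) by MACing both together; a cookie copied out of the browser's cookie store and replayed from a different channel fails verification, while an attacker who also obtains the client key (gcr's worst case) is indistinguishable from the legitimate client. Names, key bytes and session ids are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Server-side MAC key. Constructed at import time for the example; a real
# deployment would keep it in a secret store and rotate it.
SERVER_SECRET = secrets.token_bytes(32)


def channel_id(client_pubkey: bytes) -> bytes:
    """Identifier of the client's channel: a hash of its public key.

    Stand-in for the TLS channel identifier the real scheme derives from the
    client's channel key; any stable per-client value works for the demo.
    """
    return hashlib.sha256(client_pubkey).digest()


def _tag(session_id: str, client_pubkey: bytes) -> str:
    # MAC over (session id, channel id). Changing either invalidates the tag.
    msg = session_id.encode("utf-8") + b"|" + channel_id(client_pubkey)
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def mint_cookie(session_id: str, client_pubkey: bytes) -> str:
    """Issue a session cookie bound to the channel it was requested over."""
    return f"{session_id}.{_tag(session_id, client_pubkey)}"


def verify_cookie(cookie: str, client_pubkey: bytes):
    """Return the session id if the cookie is valid for this channel, else None."""
    try:
        session_id, tag = cookie.rsplit(".", 1)
    except ValueError:
        return None  # malformed cookie
    # Constant-time compare so verification timing leaks nothing about the tag.
    if hmac.compare_digest(tag, _tag(session_id, client_pubkey)):
        return session_id
    return None


def replay_scenarios() -> dict:
    """Three outcomes a defender should expect from channel binding.

    Keys (constructed): a victim's browser key and a separate attacker key.
    """
    victim_key = b"victim-channel-public-key"      # constructed
    attacker_key = b"attacker-channel-public-key"  # constructed
    cookie = mint_cookie("sess-42", victim_key)    # what the browser stores

    return {
        # Normal use: the browser presents the cookie over its own channel.
        "legitimate": verify_cookie(cookie, victim_key),
        # Cookie lifted from the cookie store, replayed from another machine:
        # the channel id differs, so the MAC fails and the session is rejected.
        "stolen_cookie_other_channel": verify_cookie(cookie, attacker_key),
        # gcr's point: malware with local access that also copies the client
        # key can reproduce the victim's channel, and the server cannot tell.
        "stolen_cookie_and_key": verify_cookie(cookie, victim_key),
    }


if __name__ == "__main__":
    for name, outcome in replay_scenarios().items():
        print(f"{name:30s} -> {outcome!r}")
```

The scheme raises the bar from "copy a file" to "copy a file and extract a key", which is exactly the gap gcr describes: channel binding defeats cookie theft from network captures and from stores the attacker can read but not execute in, and it stops there once the attacker controls the endpoint.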
------
tomaskafka
Thanks for honesty!

------
avinoth
This. This is what pisses me off at Android and its ecosystem. I'm an
avid Android user, and more and more I'm witnessing how it's turning into exactly
what Windows was (is) and how crappy they are at protecting their users.

You can submit an app to the Play Store and get it approved within a day. I
mean, come on, phone data is some of the most valuable possessions one has in
this century and they care less about it being abused. I wish there could be a
tightly knit app store similar to iOS with stringent reviews & regulation, but
I know it's never going to happen.

~~~
matthiasb
If it takes 2 weeks for Apple to approve your app, it doesn't mean they are
looking into it for 14 consecutive days.

~~~
avinoth
Of course it doesn't mean they are looking into it continuously, but it's way
better than not looking at all.

All I'm saying is at least a pair of eyes is looking into the app before it's
reaching their users.

~~~
makomk
Google started manually looking at and approving all Android apps submitted to
the Play Store a while ago, if I recall correctly. They just don't take 14
days to do it.

~~~
threeseed
Neither does Apple. It's currently 6 days.

[http://appreviewtimes.com](http://appreviewtimes.com)

