
Researchers Find Google Play Store Apps Were Government Malware - 0xmohit
https://motherboard.vice.com/en_us/article/43z93g/hackers-hid-android-malware-in-google-play-store-exodus-esurv
======
mmjaa
Man, I yearn for a return to computers we could trust - or at least, had the
tools onboard to establish, easily, whether that trust was warranted or not -
i.e. compiler, dev tools, open access, and so on.

The more I think about where we've arrived after the last 20 years the more I
realise the OS vendors betrayed us.

We got fat on the sugarcandy of framework-obsession - they got rich on the
meat of our data.

If only there were OS vendors out there who wanted to really innovate again
and bring the power back to the users...

~~~
im3w1l
You just have to do what you always had to do. Check the reputation of whoever
made the apps you install.

Blindly downloading things from the appstore isn't quite as bad as downloading
blindly from the internet, but it's not great either.

Oh and permissions. Sure they help a bit, but everything asks for everything
and there are ways to infer data you didn't ask for so it's not a complete
solution.

~~~
antpls
We could also use the web of trust. An app already downloaded by people you
trust is maybe-probably more secure.

Google Play Store could allow third party audit badges on the apps store page,
so different agencies could give an official rating or an approbation level
for the app. Basically a "verified" badge ala FB and Twitter, but more
organizations than just the app-store owner could give their checks.

You would have "Google-approved" badge, "Open-source-approved" badge,
"Mozilla-approved" badge, and even "Government-approved" badge.

Then you let the user make his/her own decision based on what entities or
friends he/she trusts.

------
saagarjha
> an eSurv employee explained in a resume publicly available through his
> LinkedIn page that as part of his job at the company, he developed “an
> ‘agent’ application to gather data from Android devices and send it to a C&C
> server”

Yikes. Not something I’d want on my resume…

~~~
bryanrasmussen
Surely it's no worse than saying one worked at Uber, Facebook, or any number
of other companies.

~~~
foota
Except in those cases you agree to it? Seems pretty different to me...

~~~
TallGuyShort
Most people aren't consciously agreeing and Facebook seems happy to keep it
that way, so maybe not as different as you're implying.

------
hn20190331
Here the apps were "fake" random ones that users had to download from Google
Play.

But... the Official Carrier Apps (those signed with a key stored in the SIM
card [0]) are also definitely being used to push government malware.

There's an official price list set by the government for "services towards
authority" in the same country this eSurv is based in. [1]

That list includes mandatory things carriers must do when asked (hopefully
with a valid court order, but not always...), such as auto-installing
backdoored apps via provisioning text messages (handled by the Carrier App);
or increasing the data bundle allowance in order to avoid that a data-hungry
malware could be detected by the user...

Always try to avoid unnecessary apps; the Carrier App can usually be avoided
by using the carrier's mobile website in the phone browser, or by using
USSD/SMS codes to get line info such as bundle counters, prepaid credit
amount, and so on.

Unfortunately sometimes a ROM change is needed; some phones in some conditions
(e.g. official ROM with carrier branding) will have the Official Carrier App
pre-installed as system app...

Sometimes in other official ROMs (even unbranded ones) there's a pre-loaded
"Carrier Updater" that will auto-install the Official Carrier App for the
inserted SIM card (again, as system app)...

[0]
[https://source.android.com/devices/tech/config/uicc](https://source.android.com/devices/tech/config/uicc)

[1]
[https://motherboard.vice.com/it/article/9k89j3/ecco-il-listino-prezzi-della-polizia-italiana-per-la-sorveglianza-telefonica](https://motherboard.vice.com/it/article/9k89j3/ecco-il-listino-prezzi-della-polizia-italiana-per-la-sorveglianza-telefonica)

------
ConcernedCoder
welp...back to flip phone for me

------
oksawe
But at least it's not a walled garden. lol

~~~
lern_too_spel
That walled garden is missing a few stones. Mr. Cook threw them in his glass
spaceship.

[https://www.computerworld.com/article/2989037/iphone-malware-yispecter-apple-app-store-itbwcw.html](https://www.computerworld.com/article/2989037/iphone-malware-yispecter-apple-app-store-itbwcw.html)

[https://motherboard.vice.com/en_us/article/qvakb3/inside-nso-group-spyware-demo](https://motherboard.vice.com/en_us/article/qvakb3/inside-nso-group-spyware-demo)

