
Viking Horde: A New Type of Android Malware on Google Play - reimertz
http://blog.checkpoint.com/2016/05/09/viking-horde-a-new-type-of-android-malware-on-google-play/
======
DocG
I don't know why the change happened but I use play store only in every couple
of months when I need something really specific. Long gone are the days I was
interested in searching for new apps and trying them out.

Similar with updates, I've been hurt a couple of times by keeping apps updated,
so now it happens only when it stops working completely.

~~~
saganus
That's part of the over-saturation of apps I guess.

I also do the same regarding updates. More than once I've found that
functionality is crippled in a newer version or it simply is less usable, so
now I also avoid updating unless there's a feature I really want or, as you
say, it stops working altogether.

~~~
haddr
Same here, I only update when necessary. Also having auto update is painful,
when you suddenly switch from 4G to WiFi your phone will try to update
everything making it sluggish, regardless of what you want to do on your
phone...

------
ams6110
Too bad Google isn't more aggressive at keeping malware out of the Play Store.
As it stands, I will not install anything that isn't from something very
mainstream such as Google, Amazon, Netflix, etc. No small/indy apps for me.

~~~
chickenbane
Check out Google's excellent Android security review [1]. Google is pretty
effective at keeping harmful apps out of the Play Store; if you don't
sideload apps, less than 0.15% of devices had malware.

[1]
[http://static.googleusercontent.com/media/source.android.com...](http://static.googleusercontent.com/media/source.android.com/en//security/reports/Google_Android_Security_2015_Report_Final.pdf)

~~~
r00fus
How does that compare with iOS? I mean, Google may be doing yeoman's work, but
if that compares with near-zero (due to Apple's walled garden), it still
looks bad in comparison (esp with the huge Android installed base).

~~~
ori_b
I don't have stats (and I'd be surprised if Apple released them), but it's not
like iOS malware is unheard of. For example:
[http://www.computerworld.com/article/2989037/malware-vulnera...](http://www.computerworld.com/article/2989037/malware-vulnerabilities/iphone-malware-yispecter-apple-app-store-itbwcw.html)

------
TheGuyWhoCodes
The article doesn't go into details of how the app managed to do all these
things. Isn't there some sandboxing that was broken, a known vulnerability or
some 0day that was used, or anything like it? I've heard that Android security
is broken but it seems a little too easy.

~~~
deprave
Sandboxing isn't a magical solution. All it does is limit resources available
to an app. Usually, until a user authorizes access to such resources.

"Here's a list of thirty privileges this app needs to run. Do you approve?"

Given you just downloaded it, why wouldn't you?

After all, every other app requires a huge set of privileges to run, too.

Do you see the problem? :)

~~~
StavrosK
Not any more, Marshmallow permissions are on-demand.

~~~
nitrogen
It's not all that effective; some apps (like the Hue app) just crash if you
deny them anything. Why didn't Android add the option to provide blank data to
apps?

~~~
StavrosK
> It's not all that effective

I find it perfectly effective: If you deny an app a permission, it doesn't get
any information for that permission.

> some apps (like the Hue app) just crash if you deny them anything

That sounds like the app is badly implemented, really.

> Why didn't Android add the option to provide blank data to apps?

Because it's a completely new API and it shouldn't have to, apps should check
the return code to see if the permission was denied or not.

Are you talking about denying permissions to apps that don't support the
new-style permissions natively, perhaps?

~~~
nitrogen
_That sounds like the app is badly implemented, really._

Yeah, it really is badly implemented, but the blame for that lies in part with
Android for making it so easy to write apps that break. It would have been
perfectly easy to write the code so that it returned "GPS signal lost" for
location, "no contacts" for contacts, "SD card is empty" for storage, "no
phone call in progress" for phone, etc. In fact, modders of Android have been
doing that kind of thing for _years_. It's truly astonishing that Google got
this so wrong when there are so many better examples.

_Because it's a completely new API and it shouldn't have to, apps should
check the return code to see if the permission was denied or not._

Sometimes an app should believe the permission was granted when it actually
wasn't, because of the aforementioned bad (or even malicious) apps. Maybe you
have to use a particular app in order to control the lights in your house, or
your car, or to chat with someone who refuses to use anything that doesn't
have a permission list a mile long. Privacy controls are useless if the _true_
control is still in the hands of the app.

_Are you talking about denying permissions to apps that don't support the
new-style permissions natively, perhaps?_

No, I'm not, but clearly old-style permissions could have been reimplemented
as forwarding calls to a new-style API that returned blank data if the user
chose blank data for that app's permission, just as privacy mods for rooted
phones have already done.

~~~
JonnyaiR
They have two different privacy solutions implemented in Android 6
(marshmallow): The first one is comparable to iOS' model - the app must ask
for permission on first access. If the user denies said access, the app gets
this information.

The second solution is aimed at apps designed for older Android versions: if
the user denies access, the app gets empty data back (e.g. empty contact
lists, no GPS satellites etc).

An app designed for Android 6 should handle negative feedback (disable
functions, show a warning/explanation or something else); it shouldn't break.
If you don't want to handle this, design for Android <6 and let the system
take care of it. But there should be a difference between permission not
granted and no data available; apps should handle these issues differently. If
I were to deny my navigation app access to my location, it should ask me to
revoke this decision and not warn me about not finding GPS satellites (which
would make me run around with my phone held up in the air hoping to get a GPS
fix).
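
As an added illustration (not code from the thread or from Check Point), here is how an Android 6 app could handle the runtime-permission result so that a denied permission and a missing GPS fix produce different messages, the distinction drawn above; it assumes the AndroidX compat library and an arbitrary request code.

```java
import android.Manifest;
import android.app.Activity;
import android.content.pm.PackageManager;
import android.location.Location;
import android.location.LocationManager;
import android.os.Bundle;
import android.widget.Toast;
import androidx.core.app.ActivityCompat;
import androidx.core.content.ContextCompat;

public class NavigationActivity extends Activity {
    private static final int REQ_LOCATION = 42;  // arbitrary request code (assumption)

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        if (ContextCompat.checkSelfPermission(this, Manifest.permission.ACCESS_FINE_LOCATION)
                == PackageManager.PERMISSION_GRANTED) {
            readLocation();
        } else {
            // Runtime-permission model: ask on first use, not at install time.
            ActivityCompat.requestPermissions(this,
                    new String[]{Manifest.permission.ACCESS_FINE_LOCATION}, REQ_LOCATION);
        }
    }

    @Override
    public void onRequestPermissionsResult(int code, String[] perms, int[] results) {
        if (code != REQ_LOCATION) return;
        if (results.length > 0 && results[0] == PackageManager.PERMISSION_GRANTED) {
            readLocation();
        } else {
            // Denied: degrade gracefully and say why; never crash, never blame the GPS.
            show("Location access denied; navigation disabled. Grant it in Settings.");
        }
    }

    private void readLocation() {
        LocationManager lm = (LocationManager) getSystemService(LOCATION_SERVICE);
        if (!lm.isProviderEnabled(LocationManager.GPS_PROVIDER)) {
            show("GPS is switched off.");  // hardware state, not a permission problem
            return;
        }
        Location last = lm.getLastKnownLocation(LocationManager.GPS_PROVIDER);
        // Granted but no fix yet: this is the genuine "look for satellites" case.
        show(last == null ? "Waiting for a GPS fix..." : "Fix: " + last.getLatitude());
    }

    private void show(String msg) { Toast.makeText(this, msg, Toast.LENGTH_LONG).show(); }
}
```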

~~~
nitrogen
_If I were to deny my navigation app access to my location, it should ask me
to revoke this decision and not warn me about not finding GPS satellites
(which would make me run around with my phone held up in the air hoping to get
a GPS fix)._

That kind of notification should be done by the permission system itself,
perhaps as an icon in the status bar.

------
hbz
Cached version:
[http://webcache.googleusercontent.com/search?q=cache:http://...](http://webcache.googleusercontent.com/search?q=cache:http://blog.checkpoint.com/2016/05/09/viking-horde-a-new-type-of-android-malware-on-google-play/)

------
yompers888
I've been contemplating for a few weeks now rooting my phone. My justification
for this plan is the convenience and added security of system-wide ad block.
But I always wonder if I should be more concerned with the new vulnerabilities
I open than with the ones I'm closing. I guess I'm wondering what people here
think: is rooting something that makes sense if you're careful, or is it
something you do if you're smart enough to want to play with your phone while
not being smart enough to know better?

~~~
sudojudo
If you're a careless user, don't root your phone. If you pay attention, use
common sense, and don't have a thousand Play store apps installed, you'll
probably be okay. Another way to look at it is by comparing your phone to your
desktop or laptop computer. How often do you unintentionally break it with
malware? Often? Don't root your phone. Rarely or never? You'll be okay.

The best advice I can offer is to stay the hell away from Google Play. That
trash, and the rest of their services, are the first things I strip from my
phones. Instead, use properly licensed open source software, from the F-Droid
repository (or similar). If it's not a proprietary app
(Twitter/Facebook/Snapchat/etc.), there's likely a FOSS version that's better
than anything on the Play store. Flashlight apps don't need to access your
contact list, or read your call logs, or have an open port in your firewall.
The damned bastards.

On F-Droid you'll find (for your rooted phone):

_AFWall+_, an IPTables firewall GUI. Very nice looking and intuitive. Don't
think I've ever used a firewall so easy to configure.

_Autostart_, an app that prevents garbage from auto-starting. A bunch of
junkware usually loads up when you activate things like WiFi and GPS, or
reboot the phone. Autostart can be configured to block the bloat, and in turn,
make your phone run much more efficiently.

_Disable Manager_, to disable unsavory services (Play, Facebook, etc.). If
you're worried that deleting things will break the phone, this app will put
your mind at ease, because you can use it to turn things off and on, like a
switch, instead of outright deleting.

_AdAway_, generic name, but it does what it's supposed to: system-wide ad
blocking. It's FOSS, under GPL. If you avoid the Play store, configure your
firewall, and use an ad blocker addon on Firefox, you might not even need an
app like this one.

There's a bunch of other cool, trustworthy, stuff on F-Droid that's not going
to abuse your phone. When it comes down to it, if you stick with FOSS, you
won't need to root the phone; a non-root firewall will suffice.

Apologies for the rant, this was supposed to be a short reply, I don't know
what happened.

~~~
yompers888
Thank you for the thorough reply. I'll play with it some this weekend.

------
throwaway0209
so if I don't have Viking Horde or Viking Jump installed, my devices are not
infected by this?

~~~
reimertz
The article mentions 5 different apps but I would assume there are a lot more
apps in the store utilizing this scheme.

Here are the apps mentioned:

- Viking Jump
- Parrot Copter
- Wifi Plus
- Memory Booster
- Simple 2048

~~~
sgarman
I would also add that they have not provided a comprehensive list of infected
apps or any way to stop them from being uploaded in the future.

It's possible you are still compromised from another app. Looks like next
steps are getting a tool out to check that.

------
m4dc4pXXX
Nasty. Great read though.

------
deprave
I feel like every time I read about something ad-related it's usually in a
negative context. This malware doesn't even care if it's not executed as
root... it just needs the device to falsify ad clicks/impressions. And I guess
nobody really cares, because the probably huge amount of bot action on ad
exchanges just makes the pie larger for everyone.

(With all of Google's talent and machine learning and AI, it can't detect this
junk? please...)

All the more reason to avoid hardware from this company.

~~~
chki
-Typing this on a Nexus-

I'm pretty sure that this is not what Google wants although they might, as you
correctly point out, profit from it in the first place. But the negative
publicity in combination with possibly losing companies buying ad space on
Google because of fake clicks cannot be worth it. Google is too big to profit
from a scam like this in the long term.

~~~
deprave
I agree, and like you, I doubt fake clicks/impressions have an impact on
Google's revenue.

Still, one has to wonder how one arm of the company can be so successful at
creating artificial intelligence (smart cars, TensorFlow, Deep Dream, just
OTOH), while the other, its primary revenue driver at that, manages to
overlook things that are so simple.

Or am I really expecting it to be much more difficult than simple heuristics
like "game + SMS privileges = fishy"?

