The Source of All Major Android Banking Trojans Just Got Updated To V2 (softpedia.com) 38
An anonymous reader writes: Apparently, during the past months it has started coming to the surface the fact that most top-tier Android malware was actually related, coming from a common malware variant called GM Bot, and sold for only $5,000 on underground hacking forums. Taking advantage of his new found glory, the coder behind that malware has now released a second version, three times the price of the first, complete with 3 exploits that can guarantee root access on older versions of Android (which are plenty thanks to [ignorant] OEMs and carriers). Some of the malware that originated from GM Bot includes: SimpleLocker (first crypto-ransomware for Android), AceCard (considered the most sophisticated Android malware to date), Bankosy and SlemBunk (banking trojan and backdoor), and Mazar Bot (banking trojan, backdoor and ransomware). To make things worse, GM Bot v1's source code also got leaked online, making it available to any halfwit developer that wants a crack at a cybercrime career.
How can I update? (Score:3)
Re: (Score:1)
Couldn't find it on the App Store, either...Weird. (Score:2)
Sent from my iPhone
Criminals gonna crime. (Score:5, Informative)
I don't really get the outrage at this. Criminals are going to commit crimes. I think the outrage would be better directed at Google for promulgating a "security-last" OS to manufacturers who, for the most part, can't be bothered with updates after a few months. When you suck at security almost infinitely more than Microsoft, that's saying something...
Re: (Score:1)
"security last" except when it comes to the customer, then it's "complete lockdown first and foremost", where if you sidestep that you've waved bye-bye to your warranty and manufacturer support. Probably also putting yourself on a list of people handed off to Google's double secret NSA side council that guarantees you will have trojans on your phone.
Re:Criminals gonna crime. (Score:4, Interesting)
I think you are stating the obvious there... this is one of the fundamental flaws of the Android ecosystem.
Are we going to have to start being nutjob-paranoid and placing a dedicated browser in a virtual machine with only a single trusted certificate and using a pin-protected RSA key for every transaction?
I almost want a dumb phone and a Filofax now.
Re: (Score:1)
Re:Criminals gonna crime. (Score:4, Interesting)
Re: (Score:2)
When is Google going to wake up? (Score:2, Insightful)
And give Android two things:
1) The Linux Netfilter firewall as standard (not requiring rooting first) plus all the necessary user-level power tools as well as simple user-friendly apps to control it.
2) User-control of app permissions post-install , not just the choice of "either don't install an app, or else install it and grant every permission that its developer requests for as long as it's installed". This idiotic design is a travesty of insecurity and anti-privacy, and Google should be ashamed of them
Re: (Score:2)
Re:When is Google going to wake up? (Score:4, Interesting)
Netfilter might be too powerful for the majority of users. They would likely lock themselves down and eventually turn it off.
As for permissions, I cannot agree more. Let the app stop working when the permissions are denied but let me change them. There are a few apps i use rarely enough that currently I uninstall between uses. If I could enable or disable permission i could just keep them on the phone. There are also some apps like the one for my blood pressure monitor that i refuse to install because it wants access to my call log, contacts, photos, and something else i cannot figure out why. I even contacted the manufacturer (omron) asking them to explain why but got no response.
Re: (Score:2)
The permissions thing came in with Android M. It's a pain for apps not specifically compiled for it though, because every time you update the apps you have to grant them all the permissions they want and then go and remove them again. But the feature is now there. If your phone vendor/carrier has given you M of course.
Re: (Score:1)
This is just more Android team incompetence.
An app should have no business knowing whether permissions have been granted or denied to it, but should merely work in the expectation that it has them. The data it wants could even have been manufactured by the user uniquely for this app, and it's no business of the app's to know about such a user choice.
It's private information whether permissions have b
Re: (Score:2)
Try downloading the apk, unpack it with apktool, strip those permissions from AndroidManifest.xml, pack it back and then install it via adb.
In fact, the baksmali 'assembly' format is very readable and easy to understand; you can study and modify the java part of an app almost as if you had the source code.
fail++ (Score:1)
1. Who is dumb enough to do banking on something so insecure as a mobile phone? It's a seive.
2. Since people are dumb enough to do something so critical and private as banking on their phone, doesn't this bolster Apple's argument against the FBI?
Re:fail++ (Score:4, Insightful)
Who is dumb enough to do banking on something so insecure as a desktop browser? It's a seive.
Re:fail++ (Score:4, Insightful)
Yup... It used to be that the smartphone was more secure without Java, Flash, Acrobat, and a "trusted" cellular internet connection.
Kids used to walk to school alone too!
Not sure how much is perception and how much is a real problem in either case.
How exactly is it (Score:1)
Re: (Score:2)
Re: (Score:1)
Re: (Score:1)
Re: (Score:2)
What kind of money would GanjaMan make on this? (Score:2)
I'm simply curious (not because I want to get into the business) as $15k plus $2k per month (or $8k plus $1.2k per month for the exploitless version) is not chicken feed.
Are there that many "halfwit developers" out there that are willing to make this a viable option? Or, is this a case of the developer selling the malware to (would be) criminals, to make money on the work but minimize the risk?
I'd be interested in seeing the contract in the case of the customer being caught and going to jail.
"halfwit" (Score:2)
any halfwit developer that wants a crack at a cybercrime career
I don't know where on the developer scale "halfwit" falls, but, in my experience the median programmer is fairly incompetent, and half of them are less talented than this - including the ones who can't copy/paste/modify stackoverflow examples and end up with working code.
Without even looking at the codebase, I would expect that anyone capable of understanding the code and modifying it enough to make something different is well above the median. In the wealthier nations I think that they could probably ma
Foreign Hackers (Score:2)
Re: (Score:2)
Are going to start WW3.
And this is a damn shame! Has no one any pride left in their work in this country?!? It should be AMERICAN hackers who start WW3! GO USA!
"thanks to [ignorant] OEMs and carriers" (Score:2)
"thanks to [ignorant] OEMs and carriers"
That's an incorrect position.
For the OEMs, they take a snapshot of the Android development tree at some stable point, and then they put in a hell of a lot of work to productize it for a given specific platform. And then they don't touch it, ever again. Each new phone is a new port, and each update to the OS on a phone would also be a new port.
Maintaining version updates on an ongoing basis is not possible with this development model, and having Google do the product