How many Android users are aware that Google explicitly GRANTS internet permission to all apps ?
Google justifies restricting storage, call/sms and other features of Android in the name of privacy, security, yet keeps unrestricted internet access open. To top it off, it was a major weakness that was wilfully introduced.
The continued allowance for that internet conduit is being used to kill off major features of the Android OS - storage, call/sms backup apps - yet internet conduit remains open.
When Google moved permission model to run-time permissions - it justified the extra work for developers by saying this was for greater security.
Yet for all the talk of privacy and security, internet permissions was omitted from run-time permissions!
Internet permissions are granted to ALL apps, even if the app developer has no need for internet access. Apps and developers are burdened by a presumption that they are using the internet - even when certain apps have no need for internet.
Whenever someone points out this "gaffe", some justify it for ads, others going so far as to accept Google wants to keep internet open which is why they have to crack down on all the other permissions (Call/SMS fiasco where devs were forced to remove features), and now storage.
This malware is an example of how the implicitly granted internet permissions are used by malware:
https://androidreverse.wordpress.com/2020/06/30/reverse-engineering-of-the-anubis-malware%e2%80%8a-%e2%80%8apandemistek-intended-for-the-turkish-market/ Anubis Malware attacks Turkish banks - Technical Reverse Engineering report - March 2020
Also most of malware applications are collecting data and transfer them to somewhere. Mostly this is done via a Web server that collects data and provides resources the malware can fetch at runtime. Potentially the malware can fetch multiple of potential target URLs using an initial URL. This URL is very sensitive information because it tells a lot about the attacker and it could be forced to be shutdown by the government. Now this malware as well as most others is trying to obfuscate the default url(s). The function naqsl.ebxcb.exu.ifdf.ifdf() is intended to deobfuscate those at runtime (see Listing 6).
5.3.9 PUSH INJECTION As described in chapter 5.2.2 the function naqsl.ebxcb.exu.ServiceCommands.fddo() is able to start malware features. Also the naqsl.ebxcb.exu.ServiceModuleNotification Service will be configured and launched there ( see Listing 26 ). This service is intended to perform the push injection attack wich is able to create a malicious Android notification and meme it like it would come from a installed banking app.
The intent service naqsl.ebxcb.exu.ServiceModuleNotification implements an AsyncTask that fetches an icon resource from a Web server. The Service implemnts the onHandleIntent function which (see Listing 27) reads the url to gather the image from SharedPreferences via the naqsl.ebxcb.exu.Cint.fddo() (see Listing 28) function and ”url” as key (see chapter 5.1.4 and the ServiceModuleNotification.onHandleIntent).
Now the naqsl.ebxcb.exu.ServiceModuleNotification.doInBackground function fetches the resource icon for the taret App using the java.net.HttpURLConnection class. The result will be directly decoded into a bitmap.
Background
When Google moved from permissions-on-install to run-time permissions (which were introduced with much spin about their effectiveness and superiority - but which complicated things for developers) - at that time internet permission was left out of the run-time permissions list.
As a result internet access is implicitly granted for all apps - that greatest conduit for siphoning off of contacts, file info is the internet channel left wide open - purely because it is essential for the delivery of ads - and possibly because Android is making decisions based on needs of it's parent search company.
This means the Google Play Store and the structure of Android is held hostage to the wider machinations of Google the ad/search company, and not Android the OS platform/app-store.
True that apps can leak info without an app requiring internet access - via other files, via SMS etc. However internet access remains the single biggest conduit for info leaks, and Google deliberately left it wide open.
Instead it has sought to shut down everything else - Call recorders' access to phone number info, offline SMS backup apps' access to SMS messages. This was a slap on the face of developers. These apps would willingly forgo internet access, if it meant their app functionality could stay.
Google should do it's part and make internet access a user-facing run-time permission (instead of an app setting embedded somewhere in settings that a user will almost never be reminded to turn off).
[link] [comments]
from /r/Technology https://ift.tt/2O0wuJR
No comments:
Post a Comment