New Android malware buys apps for you

Ever wanted a few more apps on your Android phone, but can't decide what you'd like? Now you don't have to, thanks to a new piece of malware that can buy apps for you. Convenience! The Play Store, despite its size, has always been fairly secure. Android's open nature, however, means apps are also available from many other sites, and those might not be as secure.

MMarketPay, as this new species of malware has been named, does not need user permission to download applications. The malware was discovered by security company TrustGo, which found it lurking on several Chinese app stores. According to their estimates it could have been downloaded to as many as 100,000 phones by this point. This could be disastrous for those who are unaware, since a massive phone bill could simply arrive in the future with no explanation. The malware downloads apps from China Mobile's own app store, so if you find a bundle of Chinese-language apps on your phone, you probably should be suspicious.

China Mobile is a state-owned mobile carrier and telecommunications company in the country, so it makes sense that the authors of the malware would target it. China Mobile is the world's largest telecommunications company, with about 655 million subscribers. That is hardly surprising when they really do have the market cornered in the most populated country on earth. The fact that malware is able to exploit such a large company is not exactly encouraging; if one piece of malware can, what if others can do the same? According to the report, the malware is able to spoof verification to purchase the app.

It seems likely that China's app store operates differently to the official Google Play app hub, since the report mentions an SMS for verification and a CAPTCHA code being used. Clearly, the malware is quite an advanced strain if it is the only known one of its kind. Most malware tends to collect information from your phone. This could be personal information, like contact details, or general device information. Others might spam premium-rate numbers with messages, potentially costing you a fortune. MMarketPay doesn't. Hopefully the amount of costly malware existing for Android phones can be controlled, since it really could be damaging for the platform otherwise.

The obvious solution is to avoid downloading apps from Chinese app stores unless you know exactly what you're getting into. Plenty of legitimate, secure stores exist for the platform so it makes a lot more sense to stick to them.

Source: Net-Security

62 Comments


The Chinese have knowledge of the hack, they are trying to infect the western users - Multiple holes in this news source.

ALPHANZ said,
The Chinese have knowledge of the hack, they are trying to infect the western users - Multiple holes in this news source.

So far the "hack" requires using CMWAP as access point on your phone so the M-Market web site doesn't require authentication. I don't see how or why you would be using a China Mobile access point with any western carrier.

This is such a dumb article. So 'Android' is not secure if you side load apps from a CHINESE app store? Who would have guessed that. First off, to side load apps in Android you have to manually enable that. Second off, this isn't Google Play - it's a Chinese app store. You don't use anything Chinese when it comes to tech. That's common knowledge.

For all those with an iPhone raving about how they are sooo secure. Tell me, can you side load apps? Yes you can. Also, does the iPhone have some secure process involved when downloading and installing an app? No it doesn't. It just does it once you accept (just like Android). So you are no more secure from this happening than Android is.

I am waiting for Google to say that this type of malware does not exist on Android. We must be mistaken. Remember the Android botnet denial from Google a few days ago??

NeoPogo said,
Remember the Android botnet denial from Google a few days ago??

Do you mean there's any actual proof of such botnet now? Because as far as I know the Microsoft guy acknowledged that it was all just a wild guess.

The next great breakthrough in Android phones will be an app that automatically orders dildos and butt-plugs from adult websites for you. Who would ever return them? "But I didn't order this nipple clamp. Honest, it wasn't me. It was my phone."

Brilliant.

Are there any technical details about that? I haven't seen any app that can even download a free app from the market on its own without root. I don't even think it's part of the API. And even if it is, doesn't the app show these permissions on installation? The article implies that it doesn't need permission to do so.

The trojan doesn't download anything, according to the original Trustgo article. It just places orders of apps on the M-Market through their web page, which (go figure why) doesn't ask for authentication.

Once the purchase is complete it's the market app who downloads the application, as it would do if it was a legit order.

The original article doesn't mention anything about the trojan not requiring permissions, and it most likely does as it's reading the validation SMS from M-Market.

So it basically boils down to:
-Since you can enable sideloading on Android phones, once you do that no one is stopping you from installing downloaded apks and alternate markets such as M-Market.
-M-Market's security isn't exactly up to par (to put it mildly).

ichi said,
The trojan doesn't download anything, according to the original Trustgo article. It just places orders of apps on the M-Market through their web page, which (go figure why) doesn't ask for authentication.

Once the purchase is complete it's the market app who downloads the application, as it would do if it was a legit order.

The original article doesn't mention anything about the trojan not requiring permissions, and it most likely does as it's reading the validation SMS from M-Market.

So it basically boils down to:
-Since you can enable sideloading on Android phones, once you do that no one is stopping you from installing downloaded apks and alternate markets such as M-Market.
-M-Market's security isn't exactly up to par (to put it mildly).


I didn't know an app can place orders of apps on its own even with permissions, seems like a stupid thing to allow any app to do as I can't think of any context where this could be useful.

But anyway thank you for the details and the clear explanation, that's what I was waiting for and expecting from Neowin's article. For such a supposedly highly-technical website like Neowin with an audience of mostly power users it's severely lacking in the important technological details and contains a lot of sensational fluff that usually plagues news websites with no technological expertise or background.

Mamoun said,

I didn't know an app can place orders of apps on its own even with permissions, seems like a stupid thing to allow any app to do as I can't think of any context where this could be useful.

They can't on the Play Store, but that Chinese M-Market doesn't verify the user credentials on its website when users access through a specific access point (security through obscurity? or just crappy design?) and relies on a SMS to verify that you did actually buy the app.

If you code an application that can access internet and read SMS and then the user installs it and grants the permissions it requires, M-Market's security falls flat on its face.

The article also doesn't clarify if M-Market can actually install the application without user intervention. My guess is no, but it's not like that really matters here since your money would be gone already anyway.
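An added illustration, not part of the thread or of TrustGo's report, of the permission combination described in the comment above: a small audit of a decoded AndroidManifest.xml that flags network access together with the ability to read incoming SMS. The sample manifest, its package name and its receiver name are constructed for this example.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
NET = {"android.permission.INTERNET"}
SMS_READ = {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"}
SMS_ACTION = "android.provider.Telephony.SMS_RECEIVED"

# Constructed sample: a hypothetical app that requests both capabilities and
# registers a high-priority receiver for incoming SMS.
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.wallpapers">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application>
    <receiver android:name=".MsgReceiver">
      <intent-filter android:priority="1000">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""


def audit_manifest(xml_text):
    """Return a list of (rule, detail) findings for a decoded manifest."""
    root = ET.fromstring(xml_text)
    perms = {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}
    findings = []

    # Rule 1: the app can talk to the network AND read incoming SMS, which is
    # all that is needed to defeat a purchase flow that relies on an SMS code.
    if perms & NET and perms & SMS_READ:
        hit = sorted(perms & (NET | SMS_READ))
        findings.append(("network+sms-read", ", ".join(hit)))

    # Rule 2: a receiver registered for incoming SMS. SMS_RECEIVED is an
    # ordered broadcast, so a higher priority means it runs before others.
    for receiver in root.iter("receiver"):
        for flt in receiver.iter("intent-filter"):
            actions = {a.get(ANDROID_NS + "name") for a in flt.iter("action")}
            if SMS_ACTION not in actions:
                continue
            raw = flt.get(ANDROID_NS + "priority", "0")
            try:
                priority = int(raw)
            except ValueError:
                priority = 0  # e.g. a resource reference; treat as default
            name = receiver.get(ANDROID_NS + "name")
            findings.append(("sms-receiver", f"{name} priority={priority}"))
    return findings


if __name__ == "__main__":
    for rule, detail in audit_manifest(SAMPLE_MANIFEST):
        print(f"[{rule}] {detail}")
```

Neither finding proves an app is malicious, since messaging apps legitimately need both permissions; the value is in spotting the combination in apps whose stated purpose does not call for it.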

ichi said,

They can't on the Play Store, but that Chinese M-Market doesn't verify the user credentials on its website when users access through a specific access point (security through obscurity? or just crappy design?) and relies on a SMS to verify that you did actually buy the app.

If you code an application that can access internet and read SMS and then the user installs it and grants the permissions it requires, M-Market's security falls flat on its face.

The article also doesn't clarify if M-Market can actually install the application without user intervention. My guess is no, but it's not like that really matters here since your money would be gone already anyway.


Oh ok, that makes sense. Again the article has done a very poor job describing the issue and it's obvious its writer is not an Android user or didn't even bother researching the subject. I mean I know it's unprofessional journalism but c'mon. You have done a much better job explaining everything and you are not a professional editor, right?

So these are Chinese App stores separate from the Google Play store.

Anyone dumb enough to download random crap from different app stores is doing so at their own risk.

ManMountain said,
Simply stick to Google Play and don't allow installation from unknown sources of non-Market applications.

I thought the ability to sideload was supposed to be a major selling point for Android

jakem1 said,

I thought the ability to sideload was supposed to be a major selling point for Android

In a similar way as it's a selling point for desktop operating systems, but that doesn't mean you should go downloading and installing random crap.

In both cases if you want to play safe you stick with software that comes from verified vendors through verified channels.

NightCrawlerInfinity said,
I can honestly say I never had such a malware on my computer or phone. I guess I am not stupid?

thank god only tech-savvy people buy android... wait, uh-oh - but thank god it's THEIR PROBLEM, not mine when getting 10.000 spam because of them... wait, uh-oh

the software manufacturer's job to make its product safe... of course google was never primarily a software manufacturer and what can you expect from a data mining corp? if this is their best i'd hate to see them fail

i think it's time to activate a kind of "android doomsday clock" then get some popcorn and wait for this frankenstein to fall apart

Morden said,

thank god only tech-savvy people buy android... wait, uh-oh - but thank god it's THEIR PROBLEM, not mine when getting 10.000 spam because of them... wait, uh-oh

the software manufacturer's job to make its product safe... of course google was never primarily a software manufacturer and what can you expect from a data mining corp? if this is their best i'd hate to see them fail

i think it's time to activate a kind of "android doomsday clock" then get some popcorn and wait for this frankenstein to fall apart

Thank god I never said that. In a perfect world. Non-tech shouldn't be using Android, they should be on iOS. They also shouldn't be using a Windows desktop. They should be on OSX

NightCrawlerInfinity said,

Thank god I never said that. In a perfect world. Non-tech shouldn't be using Android, they should be on iOS. They also shouldn't be using a Windows desktop. They should be on OSX

well after some personal experience with my gfx designer ex macs are just as hard to maintain if you no-tech - apps leave crap lying around just the same

and yeah, you're right but low-end androids are cheap so plenty of users who just want a slice of the smartphone world or been convinced by a sales rep will buy it - so don't blame the "idiots", blame the business model that builds on them

and to be honest the concept of having multiple app stores without any security or quality management is the epic fail of the android concept - it's open as in open season; as far as i see the only ones profiting from the "openness" of android are exactly those tech-savvy guys who lurk on XDA... for the rest of the world it's just a helluva big security hole

Morden said,

thank god only tech-savvy people buy android... wait, uh-oh - but thank god it's THEIR PROBLEM, not mine when getting 10.000 spam because of them... wait, uh-oh

So why would you be getting spam from Android?

Morden said,

the software manufacturer's job to make its product safe... of course google was never primarily a software manufacturer and what can you expect from a data mining corp? if this is their best i'd hate to see them fail

i think it's time to activate a kind of "android doomsday clock" then get some popcorn and wait for this frankenstein to fall apart

Ah well, see: a trojan connects to a third party market through their web page (which doesn't ask for any kind of authentication) and places orders.

Sorry to disappoint you but this kind of stuff won't spell any kind of doom over Android

sexypepperoni said,
So I take it this is another feature? This is not good for Android, I expect it to get hammered because of security breaches like this.

Why don't you read instead of replying to all these threads without knowing what you are talking about. This is not from the Google Play store. These are from random Chinese App stores. Google/Android cannot help it if morons download crap from other places. They cannot protect against user stupidity.

techbeck said,

Why don't you read instead of replying to all these threads without knowing what you are talking about. This is not from the Google Play store. These are from random Chinese App stores. Google/Android cannot help it if morons download crap from other places. They cannot protect against user stupidity.

I think what you meant to say is that "They cannot protect against user stupidity like Apple does."

Aren't people who hack their iPhones also susceptible to the same madness? I mean, isn't this just part of using shady app stores?

Gnome said,
Aren't people who hack their iPhones also susceptible to the same madness? I mean, isn't this just part of using shady app stores?

To be honest, every smart phone os is susceptible, all the big ones worth creating the malware for anyway. Even iOS has some dodgy apps slip through the net sometimes and make it to the app store.

Shikaka said,
To be honest, every smart phone os is susceptible, all the big ones worth creating the malware for anyway. Even iOS has some dodgy apps slip through the net sometimes and make it to the app store.

True. The difference being the frequency. I mean, as big as iOS is, they've done pretty well in fending off against malicious apps. It's much easier for them to fix these problems though since they can control what apps are in the market, whereas Google is very limited in what they can do.

And Windows Phone I don't think has a big enough customer base to really make them a big target. At least, I don't recall hearing of any issues with malicious apps or what have you. Of course, that isn't to say it isn't susceptible either.

PmRd said,
Yay for Android security! Best phone OS my ass..

It is, by far. But if idiots do idiotic things, then they should go buy something with IOS which they can't do this with.

Exosphere said,
It is, by far. But if idiots do idiotic things, then they should go buy something with IOS which they can't do this with.

Lol.. The simple fact that this is even possible within the OS proves that it's not the best. Being too open has its ups and downs but mostly downs. Google doesn't even check the crap people post on the market before it's available to the public, so it's not only "idiots" that can be infected.

Exosphere said,
It is, by far. But if idiots do idiotic things, then they should go buy something with IOS which they can't do this with.

When things like this happen it just shows how bad Android OS actually is. It is just a pile of junk always has been and unless Google rewrite this from the ground up completely it will just get worse and worse.

PotatoJ said,
I hope you don't use Windows or OSX.

What does Windows or OSX have to do with a phone OS? A quick visit to my profile will tell you I use Windows 8.

PmRd said,

Lol.. The simple fact that this is even possible within the OS proves that it's not the best. Being too open has its ups and downs but mostly downs. Google doesn't even check the crap people post on the market before it's available to the public, so it's not only "idiots" that can be infected.

A lot of the time this is from other sources outside of the Play Store and outside of Google's control.

Then you have people who allow for the apps to install by checking to allow installs from unknown sources or not reading what the prompts say on the screen before selecting an option. Google has certain options disabled by default for a reason and warns you when enabling them.

And this is possible with ANY OS. iOS has even had malware on their App Store as well.

techbeck said,

And this is possible with ANY OS. iOS has even had malware on their App Store as well.

Not possible on Windows Phone. And before you say I'm wrong, I'm a programmer and I know very well how Windows Phone's ecosystem works.

PmRd said,

Not possible on Windows Phone. And before you say I'm wrong, I'm a programmer and I know very well how Windows Phone's ecosystem works.


If it's possible on iOS then it's possible on Windows Phone even if they work like the so called viruses on Android that aren't really real virus. Doesn't matter who you are.

SharpGreen said,

If it's possible on iOS then it's possible on Windows Phone even if they work like the so called viruses on Android that aren't really real virus. Doesn't matter who you are.

Are you a programmer? Did you ever touch Visual Studio? Do you even understand how apps work on Windows Phone? Probably not because you would not say that crap.

PmRd said,

Not possible on Windows Phone. And before you say I'm wrong, I'm a programmer and I know very well how Windows Phone's ecosystem works.

First off, thank you for assuming what I was going to say/think. I appreciate it. Secondly, any OS can be attacked and it doesn't have to be by downloading/installing an app. No OS is 100 percent secure and if anyone thinks otherwise, they are delusional.

techbeck said,

First off, thank you for assuming what I was going to say/think. I appreciate it. Secondly, any OS can be attacked and it doesn't have to be by downloading/installing an app. No OS is 100 percent secure and if anyone thinks otherwise, they are delusional.

I was saying that this particular case is impossible in Windows Phone. So looks like I'm right after all.

PmRd said,
Yay for Android security! Best phone OS my ass..

Do you seriously expect us to believe that your ass is the best phone OS?

Edited by Shiranui, Jul 10 2012, 2:36am :

Shiranui said,

Do you seriously expect us to believe that your ass is the best phone OS?

Lol of course Butt I can't guarantee there's no crapware. See what I did there? lol

PmRd said,

Not possible on Windows Phone. And before you say I'm wrong, I'm a programmer and I know very well how Windows Phone's ecosystem works.

Malware is possible on any OS, even Windows Phone too. How easy that malware infects is a question of how users get their apps. Stores like Google Play, iTunes etc make it much harder for malware to exist, but it's still not impossible, as evidenced by the recent malware discovered on Apple's store.

If you were a real programmer, you'd know this.

As far as Windows Phone goes, it probably hasn't got any malware yet because of security in obscurity. It's so small that it's not even worth writing malware for it.

simplezz said,

Malware is possible on any OS, even Windows Phone too. How easy that malware infects is a question of how users get their apps. Stores like Google Play, iTunes etc make it much harder for malware to exist, but it's still not impossible, as evidenced by the recent malware discovered on Apple's store.

If you were a real programmer, you'd know this.

As far as Windows Phone goes, it probably hasn't got any malware yet because of security in obscurity. It's so small that it's not even worth writing malware for it.

I know malware is technically possible on Windows Phone; if it wasn't, there wouldn't be much you could do as a programmer with the API. The worst that could happen is an app could get a list of all your contacts' info and use it for evil stuff. I was saying that this particular Android case is absolutely impossible on Windows Phone, there is no way an app could download and install other apps, there is no way an app could intercept text messages or send one (without user consent). It all boils down to the fact that Android is pretty much free for all with most of its APIs allowing malware authors to do some pretty sneaky ****

When you submit your app to the apphub, Microsoft has your WP7 app's source code and can use heuristics to determine if the app is malware before making it public. And since there's no other way to install apps than the store it's pretty safe to say you'll never find malware on it.

Edited by PmRd, Jul 10 2012, 3:41pm :

PmRd said,

I was saying that this particular Android case is absolutely impossible on Windows Phone, there is no way an app could download and install other apps, there is no way an app could intercept text messages or send one (without user consent).

The trojan isn't downloading anything itself, and I'm not seeing anywhere in the original article (that is, not the one that's linked here but the source of that one) about whether there's user consent or not when reading text messages.

I reckon this is the start of things to come, anti virus for smart phones is going to become a big big business.

Shikaka said,
I reckon this is the start of things to come, anti virus for smart phones is going to become a big big business.

antivirus for androids. WP and IOS don't seem to be plagued with viruses like the android

Chica Ami said,
Worlds first malware that buys apps for you. Great, what's next?

We will be able to re-position satellites and control NASA from our phones.

In other news, if you buy a 'Rolex' from a guy on the street instead of a jewelry store, and you use your credit card number, you're gonna have a bad time.