It was (still is?) a common practice to grant all permissions when installing an app from Google Play. Most people don't even look at the "annoying" popup that lists permissions to be granted and just press "accept" without ever reading it.
Well it's not like there's any option to deny them. You can only not install the app, unless the app chooses to build for the Android 6 permission system.
That's what I actually do. I refuse to install apps that require broad permissions not related to their primary purpose. Though I do realize that I belong to that insignificant minority group of users.
Does not always work because shady apps often check for permissions on boot and refuse to start if i.e. some fart app can't access that contact list of yours "it desperately needs to function properly". Denying permissions only mitigates cases when all permissions are asked due to the lack of proficiency or laziness of app developers not an intended malicious behavior.
> Well it's not like there's any option to deny them. You can only not install the app, unless the app chooses to build for the Android 6 permission system.
On Android 6 or newer you can always deny permissions, even if the app targets older Androids. (Settings -> Apps -> <app> -> Permissions).
I mostly have apple devices but have a Nexus 7 at home. I'm not sure which version it's running.
Every time I install something I have a sinking feeling as it asks me to allow it to do things that sound wildly beyond anything I would ever want an app to do. Things like an app for my kids that asks for something along the lines of "access to the files". Hopefully things have improved with the newer OS but man I feel uncomfortable installing apps on Android in a way I've never felt with Apple.
The requirement to prompt for individual permissions in iOS significantly predates android's implementation of the same. Besides, am I mistaken or is the 'Force close' dialog ('xyz keeps crashing') only offered _after_ android first quietly attempts to restart the activity as if nothing went wrong?
This site is a great comfort to me after losing my job [Check Details Here⇒> http://cutt.us/7N2sG ]. I have sought for a new job without success, until a friend suggested online jobs for me, and after making some research I stumbled upon this site and since then I no longer feel the loss of my former job. I even earn more than I do before.
Show less
"Hacked Up Pokemon Go needs thse permissions" (all of them) (deny, allow), user has been trained that if they deny a permission the app won't work so they click allow?
Observation: I suppose it's some kind of meme in this industry that in this kind of posts they take screenshots from MS-DOS editors opening the malware.
Why is this being called a backdoor? Is there any indication that that's what it is? Except for the headline, the only claim even remotely as serious made in the article is that it can root some devices, and figuring out which ones is left as an exercise for the reader...
C&C servers, evasion techniques like masquerading as system package, bootstrapping the encrypted payload malware with a wrapper APK, ransomware features, piles of exfiltrated informaiton, intercepting calls and text messages, ransomware functionality... it's like a crook with a record the size of a phonebook.
Not knowingly. Sounds like there is a phony app as a phishing style infection vector:
"The malware masquerades as a legitimate or popular app that uses the names App, MMS, whatsapp, and even Pokemon GO. When the app is launched, it base64-decodes a string from the resource file and writes it down, which is actually the malicious Android Application Package (APK)."
The user has a legitimate expectation that the app sandbox containment provided by the OS works and nothing bad should happen if s/he tries out the aforementioned apps.
That link says right at the top, "The difference between this type of malware and a legitimate application with similar functionality is that the installation is done without the user’s knowledge."
I agree with @debatem1, this is not what "backdoor" commonly means, phishing does not count as "without the user's knowledge". Phishing is a trick to get in the front door.
I'm not sure if you're serious, but in this case the user obviously was not intending to install a "legitimate application with similar functionality".
The user wanted to install a WhatsApp, Pokemon, etc type of application but was phished or otherwise deceived into completing the app installation interaction, and was left with no knowledge about the backdoor.
Right, you are correct, the user didn't want it. But the user's intent is not the line that distinguishes between phishing and a back door. Yes I'm serious. Phishing is a way to get people to do things they don't intend to do. Phishing involves a user interaction that is masquerading as legitimate, but is in fact malicious against the user's intent. Both phishing and back door attacks are always attempting to do something unwanted, and always intending to do it without the user knowing what's really happening. But the language "without the user's knowledge" referring to back doors means without any user interaction.
I'm sure there are gray areas and situations where it's hard to distinguish, but a backdoor is most commonly defined as not involving any user interaction. A phishing attack involves user interaction. The phishing attack can be used to install a backdoor for future attacks, but that's not what happened here. This phishing attack asked the user for permission to do the things it wants to do. That's the front door.
It's a guy pretending to be the mailman ringing the doorbell and asking if he can come in, then stealing stuff while he's there. The backdoor is a thief in a mask sneaking in a slightly open window at night when nobody's home. The difference is the fake mailman asked for permission. Even though he was fake. It wasn't my intent to let a thief in the house, it was my intent to let the mailman in, but I still got robbed.
Make sense now?
This distinction is important because there are things you can do to avoid phishing, as there are in this case, but there is nothing you can do to avoid a real back door, because it happens without any signaling at all, it happens without your knowledge. So back to @debatem1's point, this should have been called a sophisticated phishing attack, rather than being called, inaccurately, a back door attack.
Yes, right, that's correct. The infection vector itself is precisely what is known as the "back door". That's the point. Back doors are the vector, whereas with phishing the user is the vector.
The definition of a backdoor is an attack that bypasses security and doesn't require user input. The definition of phishing is an attack that requires user input, by tricking the user into using their own credentials to authorize access.
Back doors can be opened intentionally or unintentionally by whoever designed or setup the system, but they allow an attacker to get in without involving any input or action from a legitimate user of the system.
Phishing is a way to infect a device with malware by tricking the user into installing the malware. That's exactly what happened here. GhostCtrl is malware that infects via phishing, because it requires the user to authorize it, and it does not have an attack vector it can use without the user's authorization.
It sounds like we're all straightened out and in agreement?
No, the infection vector, eg phishing or browser exploit or trojan or whatever, is what enables a back door to be installed. The back door is not an infection vector, it is the payload.
Yes, there is a type of back door that is factory installed as part of the dev process of an otherwise legitimate product. But in the context of malware, the backdoor is a payload that enables malicious remote access. Like the glossary entry I linked explains.
Yes it is possible to install a back door, after you've gained access. I'm fine with calling GhostCtrl a phishing attack that installs a back door. The big question here is which part of the attack elevates access to user or root level?
The miscommunication here between us is that you're looking at what GhostCtrl does after it already gained access. Because the first point of contact, the initial entry point, is using the security systems as they were designed to be used, and tricking the user into granting access to the malicious software, the attack as a whole is a phishing attack. As I understand it, the payload is not by itself elevating access, it is using access the user granted to do bad things, not achieving a higher access level.
The payload of an attack of any sort is not commonly understood to be the "back door", I think you're slightly off the mark there. You're not wrong, but you're going to have trouble talking to other people if you keep insisting on this, because the common understanding of a back door is that it's a way of getting in, by bypassing security. It's normally defined as a way of initiating an attack, not the malicious result of an already complete attack.
The only way to define a back door as you have is to have another attack in front of it. If the back door is the payload, then you have to deliver and execute the payload somehow. In the case of GhostCtrl, that mechanism is phishing.
If you scroll back, this started with "Why is this being called a backdoor? Is there any indication that that's what it is?". I linked to a glossary entry I think reflects the common usage in malware context.
Any payload is not a back door, payloads can be also ransomware, ddos bots, etc.
Okay, I think we're agreeing on the definition. You do agree that this particular backdoor depends on a successful phishing attack, right?
FWIW, I don't think that glossary entry you linked is very good. It calls a backdoor an application, but a backdoor is not always an application -- which I think you already know & mentioned in this thread. A RAT (remote access tool) is definitely not synonymous with backdoor in the common understanding. A backdoor can also be an open port, a bad password, or a variety of other entry methods. Wikipedia's entry on backdoor is better than the one you linked. https://en.m.wikipedia.org/wiki/Backdoor_(computing)
If a backdoor were always an application, and that was the common definition, then I think the question above wouldn't have been asked. One problem is that backdoor sometimes implies a vulnerability exists before any malware is installed. To call something a backdoor can send the wrong message about what someone concerned about this should do to mitigate the risks. Knowing it's a phishing attack is pretty important because it means you can and should be suspicious of apps asking for credentials and permissions. If you think it's primarily a back door, you might wrongly assume that you need to update a security patch, or that there's nothing you can do to reduce your risks.
This is why I believe @debatem1's question is reasonable and agree with it - to title this a backdoor is technically true, but it seems misleading.
I think this is going around in circles: we already covered the backdoor term in malware vs product name in contexts, and the payload vs phishing thing. If you Google for backdoor payloads, you see that it is common usage.
Any platform which allows users to install arbitrary software of their own choosing "allows" this. GNU/Linux for example, also allows this. As do Mac, Windows, and jailbroken iOS.
This is the choice everyone makes: safety in a walled garden, or freedom outside of it. For my phone I much prefer the safety trade-off, so I would never choose android, but for my work laptop I wouldn't want to be locked down in a similar way.
The link does not describe malware served by the iOS App Store at all. XcodeGhost was indeed worrisome as it is unwanted code, but it did not actually perform malicious actions beyond those found in a standard analytics library included by many developers in their apps.
Try ACR by NLL, it has worked great for me. Though if you change inputs in the middle of the call it keeps recording the wrong path and you end up with only half the conversation.
IDK how NLL's ACR works, but Android API doesn't expose audio output devices because it could lead to piracy issues, such as recording whatever is playing on Spotify. I don't think there's a way to bypass that, and if there were it would probably be banned from Google Play Store.
65 comments
[ 3.7 ms ] story [ 127 ms ] threadOK, so the attack vector here is installing dodgy stuff off the Play store? Or not the play store but from another source, such as an ad?
It is still more dangerous, but known signatures are detected.
Each individual permission is prompted for and can individually be denies.
I personally consider this an improvement, though I realize many (probably most) users will just click through anyway.
The permissions system was introduced on 6.0.
That's what I actually do. I refuse to install apps that require broad permissions not related to their primary purpose. Though I do realize that I belong to that insignificant minority group of users.
On Android 6 or newer you can always deny permissions, even if the app targets older Androids. (Settings -> Apps -> <app> -> Permissions).
Every time I install something I have a sinking feeling as it asks me to allow it to do things that sound wildly beyond anything I would ever want an app to do. Things like an app for my kids that asks for something along the lines of "access to the files". Hopefully things have improved with the newer OS but man I feel uncomfortable installing apps on Android in a way I've never felt with Apple.
Android prompts info about whats happening, iOS just ignores them and keeps going.
With this simple difference, people tend to think iOS works better! I cannot trust an OS that doesn't ask me stuff, or takes things for granted.
Best example is the "Force close" dialog on Android vs just crashing the app on iOS.
>GhostCtrl is also actually a variant (or at least based on) of the commercially sold, multiplatform OmniRAT that made headlines in November 2015.
"Hacked Up Pokemon Go needs thse permissions" (all of them) (deny, allow), user has been trained that if they deny a permission the app won't work so they click allow?
http://cdn.wccftech.com/wp-content/uploads/2017/03/icloud-sc...
http://www.jordantimes.com/sites/default/files/styles/news_i...
etc
Usually show men in black clothes trying to climb in windows, etc.
I wonder how many people would believe that works.
0. http://www.hiew.ru
"The malware masquerades as a legitimate or popular app that uses the names App, MMS, whatsapp, and even Pokemon GO. When the app is launched, it base64-decodes a string from the resource file and writes it down, which is actually the malicious Android Application Package (APK)."
The user has a legitimate expectation that the app sandbox containment provided by the OS works and nothing bad should happen if s/he tries out the aforementioned apps.
This type of malware are commonly called backdoors, see eg. http://www.virusradar.com/en/glossary/backdoor
I agree with @debatem1, this is not what "backdoor" commonly means, phishing does not count as "without the user's knowledge". Phishing is a trick to get in the front door.
The user wanted to install a WhatsApp, Pokemon, etc type of application but was phished or otherwise deceived into completing the app installation interaction, and was left with no knowledge about the backdoor.
I'm sure there are gray areas and situations where it's hard to distinguish, but a backdoor is most commonly defined as not involving any user interaction. A phishing attack involves user interaction. The phishing attack can be used to install a backdoor for future attacks, but that's not what happened here. This phishing attack asked the user for permission to do the things it wants to do. That's the front door.
It's a guy pretending to be the mailman ringing the doorbell and asking if he can come in, then stealing stuff while he's there. The backdoor is a thief in a mask sneaking in a slightly open window at night when nobody's home. The difference is the fake mailman asked for permission. Even though he was fake. It wasn't my intent to let a thief in the house, it was my intent to let the mailman in, but I still got robbed.
Make sense now?
This distinction is important because there are things you can do to avoid phishing, as there are in this case, but there is nothing you can do to avoid a real back door, because it happens without any signaling at all, it happens without your knowledge. So back to @debatem1's point, this should have been called a sophisticated phishing attack, rather than being called, inaccurately, a back door attack.
There is always some infection vector associated with a backdoor.
The definition of a backdoor is an attack that bypasses security and doesn't require user input. The definition of phishing is an attack that requires user input, by tricking the user into using their own credentials to authorize access.
Back doors can be opened intentionally or unintentionally by whoever designed or setup the system, but they allow an attacker to get in without involving any input or action from a legitimate user of the system.
Phishing is a way to infect a device with malware by tricking the user into installing the malware. That's exactly what happened here. GhostCtrl is malware that infects via phishing, because it requires the user to authorize it, and it does not have an attack vector it can use without the user's authorization.
It sounds like we're all straightened out and in agreement?
Yes, there is a type of back door that is factory installed as part of the dev process of an otherwise legitimate product. But in the context of malware, the backdoor is a payload that enables malicious remote access. Like the glossary entry I linked explains.
The miscommunication here between us is that you're looking at what GhostCtrl does after it already gained access. Because the first point of contact, the initial entry point, is using the security systems as they were designed to be used, and tricking the user into granting access to the malicious software, the attack as a whole is a phishing attack. As I understand it, the payload is not by itself elevating access, it is using access the user granted to do bad things, not achieving a higher access level.
The payload of an attack of any sort is not commonly understood to be the "back door", I think you're slightly off the mark there. You're not wrong, but you're going to have trouble talking to other people if you keep insisting on this, because the common understanding of a back door is that it's a way of getting in, by bypassing security. It's normally defined as a way of initiating an attack, not the malicious result of an already complete attack.
The only way to define a back door as you have is to have another attack in front of it. If the back door is the payload, then you have to deliver and execute the payload somehow. In the case of GhostCtrl, that mechanism is phishing.
Any payload is not a back door, payloads can be also ransomware, ddos bots, etc.
FWIW, I don't think that glossary entry you linked is very good. It calls a backdoor an application, but a backdoor is not always an application -- which I think you already know & mentioned in this thread. A RAT (remote access tool) is definitely not synonymous with backdoor in the common understanding. A backdoor can also be an open port, a bad password, or a variety of other entry methods. Wikipedia's entry on backdoor is better than the one you linked. https://en.m.wikipedia.org/wiki/Backdoor_(computing)
If a backdoor were always an application, and that was the common definition, then I think the question above wouldn't have been asked. One problem is that backdoor sometimes implies a vulnerability exists before any malware is installed. To call something a backdoor can send the wrong message about what someone concerned about this should do to mitigate the risks. Knowing it's a phishing attack is pretty important because it means you can and should be suspicious of apps asking for credentials and permissions. If you think it's primarily a back door, you might wrongly assume that you need to update a security patch, or that there's nothing you can do to reduce your risks.
This is why I believe @debatem1's question is reasonable and agree with it - to title this a backdoor is technically true, but it seems misleading.
They tend to litter all their discoveries with FUD in order to maximize their sales.
https://sputniknews.com/science/201509211027280404/