We have moved to a new Sailfish OS Forum. Please start new discussions there.
19

malware in third-party-android-stores

asked 2015-11-06 11:29:35 +0200

Moo-Crumpus gravatar image

How secure is jolla's aptoide appstore?

edit retag flag offensive close delete

Comments

2

Nice find. All the more reason to dodge using anything Android!

Spam Hunter ( 2015-11-06 11:40:27 +0200 )edit
6

Additional questions:

  1. What does such malware possibly do on Jolla?
  2. In Aptoide, some apps are marked as Trusted. This is checked by comparing the apk size to the apk size in Play. How secure is this?
  3. How can an app get root access unbeknown to the user? Most phones do not allow root access so easily. What does it mean on Jolla?
bilgy_no1 ( 2015-11-06 19:45:25 +0200 )edit
1

i find this article with a lot of lacks. a lots of thing are well documented, but how does it present themselves? or how they will be installed? from which market they comes?
an android app ask for permissions before installing. how does it happened with the interaction with the user? can't imagine that user was really aware for this permission against what the functions that the software do. seems for the first side, to scare the people. analyse is not enough deep, for me is not serious

cemoi71 ( 2015-11-12 11:03:27 +0200 )edit

5 Answers

Sort by » oldest newest most voted
8

answered 2015-11-06 11:37:47 +0200

tokaru gravatar image

Rather insecure, AFAIK the majority of apks is just uploaded by anyone, not by the apps' official creators. So there is a good chance of malware being bundled.

Obviously, one should never install anything from untrusted sources.

But please note: it is not "Jolla's aptoide".

edit flag offensive delete publish link more

Comments

1

+1 for the remark that Jolla isn't responsible for any Android app or store.

Okw ( 2015-11-07 02:13:40 +0200 )edit
5

answered 2015-11-12 05:04:25 +0200

mynameisnotimportant gravatar image

Interesting question. While I disagree with some things in the report, here are my thoughts on the questions you asked (tl;dr at the bottom):

Initially, I was under the impression that Alien does not provide Android applications with access to real hardware and things such as text messages etc. While I think that Android has no access to already received SMS (I expect the format and location of stored SMS to be different to that of Android) I was rather surprised to find out that, given root permissions, the Jolla can actually be rebooted from within android (I have Superuser from OpenRepos to get root and Lucky Patcher, which prompted me to reboot the device). I did a little test, and it seems that by default, Android has read permissions to Jolla's file system, but cannot modify anything belonging to user 'nemo'. A rooted alien dalvik can however edit files belonging to 'nemo' (not sure about system files). In theory, that means that any Android application can read your files, and a rooted alien dalvik can edit theoretically all your files (the entire system is a bunch of symlink, however I was able to rename the rpm binary belonging to Sailfish from within android).

Now, while that is quite bad (and rather shocking, for me at least, I kinda assumed everything was in a sandbox), I am wondering what would happen if you already have root. Would the '$APPLICATION has requested Superuser Permissions' dialogue pop up? Or would it somehow just overwrite the already-existing root binary..

As for Aptoide, is kind of a double-edged sword. While on one hand it is great for finding pretty much anything, it might be a bit difficult to find out which applications are the real deal. It is important to remember however that Aptoide is not one store per-se, but rather a collection of repositories. I imagine that Jolla's repository is quite safe, however adding any other repositories to aptoide will increase the risk of stumbling accross malware. As for the 'trusted' status some apps get, I don't know how that is done, but if it really is size alone, then that could be rather unsafe. (I was hoping they compared checksums or signatures or something..)

As for how they get root access, I guess its due to the huge amount of security vulnerabilities that exist within android. When you say 'most phones do not allow root access so easily', you are kind of right. While the software is good enough to prevent root access for a short time, most systems will be vulnerable to some exploit sooner or later. I guess the only exception to this is where there is another layer of security by things like S-On on HTC devices. The thing is, exploits dont really give you a message saying 'Hey! I am using a vulnerability in your phone to get elevated access'. Although you might sometimes see pictures of a dialogue box asking a user if he wants to grant superuser access to an app, that is not due to the Android System but rather a root management app (such as superuse or supersu). The way I understand it is, that during the rooting process, one installs a binary that gives root to applications, however granting this to literally any application that asks for it would be dangerous, so instead of installing a give-root-to-everything binary, a version that checks whether the user has given access to a particular app in a database (held by superuser or supersu) is installed instead.

tl;dr

  • Malware on its own can read your files (but might not necessarily know what to do with them, as most malware is probably looking in places it expects android to put its files, not Jolla. Malware with root access can do all that plus write/edit things belonging to Sailfish OS.
  • Should aptoide really only use the size to check whether an app is real (and I doubt that’s all they do), thats pretty unsecure. However I doubt that most developers with malicious intent would bother, as it would be quite a challenge to reduce the size of an app, add your own code and make sure the end product is EXACTLY the same size.
  • Exploits aren't really known for their confirmation messages are they? That is kind of the point of an exploit, to do whatever it is you want to do, even though you're not really supposed to. Thing you gotta remember is, Android is insecure as hell.

PS: I hope this makes any sense. Please comment if you have further information or something I said is plain wrong.

edit flag offensive delete publish link more

Comments

1

Hi,

The fact that android apps can get to data on the Jolla is a red line for me. Due to lack of native apps i'm currently forced to use android apps (whatsapp - because trying to get my contacts to use telegram just won't happen, here maps - real offline navigation).

if the device had onboard encryption that would have been a solution, but that's way way off.

I guess I'll have to jump ship unless anyone has any ideas ?

Am ( 2015-11-17 12:32:36 +0200 )edit

Well, the fact that they can only Write to ~/Android_Storage (or whatever its called, cannot remember) but can only read the rest of the OS, means that someone has given this some thought. I assume that, should you somehow be able to edit the permissions for the filesystem in such a way that android cannot even read them (but still had access to the emulated storage) that would be a solution. I have however no idea how to do that.

Another thing which I am personally interested in is XPOSED. I wonder if it's possible to somehow get it running with the dalvik VM. If so, you could use the XPRIVACY module to fine-tune the permissions of each application. As far as I remember this includes what it is allowed to connect to, and what directory it is allowed to browse (and much more. It is really good, if a little complex to understand at first).

mynameisnotimportant ( 2015-11-17 22:46:31 +0200 )edit

I totally agree that some thought has been given but i see no reason why it needs to be able to read anything from the Sailfish partition. I'm sure it's easy to write an android app that navigates to the root and the digs into the filesystem looking for files that match a particular pattern like *.txt, word, excel files etc and then upload them. Obviously you would have to install the app, but a modified APK could possibly do this.

Yes I guess i'm paranoid but this is one of the reasons i'm wanting to stay away from Android. I'm sure the Blackberry Android emulation does not allow this ?

Am ( 2015-11-18 09:37:15 +0200 )edit

Haha, strange that you should mention blackberry, as they are now apparently building backdoors into their software.

Anyways, back on topic, I agree that it is rather unnecessary (and completely pointless for the most part) to have android be able to read everything, and indeed one such app could probably upload your files. I assume this was done to make things easier for most users, should they wish to share files using android applications (for example, sharing pictures taken with the camera applications (stored in ~/Pictures/ or some subfolder of that afaik) in an Android application, such as a instant messanger. I guess one way they could have solved that is to only allow the ~/Pictures directory to be accessed, or even better, whitelist applications that should have permission to access the Sailfish OS files (similarly how we can tick a checkbox for apps to allow/disallow them to access contacts). Oh, and I am not familiar with BlackBerry's Filesystem Structure, so I don't know as to what Android applications can see. I would guess however that it would include the BBOS' equivalent of ~/ and /sdcard. It would probably not include OS partitions, as these would be rather useless for android anyways (wheres sailfish is at least linux based, so I guess they might have some use?).

mynameisnotimportant ( 2015-11-19 04:42:02 +0200 )edit

This bit is mostly my opinion (and hopefully not too off-topic), but out of curiosity, what would you move to? If you want a smartphone, your options would be rather limited. I'm just gonna rule out Android for obvious reasons, but iOS isn't that much better. Last time I checked iOS has backdoors, and while reasonably secure as far as third party applications go, Jailbreaking is possible due to security vulnerabilities. Windows Phone, while it probably is just as bad as Windows 10 now (telematry and all that stuff), is rather secure against malicious applications (should these even exist). The OS has no real 'jailbreaks' or anything as far as I know, and applications are isolated. If applications want to access the SD card, they even have to ask permission (that was in 8.1, not sure what has changed since). I think Sailfish OS is pretty good. Although we are still waiting for the option to encrypt the file system, I don't think it has any backdoors and I haven't heard of any malicious applications. Oh. and you do know that you can just remove android support, right? Finally there is Ubuntu, I don't know too much about it though.

mynameisnotimportant ( 2015-11-19 04:52:42 +0200 )edit
5

answered 2015-11-12 08:38:12 +0200

molan gravatar image

I'm not trying to defend Aptoide nor saying that their security arrangements are trustworthy or effective against such malware, but would like to share their explanations I've found. This is an answer by Paulo Trezentos (Aptoide co-founder) via https://android.stackexchange.com/questions/74618/how-safe-is-it-to-use-aptoide:

1. Malware is something that we take very seriously. Currently, we have 3 different systems to detect the malware threads as they arrive to any Aptoide-powered App Store: - we run 3 different anti-virus in emulators in run-time - we have an in-house system of signatures to detect recurring threats - we have implemented a chain of trust based in the signature of the developer

2. The task of creating a safe environment to the end user is a moving target. We are working with several Universities and Research centres and in a recent article (not yet published) we compare well with the other App Stores. We also proposed a european research project with 2 anti-virus companies and 3 universities / research centres to deal with this topic. There is a lot of work to be done and the feedback of the community is important.

3. F-Droid is in fact very similar to Aptoide. They are a fork of Aptoide and they maintain all the concepts we developed, like multiple stores. They have a more centralised approach and a central signature which if of course different from our approach.

4. At Aptoide we have the "Trusted" stamp. If you see the Trusted stamp in an App, we have 99.99% that the app doesn't contain a threat to the end-user.


Whenever you click the green "trusted icon" next to an application in Aptoide store it says:

"Application signature match with signature related to the application developer. Aptoide Anti-Malware platform analyses applications in run-time and disables potential threats across the store. This system scans all the new applications files from stores and certificates them by comparison against other Android Marketplaces."

edit flag offensive delete publish link more
4

answered 2018-01-17 23:05:29 +0200

stef gravatar image

Are there updates on this? Any more thoughts? This has been a major concern for me, switching to Sailfish (and yes, I know Android is not safe, iOS is not safe etc.), but safety, security and privacy are major reasons for switching to Sailfish and therefore, knowing where and how to find Android apps, without malware is very high on the list, I assume, for most people..

Now, I know that for reasons of privacy etc. it is probably best not to use Android apps at all, but for communicating with friends/family etc., all on Android or iOS, things like Whatsapp are kind of essential... Thanks everyone!

edit flag offensive delete publish link more

Comments

It's absolutely no problem to find Android apps without malware.

The Jolla branded Aptoide store doesn't come preinstalled - same with the Android emulation. In case you decide to use the Android emulation and don't trust Aptoide, you can for example install F-Droid (open-source apps) and Yalp store. Yalp store is an open-source app which lets you download Android apps directly from the Google Play store source, without having to install any Google software (see here https://f-droid.org/en/packages/com.github.yeriomin.yalpstore/).

Using Android apps in the emulated runtime is certainly better regarding safety and privacy than actually using them on an Android device. On Sailfish OS, Android apps have a very limited access to any system information. It's also possible to stop the emulation at any moment without having to uninstall it.

Whatsapp is also available directly from their website: https://www.whatsapp.com/android/

Like with any app - if you care about your privacy, be aware of what you install and what you want to share.

Btw: It's also possible to install Google Play Store and Google services on the Android emulation. I don't suggest that though, since Google doesn't care about your privacy.

molan ( 2018-01-31 21:36:27 +0200 )edit
1

@molan any Android app could read or create files in SailfishOS folders, see the answer https://together.jolla.com/question/120006/malware-in-third-party-android-stores/?answer=121308#post-id-121308 and the example in my comment to this question: https://together.jolla.com/question/107023/running-android-in-lxc-container/. For better security, SailfishOS should run Android in LXC with Anbox: https://together.jolla.com/question/162876/anbox-on-sailfish-os/

baptx ( 2019-10-14 12:49:33 +0200 )edit

@baptx: I totally agree and also don't trust Android apps. Thanks for those links. In my old answer above I tried to explain that Sailfish users don't have to get Android apps from shady places.

molan ( 2019-10-25 21:44:10 +0200 )edit
3

answered 2015-11-06 12:03:26 +0200

AkiBerlin gravatar image

I guess there are more followers of heise.de amongst us ;-)

Yesterday, I followed a suggestion in another thread (HERE maps for Android on Jolla) and thus was visiting APKpure. That is what I found:

I tried this link. The phone behaved strangely thereafter and rebooted - even before installing the file. Is it clean? Or could it be a trojan: Trojanized Adware

So I have a suspicion.

I posted a comment to said lookout blog and asked whether or not user like us can recognize the malicious code if we accedentially got "infected". However, the comment is not yet moderated or answered and thus not yet published.

Maybe over here somebody has an idea how to recognize exploits such as

•Memexploit •Framaroot •ExynosAbuse

Maybe we should open a wiki directed to any detected malware on any of our Jollas. Perhaps the instant thread could be converted to such wiki? The idea would be to report detected malware and hopefully some hints as how to get writ of it.

edit flag offensive delete publish link more

Comments

or don't download any apks and run it without well thinking. i'm sceptic that APKpure make a strong verification as aptoide.
and even if yes, the most of the problem is not the software, but the user. because in spite ob being informed, most of the time he takes the decision not to follow the warning, don't read in which rule he allows the apps, and bring himself in bad issue.
i limit my activity to aptoide and yandex, no install of foreign apk (my decision), and really important, i read always which permission it need and think about it if it make sense. otherwise ... OUT!. the biggest problem is the user himself.

Furthermore, i would do here a blacklist of download websites. Black-list means that white-list should be done too. And next question, who will maintain it?

cemoi71 ( 2015-11-12 10:55:04 +0200 )edit
Login/Signup to Answer

Question tools

Follow
4 followers

Stats

Asked: 2015-11-06 11:29:35 +0200

Seen: 2,466 times

Last updated: Jan 17 '18