Has the fake-aptoide issue breached security?

answered 2020-02-25 13:26:22 +0200

DrYak
9624 ●93 ●134 ●128

http://www.sympato.ch/

TL;DR:

• Your Sailfish OS installation is very likely (Myriad Aliendalvik and Anroid 4.2/4.4) or nearly guaranteed (Jolla's LXC Aliendalvik and Anrdoid 8/9) to be safe.
• Your user data shared with Android (pictures, contacts list) might have been compromised (just as any other spyware running inside any other app).

First a short recap of the security breach:

• Aptoid works by having multiple repositories offering each their collection of APKs (Jolla has one such repository).
• There is not much curation about the content of those repository, each owner is responsible for their repositories. It's a bit of a Wide Wild West.
• The search function of Aptoid can search any repository for the package you're looking for.
• One some repository, some malevolent people have managed to land package that sports the same class name (e.g.: "com.bla.bla.what.ever") as genuine apps, but contain malware, and have ludicrous version numbers (like: 999.99.9) with the hopes of showing higher and being picked up by unattentive users.
• com.aptoid.partners i.e. the store app itself, was among the affected. (I've also seen the french train transportation app being similarly affected, and maybe a couple of others).

Now :

• if you practice due checks of what you install, you're probably were not affected nor even at risk during the whole situation. You've probably just saw some weird unusual update like Aptoid Store wanting to be updated from version 6.5.3.1 to some weird version 99.9.7.3, with some not quite right icon. And you probably dismissed the update as some bogus stuff. ( <- that's litterally what I've seen).
• if you're clicking on random shit without giving much though, you might have accidentally have installed the malware. On the other hand, if that's your normal behaviour on today's internet, it also means that your Windows desktop computer is filled to the brim with viruses, and you currently have more pressing issue to fix. Come back here and read further once you've cleaned your PC and stopped unkowningly sending spam or other botnet activities.

Regarding the state of a phone post infection :

• It depends on the Android Compatibility Layer :

  • The old Dalvik VM based layer that Jolla was licensing from Myriad : (most phones up to Xperia X included)

    It's running as a separate process on your phone. Applications are theoretically only java-like bytecode that run inside the VM, but some application could be using native libraries, and they could have specially crafted libraries trying to do bad stuff. In addition most of the Android stuff run using it's own specific user IDs. It doesn't have the necessary privileges to access any random user file, nor does it have root privilege to hose your smartphone. Also your Sailfish OS differs a lot from regular Android phones, and breaking it security would require the custom step to break out to be rather different than what from any other Android user who installed Aptoide.

    So it means it's technically possible but chances are rather low that the attackers managed to break anywhere out of the android app realm. Your Sailfish OS is probably safe.

  • The new LXC-based aliendalvik that Jolla has developed (more recent phone from Xperia XA2 and above).

    Even if these more recent versions of Android apps are actually (pre-compiled) native binaries running directly, Sailfish OS own implementation runs entirely inside a container (in the grand-father of Docker, actually). This pretty much isolates whatever is happening inside the containers from the rest of the system (just look at all the people having trouble accessing their SD cards from Android Apps :-P ) So even if your Android is completely hosed up, it would still require very advanced kernel hacking to break out of the container. And again doing so requires code specifically writting to break your LXC, so not something that an attacker that blanket targets all Android smartphone running Aptoid would develop.

    So it means that it's technically nightmarishly-difficult and chances are almost non-existant that the attacker managed to break anywhere out of the android app realm. You can almost guarantee that your Sailfish OS is safe.

• And then there's the data shared to the Android world in general :

  • If you've enabled it so (and it was required for some apps like WhatsApp) Sailfish can be set to share some data with Android such as Calendar, Contacts list, etc.
  • Sailfish share user data file (Photos, etc.) with Android.
  • On LXC based android, user data file on removable media (SD card, USB sticks, etc.) can be shared with Android if aliendalvik-control is installed.

  Note that all of the above is data that could be slurped and leaked by any app on your android application layer, not only a hacked aptoid. The advertisement spyware in most of your freemium apps is probably doing the same already.

  It's not specific to the current Store-fiasco and could be currently happenning with any of the built-in advertisement/marketting spyware in any of the legitimate app that's you've gotten from Google Play Store itself.