• mtchristo@lemm.ee
    link
    fedilink
    English
    arrow-up
    55
    arrow-down
    3
    ·
    5 months ago

    Aren’t apps on android hermetically sealed from other apps and malware. How could this be achieved ?

    • whyrat@lemmy.world
      link
      fedilink
      English
      arrow-up
      37
      ·
      5 months ago

      Since the other reply was unhelpful: apps are supposed to have limited privileges and isolation from each other, yes… But the whole point of malware like this is that they figure out ways to break those restrictions and get escalated privileged.

      You can get more technical detail from reading the report, in this case it looks like the app does not contain malware, but instead requests an update after install that contains the bad code and then breaks the app limitations and scans for the target banking applications and copies the security certificates.

    • dev_null@lemmy.ml
      link
      fedilink
      English
      arrow-up
      4
      ·
      5 months ago

      Yes, the app doesn’t steal any information from other apps. The report says the malware just displays a fake bank login page, in the hope the user gives it their details willingly.

      • catnip@lemmy.zip
        link
        fedilink
        English
        arrow-up
        64
        ·
        5 months ago

        Why? They’re absolutely right. The article doesn’t say anything about a root exploit or phishing either so were left wondering…

        • Tyfud@lemmy.world
          link
          fedilink
          English
          arrow-up
          11
          ·
          5 months ago

          He’s being condescending because he believes as a developer nothing is actually fully secure. If I spend 100 hours building and securing something, that’s not going to stack up very favorably vs the 1,000’s or even 1,000,000’s of hours attackers and communities can spend trying to break my security layers.

          Basically, he’s a dick in how he answered the question, but the truth every software engineer learns, is that there is no fully secure system. There’s always an angle/attack vector you didn’t think of and secure.

          • Miaou@jlai.lu
            link
            fedilink
            English
            arrow-up
            2
            ·
            5 months ago

            Of course there are (or there can be) fully secure systems. The problems come when you assume something is.

            • eskimofry@lemmy.world
              link
              fedilink
              English
              arrow-up
              1
              ·
              5 months ago

              Hey but that wouldn’t make money to companies like google ot samsung.

              Your smartphone is itself a security hole. It has 10+ sensors on it nowadays and who knows how many apps lying about their privacy promises.

          • eskimofry@lemmy.world
            link
            fedilink
            English
            arrow-up
            1
            ·
            5 months ago

            Hey I was just trying to make a joke… but looks like I didn’t consider the wording too carefully.

        • dev_null@lemmy.ml
          link
          fedilink
          English
          arrow-up
          2
          ·
          5 months ago

          They actual report does say it just displays a fake login page. It’s just phishing.

        • eskimofry@lemmy.world
          link
          fedilink
          English
          arrow-up
          1
          ·
          5 months ago

          Android as a system has too many moving parts. You not only have to worry about various device manufacturers compiling their own versions of AOSP, you have to worry about how manufacturers package unremovable apps like facebook, candy crush, etc.

          The backdoor is actually the front door… and it is app vendors who are actually the customers… not the phone owners.

          The main reason smartphones took off is that business people were salivating at an always on, always listening device with 10+ sensors collecting data on this whole world. And we pay for the privilege.

          Android has to be designed to collect data and show you ads. Is it really surprising that security here is just security against free access to this data from outsiders… and not caring about your security?

        • eskimofry@lemmy.world
          link
          fedilink
          English
          arrow-up
          1
          ·
          5 months ago

          There’s no such thing as perfect security… unless your application is trivial and doesn’t do very much. Android is designed to collect data from the dozen plus sensors on your phone in order to get money from app vendors to push ads.