No wonder Google is trying to maintain control over the App Store. Hundreds of Android apps and Chrome extensions with millions of installs from the company's official marketplace have features to track users' files, manipulate memory contents and deliberately inject unknown code into websites, researchers said Monday.
Google removed many, but not all, of the malicious posts, the researchers said, but only after they were reported to have been on millions of devices, and possibly tens of thousands. The researchers are not satisfied with this.
A very sad place
"I'm not a fan of Google's approach," developer and extension researcher Vladimir Palant wrote in an email. In the pre-Chrome days, when Firefox owned the majority of browsers, real people reviewed add-ons before they became available on the Mozilla Marketplace. Google took a different approach, using an automated review process that Firefox then copied.
"Since automated reviews often miss malicious extensions and Google is very slow to respond to reports (in fact, they rarely respond), this leaves users in a very sad situation," says Pallant.
Security researchers and advocates have also criticized Google for reviewing Android apps before they are available on the Play Market. The last week gave rise to sharp complaints.
Security firm Dr.Web said on Monday that it found 101 apps with 421 million downloads from Play that contained code that allowed a variety of spyware actions, including:
- Get a list of files in the specified folder
- Check for certain files or folders on the device
- Send files from the device to the developer
- Copy or replace the contents of memory.
ESET researcher Lukas Stefanko analyzed the applications submitted by Dr.Web and confirmed the results. In the email, he said that for the file cleaner to work, users must first grant a permission known as READ_EXTERNAL_STORAGE, which, as the name suggests, allows the program to read files stored on the device. Although this is one of the most sensitive permissions given to users, apps require it for many purposes, such as editing photos, managing downloads, and working with multimedia, browser apps, or the camera.
Dr.Web says that spyware functionality is provided by the software developer kit (SDK) used to build each application. SDKs help simplify the development process by automating certain types of frequently performed tasks. Dr.Web identified the SDK that enabled the detection as SpinOK. Attempts to reach SpinOK developers for comment were unsuccessful.
On Friday, security firm Cloudsec expanded the list of apps using SpinOK to 193, saying 43 of them are available on Play. In the letter, a CloudSEK researcher wrote:
Spyware Android.Spy.SpinOk is a very worrying threat for Android devices as it has the ability to collect files from infected devices and transfer them to malicious attackers. This unauthorized collection of files puts confidential and private information at risk of disclosure or misuse. In addition, spyware's ability to manipulate clipboard contents increases the risk, giving attackers access to sensitive data such as passwords, credit card numbers, or other confidential information. The consequences of such actions can be serious, leading to identity theft, financial fraud, and various privacy breaches.
Chrome users who grabbed extensions from the Google Chrome Web Store didn't have a better week. On Wednesday, Palant reported 18 extensions containing deliberately obfuscated code released on serasearchtop[.]com servers. Once there, the extension injects hidden JavaScript into every web page the user views. In total, 18 extensions have about 55 million downloads.
Security company Avast confirmed Palant's findings on Friday, identifying 32 extensions with 75 million downloads, although Avast said the number of downloads was artificially inflated.
It is not known exactly what the injected JavaScript does, as neither Palant nor Avast can see the code. While both suspect its purpose is to hijack search results and bombard users with ads, they say the extension isn't just spyware and is actually malware.
"The ability to inject arbitrary JavaScript code into any web page has great potential for abuse," he explained. "Browsing to search pages is the only *safe* way to abuse this feature."
Am I infected?
With the many applications and extensions presented by different researchers, there is some overlap. However, there's no denying that hundreds of malicious offers have been discovered with millions of downloads from Google Marketplace over the past week.
Aside from canned statements that Google takes user security seriously, company representatives have been relatively quiet in responding to questions about fraudulent products on its market. Companies are usually quick to remove malicious offers after reporting them, but still struggle to detect them during the review process or check for newly added malware after allowing it.
After filing this story, a Google representative sent a statement.
“Security for users and developers is at the heart of Google Play. We've looked into recent reports about the SpinOK SDK and are taking appropriate action against apps that violate our rules. Users are protected by Google Play Protection, which notifies users about popular. applications. Google Play displays malicious behavior with services on Android devices, even when the app originates from a different source."
A Google representative wrote in an email that was sent before press time but was accidentally lost.
“The Chrome Web Store has a policy to keep users safe that all developers must comply with. We take security and privacy claims against add-ons seriously, and when we find an add-on that violates our rules, we take appropriate action. This report Remove the Chrome Web Store extension.
Google usually does not notify users after they encounter malicious offers after they have been installed. The remainder of this article contains identifiers that users can use to determine whether they are infected.
The complete list of applications reported by Dr. The internet is here.
The applications provided by CloudSEK are:
- com.hexagon.blocks.colorful.resixlink
- com.macaronmatch.fun.gp
- com.macaron.boommatch.gp
- com.blast.game.candy.candyblast
- com.tilermaster.gp
- com.crazymagicball.gp
- com.cq.merger.ww.bitmerger
- com. happy2048. fusion block
- holiday com.carnival.slot.treasure.slot:
- com.vacansie2048.gp
- com.richfive.money.see
- com.hotbuku.hotbuku
- com.crazyfruitcrush.gp
- com. twpgame. fun block puzzle
- com.sncgame.pixelbattle
- com.cute.macaron.gp
- com. electronic games. lucky Earn
- com. happy aquarium game
- com.blackjack.cash.poker
- vip.minigame.idledino
- com.circus.coinpusher.free
- com.diamantblok.gp
- com.boommatch.hex.gp
- guaniu: desert tree
- com. the big snail gstarw:
- com. cash instant game
- com.yqwl.det.purecash
- com.block.bang.blockbigbang
- com.chainblock.merge2048.gp
- com. the big snail gstarfeelw:
- com. cc game farm explosion
- com.bubble.connect.bitconnect
- com.acemegame.luckyslot
- com tianheruichuang channel3:
- com.kitty.blast.lucky.animal.game
- magic ball games
- com.bird.merge.bdrop
- com.acemegame.luckycashman
- free.vpn.nicevpn
- com.vegas.cash.casino
- com. drawback. chip metachip
- com guaniu.lightning
- vip mini-game: Rolling bubble puzzle
Meanwhile, the affected extensions reported by Palant are:
| Name: | Weekly active users | Extension ID: |
|---|---|---|
| Auto-skip for YouTube | 9,008,298 | lgjdgmdbfhobkdbcjnpnlmhnplnidkkp |
| Reinforcement of speech | 6,925,522 | chmfnmjfghgpdamlofhlonnnnokkpbao |
| Crystal advertising block | 6,869,278 | lklmhefoneonjalpjcnhaidnodopinib: |
| Fast VPN | 5,595,420 | ciifcakemmcbbdpmljdohdmbodagmala: |
| Writing memory helper | 3,499,233 | meljmedplehjlnnaempfdokukjenf |
| Maximum conditioning | 3,483,639 | lipmdblppejomolopniipdjlpfjcojob: |
| Quick translation | 2,797,773 | lmcboojgmmaafdmgacncdpjnpnnhpmei |
| EasyView reader view | 2,786,137 | icnekagcncdgpdnpoecofjinkplbnocm |
| PDF Toolbox | 2,782,790 | bahogceckgcanpcoabcdgmoidngedmfo: |
| Epsilon Ad Blocker | 2 571 050 | bqpdalonklochchahhipekbnedhklcdnp |
| Craft Cursor | 2,437,224 | magnkhldhgdlhikekhmhlhonpmlolk |
| Alpha Blocker is an ad blocker | 2,430,636 | edadmcnnkkkgmofibeehgaffppadbnbi: |
| Zoom Plus | 2,370,645 | ajneghihjbebmnljfhlpdmjjpifeaokts |
| Basic image downloader | 2,366,136 | ponderhojomjfdcppbhhncbfakfjiabp |
| Nice pointer click | 2,353,436 | pbdpfhmbdldfoiognphkiocpidecmbp |
| Cursor - Custom cursor | 2,237,147 | hdgdghnfcappcodemanhafioghjhlbpb |
| Awesome dark mode | 2,228,049 | fbjfihoienmhbjflbobnmimfijpngkpa |
| The best color changer for YouTube | 2,226,293 | kjeffohcijbnlkgoaibmdcfconakaajm: |
| Awesome auto update | 2,222,284 | djmpbcihmblfdlkcfncodakgopmpgpgh |
| Adblock Venus | 1,973,783 | obeokabcpoilgepbhlskoonmpgkhcp |
| Adblock Dragon: | 1,967,202 | mcmdolplhpeopapnlpbjceoofpgmkahc |
| Puzzle reader mode | 1,852,707 | dppnhoaonckcimpejpjodcdoenfjleme: |
| The sound is insane | 1,626,760 | idgncaddojejegdmkofblgplkgmeipk: |
| Image Download Center: | 1,493,741 | deebfeldnfhemlnidojiidadkgnglpi: |
| Customize fonts | 1,471,726 | gfbgiekoflllpkpaoadjhbbfnljbcimoh |
| Easily exit closed tabs | 1,460,691 | pbebadpeajadcmaoofljnnfgofehnpeo |
| Screen recorder | 1,459,488 | flmihfcdcgigpfcfjpdcniidbfnffdcf |
| OneCleaner: | 1,457,548 | pinnfpbbjancnbidnnhpemakncopaega |
| Repeat button | 1,456,013 | iicpikopjmmincpjkckdngpkmlcchold: |
| Go to video downloader | 1,454,917 | bjltspoqnpgaaoaolloyjdnbdojdklidkh |
| Click Image Downloader | 1,451,822 | okclicinnbnfkgchommiamjnkjcibfid |
| Qspeed video speed controller | 732 250 | pcjmcnhpobkjnhajhhleejfmpeoahclc |
| Hyper volume | 592 479 | hinhmojdkodmficpockledafoeodokmc |
| Bright picture-in-picture | 172 931 | gcnceeflimgggoamelclcbhcdggcmnglm |
A name without dashes indicates an extension that was not removed during the Palint installation. Google said on Friday that all reported extensions had been removed.
The extension identifier is provided by Avast.
- aecplbmglgjpfaikihdlkjhgegehbbf:
- afffieldplmegknlfkicedfpbbdbpaef:
- ajneghihjbebmnljfhlpdmjjpifeaokts
- ameggholdkgkdepolbiaekmhjiaiiichg
- bfbedjnnjkjgelgblfbddajjgkpndi
- bahogceckgcanpcoabcdgmoidngedmfo:
- bikjmmacnlceobeapchfnlcontrol
- bkbdedlenkomhjbfljaopfbmimhdgenl:
- bkflddlohelgdmjoehphbkfallnbompm
- bqpdalonklochchahhipekbnedhklcdnp
- bppfigghlfkpioihhhhpbpgcnnhpogki
- cajcbolfepkcgbgafllkjfnokncgibpd
- ciifcakemmcbbdpmljdohdmbodagmala:
- deebfeldnfhemlnidojiidadkgnglpi:
- diapmighkmmnpmdkfnmlbpkjkealjojg
- dlnanhjfdjgnnmbajgikikidobcbfpnblp
- dppnhoaonckcimpejpjodcdoenfjleme:
- edadmcnnkkkgmofibeehgaffppadbnbi:
- edaflgnfadlopeefcbdlcnnfkefkhio
- edaliddamlkedgjaoialogplotsmgg
- edmmaocllgjaikiiilohibgicdjndkljp:
- eibcbmdmfcgklpkghpkojpaedhloemhi:
- enofnamganfiidbpcihkihfmfpobo:
- epmmfnfpkjhgikijelhomnbeneepbe
- fcndjoibnbpijadgnjjkfmmjbgjmbadk
- feigiddmdpgdmhdjbofmflidmdpgdi
- fidddnnfloiehekhgfjpphceidalmmgd
- fgpeefdjgfeoioneknokbpficnpkddbl:
- fhnlapempodiikihjegggpacnefpdema:
- finepngcchiffimedhcfmmlkgjmeokpp:
- flmihfcdcgigpfcfjpdcniidbfnffdcf
- fpfmkkljdiofokoikgglafnfmmffmmhc
- gdlbpbalainhpfkltzkhciopjlbiepkn
- geokkpbkfpghbjdgbganjkgfhaafmhbo
- gfbgiekoflllpkpaoadjhbbfnljbcimoh
- ghabgolckcdgbbffijkkpamcphkfihgm
- glfondjanahgpmkgjggafhdnbbcidhgf
- gliolnahchemnmdjengkkdhcpdfehkhi
- gnmjmennllheofmojjffnidneaohheleln:
- hdgdghnfcappcodemanhafioghjhlbpb
- hdifogmldkmbjgbgffmkphfhpdfhjgmh
- hhhhbnnlkhiajhlfmedeifcninioppfaoo
- higffkddppmfcpkcolamkhcknhfhdlo
- hmakjfeknhkfmlckieeepnnldblejdbd
- icnekagcncdgpdnpoecofjinkplbnocm
- iejlgecgghdfnappmejmhkgkkakbefg
- igefbihdjmkhnofbmnaglkafpaansf
- igpfifinmdgadnepcpbdddpndnlkdela:
- iicpikopjmmincpjkckdngpkmlcchold:
- imfnolmlkamfqekhkhlpofldehsfghkhk
- jbolpidmijgjfkcpndcngibedciomlhd
- jjooglnnhofdiiccjbkjdcpplgdkbmo
- jlhmhmjkoklbnjjocicepjjpnnbhodj
- kafnldcilonjofangijbhknjhpffcd
- keecjmliebjajodgnbcegpmnalopnfcb
- kjeffohcijbnlkgoaibmdcfconakaajm:
- lcdafomaehnnhjgbgbdpgpagfcfgddg:
- lgjdgmdbfhobkdbcjnpnlmhnplnidkkp
- lhpbjmgkppampoeecnlfibfgodkfmapd
- likbpmomddfoeelgcmmgilhmefinonpo:
- lipmdblppejomolopniipdjlpfjcojob:
- lklmhefoneonjalpjcnhaidnodopinib:
- llcogfahhcbonemgkdjcjclaahplbldg
- lmcboojgmmaafdmgacncdpjnpnnhpmei
- lpejglcfpkpbjhmnnmpmmmlpblkcmdgmi
- magnkhldhgdlhikekhmhlhonpmlolk
- mcmdolplhpeopapnlpbjceoofpgmkahc
- meljmedplehjlnnaempfdokukjenf
- ponderhojomjfdcppbhhncbfakfjiabp
- nbocmbonjfbpnolapbknojklafhkmplk
- ngbglchnipjlikkfpfgickhnlpchdlco
- njglkaigokomaljoalkopeonkpbic
- obeokabcpoilgepbhlskoonmpgkhcp
- obfdmhekhgnjolghnhjhedaplpmpmpka
- oejfpkocfgochpkljdlmcnibecancpnl
- okclicinnbnfkgchommiamjnkjcibfid
- olkcbimhgpenhcboejacjpmohcincfdb
- ooaehdahoiljflijlaplnbeaeeimhbb
- pbdpfhmbdldfoiognphkiocpidecmbp
- pbebadpeajadcmaoofljnnfgofehnpeo
- pidecdgcabcolloikegacdjejomeodji:
- pinnfpbbjancnbidnnhpemakncopaega
Post a Comment