Soon after the discovery of the QuadRooter vulnerability, a remedy appeared on the Google Play
app store. Unfortunately, neither of the two apps named “Fix Patch QuadRooter”
by Kiwiapps Ltd. would patch the Android system. Already pulled from Google
Play on ESET’s notice, these apps were malicious, serving their victims with
unwanted ads. On top of that, one of them required payment (costing 0.99 EUR).
In connection with this discovery, we put a few
questions to Lukáš Štefanko, an ESET researcher specializing in Android
malware.
How big a deal are those two fake patch apps you
discovered?
In terms of the harm they’ve caused, it was
marginal. They only reached a limited number of downloads and even those who
ran them didn’t experience anything terrible. Those apps simply served their
victims with ads. That’s all the harm – apart from that one-euro charge for
those who opted for the paid version.
However, this is the first time we’ve seen this
type of cover specifically for mobile malware. To be clear, in the past we have
seen this technique used in the world of Windows. In that instance, hackers
tricked online stores into installing a fake security patch for a critical
vulnerability in the Magento ecommerce platform. That so-called “ShopLift bug”
allowed attackers to easily gain admin access to vulnerable e-stores. One of
the attacks – opened one full year after the vulnerability was patched – relied
on a fake patch that delivered malware, which then exploited the very bug that
it was supposed to be fixing.
Well then, mimicking a patch may be a believable
cover …
Yes, and that is what’s really interesting; it
targets a new audience – those who do care about the security of their system.
In the Android ecosystem, the most common covers
for malicious apps are connected to popular games: free versions, tutorials,
cheats … Quite frankly, security is not a top priority for those who fall
victim in such cases.
Do you expect the bad guys will start using fake
patches on a massive scale?
Hopefully not. However, we should make people aware
of this threat.
What worries me, for example, is that fake patches
– on top of having the potential to really attract users’ attention – have a
valid reason to require every possible permission.
And that’s true – if they are supposed to fix the
system, no one would complain about excessive rights … The problem is that
people don’t know that an app can’t act as a system patch.
If an app promises to make a fix within your
system, it’s a scam. Period.
Please, could you highlight this in your article?
Yes, it will scream from the page. Hopefully, it’ll
work. By the way, how can users fix QuadRooter vulnerabilities if fake patches
don’t work?
What’s important is that QuadRooter needs to be
delivered in the form of an app. It’s a threat only if you have “Unknown
Sources” enabled in your settings and manually install an app from some
untrusted source. On the other hand, if you have Android’s “Verify Apps”
feature enabled – enabled by default in all Android versions since 4.2 Jelly
Bean – you are protected. When trying to install an app using the QuadRooter
exploit, Android would display the “Installation has been blocked” message –
and leave you with no option to ignore the threat and install the app anyway.
That’s fine, but it’s kind of a last line of
defense while having the system vulnerable, at least technically, right?
You are right, but patching is not an easy thing in
the Android ecosystem.
A true patch has been prepared by Android
developers for three of those four vulnerabilities, the remaining one being
under current development. And as for patching your system, it depends on your
device’s manufacturer. For the foreseeable future, most users will have to rely
on the Verify Apps line of defense …
… and not fall victim to some contextual attack.
True. Look, you often face news about a staggering
number of endangered users. But the real importance of a threat often has
nothing to do with those numbers. If you stick with the very basic rules for
safe behavior, you are reasonably safe.
That said, over time you should observe and learn
new lessons. The actual one here is if an app promises to make any fix to your
system, it’s a scam.