No wonder Google is struggling to keep up with the app store. As of Monday, researchers reported that hundreds of Android apps and Chrome extensions with millions of installs from the company’s official marketplaces contain features for sniffing user files, manipulating the contents of clipboards, and injecting deliberately obfuscated code into web pages.
Google removed many, but not all, of the malicious entries, the researchers said, but only after they were reported, and by then they were on millions of devices — and possibly hundreds of millions. The researchers are not satisfied.
A very sad place
“I’m not a fan of Google’s approach,” extension developer and researcher Wladimir Palant wrote in an email. In the days before Chrome, when Firefox had a larger share of the browser market, real people reviewed extensions before they were made available on the Mozilla marketplace. Google took a different approach by using an automated review process, which Firefox then copied.
“Since automated reviews often miss malicious extensions and Google is very slow to respond to reports (in fact, they rarely respond at all), this leaves users in a very sad place,” said Palant.
Researchers and security advocates have long criticized Google’s process for reviewing Android apps before making them available on the Play marketplace. The past week provides a grim reason for the displeasure.
On Monday, security firm Dr.Web reported finding 101 apps with a reported 421 million downloads from Play containing code that enabled a variety of spyware activities, including:
- Obtaining a list of files in specified directories
- Verifying the presence of specific files or folders on the device
- Sending a file from the device to the developer
- Copying or replacing the contents of the clipboard
ESET researcher Lukas Stefanko analyzed the apps reported by Dr.Web and confirmed the findings. In an email, he said that for file sniffing to work, users must first approve a permission known as READ_EXTERNAL_STORAGE, which, as the name implies, allows apps to read files stored on a device. While that’s one of the more sensitive permissions a user can grant, it’s required to perform many of the apps’ purported purposes, such as photo editing, managing downloads, and working with multimedia, browser apps, or the camera.
Dr.Web said the spyware features were provided by a software development kit (SDK) used to create each app. SDKs help streamline the development process by automating certain types of common tasks. Dr.Web identified the SDK that enables the snooping as SpinOK. Attempts to contact the SpinOK developer for comment were unsuccessful.
On Friday, security firm CloudSEK expanded the list of apps using SpinOK to 193 and said 43 of those remained available in Play. In an email, a CloudSEK researcher wrote:
The Android.Spy.SpinOk spyware is a very concerning threat to Android devices as it has the ability to collect files from infected devices and transfer them to malicious attackers. This unauthorized collection of files risks revealing or misusing sensitive and personal information. In addition, the spyware’s ability to manipulate the contents of the clipboard further increases the threat, potentially allowing attackers to access sensitive data such as passwords, credit card numbers, or other confidential information. The implications of such actions can be serious and lead to identity theft, financial fraud, and various privacy issues.
The week was no better for Chrome users who get extensions through Google’s Chrome Web Store. On Wednesday, Palant reported 18 extensions containing deliberately obfuscated code that contacted a server on serasearchtop[.]com. Once there, the extensions mysteriously injected JavaScript into every web page a user viewed. In total, the 18 extensions had about 55 million downloads.
On Friday, security firm Avast confirmed Palant’s findings, identifying 32 extensions with 75 million reported downloads, though Avast said the number of downloads may have been artificially inflated.
It’s not known exactly what the injected JavaScript did, because neither Palant nor Avast could see the code. While both suspect the purpose was to hijack search results and spam users with advertisements, they say the extensions went far beyond spyware and turned into malware instead.
“The ability to inject arbitrary JavaScript code into any web page has enormous abuse potential,” Palant explains. “Search page redirects are the only *confirmed* way this power has been abused.”
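The capability Palant describes is declared up front in an extension’s manifest: a content script matched against every URL, or broad host access combined with the scripting permission, is what lets an extension run code on any page a user opens. The following triage script is an added example (not code from the article, from Palant, or from Avast) that flags those declarations; the manifest it inspects is constructed for illustration and is not from any real extension.

```python
import json

# Constructed sample manifest (Manifest V3) modelled on the pattern the article
# describes: a content script on every page plus host access to every site.
SAMPLE_MANIFEST = json.dumps({
    "manifest_version": 3,
    "name": "Example Extension (constructed sample)",
    "version": "1.0",
    "host_permissions": ["<all_urls>"],
    "permissions": ["scripting", "storage"],
    "content_scripts": [
        {"matches": ["<all_urls>"], "js": ["content.js"], "run_at": "document_start"}
    ],
})

# Match patterns that cover every site rather than a named host.
BROAD_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def is_broad(pattern: str) -> bool:
    """True if a match pattern grants access to all sites."""
    return pattern.strip() in BROAD_PATTERNS


def triage_manifest(manifest_text: str) -> list[str]:
    """Return findings describing how an extension could run code on arbitrary pages."""
    m = json.loads(manifest_text)
    permissions = m.get("permissions", [])
    # Manifest V3 lists host patterns under host_permissions; V2 mixes them into permissions.
    hosts = m.get("host_permissions", []) + [
        p for p in permissions if "://" in p or p == "<all_urls>"
    ]
    findings = []
    if any(is_broad(h) for h in hosts):
        findings.append("broad host access: extension may read or modify any site")
    for i, cs in enumerate(m.get("content_scripts", [])):
        if any(is_broad(p) for p in cs.get("matches", [])):
            findings.append(f"content_scripts[{i}] runs on every page: {cs.get('js', [])}")
    if "scripting" in permissions and any(is_broad(h) for h in hosts):
        findings.append("scripting + broad hosts: can inject JavaScript into any page at runtime")
    return findings


if __name__ == "__main__":
    for finding in triage_manifest(SAMPLE_MANIFEST):
        print(finding)
```

A hit is not proof of malice (many legitimate extensions need all-site access), but it marks the extensions whose code deserves a close read before installation.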