And this right here is why you use open source apps.
This only would work if you check every line of source code, even the dependencies and build chain, and then build it yourself. See xz utils backdoor or heartbleed, etc.
check every line … yourself.
🚩🚩🚩
A very classic lie, disinformation, used to spread anti-libre software. Anti-libre software bans us, not only me but everyone else, from removing malicious source code.
Very disingenuous of you to fight a strawman and proclaim victory by claiming that I said things which I never did. But if that’s what floats your boat. But for everyone else, try to find any mention of anti-libre software in the original claim.
Exactly. Neckbeards love to pretend open source magically has no security vulnerabilities, and that the ability to inspect the source means you’ll never install anything nefarious.
I expect all of them to have read the source for every single package they’ve ever installed. Oh and the Linux source too, of course
The whole point is that at some point somebody can check, and you can have a higher level of trust in that than proprietary software.
And if someone does something like this then it has to be disguised as an innocuous bug, like heartbleed, they can’t just install full on malware.
It’s a different beast entirely.
If we are talking about bigger projects with hundreds of thousands or millions of downloads, than this may be true. But smal scale projects have so few people actively looking through them that even to automatic scan done by the playstore has a higher chance of catching malware. It doesn’t even have to be bad intent, two years ago there was a virus propagating trough the Java class files in minecraft mods which reached the PCs of quite a few devs before it was caught.
I don’t dislike FOSS, a lot of the apps I use come straight from github, but all this talk about them beeing constantly monitored by third parties is just wishful thinking.
Yes, of course. However, when it’s open source, at least somebody is capable of checking those things, even if it is not you. Somebody in the community is capable of doing so.
Yes, that is true, but let’s not pretend that just because some one is theoretically able to, that all source code is constantly monitored by 3rd parties.
The thing is we only know about these vulnerabilities in such great detail because the projects are open source. God knows what kund of vulnerabilities are hidden in closed source software.
Yes, but we don’t know what we don’t know. There are many problems like that in open source too, and even if we can look nobody does.
Therefore I find it problematic to say that just because you use open source programs you’re safe like the parent tried to.
If you download apps from fdroid, at the very least you can be sure that the binary is 100% generated from the provided source code, the devs can’t pull a switcheroo like submitting an altered version of app (e.g. inserting malware) that doesn’t match the published source code.
You’re right, I should clarify better. When I say open source, what I mean is totally open and totally free to contribute to, like the MIT or patchy licenses. Source viewable is a whole different can of worms and not what I mean, so I should be more specific in future.
Can’t steal my bank info if I use cash only…
You’re only robbing yourself if you go cash only. $1 will be worth less tomorrow than it is today.
The $1 in your scam account is worth the same as a real $1 bill. Maybe less when the entire financial system inevitably collapses in on itself as the rest of the world does and people will actually value real money again.
If that actually happens money is literally just paper at that point.
The $1 in my account actually grows. Sorry you don’t understand basic finance.
That is correct, but you do lose out on all investments that have generated the wealth to make people wealthy these days.
So let’s say inflation was 4 percent for the year and you could have made 10 percent invested in stocks for the year, you would have made 6% profit on your money for the year. Instead you lost 4% that year.
That difference could make or break someone long term, completely different retirement options.
How though. Over here cash isn’t accepted anymore at most places. I only use cash for buying drugs. Most stores and groceries only accept card. Same with bars and clubs. I honestly have no idea besides drugs what to use cash for.
I cannot imagine such a dystopian, nightmarish place where you can only pay with something that personally identifies you. Congrats for living in a nightmare. I’d leave.
Yeah, sure, where to? I live in the Netherlands, one of the wealthiest countries. I’ve seen many parts of the world in my time in the navy. There aren’t many places better then here, honestly. Only Norway scores higher, they have a lot of things worked out much better then the rest of us. But paying with plastic is very common there too. Also, digitalization doesn’t have to be bad. Look at Estonia, I think many countries can benefit from their system. See here a video on it by Kraut. There’s a difference between digitalization and a system like China has. But my expenses should be private at least, so cash would be best. They just make it harder every day. We used to be able to say “I’m not interesting, no one cares what I do, no one is going to check me”. But now we have AI, now every one of us indeed IS interesting. And everyone is being checked to teach the algorithm. Countries with few laws to protect privacy and welfare of it’s inhabitants, like the US for example, can turn to a totalitarian control state in no time with just one crazy idiot as a leader. At least the US never had idiots as president 👀. At least the US doesn’t have a history of wanting to collect everyone’s data 👀. At least they are not actively doing anything with the data, like China or Russia does 👀.
But on your point of living in a dystopian world: Yeah, we fucking do. But it doesn’t matter where we live. It’s dystopian everywhere. We live in World War III while we have to fight to get the bare minimum of privacy, we must work our ass off for the bare minimum of living standards and we buy products we do not own. Difference between the rich and poor has never been as high as now and the military strongest countries are run by idiots and dictators. Mass amount of people see Elon Musk as our savior for a better future, the biggest narcissistic hypocritical scam artist our there. At least Trump isn’t president anymore. Oh wait… Seriously, the movie Idiocracy isn’t a comedy, it’s a documentary. I seriously think the US would benefit if it had Dwayne Elizondo Mountain Dew Herbert Camacho as president over Trump.
While the rest of the world turns more extremist every day (especially right wing) with rising world tensions.
So if I plan on moving it will be out of the world of the living at best.
iOS user: That’s a shame.
But seriously, this sucks and is why Google needs more rigorous vetting of apps that go into the store. Sure, you sideload, that’s your problem. But if on the Play Store, the general Android user would think there’s some good level of governance.
Of course there’s a measure of caveat emptor here. So hopefully it’ll teach people to be wary of what information they freely give out.
LOL, well I guess the Reddit masses are on Lemmy full swing now. Enjoy the malware, I’ll continue laughing about it.
Aren’t apps on android hermetically sealed from other apps and malware. How could this be achieved ?
Android as a system has too many moving parts. You not only have to worry about various device manufacturers compiling their own versions of AOSP, you have to worry about how manufacturers package unremovable apps like facebook, candy crush, etc.
The backdoor is actually the front door… and it is app vendors who are actually the customers… not the phone owners.
The main reason smartphones took off is that business people were salivating at an always on, always listening device with 10+ sensors collecting data on this whole world. And we pay for the privilege.
Android has to be designed to collect data and show you ads. Is it really surprising that security here is just security against free access to this data from outsiders… and not caring about your security?
As an Android developer that comment makes me sad. Then I remind myself that Lemmy is full of people who migrated from Reddit.
For a real answer here’s the Zscaler blog write up: https://www.zscaler.com/blogs/security-research/technical-analysis-anatsa-campaigns-android-banking-malware-active-google
It looks like they are doing it after app install with a malicious patch. This patch asks for SMS and accessibility access to gain privileges necessary to get into the banking apps. I haven’t thoroughly read it but just looking at the attack chain that’s what I gleaned.
Why? They’re absolutely right. The article doesn’t say anything about a root exploit or phishing either so were left wondering…
He’s being condescending because he believes as a developer nothing is actually fully secure. If I spend 100 hours building and securing something, that’s not going to stack up very favorably vs the 1,000’s or even 1,000,000’s of hours attackers and communities can spend trying to break my security layers.
Basically, he’s a dick in how he answered the question, but the truth every software engineer learns, is that there is no fully secure system. There’s always an angle/attack vector you didn’t think of and secure.
Since the other reply was unhelpful: apps are supposed to have limited privileges and isolation from each other, yes… But the whole point of malware like this is that they figure out ways to break those restrictions and get escalated privileged.
You can get more technical detail from reading the report, in this case it looks like the app does not contain malware, but instead requests an update after install that contains the bad code and then breaks the app limitations and scans for the target banking applications and copies the security certificates.
As somebody who occasionally had to develop for android: the churn of improvements to app security was a huge pita. And as a user I know many of the abandoned apps that I liked that lost compatibility was for that reason.
So the fact that in spite of this pain, Android security still allows apps to do horrible crap like that is infuriating.
The app doesn’t contain malware when it’s uploaded to the play store. It forced an update after it’s installed that contains the malware.
That’s not what I mean. I’m not thinking about Play Store security, but Android OS security. Like, your app physically has to ask for permission (or even require the user manually change settings) to do most unsafe things.
If you read the original report, it says that it basically just displays a fake banking login page. It also says that it requested accessibility service permissions, which makes me think maybe it brought up the fake login pages “in the right moment” (as in as users opened their banking apps) to make it more convincing, even though the article doesn’t specify that.
Either way, IMO the problem here is clearly with the Play Store allowing this app in, and not with Android’s security itself. These apps are misusing the accessibility service system, which is obviously necessary for a ton of important use cases (and of course also requires the user to grant very explicit permission). The fact that the accessibility services are a thing doesn’t delegitimize Android’s security improvements over the years.
If a user can open their baking app, and this app can sense that and open instead, then that is 100% an Android issue. That behaviour shouldn’t be possible.
“Accessibility service permissions” is a higher level of permissions than most apps get and Android will be all like “bro, are you sure you want to grant this app that kind of access and control? You really sure?” I’ve got a few apps on my phone with that level of permissions including one written by Google. They’d simply be unable to do their job without that level of access, jobs which have been straight-up good for my physical health. Ultimately there’s a balance between security and letting the user do what they want.
