Google’s latest steps will make it harder for malicious developers trying to exploit Chrome users via browser extensions.
Extensions are plugins for Google Chrome that allow developers to add extra functionality to the Web browser. Many Chrome extensions are supremely useful, such as Ghostery, which quickly and easily detects and blocks Web trackers tagging your movements across the Web; the goo.gl URL shortener; and ViewThru, which displays the full URL when you mouse over a shortened link. Others, like the “Change Your Facebook Color” extension pointed out by Webroot, are privacy-violating scams peeping at the browsing history and data from other Web sites. Spam-spewing extensions also exist.
While many of these extensions were accidentally installed by users who were tricked into downloading them, many others were installed without the user’s knowledge by dodgy applications using Chrome’s auto-install feature. To address that problem, Google has removed auto-installs in the latest version of Chrome.
No More Auto-Installs
Google originally included the auto-install feature to allow applications to install an additional Chrome extension during its own installation process. This was intended to simplify the installation process so that users didn’t have to add the extension manually afterwards.
“Unfortunately, this feature has been widely abused by third parties to silently install extensions into Chrome without proper acknowledgement from users,” Peter Ludwig, a product manager at Google, wrote on the Chromium blog.
Chrome (version 25 for those counting) will now block an application trying to auto-install an extension and display an alert informing the user about the new extension, listing some of the things it can do (such as “Access your data on all Websites” and “Read and modify your bookmarks”).
Chrome 25 also automatically disables any extensions that were previously installed using the auto-install feature. If the user wants to re-enable the extension, the browser will display a one-time prompt explaining what each extension wants to do before allowing them to be turned back on.
Stopping Malicious Extensions
Google also appears to have a new service which analyzes “every extension that is uploaded to the Web Store and take down those we recognize to be malicious,” according to the support pages for the Chrome Web Store. There isn’t a lot of information about the service at this time, so it’s not known whether Google is using an automated scanner similar to Google Bouncer checking apps in Google Play (or if Bouncer itself is handling both markets).
Google has recently cracked down on extensions. Back in July, Google changed Chrome so that users could only install extensions found in the Chrome Web Store, and not from third-party sites.
You might want to think twice about that Android app you’re about to download. Even if Google’s built-in malware scanner gave it a green light, there’s still a chance it could be a fake.
Google was applauded earlier this year for launching “Bouncer,” a scanning service designed to identify malicious apps in its Play Market (formerly known as the Android Market) before Android users mistakenly download them. But, according to two notable security researchers, the tech giant’s bodyguard feature can be easily tricked.
At this week’s SummerCon conference in New York, Charlie Miller and Jon Oberheide will demonstrate the specifics of how Google Bouncer tests potentially harmful apps, and how they were able to exploit their newfound knowledge to sneak an app right past the doorman.
Google’s Bouncer service tests apps it deems hazardous in a “virtualized environment,” Andy Greenberg from Forbes reported.
Rather than testing the sketchy software on an actual device, Google creates a simulated phone. But this, Greenberg said, is where the cracks start to form.
“If malware can be designed to detect that it’s running on that simulated gadget rather than the real thing, it can temporarily suppress its evil urges, pass Google’s test and make its way onto a real phone before wreaking havoc,” he wrote.
To press the bouncer-nightclub metaphor, Miller and Oberheide found a way to get a weapon-wielding minor into a bar by making him look, temporarily, like a sweet old lady.
Miller and Oberheide took advantage of the simulated malware testing environment by submitting a testing app to the Play Market that gave them remote access to a device in order to analyze Bouncer’s scans. What they found, Greenberg said, is that every virtualized Android device used by Bouncer is registered to the same account, Miles.Karlson@gmail.com, and, to pose as a real phone user, contains just one contact, Michelle.email@example.com.
“The question for Google is, how do you make it so the malware doesn’t know it’s running in a simulated environment,” Oberheide told Forbes. “You want to pretend you’re running a real system. But a lot of tricks can be played by malware to learn that it’s being monitored.”
To poke holes in Google’s facade, the researchers crafted a malicious Android app called HelloNeon and submitted it to the Play Market on June 3. The app made it through Bouncer’s scan untouched.
Google did not immediately return a request for comment from SecurityNewsDaily.
Copyright 2012 SecurityNewsDaily, a TechMediaNetwork company. All rights reserved. This material may not be published, broadcast, rewritten or redistributed.
Malware authors are using the popularity of the Angry Birds series of games as a way to infect the smartphones of users who download the Trojanized game from unofficial Android app stores, according to a security software firm.
In an April 12 post on SophosLabs’ NakedSecurity blog, Graham Cluley said the Trojan horse masquerades as the Angry Birds Space game. When downloaded, the malware installs its malicious code onto the device.
“The Trojan horse, which Sophos detects as Andr/KongFu-L, appears to be a fully functional version of the popular smartphone game, but uses the GingerBreak exploit to gain root access to the device, and install malicious code,” Cluley wrote. “The Trojan communicates with a remote Website in an attempt to download and install further malware onto the compromised Android smartphone.”
Andr/KongFu-L is a known Android Trojan.
Once the malware is installed and the Android device compromised, cyber-criminals can then send instructions that will lead to more malicious code being downloaded or URLs being displayed in the smartphone’s browser, he wrote.
“Effectively, your Android phone is now part of a botnet, under the control of malicious hackers,” Cluley wrote.
The Trojan that pretends to be the Angry Birds Space game from Rovio can be downloaded from third-party unofficial Android app stores, though SophosLabs did not name any of those stores. Cluley said the version of Angry Birds Space in Google Play, Google’s official apps store—formerly called Android Market—is not affected by the malware.
Rovio also posted a warning on its Website about malware-infested versions of the game: “As you get ready to pop pigs in zero gravity, watch out for fake versions of Angry Birds Space, and make sure to download safe by getting the official game from Rovio.”
As smartphones increase in popularity with both enterprise users and consumers, they’re also becoming a growing target of cyber-criminals. According to a report released in February by Juniper Networks, malware specifically targeted at mobile operating systems more than doubled in 2011, growing by 155 percent across all platforms—including Apple’s iOS, Google’s Android, Research In Motion’s BlackBerry and Nokia’s Symbian.
Android saw the biggest leap in malware incidents, according to the Juniper report. Malware targeting Android grew 3,325 percent in the last seven months of 2011, and Android malware accounted for 46.7 percent of unique malware samples that targeted mobile platforms, followed by 41 percent for Java Mobile Edition.
According to Juniper, Android’s diverse and open marketplace—where developers can post their apps—and the platform’s growing market share made it an attractive target for cyber-criminals. It has almost half of the mobile operating system market, according to analysts.
“Hackers are incented to target Android, because there are simply more Android devices as compared to the competition,” Daniel Hoffman, chief mobile security evangelist at Juniper, said when his company’s report was released.
Hoffman said Google’s “Bouncer” service, which scans apps in the official Android marketplace and removes offenders, is making it more difficult for scammers to upload malicious apps. Bouncer, which began operating in the second half of the year, will “certainly help” reduce infection rates from known threats downloaded from the official market, he said.
Sophos’ Cluley said users of Android-based mobile devices need to take care when they decide to download an app.
“It feels like we have to keep reminding Android users to be on their guard against malware risks, and to be very careful—especially when downloading applications from unofficial Android markets,” he said.