Skip to main content

Don't use that APK site!

 A whileback, Brock and I were impatiently waiting for WiGLE's beta app update. It was was WiGLE just added bluetooth to their platform and it was a big move for us (was that like, 2 years ago?). I went to get the app from WiGLE, but Brock simply google'd the app and downloaded it. I was unsure how this page was already a google result, and he showed me he downloaded it from another apk site. When I objected, he didn't understand. I explained the dangers Rogue Apps present, but also, I then downloaded it anyway to see if my concerns were justified on an old-lab-phone. 

Rogue applications are those which are not created and published by the developer. In general, rogue apps are an Android centered issues (and FireOS - ketchup; fancy ketchup). Back in 2018, RSA published a white paper in which 28% of online fraud were rogue apps, and has seen a 300% surge in 2019. 

Before discussing what's wrong with rogue apps, let's use an example:

Instagram's legitimate Android app: 

  • https://play.google.com/store/apps/details?id=com.instagram.android&hl=en_US

Instagram rogue apps - for the sake of my argument I made sure I linked ones that as of Aug 13th were all the same version 153.0.0.34.96

  • https://instagram.en.uptodown.com/android/download
  • https://apkpure.com/instagram/com.instagram.android/variant/153.0.0.34.96-APK
  • https://www.apkmirror.com/apk/instagram/instagram-instagram/instagram-instagram-153-0-0-34-96-release/instagram-153-0-0-34-96-android-apk-download/download/
  • https://www.androidapksbox.com/apk/instagram-153-0-0-34-96-236572319-old-apk/
    • this website even has the verified hashes published, but we'll get back to that
      • published MD5: eda1e31e06ef33befe363baf4d933712
      • actual MD5 hash of file downloaded: AF63391C984586B94C0628E9110EB0B1
      • published SHA-1: 554405e32a708c29adbd04b8a3914c255380ba79
      • actual SHA-1 hash of file downloaded: 8BF651DA9CE9A052C52A38F7DE978C4C13935221
What's wrong with Rogue Apps:

  1. The app has been modified since the developers' publication. I assume - if this was an desktop application people would take it more seriously. But for some reason, the risk of having an app with privileged access to your device does not trouble many people
    I'm not sure why the apk site in the fourth example above published the hashes of the legitimate application, when their hashes would not match? I'm sure it's to give a false sense of security on the site, suspecting that no one would actually checking the hashes. 
    • Future research on this can be done by reverse engineering the app. 
  2. Many times, these apk sites add ads on top of the app to make money for themselves. As mentioned, I downloaded an apk and an add occurs every time I relaunch the app, or after keeping the app up on my screen for extended periods of time. The advertisements are making the apk sites money - that's why there are so many different apk sites. These sites simply mirror the original app, add their own content, and make the modified app the one for download. 
    1. Personally, I find advertising to be annoying, although that's not a malicious interaction. Why have an app with ads, when the legitimate app does not? 
    2. Someone else is making ad profit off others' work. Of course, this is copyright infringement against the legitimate app developer. While content theft is wrong, I find it extra venomous that the apk site makes money of the legitimate developers' work. 
    3. Malvertising. The ad services the apk sites use are bottom of the barrel, common ads. The barrier for entry to advertise with these services is very low, and it's very easy to slip in malicious advertising. 
  3. Worse case scenario, it's phishing. The first two objections are almost always present when downloading from apk sites or other sources of rogue apps. Of course, that would lead to pharming that data out on forums and markets which trade credentials and identities. The idea that "I don't have any money to steal, whatever" is a little bit toxic because more often than not, it is your credentials, personal information, and identity that is being stolen, not your money. Of course, we can lump in all forms of malware under this section as well. Mobile malware is more common than you think, my absolute favorite is the Cerberus Android malware (but more on that later). 

anyway, just wait for the update on Google Play.

Comments

Popular posts from this blog

The big list of remote job openings

From a conversation in my Discord ; one member brought up a lot of the best remote jobs and job boards come from Twitter. This is a decentralized way of distributing information, which is better than not sharing the information but can be hard to find.  This list is not a replacement for that, but it's pretty close. Here's the master remote vacancy list for remote jobs in the United States. This job board is in no way just for IT jobs, there are all sorts of jobs from sales, teaching, upper management, data entry, design, customer service, and more. Take a look if you're looking for a new job.  Some Tips: Try searching the full row for the job in Google. There are better job boards where the job posting is more up to date; instead of using the link provided. Don't spam one company, make sure if you're using the shotgun approach, you aren't letting the companies you're applying for know that There's a lot of advice on how to get a job online. Some of you

Overwriting Deleted Files in Windows

 Once a file is deleted, most operating systems will still hold on to the file. The link between the operating system and the file is removed, but the data is still on the disk waiting to be overwritten or used for something else. A common utility seen in the wild is Eraser  but it's a bloated utility that takes a long time. It's a good utility if you really need to overwrite a Windows machine more than 3 times - but the use case for this is minimal.  pause: this article surrounds mostly HDD, as files are recoverable on these drives if not overwritten. For SSDs, this is just going to cause more wear to your drive! An underutilized tool is cipher . In Windows, it displays or alters the encryption of directories and files on NTFS volumes. But, with the option w  it overwrites deleted files and empty space of a drive. You can use it on the same drive the OS is located, external drives, and removable media. It's easy to use! If your OS is installed on C: and you want to remove

Wardriving OSINT & SE

 Disclaimer: do NOT use this information to be a jerk. Don’t try to get the location of my examples, or you’re a big meanie. There's already a post out there about tracking people with wifi. It's helpful for those who use a hotspot or maybe a vehicle hotspot. I believe a personal device that broadcasts Bluetooth is more likely than a hotspot.  Tracking What wardriving can’t do = track people via Bluetooth devices Or shouldn’t be able to work. Most modern Bluetooth devices use MAC randomization, which changes the MAC address of the Bluetooth device at random. Even if you can track a device it may only be short-term, as it’ll change again.  But sometimes they don't turn over to a randomized MAC. Do what you will with that. If you want to see how easy it is to make a random MAC go here . But what if you only need a short-term answer? Better start stumblin’. Let’s forget the purpose of needing that MAC address long-term. With all MAC addresses, OUI can tell you what the