Don't use that APK site!

A while back, Brock and I were impatiently waiting for WiGLE's beta app update. WiGLE had just added Bluetooth to their platform, and it was a big move for us (was that like, 2 years ago?). I went to get the app from WiGLE, but Brock simply googled the app and downloaded it. I was unsure how this page was already a Google result, and he showed me he had downloaded it from another APK site. When I objected, he didn't understand. I explained the dangers rogue apps present, but I then downloaded it anyway onto an old lab phone to see whether my concerns were justified.

Rogue applications are those which are not created and published by the developer. In general, rogue apps are an Android-centered issue (and FireOS - ketchup; fancy ketchup). Back in 2018, RSA published a white paper reporting that 28% of online fraud came from rogue apps, and rogue apps saw a 300% surge in 2019.

Before discussing what's wrong with rogue apps, let's use an example:

Instagram's legitimate Android app: 

  • https://play.google.com/store/apps/details?id=com.instagram.android&hl=en_US

Instagram rogue apps - for the sake of my argument, I made sure to link ones that, as of Aug 13th, were all the same version, 153.0.0.34.96:

  • https://instagram.en.uptodown.com/android/download
  • https://apkpure.com/instagram/com.instagram.android/variant/153.0.0.34.96-APK
  • https://www.apkmirror.com/apk/instagram/instagram-instagram/instagram-instagram-153-0-0-34-96-release/instagram-153-0-0-34-96-android-apk-download/download/
  • https://www.androidapksbox.com/apk/instagram-153-0-0-34-96-236572319-old-apk/
    • this website even has the verified hashes published, but we'll get back to that
      • published MD5: eda1e31e06ef33befe363baf4d933712
      • actual MD5 hash of file downloaded: AF63391C984586B94C0628E9110EB0B1
      • published SHA-1: 554405e32a708c29adbd04b8a3914c255380ba79
      • actual SHA-1 hash of file downloaded: 8BF651DA9CE9A052C52A38F7DE978C4C13935221

What's wrong with Rogue Apps:

  1. The app has been modified since the developer's publication. I assume that if this were a desktop application, people would take it more seriously. But for some reason, the risk of running a modified app with privileged access to your device does not trouble many people.
    I'm not sure why the APK site in the fourth example above published the hashes of the legitimate application when the hashes of its own download would not match. I suspect it's to give a false sense of security on the site, assuming that no one would actually check the hashes. 
    • Future research on this can be done by reverse engineering the app. 
  2. Many times, these APK sites add ads on top of the app to make money for themselves. As mentioned, I downloaded an APK, and an ad appears every time I relaunch the app, or after keeping the app up on my screen for an extended period of time. The advertisements are making the APK sites money - that's why there are so many different APK sites. These sites simply mirror the original app, add their own content, and make the modified app the one offered for download. 
    1. Personally, I find advertising annoying, although that's not a malicious interaction. Why have an app with ads when the legitimate app does not? 
    2. Someone else is making ad profit off others' work. Of course, this is copyright infringement against the legitimate app developer. While content theft is wrong, I find it extra venomous that the APK site makes money off the legitimate developer's work. 
    3. Malvertising. The ad services the APK sites use are bottom-of-the-barrel, common ad networks. The barrier to entry for advertising with these services is very low, and it's very easy to slip in malicious advertising. 
  3. Worst case scenario, it's phishing. The first two objections are almost always present when downloading from APK sites or other sources of rogue apps. Phishing, of course, leads to that stolen data being pharmed out on forums and markets which trade credentials and identities. The idea that "I don't have any money to steal, whatever" is a little bit toxic, because more often than not, it is your credentials, personal information, and identity that are being stolen, not your money. Of course, we can lump all forms of malware under this section as well. Mobile malware is more common than you think; my absolute favorite is the Cerberus Android malware (but more on that later). 
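As an added example (not code from this post or from any of the sites linked above), here is the check that objection 1 and the hash mismatch listed under the fourth mirror call for: hash the downloaded file in chunks and compare each digest, case-insensitively, with what the site published. The published MD5 and SHA-1 values are the ones quoted above; the "downloaded file" is a constructed byte string standing in for the real APK, and the function names are my own.

```python
"""Verify a downloaded APK against the hashes a mirror site publishes.

Added example, not code from the original post. The published MD5 / SHA-1
values are the ones quoted in the post; the downloaded file is a constructed
stand-in so the numbers here are reproducible offline.
"""
import hashlib
import io
from typing import BinaryIO, Dict, Iterable, Tuple

# Hashes the fourth mirror published for Instagram 153.0.0.34.96 (quoted in the post).
PUBLISHED_HASHES = {
    "md5": "eda1e31e06ef33befe363baf4d933712",
    "sha1": "554405e32a708c29adbd04b8a3914c255380ba79",
}

# Constructed stand-in for the downloaded file; a real APK is read from disk with digest_file().
DOWNLOADED_FILE = b"abc"

DEFAULT_ALGORITHMS = ("md5", "sha1", "sha256")


def digest_stream(stream: BinaryIO, algorithms: Iterable[str] = DEFAULT_ALGORITHMS,
                  chunk_size: int = 1 << 20) -> Dict[str, str]:
    """Hash a file-like object in chunks so a multi-hundred-MB APK never has to fit in RAM."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            break
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def digest_bytes(data: bytes, algorithms: Iterable[str] = DEFAULT_ALGORITHMS) -> Dict[str, str]:
    """Convenience wrapper for in-memory data (used for the constructed sample)."""
    return digest_stream(io.BytesIO(data), algorithms)


def digest_file(path: str, algorithms: Iterable[str] = DEFAULT_ALGORITHMS) -> Dict[str, str]:
    """Hash a file on disk, e.g. the APK you just downloaded."""
    with open(path, "rb") as f:
        return digest_stream(f, algorithms)


def compare_hashes(actual: Dict[str, str],
                   published: Dict[str, str]) -> Dict[str, Tuple[str, str, bool]]:
    """Compare per algorithm, case-insensitively (sites print hex in either case).

    Only algorithms present in both dicts are compared; the result maps
    algorithm -> (published, actual, matched).
    """
    report = {}
    for algo, expected in published.items():
        if algo not in actual:
            continue
        exp, got = expected.strip().lower(), actual[algo].lower()
        report[algo] = (exp, got, exp == got)
    return report


def is_trustworthy(report: Dict[str, Tuple[str, str, bool]]) -> bool:
    """One mismatch means the bytes are not what the site claims: treat the file as modified.

    An empty report (no algorithm in common) also fails: no evidence is not good evidence.
    """
    return bool(report) and all(matched for _, _, matched in report.values())


if __name__ == "__main__":
    report = compare_hashes(digest_bytes(DOWNLOADED_FILE), PUBLISHED_HASHES)
    for algo, (expected, got, ok) in report.items():
        print(f"{algo}: published={expected} actual={got} -> {'OK' if ok else 'MISMATCH'}")
    print("trustworthy" if is_trustworthy(report) else "do not install")
```

Run it against a real download with `digest_file(path)`. A mismatch, as with the fourth mirror above, is a hard stop. Keep in mind that even a matching hash only proves the file equals whatever the mirror described, not that it is the developer's build; the stronger check is whether the APK's signing certificate matches the developer's, which `apksigner verify --print-certs` from the Android SDK build-tools will print for comparison.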

Anyway, just wait for the update on Google Play.
