
Don't use that APK site!

A while back, Brock and I were impatiently waiting for WiGLE's beta app update. It was when WiGLE had just added Bluetooth to their platform, and it was a big move for us (was that like, 2 years ago?). I went to get the app from WiGLE, but Brock simply googled the app and downloaded it. I was unsure how this page was already a Google result, and he showed me he had downloaded it from another apk site. When I objected, he didn't understand. I explained the dangers rogue apps present, but then I downloaded it anyway on an old lab phone to see if my concerns were justified.

Rogue applications are those which are not created and published by the developer. In general, rogue apps are an Android-centered issue (and FireOS - ketchup; fancy ketchup). Back in 2018, RSA published a white paper in which rogue apps accounted for 28% of online fraud, and it has seen a 300% surge in 2019.

Before discussing what's wrong with rogue apps, let's use an example:

Instagram's legitimate Android app: 

  • https://play.google.com/store/apps/details?id=com.instagram.android&hl=en_US

Instagram rogue apps - for the sake of my argument I made sure I linked ones that, as of Aug 13th, were all the same version, 153.0.0.34.96:

  • https://instagram.en.uptodown.com/android/download
  • https://apkpure.com/instagram/com.instagram.android/variant/153.0.0.34.96-APK
  • https://www.apkmirror.com/apk/instagram/instagram-instagram/instagram-instagram-153-0-0-34-96-release/instagram-153-0-0-34-96-android-apk-download/download/
  • https://www.androidapksbox.com/apk/instagram-153-0-0-34-96-236572319-old-apk/
    • this website even has the verified hashes published, but we'll get back to that
      • published MD5: eda1e31e06ef33befe363baf4d933712
      • actual MD5 hash of file downloaded: AF63391C984586B94C0628E9110EB0B1
      • published SHA-1: 554405e32a708c29adbd04b8a3914c255380ba79
      • actual SHA-1 hash of file downloaded: 8BF651DA9CE9A052C52A38F7DE978C4C13935221
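
The published-versus-downloaded comparison in the last list item can be scripted. This is an added example, not part of the original post: the function names are illustrative, and the two dictionaries hold the hash values exactly as listed above.

```python
import hashlib
import hmac

# Values exactly as listed above for the fourth download site.
PUBLISHED = {"md5": "eda1e31e06ef33befe363baf4d933712",
             "sha1": "554405e32a708c29adbd04b8a3914c255380ba79"}
DOWNLOADED = {"md5": "AF63391C984586B94C0628E9110EB0B1",
              "sha1": "8BF651DA9CE9A052C52A38F7DE978C4C13935221"}


def file_digests(path, algorithms=("md5", "sha1"), chunk_size=1 << 20):
    """Read the file once, in chunks, feeding every requested hash."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for hasher in hashers.values():
                hasher.update(chunk)
    return {name: hasher.hexdigest() for name, hasher in hashers.items()}


def normalize(hex_digest):
    """Sites and tools differ in case and separators; keep hex digits only."""
    return "".join(c for c in hex_digest.lower() if c in "0123456789abcdef")


def compare(published, computed):
    """Per-algorithm result; an algorithm missing from `computed` fails."""
    return {name: hmac.compare_digest(normalize(value),
                                      normalize(computed.get(name, "")))
            for name, value in published.items()}


def verify_file(path, published):
    """True only if every digest the site published matches the file."""
    results = compare(published, file_digests(path, tuple(published)))
    return bool(results) and all(results.values())


if __name__ == "__main__":
    for name, ok in compare(PUBLISHED, DOWNLOADED).items():
        print(f"{name}: {'match' if ok else 'MISMATCH'}")
```

A match only shows that the file is the one the hash was computed from. It says nothing about who built the file when the hash comes from the same site that serves the download.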

What's wrong with Rogue Apps:

  1. The app has been modified since the developers' publication. I assume that if this were a desktop application, people would take it more seriously. But for some reason, the risk of having an app with privileged access to your device does not trouble many people.
    I'm not sure why the apk site in the fourth example above published the hashes of the legitimate application, when their hashes would not match. I'm sure it's to give a false sense of security on the site, suspecting that no one would actually check the hashes.
    • Future research on this can be done by reverse engineering the app. 
  2. Many times, these apk sites add ads on top of the app to make money for themselves. As mentioned, I downloaded an apk, and an ad occurs every time I relaunch the app, or after keeping the app up on my screen for extended periods of time. The advertisements are making the apk sites money - that's why there are so many different apk sites. These sites simply mirror the original app, add their own content, and make the modified app the one for download.
    1. Personally, I find advertising to be annoying, although that's not a malicious interaction. Why have an app with ads, when the legitimate app does not? 
    2. Someone else is making ad profit off others' work. Of course, this is copyright infringement against the legitimate app developer. While content theft is wrong, I find it extra venomous that the apk site makes money off the legitimate developers' work.
    3. Malvertising. The ad services the apk sites use are bottom of the barrel, common ads. The barrier for entry to advertise with these services is very low, and it's very easy to slip in malicious advertising. 
  3. Worst-case scenario, it's phishing. The first two objections are almost always present when downloading from apk sites or other sources of rogue apps. Of course, that would lead to pharming that data out on forums and markets which trade credentials and identities. The idea that "I don't have any money to steal, whatever" is a little bit toxic because more often than not, it is your credentials, personal information, and identity that are being stolen, not your money. Of course, we can lump in all forms of malware under this section as well. Mobile malware is more common than you think; my absolute favorite is the Cerberus Android malware (but more on that later).

Anyway, just wait for the update on Google Play.
