Hacker News
Malicious app on Google Play drops banking malware on users’ devices (pradeo.com)
104 points by caaqil on Jan 29, 2022 | 38 comments



I am *very* surprised that the list of requested permissions on Google Play does *not* have to match the actual permissions which the app gets when installed.

I would have thought that the list on Google Play is computed from the binary so it cannot be fake.

Is it really true that you can just leave out permissions in this list and then just get them once people install your app?


As far as I know (and I have quite a few apps on Google Play) the list is compiled from the APK itself. On Android you need to specify all permissions in the manifest (a file in the app that describes what the app requires). If you don't and try to use one, the device rejects it. The Play Store description is a "human version" of the list. Some permissions are grouped and others ignored.

The app from the post had a list of permissions declared in the manifest, and on first look it seems to match what the Play Store shows.

In any case: no, you can't leave out permissions and use them later. If you don't declare them, you can't use them. (At least not by normal means, it is possible with adb and root, and also by installing extra apps).


Thanks, but why does the post show two screenshots juxtaposed:

- one labeled as "2FA Authenticator permissions disclosed on Google Play"

- and the other as "2FA Authenticator permissions requested"

They even made "disclosed" and "requested" bold to stress that there'd be a difference, and in fact the former list of permissions is shorter than the latter?

You said that some permissions are "ignored". Is that the explanation?

Where is a list of all Android permissions which are "ignored", i.e. not told to the user when installing apps?

From the screenshots it looks like the permission to install software is part of what's lacking from the disclosure.

That has a rather big security impact, why does Google ignore it?

I can't believe Android is that insecure :(


They are ignored from the standpoint of Google Play displaying them to you in the listing but not ignored by Android itself. Google 'streamlined' the permissions displayed to users in the store years ago but you can still see them (mostly?) via Settings->Apps and notifications-><select an app>->Permissions. This was most likely partly because apps used to need to request some rather strange looking permissions from a user standpoint (i.e. a flashlight app needed camera permission since the phone's LED was tied to the camera API, for example[1]) and partly because Google itself normalized the 'kitchen sink' approach to permissions with its own apps in the store when they switched from baking them into the ROM to distributing updates via the store and now most large companies do something similar with their own Android apps.

Unfortunately, every spammy/scammy app came along for the ride and now you're fairly dependent on Google's scanning of the apps to catch the bad actors which has been shown time and time again to be insufficient.

[1] However, they never needed access to things like your contacts or networking... but for Google to flag apps that did things like that, their own apps would likely either be flagged or called out for hypocrisy given their own 'kitchen sink' app permissions.


The left box is the play store prompt, the right one is the list probably extracted from the manifest file.

As I said, the Play Store list groups and sometimes ignores common permissions. I've tried to find a this-goes-here list that explains how they are grouped without luck; the only things you can easily find are the full list (https://developer.android.com/reference/android/Manifest.per...) and the Play Store groups (https://support.google.com/googleplay/answer/9431959), so let me try to guess.

Camera is camera, that's obvious. Disable keyguard is disable lock screen. Foreground service is probably ignored, maybe the word "service" is hard to explain? Internet is full network access. Query all packages is ignored. This is a relatively new permission that allows you to see what apps are installed; on Android 10 and below it wasn't necessary to declare it, you could always get the list. Receive boot completed is run at startup. Request install packages seems ignored, which is odd, but maybe because you can only request; the user must accept the install in any case (no app can install anything on its own, unless root or system app). System alert window is draw over apps. Biometric and fingerprint are ignored, odd too. Wakelock is prevent from sleeping.

So, the "hidden" ones are foreground service, request install packages, biometric and fingerprint. As I said, I tried to find a description of how the Play Store groups them, but failed to do so :( sorry.


This article is IMO greatly exaggerating the issues here (please note that the Google store shows that the app targets only Android >= 8.0, this has a huge impact on what follows).

List of perms from the article: > Collect and send users’ application list and localization to its perpetrators, so they can leverage the information to perform attacks targeted towards individuals in specific countries that use specific mobile applications, instead of massive untargeted attack campaigns that would risk exposing them,

Yeah okay, giving internet access to an app enables the app to know what country the user is in. Even the language of the app tells you that. I'm sorry, but seriously, what are we supposed to do against that?

> Disable the keylock and any associated password security,

Listed on play store

> Download third-party applications under the shape of alleged updates

This doesn't allow downloading apps silently. Every time you install or update an app, this makes a huge annoying confusing popup, where you need to know where to click, and there are three such places! I even hate Google for how complicated it is. Criticizing Android for this is stupid.

> Freely perform activities even when the app is shut off,

I honestly don't know what they are talking about, that's pretty much always the case for all apps, there is no permission for that...? This is of course an issue wrt power drain, and Android is taking new counter measures against that power drain regularly. But that's just a power drain nothing else.

> Overlay other mobile applications’ interface using a critical permission called SYSTEM_ALERT_WINDOW for which Google specifies “Very few apps should use this permission; these windows are intended for system-level interaction with the user.”

This has indeed been very controversial. There are many great features that can be built with this. But the handling of this at Google has precisely been that apps need to be whitelisted manually on Google's side to be allowed this permission, or go through a super complicated menu to enable it.

Overall, I have a very hard time believing this malware is anything but a PoC made by the anti-virus seller itself.

Edit:

One thing I forgot to mention. Many permissions in Android (like in iPhone) are DYNAMIC. Which means that user NEED to EXPLICITLY approve the usage of those permissions.

The Google Play Store lists only the permissions that are granted without the user's explicit approval.
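The two comments above (the guessed Play-listing grouping, and the distinction between install-time and dynamic permissions) can be turned into a small audit of a manifest. This is an added example, not code from the article or any commenter: the Play labels are the commenter's guess, the grant mechanisms are Android's documented protection levels, and the manifest is constructed.

```python
"""Audit the <uses-permission> entries of an Android manifest.

Added example. For each permission it reports how Android grants it and
the Play-listing label the comment above guessed (None = hidden there).
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# name -> (how Android grants it, commenter's guessed Play label or None)
PERMISSION_INFO = {
    "CAMERA": ("runtime: user prompt", "Camera"),
    "DISABLE_KEYGUARD": ("normal: granted at install", "Disable lock screen"),
    "FOREGROUND_SERVICE": ("normal: granted at install", None),
    "INTERNET": ("normal: granted at install", "Full network access"),
    "QUERY_ALL_PACKAGES": ("normal: granted at install", None),
    "RECEIVE_BOOT_COMPLETED": ("normal: granted at install", "Run at startup"),
    "REQUEST_INSTALL_PACKAGES": ("special: Settings toggle", None),
    "SYSTEM_ALERT_WINDOW": ("special: Settings toggle", "Draw over apps"),
    "USE_BIOMETRIC": ("normal: granted at install", None),
    "USE_FINGERPRINT": ("normal: granted at install", None),
    "WAKE_LOCK": ("normal: granted at install", "Prevent from sleeping"),
}

# Constructed manifest declaring the permissions the thread walks through.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.twofa">
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.DISABLE_KEYGUARD"/>
    <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/>
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
    <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
    <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
    <uses-permission android:name="android.permission.USE_BIOMETRIC"/>
    <uses-permission android:name="android.permission.USE_FINGERPRINT"/>
    <uses-permission android:name="android.permission.WAKE_LOCK"/>
</manifest>"""

def declared_permissions(manifest_xml):
    """Short names of every <uses-permission> element, in manifest order."""
    root = ET.fromstring(manifest_xml)
    return [node.get(ANDROID_NS + "name", "").rsplit(".", 1)[-1]
            for node in root.iter("uses-permission")]

def audit(manifest_xml):
    """Map each declared permission to (grant mechanism, Play label)."""
    return {p: PERMISSION_INFO.get(p, ("unknown", None))
            for p in declared_permissions(manifest_xml)}

def hidden_from_listing(manifest_xml):
    """Permissions the app gets that the guessed listing would not show."""
    return sorted(p for p, (_, label) in audit(manifest_xml).items() if label is None)

if __name__ == "__main__":
    for perm, (grant, label) in audit(SAMPLE_MANIFEST).items():
        print(f"{perm:26} {grant:28} listing: {label or '(not shown)'}")
```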


I think it used to be back in the day, but many normal apps use tons of permissions so people skipped over them. Google revamped their UI to only show a select bunch of them at some point. Perhaps in this step they managed to mess up and miss a bunch of permissions that these apps use.

You can't get a permission that's not in your app manifest without root access.

Seeing as the app appears to install apps silently, it probably manages to exploit devices with outdated security to elevate its system permissions. Altering the installed binary and system permission table are probably the easiest way to use the standard Android API to install software in the background, because doing so programmatically is a pain.


I expected it to work such that what is listed in the marketplace is the design, and when signing the app it includes the permissions as mentioned in the marketplace. If the binary requests different permissions they are rejected by the OS without prompting the users.


It was discussed yesterday at https://news.ycombinator.com/item?id=30115132 which has 57 comments.


The thread does not seem to answer the most interesting question:

Is it really possible for app developers to leave out permissions in the list of requested permissions on Google Play and then get them nevertheless when the app is actually installed?

See my other reply for a more lengthy description: https://news.ycombinator.com/item?id=30126488


Another question would be: if Google gives me an app from their official Play Store, on their OS, should they be considered responsible for any loss that it causes to bank accounts, or have we given up on accountability for big corps? Hope the regulators are sleeping well.


I'm not sure why Google should be any more or less accountable than Microsoft when malware lands on a Windows PC.

Both provide some minimal level of malware protection but make no guarantees and rely on users to scrutinize app sources.

Apple makes somewhat stronger claims of protection so there may be an argument for a higher level of responsibility on iOS and MacOS:

>...users can access these apps on their Apple devices without undue fear of viruses, malware, or unauthorized attacks....

>...all apps are sandboxed—to provide the tightest controls...

>...helps to ensure that these apps are free of known malware...

>...macOS includes state-of-the-art antivirus protection to block—and if necessary remove—malware. [0]

I'm still not sure that a claim of legal liability would hold up in court though.

[0] https://support.apple.com/guide/security/app-security-overvi...


That is not a fair comparison. A better one would be versus Apple store or MS' one.

And yes, I think MS should be responsible for apps they are selling. As well as Apple or Google.

Hiding behind ads and pretending it is not a proper sale and that they are mediators or whatever is BS.


We're talking about two different things.

You're saying they should be responsible. Ethically? Legally? I'm not sure which you mean, but probably both.

That's not the question I was answering though. That question didn't specify the flavor of responsibility, and I chose to answer it from a mostly legal perspective, which is that as things stand they are probably, mostly, not liable.

Traditional retail liability is probably the best place to look in this case. A store can be liable for the products it sells, but if it makes reasonable efforts to determine product safety then those are difficult cases to win unless you can show that the retailer knew, or should have known, that the product was defective or unsafe. One black & white example of that liability would be selling alcohol to underage kids who did not present any ID, or gave a fake ID.

I think "reasonable precautions" is probably the best rule from a practical standpoint. But I'm not otherwise going to address where the line should be drawn on "reasonable" precautions. That's a complex question, individual examples and product classes would vary, and there are plenty of expensive court cases that have not yet produced a universal "bright line" standard for defining "reasonable" precautions.


Your thinking is kinda bizarre - why do you demand accountability from the store, not the author/creator of the malware app?

For other products the accountability is always on the manufacturer/creator of the product - why, in software, do you all demand that big tech censors and polices what you're allowed to consume instead of actually punishing the wrongdoers who created malicious and dangerous software? Why can they just get away with zero accountability and you don't even spare a millisecond of thought?


Well, for one thing it's because I am forced to keep the Play Store on my phone without being able to uninstall it, along with Google Play Services, and also they are vetting all apps that get to the Google Play Store, and also the fact that they continuously bust balls justifying the existence of their ecosystem with the safety and security of devices. Are they allowed to have it both ways? So we need to keep them because of safety, but like not really safety? More like safety of the income stream for their shareholders?


In the UK, consumer product liability is with the vendor. They will usually recover the costs from the manufacturer, giving them an incentive to deal with reputable companies. As a consumer I don't have to care about the vendor's suppliers.

Why should software be different?


Because it's a different relationship model? With a regular product the thing the consumer interacts with never changes. With software the user is able to make it do wildly different things, stuff neither the manufacturer (Samsung, HTC, etc) nor the software vendor (Google) could envision, including running exploits in the software to do things the user didn't even intend.


You raise some good questions about the locus of liability and responsibility.

I’d encourage you to do it without insulting the other participants on HN.

Spare a millisecond of thought for how your tone shapes the culture here.


They charge 15-30% of the revenue so they should also be responsible. If they had offered a free service then no.


All stores charge a markup.


No they don’t. Physical stores pay volume rates to the manufacturers. They own the inventory and resell it at a markup or a loss. The app stores do something totally different. They allow “manufacturers” to list the item directly to the consumer and charge 30% in money transmission (legal term) fees. They are basically offering the same service (and licenses) as Western Union (or stripe connect), just on a larger scale and more integrated.

Whether they are actually legally set up that way (or not) I don’t know. I did go down this rabbit hole 10-15 years ago to do something similar with a lawyer.

What could be interesting is if some states/countries have limits on the fees a money transmitter can charge and an app company sued for them operating illegally.


From a consumer POV it's the same as physical stores, regardless of how they acquire the product. Walmart has an average 32% markup and Target 46%[0]. Is Target now liable for anything they vend to you that does something malicious?

0: https://www.retailcustomerexperience.com/news/investor-blog-... (the original marketwatch article is unavailable).


> Is target now liable for anything they vend to you that does something malicious?

Yes, or even just defective. Chain of commerce product liability is well established.


there are no more half-seasons


Google is complicit in this by their refusal to ban larger app developers that create malicious apps. Google may kick the malicious app off the play store for a couple weeks and make the developer remove the malware (or obfuscate it better) but then allows the app(s) back to the play store.


I'm not aware of Microsoft ever being sued about the loss of malware on Windows.


Windows is not vetting all apps, and is not forcing you to bribe them 30% of your sales to be on a store fully controlled by them.

But yeah, I think making corps accountable would be of great benefit to IT. If we start hitting them in the wallet, I guess that's the only way to make security escape conferences and make it to software companies' HQs.

I get to pay a corp to get a shitty product that makes me subject to all sorts of security issues, without being able to blame it on anyone, and in the end I also have to pay with my time because manager X didn't think that it was important to deliver a safe product. So yeah, I want to be paid for the time I have to spend fixing corps' shit.


> Windows is not vetting all apps

Actually, I'm pretty sure there has been some stuff that Microsoft signed, for which MS is paid (not 30% sure), that was malware. But I'm too lazy to find it.


*loss from malware on Windows.

Then again, taking the thought experiment of your comment as written, can a malware dev sue M$ for Windows Defender blocking and/or removing their software?

Also, "being sued" isn't a very strong litmus test on its own. Anyone can be sued for anything at anytime.


No it's not possible.

Google Play hides some permissions on its own, but only very basic ones (like the one allowing access to the internet). That's it.

The dangerous permissions mentioned in the article need to be manually enabled by the user, after installing the application.


So many such issues could be easily mitigated if we just moved away from apps to PWAs/Web apps with better support from mobile vendors for the push api, camera, etc - but the powers that be (Apple, Google, Microsoft) and also the sites (Reddit, Amazon, etc) want to move in the opposite direction because who cares about security and users when apps bring in the moolah.

As a matter of fact, sometimes the websites are so much better too, like Amazon, which doesn't even have a "Find..." function in the app. I really wish we could be done with these apps and everything just ran in the browser, except maybe apps that need some low-level API or something.


In order to compete with native apps the APIs would have to grow and thus the attack surface would also grow


And then there are those of us that hate that everything is made with Electron these days, so I say thank God they're not doing this.


Such issues could be mitigated if Android didn't let it happen. It was pretty much impossible for this to happen with Symbian so there's really no excuse (maybe that's part of the reason it died)


Aren't PWAs vulnerable to browser extension attacks?


You're telling me a for-profit, closed source, proprietary application store where anyone can submit software and call it anything they want has perverse incentives? I'm shocked. Shocked, I tell you.


I thought we edited clickbait-y headlines like this. The name of the malicious app is "2FA Authenticator".



