I think I may know a few of those. But not through play store. They usually scam someone by saying they got a packet on their way and their tracking number must be opened on an app that they send via messaging apps.
Am I just missing it, or is there no list of these infected apps in the posted article or the reference the article links to?
To me, that is the most important information.
Since the other reply was unhelpful: apps are supposed to have limited privileges and isolation from each other, yes... But the whole point of malware like this is that they figure out ways to break those restrictions and get escalated privileges.
You can get more technical detail from reading the report. In this case it looks like the app does not contain malware, but instead requests an update after install that contains the bad code and then breaks the app limitations and scans for the target banking applications and copies the security certificates.
Yes, the app doesn't steal any information from other apps. The report says the malware just displays a fake bank login page, in the hope the user gives it their details willingly.
This only would work if you check every line of source code, even the dependencies and build chain, and then build it yourself. See xz utils backdoor or heartbleed, etc.
The thing is we only know about these vulnerabilities in such great detail because the projects are open source. God knows what kind of vulnerabilities are hidden in closed source software.
Yes, of course. However, when it's open source, at least somebody is capable of checking those things, even if it is not you. Somebody in the community is capable of doing so.
A very classic lie, disinformation, used to spread anti-libre software. Anti-libre software bans us, not only me but everyone else, from removing malicious source code.
If you download apps from F-Droid, at the very least you can be sure that the binary is 100% generated from the provided source code; the devs can't pull a switcheroo like submitting an altered version of the app (e.g. inserting malware) that doesn't match the published source code.
Exactly. Neckbeards love to pretend open source magically has no security vulnerabilities, and that the ability to inspect the source means you'll never install anything nefarious.
I expect all of them to have read the source for every single package they've ever installed. Oh and the Linux source too, of course.
You're right, I should clarify better. When I say open source, what I mean is totally open and totally free to contribute to, like the MIT or patchy licenses. Source viewable is a whole different can of worms and not what I mean, so I should be more specific in future.
As somebody who occasionally had to develop for android: the churn of improvements to app security was a huge pita. And as a user I know many of the abandoned apps that I liked that lost compatibility was for that reason.
So the fact that in spite of this pain, Android security still allows apps to do horrible crap like that is infuriating.
If you read the original report, it says that it basically just displays a fake banking login page. It also says that it requested accessibility service permissions, which makes me think maybe it brought up the fake login pages "in the right moment" (as in as users opened their banking apps) to make it more convincing, even though the article doesn't specify that.
Either way, IMO the problem here is clearly with the Play Store allowing this app in, and not with Android's security itself. These apps are misusing the accessibility service system, which is obviously necessary for a ton of important use cases (and of course also requires the user to grant very explicit permission). The fact that the accessibility services are a thing doesn't delegitimize Android's security improvements over the years.
If a user can open their banking app, and this app can sense that and open instead, then that is 100% an Android issue. That behaviour shouldn’t be possible.
That's not what I mean. I'm not thinking about Play Store security, but Android OS security. Like, your app physically has to ask for permission (or even require the user manually change settings) to do most unsafe things.
So I could write an app that is okay on the Google store, then change it to steal people's information? Hmmm 🤔 that gives me an idea....hahh! Too many projects at the moment.
"Over the past few months, we identified and analyzed more than 90 malicious applications uploaded to the Google Play store. These malware-infected applications have collectively garnered over 5.5 million installs.
Recently, we noticed an increase in instances of the Anatsa malware (a.k.a. TeaBot)."
So not 5.5M installs of this specific malware, FWIW
How though. Over here cash isn't accepted anymore at most places. I only use cash for buying drugs. Most stores and groceries only accept card. Same with bars and clubs. I honestly have no idea besides drugs what to use cash for.
I cannot imagine such a dystopian, nightmarish place where you can only pay with something that personally identifies you. Congrats for living in a nightmare. I'd leave.
That is correct, but you do lose out on all investments that have generated the wealth to make people wealthy these days.
So let's say inflation was 4 percent for the year and you could have made 10 percent invested in stocks for the year, you would have made 6% profit on your money for the year. Instead you lost 4% that year.
That difference could make or break someone long term, completely different retirement options.
The $1 in your scam account is worth the same as a real $1 bill. Maybe less when the entire financial system inevitably collapses in on itself as the rest of the world does and people will actually value real money again.
But seriously, this sucks and is why Google needs more rigorous vetting of apps that go into the store. Sure, you sideload, that’s your problem. But if on the Play Store, the general Android user would think there’s some good level of governance.
Of course there’s a measure of caveat emptor here. So hopefully it’ll teach people to be wary of what information they freely give out.
LOL, well I guess the Reddit masses are on Lemmy full swing now. Enjoy the malware, I'll continue laughing about it.