That malware with its own backdoor into Android’s framework? Don’t worry; Google’s on it. (Gulp!) | #android | #security

One of mobile security’s biggest fears has come to pass. Google last week (June 6) confirmed that cyberthieves had managed to pre-install malware into the Android framework backdoor. In short, the malware appeared to be blessed by Google at the deepest point within Android.

“In the Google Play app context, installation meant that [the malware] didn’t have to turn on installation from unknown sources and all app installs looked like they were from Google Play,” wrote Lukasz Siewierski, of the Android security and privacy team, in a blog post. “The apps were downloaded from the C&C server and the communication with the C&C was encrypted using the same custom encryption routine using double XOR and zip. The downloaded and installed apps used the package names of unpopular apps available on Google Play. They didn’t have any relation to the apps on Google Play apart from the same package name.”

Enterprise CISOs and CSOs, along with CIOs, are discovering that trusting the major mobile operating system companies today — Apple and Google — to handle their end of security protections is foolhardy. Due to the nature of the Apple ecosystem (a total of one handset maker, which allows for a much more closed system), iOS is slightly more secure, but only slightly.

Still, Google’s new admission certainly makes Apple look a little better in the security area. The issue isn’t with the operating systems per se — both iOS and Android have reasonably secure code. It’s with apps offered to enterprises and consumers through the officially sanctioned app depositories. Enterprise security pros already know that neither Apple nor Google does a heck of a lot to validate the security of the apps. At best, both are checking for policy and copyright issues far more than the presence of malware.

But that’s dealing with true third-party apps. Apps coming directly from Apple and Google can be trusted — or so was thought until Google’s disclosure.

The incident that Google admitted happened some two years ago, and the blog post didn’t say why Google didn’t announce it at the time, or why it chose to now. It might be that Google wanted to make sure it had sufficiently closed this hole before announcing it, but two years is an awfully long time to know about this serious a hole and be silent about it.

Copyright © 2019 IDG Communications, Inc.

Original Source link

Leave a Reply

Your email address will not be published.

eighty seven + = 97