Android malware.

sahx

Hey i have a few questions about malware on android and grapheneos.
Can malware be "not an app" (like for example scripts on windows) or does it have to be something installed.
Can malicious apps install themselves as system apps (to avoid detection and removal)
Does vanadium and gOS itself prevent remote interactionless downloads of apps and so on?

de0u

sahx Can malware be "not an app" (like for example scripts on windows) or does it have to be something installed.

If there is a "remote code execution" (RCE) bug in cellular, Wi-Fi, or Bluetooth firmware, malware can literally arrive over the air. GrapheneOS has extra precautions against this.

sahx Can malicious apps install themselves as system apps (to avoid detection and removal)

This is theoretically possible, but not easy. GrapheneOS has extra precautions against this.

sahx Does vanadium and gOS itself prevent remote interactionless downloads of apps and so on?

That's the plan! Bugs are always possible, though.

Here is a good place to start: https://grapheneos.org/features

[deleted]

Yes, but only through your installed apps. Lets see an example: In case you open a malicious PDF that targets Android, with a PDF viewer that has vulnerabilites, the PDF could use those permissions that the Viewer has, Eg. storage.

The default PDF viewer resists these attempts, as it has no permissions. But it could happen with other apps that you have.

sahx

[deleted]
I see, so as a normal guy i just shouldnt install untrustworthy apps and should be fine yea?

GrapheneOS

[deleted] Not having permissions is a very insignificant part of how our PDF Viewer app protects against attacks.

https://github.com/GrapheneOS/PdfViewer/blob/main/README.md

[deleted]

Malicious apps can only install as system, if they have a root privilage escalation expliot. Very rare, only fiesable via targetted attacks, and your phone would warn you during next boot, that something has been tampered with via verified boot.

[deleted]

Vanadium warns you on commonly malicious filetypes when downloaded, like apk and exe.
Apps can NOT be installed automatically by Vanadium, even if downloaded. You have to also manually proceed with installing the apk. You can't do it by mistake/accident.

Eirikr70

sahx Probably. The only point is how can you determine if an app is trustworthy.

andrej567

sahx generally yes, what can happen,

that you search for an app in app store and there is a very similarly looking app like the one you search for but a malicious one. Always check the name of the publisher of the app, at least. Click on the publisher to check what else did they publish, if it makes sense (you may know the other apps they should have)
second thing is that it can happen that bad people contributing to open source library projects contribute, but at the same time implant some malicious functionality into it and the maintainer of the library does not notice it. Then such library can be distributed as a part of trustworthy apps.

For both cases, app isolation and as few access rights as possible can minimize the impact once you have it...

[deleted]

sahx Yes.

sahx

andrej567
yea i always do checks that apps are real ones, using appverifier, and well just looking at the downloads/ratings as well as cross-refference the link with official media

the other one is out of my control sadly its just something you gotta pray never happens lol.

but yea good to know that the chances from getting malware without installing anything (like from visiting a dodgy website) are basicially 0 (as a normal non political/activist/journalist person)

[deleted]

GrapheneOS Yes, im aware that its hardened in many other ways. However this is a very simple example to illustrate its security.