Google missed malware added to extensions, would it catch PlayStore apps?

ThisOldGuy

https://blog.koi.security/google-and-microsoft-trusted-them-2-3-million-users-installed-them-they-were-malware-fb4ed4f40ff5

de0u

ThisOldGuy Google missed malware added to extensions, would it catch PlayStore apps?

This particular wave of malware subverted browser extensions, not regular apps. There isn't any direct way to transform the one kind into the other kind.

Meanwhile, the Play Store has had its own waves of malware -- here is a randomly-selected piece about some Play Store malware: Hundreds of Malicious Google Play-Hosted Apps Bypassed Android 13 Security With Ease.

Unfortunately, there's no simple measure that can completely protect one from malware. That said, in general, running fewer apps (fewer extensions, etc.), choosing apps carefully based on developer reputation, keeping apps and the OS up to date, and avoiding modified/"unlocked" apps from anonymous sources, are all good ways to reduce risk.

ThisOldGuy

de0u
I think I'm more asking, if google doesn't evaluate app/ext updates for malware, how can they be the most trusted option to download from?
I see a lot of support from the forum to use PlayStore over github or foss repos. Why do we trust them tho if they don't evaluate updates for malware?

de0u

ThisOldGuy If google doesn't evaluate app/ext updates for malware, how can they be the most trusted option to download from?

If airplanes crash sometimes, how can air travel be the safest way to travel?

privacyisconsent

ThisOldGuy I think I'm more asking, if google doesn't evaluate app/ext updates for malware, how can they be the most trusted option to download from?

ThisOldGuy Why is it held in esteem if it's not doing what it says it does?

Do you mean held in high esteem? If so please note the statement from the GrapheneOS team below:

Apps coming from the Play Store doesn't make them trustworthy, safe or secure. Most malware apps on Google Mobile Services devices are installed from the Play Store.

https://xcancel.com/GrapheneOS/status/1923746765049598112#m
https://x.com/GrapheneOS/status/1923746765049598112

The Play Store isn't one of the least worst places to get a specific app because Google somehow succeed at the impossible task of checking millions of updates and published apps for exploitability or any malicious behaviour. It is one of the least worst places to source an app because it mitigates the TOFU problem, mitigates MITM attacks on the apps secure TLS connection to designated servers, implements unattended updates, etc.

de0u

ThisOldGuy I think I'm more asking, if google doesn't evaluate app/ext updates for malware, how can they be the most trusted option to download from?

I think it's also worth pointing out that this particular set of exploits were browser extension exploits. I believe that the GrapheneOS project has refused many requests for Vanadium to support Chrome extensions, on the grounds that the ecosystem is full of malware. So I don't think the GrapheneOS project has encouraged people to use the Chrome extension store (let alone the Edge extension store!).

I think the GrapheneOS project has commented favorably on Google's security hardware, their verified boot implementation, being the first Android phone to ship MTE, etc. Overall I think the opinions expressed depend on which specific thing is being evaluated, and I think the project's evaluation of the Chrome extension store is that it's below the bar.

As privacyisconsent documents via the social-media thread, the evaluation of the app store seems to be decidedly mixed.

But that's not the same as concluding that Google isn't checking any updates to any extensions. Perhaps they do check some updates, but perhaps they focus on the ones with the most users.

ThisOldGuy

de0u
Hopefully because the pilot was drunk and not due to a missed hardware/software issue by the mechanics!
If an entity says they're checking things, expecting them to be checked seems reasonable?
Maybe the better question is why did they slip through? I trusted when the app said they just don't check after updates but I always thought they had. Lax security vs bug.

de0u

ThisOldGuy Hopefully because the pilot was drunk and not due to a missed hardware/software issue by the mechanics!

If one adds together all the reasons why planes crash, the result is still safer than adding together all the reasons why motorcycles crash.

ThisOldGuy If an entity says they're checking things, expecting them to be checked seems reasonable?

If a border patrol officer says he's checking for illegal gun imports, and in one month he catches 100 and misses 1, does that mean he's not checking?

ThisOldGuy

de0u
I'm not really following the analogies that attributes to why Google protection services would miss malware and traffic being redirected.

There isn't an expectation of perfection, but there is an expectation of quality especially in the face of something it explicitly says its doing. Why is it held in esteem if it's not doing what it says it does?

I'm genuinely trying to understand the preference if it doesn't actually re-check updates. Since I'm not a developer, maybe there is a technical answer that you're aware of that would be helpful.

de0u

ThisOldGuy I'm genuinely trying to understand the preference if it doesn't actually re-check updates.

Was a claim made that the Chrome extension store does not ever check updates for any extension?

We know malicious "upgrades" were missed for those 18 extensions. That is unfortunate. But without knowing how many malicious "upgrades" the Chrome store did reject over the same time period, the fact that something was missed means only that their process is imperfect, which all processes are.

I'd say the most actionable advice for users is to install fewer apps and fewer extensions.

newbie24689

de0u

I'd say the most actionable advice for users is to install fewer apps and fewer extensions.

YES!!
Many web sites love to push their own "app", which is simply a customized browser; possibly well written, possibly poorly written. But certainly not as hardened/"safe" as Vanadium.

Instead of loading up with a bunch of questionable little apps, use vanadium with bookmarks.

(heh... I've met folks who take pride in having dozens of "apps" - covering their screens...........)

beans

newbie24689 problem with this is more and more websites implement a check that forces you to use their app so they can harvest more data from you to sell.

For example my banking website no longer allows mobile browsers and forces the app (for security they say, but why is it safe to use the website from my laptop then). Thankfully theirs can still be subverted by enabling desktop mode in ironfox but then the scaling and layout is terrible and hard to use on a phone. Other websites with a similar check increasingly don't work whether desktop mode or not.