Just read this news: https://www.bleepingcomputer.com/news/security/fjordphantom-android-malware-uses-virtualization-to-evade-detection/
How does GrapheneOS handle this type of attack?
Looking over that, it does NOT appear to be anything special. They're essentially just tricking a user into installing a modified version of the original application in order to steal the user's credentials FOR THAT application. It does NOT give them access to any data from any OTHER application aside from data that is accessible based on granted permissions. The part that makes it a slightly novel approach is the fact that they're embedding the original unmodified version of that application into the modified application rather than putting in the work to reverse engineer parts of the original application in order to patch their new functionality into it.
The solution to this problem is simply to not install software from sketchy sources. Ideally, verify the apk signature with the vendor prior to installing.
The real solution is that Android needs a better system for package signature verification. Right now, original installation of packages relies on whether or not you trust the installation source (i.e., play store, f-droid, etc.) -- a lot can be done to make this system more robust, like publishing public keys for signature verification on DNS and verifying those signatures on installation by querying the package name from DNS to retrieve the public key. Obviously this introduces an additional point to verify (which IMO really should be verified ANYWAY), which is whether or not the package name is connected to a trustworthy domain. Fortunately, that is usually pretty easy to verify through a combination of public trustworthiness lists and simply presenting the domain name (package name) to the user. Trying to install CIBC bank application, package name com.cibc.android verifies against DNS for android.cibc.com --> checks out, BUT package name casino.freemoney.com.cibc.android against DNS for android.cibc.com.freemoney.casino --> Huh? Signature verifies correctly, but Big red flags because that domain is a steaming pile of WTF.
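The DNS-backed check sketched above, written out as an added example (not GrapheneOS or Android code, and not the poster's own): the package name is reversed into a domain, a published signing-certificate fingerprint is fetched for that domain, and the APK's signer is compared against it, with a separate trust check on the owning domain. The `apk-sig=` TXT record format, the certificates, the DNS records and the trusted-domain list are all constructed stand-ins; real DNS queries, DNSSEC, public-suffix handling and APK signature parsing are out of scope.

```python
import hashlib
import hmac

# Constructed stand-ins for the vendor's and a repackager's APK signing certificates.
GENUINE_CERT = b"constructed DER bytes of the real cibc signing certificate"
ATTACKER_CERT = b"constructed DER bytes of a repackager's signing certificate"

def cert_fingerprint(cert_der: bytes) -> str:
    """SHA-256 fingerprint of a signing certificate, as assetlinks.json publishes it."""
    return hashlib.sha256(cert_der).hexdigest()

# Constructed DNS TXT records (hypothetical "apk-sig=" format) keyed by the domain
# derived from each package name. A real lookup would query DNS, ideally over DNSSEC.
DNS_TXT = {
    "android.cibc.com": "apk-sig=sha256:" + cert_fingerprint(GENUINE_CERT),
    # the attacker controls freemoney.casino and simply publishes their own key there
    "android.cibc.com.freemoney.casino": "apk-sig=sha256:" + cert_fingerprint(ATTACKER_CERT),
}

# Constructed allowlist of domains the user (or a public trust list) already vouches for.
TRUSTED_DOMAINS = {"cibc.com"}

def package_to_domain(package: str) -> str:
    """Reverse the Java-style package name into the DNS name it implies."""
    return ".".join(reversed(package.split(".")))

def registrable_domain(domain: str) -> str:
    """Last two labels; a real check must consult the public suffix list (e.g. co.uk)."""
    return ".".join(domain.split(".")[-2:])

def check_install(package: str, signing_cert: bytes) -> dict:
    """Decide whether an APK's signer matches what DNS publishes for its package name."""
    domain = package_to_domain(package)
    owner = registrable_domain(domain)
    result = {"domain": domain, "owner": owner, "signer_matches": False,
              "owner_trusted": owner in TRUSTED_DOMAINS}
    record = DNS_TXT.get(domain)
    if record is None:
        result["verdict"] = "no-record"   # nothing to verify against; fall back to store trust
        return result
    published = record.split("apk-sig=sha256:", 1)[1]
    result["signer_matches"] = hmac.compare_digest(published, cert_fingerprint(signing_cert))
    if not result["signer_matches"]:
        result["verdict"] = "reject"      # signer is not the one the domain owner published
    elif not result["owner_trusted"]:
        result["verdict"] = "warn"        # signature checks out; the domain is the red flag
    else:
        result["verdict"] = "ok"
    return result
```

The "warn" path is the casino.freemoney.com.cibc.android case from the post: the signature is valid for the key the attacker published, so the domain check, not the signature, is what has to surface the problem to the user.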
bookreader It does NOT give them access to any data from any OTHER application aside from data that is accessible based on granted permissions.
Are you sure? In the article the author states:
Promon notes that this virtualization trick breaks the 'Android Sandbox' security concept, which prevents apps from accessing each other's data or interfering with their operations, as apps inside a container share the same sandbox.
So this statement means that the malware has only access to the infected app's data (because they are in the same sandbox) but cannot access anything outside of it?
Phead Are you sure? In the article the author states:
The press is known to oversimplify tech, so...
Phead The problem with the way the article is written is in the way they distinguish between the malware and the application it is bundled with. You're thinking about them as if they were distinct, but the reality is that the original application is PART OF the malware.
bookreader Right now, original installation of packages relies on whether or not you trust the installation source (i.e., play store, f-droid, etc.)
Yup. People use F-Droid because it installs and notifies you of an update and you can update apps with a click. F-Droid builds all apps from their source code and then signs them with its own key. The app developer does not sign the source code like you see on GitHub. If you trust F-Droid, that is fine, but a main point of FOSS is that it is supposed to be trustless (mind you, a lot of apps on GitHub are not getting outside code and security checks, but the popular/closely watched ones are). The F-Droid repo is also full of apps that haven't received security updates for years. This is also true on GitHub, but unfortunately some will trust F-Droid like they do Play Store without checking closely. I personally prefer going to the source on GitHub where you can use the GitHub APK for Obtainium to install GitHub apps on Obtainium via their APKs and be notified when an update is ready, and then it is just a click on the Obtainium app. All signed by the developer, and assuming popular apps like Signal or Proton Mail, you can be quite sure the code has not been changed in an obtuse or malicious manner.
As far as I know, most payment software in countries that are not free will do so.
Example: China
https://reports.exodus-privacy.eu.org/en/reports/com.eg.android.AlipayGphone/latest/
https://reports.exodus-privacy.eu.org/en/reports/com.tencent.mm/latest/
MoonshineMidnight Please also note that F-Droid also provides reproducible builds, but using reproducible builds increases the delay in releasing new app updates even more, so most app developers don't use it.
bookreader
Sure, I got that. My question is, is the malware actually capable of breaking/escaping the sandbox (does not read that way) or is it only capable of accessing user data because it is part of the app or app container? If the latter is true (and as far as I understand the article, it is), I think the article is kind of misleading because the app's sandbox is not actually broken. Is that correct?
[deleted]
...so? What's your point? Oversimplifying is a valid tool to break down complex matters into understandable portions of text. As long as the information is still valid there's nothing wrong with it. If you believe the facts stated in the article are a false representation of the malware's capabilities then please, elaborate.
From the article:
Upon launch, the malware installs the APK of the banking app the user intended to download and executes malicious code within the same container, making it part of the trusted process.
As I understand it the malware runs in the same container as the original app. Because inter-app communication is only possible with mutual consent, this technique circumvents the mutual consent restrictions and the banking app freely gives its information to the malware. That about right? If so, the actual sandbox is not really broken as I understand it.
Phead Nothing is escaping from ANYTHING. Nothing is bypassing consent. The user is tricked into installing malware. That's all there is to it.