Native Browser Malware/Virus

Copying what I said in the meeting here, as it was right at the end:

When the background running is disabled, then that package isn’t allowed to receive broadcast intents (such as boot_completed, which is the standard way for apps to launch themselves at startup), and when its window is closed then the app is force stopped. That stops the ‘normal’ ways for apps to start, but a lot of them put a lot of effort into launching themselves any way they can. Certainly an app or its services can be launched from another app, or via some background push notification service if you have one of those running through MicroG or something. The trouble with hacking around with that stuff too much is if we deviate too much from how Android normally works, then innocent apps will stop working properly.

5 Likes

Thanks for the explanation - I think I understand it, and what you are essentially saying is that because certain Android devs “cheat” their way around the normal process, this problem isn’t really fixable (i.e. you’d have to keep up with every new way they find to cheat - and that in itself might break other standard stuff). If you can’t stop an Android app from starting in the Aliendalvik world, maybe you can still stop an Android app from starting a native Sailfish app in the Sailfish world?

Without permission of course.

1 Like

Indeed, the German language seems to have ‘en’ on the end of a lot of words - and not just nouns but adjectives as well (e.g. grossen). I’m sure this must mean something but my German is not good enough to understand what :pensive:

Android apps not respecting the option in settings is nothing new to me personally. This was the case in the old Jolla phone’s dalvik as it is now in the XA2’s. Some really insist on relaunching themselves. Not only fishy apps like apkpure. Some main and big ones I’ve noticed: Outlook, Chrome, Anghami (Spotify-like app), Twitter.
Ok these are naturally suspicious :roll_eyes: but anyway…

I’ve just installed a security update of APKPure. Let’s see what happens now.

This sounds like a terrible security model - basically just trusting an app to respect an option setting without any enforcement by the OS, rather than the option setting in the OS forcing an app to behave, or not, in a specific manner. If this is really how it works then OS architecture/design has gone backwards :pensive:

3 Likes

-en is plural in German, no secrets here…

The security or quality of the software is no worse today than it was 10 years ago if you compare the number of bugs with the number of lines of code I think. Software has become more complex and confusing. It is only human work and remains imperfect.

Because of this, there are more people today who are interested in bugs in order to use them for their own purposes. When working on modules in teams, fewer bugs are found because everyone only knows their task and not all of the dependencies. Working without a quality check is no longer possible, but finding and fixing bugs costs time and money. Is that realistic for an app for € 1.50 and a maximum lifetime of 1 year? I do not think so. Programmers of a useless fart app can get the idea of integrating malware and trackers as well. Everyone wants quick money. Unfortunately, programmers of trusted software, such as for banks, have the same idea in the meantime. That concerns the money and the security of the customers.

It is important to understand that almost all current Android apps contain trackers and/or adware.
The system is at fault!

2 Likes

“APKPure, one of the largest alternative app stores outside of the Google Play Store, was infected with malware this week, allowing threat actors to distribute Trojans to Android devices.”

“This trojan belongs to the dangerous Android.Triada malware family capable of downloading, installing and uninstalling software without users’ permission,” Doctor Web researchers said.

2 Likes

It’s not the first time that alternative stores have been affected. Last year, Aptoide lost the data of 20 million users. It always comes through the third party adware modules. Apparently nobody checks them before they are integrated into their own app. One more reason not to use this Google system.

2 Likes

This solved the problem on my devices.

@Tobi Yes, that will help until next time. And what about the other apps that run in the background and go unnoticed? One symptom is gone (APKPure) and the gap remains. When does Jolla patch the Aliendalvik? In a few weeks, months, years or never? Triada is circulating and in vogue right now.

The bug in Android OS has been known under the name “Zygote” since 2011 (CVE-2011-3918). In 2018 phones were delivered with the preinstalled Trojan “Triada”, which exploits this bug, and currently in 2021 it is still there (CVE-2021-0316). The bug is directly in the Android system and simply allows complete takeover (see APKPure). Infected phones are very difficult to clean because Triada gets stuck in the boot sequence.

Maybe it helps to reinstall Aliendalvik and hope for a patch from Jolla. At the moment Aliendalvik is probably not recommended. This is a very serious problem and the bug is also in AOSP. This is an effective backdoor par excellence.

6 Likes