The legitimate app, turned malware

There's a story floating around about an Android app, called CamScanner, that started distributing malware out of the blue—after getting more than 100 million installs on the store. The app had a legitimate purpose: helping scan documents, which actually worked for years as advertised, before it turned bad.

When it released the update with the new code, it dropped a trojan on user devices, spamming the phones with advertising and trying to sign up for paid subscriptions in the background. 

The story is probably what you'd expect; Kaspersky antivirus researchers reported this to Google, which swiftly pulled the app from the Play Store entirely. But, there's an obvious question: how does this get up there in the first place?

This spooky malware story is doing the rounds, but it's one of the most common playbooks used by malicious actors in 2019. Find a legitimate app with hundreds of thousands of users, try to buy it for an outrageous sum quietly, keep maintaining it, and slowly inject malicious code over time.

These types of attacks are impossible to detect, and likely extremely lucrative. It reminds me of a side-channel attack on an open source library called Event Stream in 2018, where its maintainer ran out of time and another GitHub user started making legitimate contributions, before injecting malicious code into the tool undetected. 

As it turned out in that case, Event Stream was then trying to steal code from other developers that used it in their systems. Hijacking a legitimate, successful app for nefarious purposes is a great way to quickly infect a bunch of people undetected—I doubt there's much in the way of automated checks that would have helped here.

This incident, however, highlights how poorly app stores—in particular the Play Store on Android—are managing their platforms. While Apple's manual review process tends to catch most malicious apps, Google doesn't require a manual review, and is usually caught out later, when it needs to retroactively remove an app.

This will change for the first time soon, with Google Play set to require a review process for new developers and those that "don't have a track record yet." Would it prevent this type of attack later on? Probably not—but it should raise the quality of apps on the platform considerably in the first place.

In the meantime, what's an Android user to do? Well, as with any platform, don't download random apps without doing a little research. A few minutes of looking around would quickly show that Google Drive can do what CamScanner does in the first place, anyway—or that there are many legitimate apps that are much higher rated.

TL;DR? Practice common sense online, and don't trust random apps.


Looking for a new computer?

It's a good time to buy, with new Intel processors finally starting to trickle out. Here are a few updates from just the last week:


Tab Dump

Apple's new 'certified repair' program will try to help expand independent genuine iPhone repairs
The company has been caught up in a fight to strip people of the right to repair their own devices for years, banning non-genuine parts from being used as replacements, and increasingly making it difficult to gain access to the inside of the iPhone. 

Now, to try and control that repair flow a little more, it's going to offer an 'independent repair provider program' that allows easier access to genuine parts. On one hand, this is a good step forward that might help make it easier (and cheaper) to get a phone fixed outside of Apple Stores, but it won't help make it cheaper. 

Huawei's next smartphone is still coming, despite the fact that it can't use Google services
The Mate 30, Huawei's next installment of its flagship smartphone, is coming to Europe in the next few weeks... even though it likely can't pre-load (or even access) Google services. That's thanks to U.S. sanctions on the company, which were lifted for existing products temporarily, but not new ones.

The Australian guy who claims he created Bitcoin must cough up $10B in court case
Craig Wright, a random guy in Australia, claimed to be the mysterious Satoshi Nakamoto—the creator of Bitcoin. It was never proven, but now, he's being ordered to pay billions to his deceased business partner's estate, which claims he stole their collective gains.