最有看点的互联网金融门户

最有看点的互联网金融门户
全新的互联网金融模式国际资讯

Google Play加大恶意加密货币软件打击力度

近一段时间以来,Google Play上多次出现加密货币恶意软件,而谷歌似乎也在积极努力遏制这一势头。

此前,安全研究员Lukas Stafanko在Google Play上发现了一款加密货币应用程序MyEtherWallet的仿冒程序,该应用程序会窃取用户的私钥并秘密盗取资金。

值得注意的是,从这款app被发现到最终下架居然耗时四天,不过还好这四天内没有无辜用户下载或者“中招”。

其实,这已经不是恶意软件第一次越过谷歌的安全机制网络了。

比如,今年1月谷歌就曾强制下架过另一个MyEtherWallet高仿钓鱼程序;而最近,谷歌则清除了一个名叫Poloniex的恶意应用程序,该应用程序也会窃取用户的凭证和私钥。

不过,谷歌并不是唯一一个苦苦与恶意加密应用作斗争的应用程序平台。

去年12月,另一个MyEtherWallet高仿恶意程序进入了Apple App Store,甚至还一度成为了金融财务领域第三受欢迎的应用程序。有报道表明,在苹果公司最终下架这款应用程序之前,已经有超过3000人下载了这款移动应用程序。

最近,一款内置加密货币挖矿程序的app也蒙混过关登陆了App Store,而苹果公司此前并不允许此类程序上架。

然而真正的问题在于,Google Play上这类高仿恶意程序出现的比率和速度远高于其他平台。

来自网络安全公司RiskIQ的研究表明,目前主流的20多个应用平台(包括Google Play和平台App Store)上共有661个非法的加密货币应用程序。其中,有272个来自Google Play,而排名第二的APKFiles平台上只有54个这样的应用程序。

然而,恶意加密货币软件仅占Play Store上问题应用程序的一小部分。据报道,谷歌公司仅2017年就清除了70万个“有问题的应用程序。

为了与攻击者作战,去年谷歌推出了Play Protect安全功能,旨在确保从其软件商店下载的应用程序不出现上述安全问题。

虽然钓鱼网站确实在谷歌搜索上一直存在,但从谷歌官方软件平台下载的应用程序应该安全度会更高一些,因为我们相信谷歌会帮助我们对这些程序进行审查。

不过,目前的安全机制仍然不能满足对抗网络安全问题的速度,未来谷歌必须在这一方面加大努力。

 

Google is suffering from an epidemic of malicious cryptocurrency apps on the Play Store – and it seems the internet giant is struggling to curb the influx.

Security researcher Lukas Stafanko has come across another rogue copycat of popular cryptocurrency app MyEtherWallet designed to steal your private keys and surreptitiously drain your funds.

But here is the worst part: the malicious app purportedly remained available to download for four days before the Big G purged it from its software distribution platform, according to the researcher.

Fortunately, it appears that nobody downloaded the app during the four-day window it remained in the wild.

What is more problematic is that this is hardly the first time malware-infested software has slipped past Google’s security mechanisms.

In fact, this marks at least the third such occasion since the beginning of this year. Google was forced to remove another corrupted instance of MyEtherWallet back in January; more recently, the company purged a malicious Poloniex app designed to phish users’ credentials and private keys.

While data suggests that some of these malicious apps hardly got any traction, the MyEtherWallet copycat which made its way to the Play Store in January was downloaded between 100 and 500 times before it got taken down. One of the reasons it managed to garner some success was probably because it remained on the Play Store for almost a week.

Indeed, researcher Troy Mursch has since remarked Google has absolutely “no excuse” for failing to prevent malicious apps from popping up on the Play Store. “Slow abuse handling only provides more incentive for apps like this to be published,” Mursch said on Twitter.

For the sake of clarity, Google is not the only software distributor that has struggled to thwart the spread of malicious crypto apps on its platform.

Last December, another infected instance of MyEtherWallet made its way to the top of the Apple App Store; in fact, it was the third most popular app in the Finance section at one point.

Reports suggest that more than 3,000 people downloaded the shifty app before Apple eventually took it down.

More recently, Apple had a similar mishap after it allowed a sketchy Calendar app with a built-in cryptocurrency miner on the App Store – despite the fact its policy strictly deems such monetization strategies “unacceptable.”

The real problem is that such blunders fly past Google and its Play Store at rates disturbingly higher than on any other platform.

Research from cybersecurity firm RiskIQ indicates it found 661 illegitimate cryptocurrency apps distributed across some 20 official software stores – including the Play Store and the App Store.

Out of these, a staggering 272 appeared on Google Play. By comparison, the second store on this list, APKFiles, accounted for 54 such apps.

In all fairness, cryptocurrency software comprises only a small chunk of all infected apps hosted on the Play Store. To give you some context, the company reportedly purged 700,000 “problematic apps” in 2017 alone; statistics suggest that Google houses a total of more than 3.5 million apps on its store.

In an effort to battle attackers, last year Google introduced its Play Protect security feature, designed to ensure there is nothing funny going on with apps downloaded from its software store.

While it is true that phishing sites have long lingered on Google Search, there is a certain (added) expectation of security that comes with downloading apps from official software platforms. We trust such apps because we assume that Google – or whoever is responsible for distribution – has vetted them.

But as Stefanko’s recurrent findings show, the mechanism is incapable of keeping up with the attackers’ ever-evolving methods: and unless Google finds a more efficient measure of counter-acting such ill-intended efforts, it is only a matter of time before someone gets burnt.

用微信扫描可以分享至好友和朋友圈

扫描二维码或搜索微信号“iweiyangx”
关注未央网官方微信公众号,获取互联网金融领域前沿资讯。

发表评论

发表评论

您的评论提交后会进行审核,审核通过的留言会展示在下方留言区域,请耐心等待。

评论

您的个人信息不会被公开,请放心填写! 标记为的是必填项

取消

新加坡:加密货币支付服务监管框架终尘埃落定

Kevin Helm... 5小时前

毕马威:比特币等加密货币目前还不具备储存价值

DIGITAL CO... | 巴比特资讯 1天前

为什么银行业没有跟风收购加密创企?

ROBERT HAC... | 巴比特资讯 11-14

IMF持续关注区块链和加密货币,有望建立政策框架

William Su... | 巴比特资讯 11-14

机构投资者将如何改变数字货币市场?

Andrew Arn... 11-12

版权所有 © 清华大学五道口金融学院互联网金融实验室 | 京ICP备17044750号-1