Home > Cloud Computing, Cloud Security, Virtualization, Virtualization Security > App Stores: From Mobile Platforms To VMs – Ripe For Abuse

App Stores: From Mobile Platforms To VMs – Ripe For Abuse

Android Market

Image via Wikipedia

This CNN article titled “Google pulls 21 apps in Android malware scare” describes an alarming trend in which malicious code is embedded in applications which are made available for download and use on mobile platforms:

Google has just pulled 21 popular free apps from the Android Market. According to the company, the apps are malware aimed at getting root access to the user’s device, gathering a wide range of available data, and downloading more code to it without the user’s knowledge.

Although Google has swiftly removed the apps after being notified (by the ever-vigilant “Android Police” bloggers), the apps in question have already been downloaded by at least 50,000 Android users.

The apps are particularly insidious because they look just like knockoff versions of already popular apps. For example, there’s an app called simply “Chess.” The user would download what he’d assume to be a chess game, only to be presented with a very different sort of app.

Wow, 50,000 downloads.  Most of those folks are likely blissfully unaware they are owned.

In my Cloudifornication presentation, I highlighted that the same potential for abuse exists for “virtual appliances” which can be uploaded for public consumption to app stores and VM repositories such as those from VMware and Amazon Web Services:

The feasibility for this vector was deftly demonstrated shortly afterward by the guys at SensePost (Clobbering the Cloud, Blackhat) who showed the experiment of uploading a non-malicious “phone home” VM to AWS which was promptly downloaded and launched…

This is going to be a big problem in the mobile space and potentially just as impacting in cloud/virtual datacenters as people routinely download and put into production virtual machines/virtual appliances, the provenance and integrity of which are questionable.  Who’s going to police these stores?

(update: I loved Christian Reilly’s comment on Twitter regarding this: “Using a public AMI is the equivalent of sharing a syringe”)


Enhanced by Zemanta
  1. March 2nd, 2011 at 08:11 | #1

    It took about 10 years to teach people not to download and install .exe files on their desktops, and people still do it. Installing a public virtual appliance or Android app is going to be just as risky and it will probably take users only half as long to fix their behavior.

    For public virtual appliances, the only answer is to either download signed virtual appliances from vendors directly, or perhaps to sandbox and use behavioral approaches to spotting bad behavior. But if you have to do that, what's the point of using the VA vs building your own in the first place?

    Time to pub ebay reputation-style mechanics in play for publishers of VAs, maybe.

    Nice post.

  2. Jeremy Jarvis
    March 2nd, 2011 at 09:42 | #2

    Interesting post, thanks Chris. Stimulated some good debate on twitter. IMV chain of trust plays a big part and we'll see innovation along those lines, whether signing images with certs and/or community rating mechanisms.

  3. March 2nd, 2011 at 10:57 | #3

    To expand on Jeremy's comment, I would like to point out that a basic form of chain of trust already exists in major public IaaS clouds that have a notion of catalog of customer-contributed and shareable VM templates – for example, when run against a given EC2 region, "ec2dim -o 099720109477" command will return a list of images created by Canonical, creator of Ubuntu Linux distro, in this particular region.

    Of course the current system is not yet perfect, at times not automated end-to-end (for example, I needed to go to Ubuntu website to find their AWS account ID) and does not yet sufficiently deal with all potential risks, but it's a start.

  4. March 6th, 2011 at 19:09 | #4

    I'm absolutely in favor of what is trying to be put across in this blog post. People will never learn unless they face the same problem. I feel fortunate to have stumbled across this post. The idea is put forward in a nice way easy for people from all walks of life to understand. Thanks for this wonderful share.

  1. No trackbacks yet.