Security firm Symantec has discovered a counterfeit version of the encrypted messaging app Telegram, with malware built on the open source code. The fake app, Teligram, which was freely available on the Google Play Store, uses similar branding and app store listings to trick users into installing malware on their devices and to hijack their data. More information can be found here.
Commenting on this, John Kozyrakis, applied research lead at Synopsys, said: “The issue here is ‘impostor apps’ uploaded to Google Play; lookalike apps that have some extra, and possibly malicious, functionality added. Whether an application is open source or not has very little relevance. Impostor apps are regularly created and uploaded for closed source apps as well. It is quite easy to create an impostor app of any closed-source mobile application and upload it to Google Play. If the source is openly available, the process is just slightly easier.
Removing impostor apps is a tricky problem for Google, as they need to have ways to identify if a lookalike is actually an impostor or a different legitimate application. While it is a hard problem, Google can certainly do more to catch these earlier on, for example via code similarity measurements.
Applications that want to protect themselves against such attacks can do a few things, which are, however, not related to how secure the actual code of the application is:
- Open source projects could create verifiable builds and publish their hashes.
- They could train users to only download their application from the correct Google Play listing under their official developer account.
- They could monitor the application store using specialized services to quickly identify lookalikes and report them to Google for removal.
- They could try to implement some application integrity checks and monitor the applications using their APIs in an attempt to identify unofficial applications using them. One way to do this is via Google’s SafetyNet Attestation service. Synopsys has helped several clients implement such checks into their applications.”
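A server-side sketch of the integrity check mentioned in the last bullet, as an added example that is not from the article, Symantec or Synopsys: it inspects the claims of a SafetyNet attestation response and rejects a client whose package name or signing-certificate digest differs from the official build. The package name, digests, nonce and sample tokens are constructed, and verification of the JWS signature and certificate chain is assumed to have happened before these checks.

```python
import base64, hashlib, hmac, json

# Assumptions: a hypothetical package name and a constructed signing-cert digest.
EXPECTED_PACKAGE = "org.example.messenger"
EXPECTED_CERT_DIGEST = base64.b64encode(hashlib.sha256(b"constructed official cert").digest()).decode()

def decode_payload(jws: str) -> dict:
    """Decode the payload (middle segment) of a compact JWS. Signature and
    certificate-chain verification are assumed to have been done already."""
    segment = jws.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))

def check_attestation(claims: dict, expected_nonce: bytes) -> list:
    """Return the reasons to reject the client; an empty list means accept."""
    problems = []
    try:
        nonce = base64.b64decode(claims.get("nonce", ""))
    except (ValueError, TypeError):
        nonce = b""
    if not hmac.compare_digest(nonce, expected_nonce):
        problems.append("nonce mismatch")  # stale or replayed response
    if claims.get("apkPackageName") != EXPECTED_PACKAGE:
        problems.append("unexpected package name")
    if EXPECTED_CERT_DIGEST not in claims.get("apkCertificateDigestSha256", []):
        problems.append("not signed with the official certificate")
    if claims.get("basicIntegrity") is not True:
        problems.append("basicIntegrity failed")
    if claims.get("ctsProfileMatch") is not True:
        problems.append("ctsProfileMatch failed")
    return problems

def constructed_jws(claims: dict) -> str:
    """Build an unsigned, constructed sample token for the demonstration."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "RS256"}), enc(claims), "c2ln"])

# Constructed sample claims: the official build and a lookalike signed with another key.
NONCE = b"server-issued-nonce-0001"
GENUINE = {"nonce": base64.b64encode(NONCE).decode(), "apkPackageName": EXPECTED_PACKAGE,
           "apkCertificateDigestSha256": [EXPECTED_CERT_DIGEST],
           "basicIntegrity": True, "ctsProfileMatch": True}
OTHER_CERT = base64.b64encode(hashlib.sha256(b"constructed impostor cert").digest()).decode()
IMPOSTOR = dict(GENUINE, apkPackageName="org.example.mesenger", apkCertificateDigestSha256=[OTHER_CERT])

if __name__ == "__main__":
    for name, claims in (("genuine", GENUINE), ("impostor", IMPOSTOR)):
        print(name, check_attestation(decode_payload(constructed_jws(claims)), NONCE))
```

The certificate digest is the claim that matters most against a lookalike: an impostor can copy a package name in a sideloaded build, but it cannot sign with the official developer's key.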