But Freeman ruled that “May suffered economic harm because of third-party scammers’ fraudulent inducement, not Google’s omission or misrepresentation.”
Additionally, May failed to show that Google had any duty to refund customers after Google cited Target and Walmart policies to show that it’s common to refuse refunds.
Scam victims did not use gift card “as designed”
Freeman mostly sided with Google, deciding that the company engaged in no unfair practices, while noting that May had not used the gift cards “in their designed way.” The judge also agreed with Google that May’s funds were not considered stolen at the time she purchased the gift cards, because May still controlled the funds at that point in time.
Additionally, May’s attempt to argue that Google has the technology to detect scams failed, Freeman wrote, because May couldn’t prove that Google deployed that technology when her particular scam purchases were made. Even after May argued that she reported the theft to Google, Freeman wrote, May’s complaint failed because “there is no allegation that Google had a duty to investigate her report.”
Ultimately, May’s complaint “identifies no public policy suggesting Google has a duty to refund the scammed victims or that the harm of Google’s conduct outweighs any benefits,” Freeman concluded.
In her order, Freeman provided leave to amend some claims in the next 45 days, but Ars could not immediately reach May’s lawyer to confirm if the complaint would likely be amended. However, the judge notably dismissed a claim seeking triple damages because May’s complaint “failed to show a likelihood that May will be a victim of gift card scams again given her awareness of such scams,” which may deflate May’s interests to amend.
That particular part of the ruling may be especially frustrating for May, whose complaint was sparked by a claim that she never would have been victimized if Google had provided adequate warnings of scams.
Google did not immediately respond to Ars’ request to comment.
“Picture a massive football stadium filled with fans month after month,” Reichenstein wrote to Ars. In that stadium, he writes:
5 percent (max) have a two-week trial ticket
2 percent have a yearly ticket
0.5 percent have a monthly ticket
0.5 percent are buying “all-time” tickets
But even if every lifetime ticket buyer showed up at once, that’s 10 percent of the stadium, Reichenstein said. Even without full visibility of every APK—“and what is happening in China at all,” he wrote—iA can assume 90 percent of users are “climbing over the fence.”
“Long story short, that’s how you can end up with 50,000 users and only 1,000 paying you,” Reichenstein wrote in the blog post.
Piracy doesn’t just mean lost revenue, Reichenstein wrote, but also increased demands for support, feature requests, and chances for bad ratings from people who never pay. And it builds over time. “You sell less apps through the [Play Store], but pirated users keep coming in because pirate sites don’t have such reviews. Reviews don’t matter much if the app is free.”
The iA numbers on macOS hint at a roughly 10 percent piracy rate. On iOS, it’s “not 0%,” but it’s “very, very hard to say what the numbers are”; there is also no “reset trick” or trials offered there.
A possible future unfreezing
Reichenstein wrote in the post and to Ars that sharing these kinds of numbers can invite critique from other app developers, both armchair and experienced. He’s seen that happening on Mastodon, Hacker News, and X (formerly Twitter). But “critical people are useful,” he noted, and he’s OK with people working backward to figure out how much iA might have made. (Google did not offer comment on aspects of iA’s post outside discussing Drive access policy.)
iA suggests that it might bring back Writer on Android, perhaps in a business-to-business scenario with direct payments. For now, it’s a slab of history, albeit far less valuable to the metaphorical Darth Vader that froze it.
Five years ago, researchers made a grim discovery: a legitimate Android app in the Google Play market had been surreptitiously made malicious by a library its developers used to earn advertising revenue. That library infected the app with code that caused 100 million infected devices to connect to attacker-controlled servers and download secret payloads.
Now, history is repeating itself. Researchers from the same Moscow, Russia-based security firm reported Monday that they found two new apps, downloaded from Play 11 million times, that were infected with the same malware family. The researchers, from Kaspersky, believe a malicious software developer kit for integrating advertising capabilities is once again responsible.
Clever tradecraft
Software development kits, better known as SDKs, are bundles of code that provide developers with frameworks that can greatly speed up the app-creation process by streamlining repetitive tasks. An unverified SDK module incorporated into the apps ostensibly supported the display of ads. Behind the scenes, it provided a host of advanced methods for stealthy communication with malicious servers, where the apps would upload user data and download malicious code that could be executed and updated at any time.
The stealthy malware family in both campaigns is known as Necro. This time, some variants use techniques such as steganography, an obfuscation method rarely seen in mobile malware. Some variants also deploy clever tradecraft to deliver malicious code that can run with heightened system rights. Once devices are infected with this variant, they contact an attacker-controlled command-and-control server and send web requests containing encrypted JSON data that reports information about each compromised device and application hosting the module.
The server, in turn, returns a JSON response that contains a link to a PNG image and associated metadata that includes the image hash. If the malicious module installed on the infected device confirms the hash is correct, it downloads the image.
The SDK module “uses a very simple steganographic algorithm,” Kaspersky researchers explained in a separate post. “If the MD5 check is successful, it extracts the contents of the PNG file—the pixel values in the ARGB channels—using standard Android tools. Then the getPixel method returns a value whose least significant byte contains the blue channel of the image, and processing begins in the code.”
The researchers continued:
If we consider the blue channel of the image as a byte array of dimension 1, then the first four bytes of the image are the size of the encoded payload in Little Endian format (from the least significant byte to the most significant). Next, the payload of the specified size is recorded: this is a JAR file encoded with Base64, which is loaded after decoding via DexClassLoader. Coral SDK loads the sdk.fkgh.mvp.SdkEntry class in a JAR file using the native library libcoral.so. This library has been obfuscated using the OLLVM tool. The starting point, or entry point, for execution within the loaded class is the run method.
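The extraction step the researchers describe, reconstructed here as an added example for analysts (this is not Kaspersky’s code or the SDK module’s own code): given the ARGB ints that Android’s getPixel would return, it pulls the blue-channel bytes, reads the 4-byte little-endian length, Base64-decodes that many bytes and checks whether the result parses as a JAR. Function names and the sample pixels are my own construction; the class and library names from the write-up are not used.

```python
import base64
import io
import struct
import zipfile

ZIP_MAGIC = b"PK\x03\x04"  # a JAR is a ZIP archive


def blue_channel(argb_pixels):
    """Android getPixel() returns ARGB ints; the least significant byte is blue."""
    return bytes(p & 0xFF for p in argb_pixels)


def extract_stego_payload(argb_pixels):
    """Apply the scheme described in the write-up to a pixel array.

    Blue bytes: [4-byte little-endian length][Base64 text of that length][filler].
    Returns the decoded payload bytes, or None if the image does not fit the scheme.
    """
    data = blue_channel(argb_pixels)
    if len(data) < 4:
        return None
    (size,) = struct.unpack("<I", data[:4])
    # A benign image usually fails here: length zero or longer than the image.
    if size == 0 or size > len(data) - 4:
        return None
    try:
        return base64.b64decode(data[4:4 + size], validate=True)
    except ValueError:  # binascii.Error is a ValueError: the bytes are not Base64 text
        return None


def looks_like_jar(payload):
    """Check the ZIP magic and that the archive's contents parse."""
    if payload is None or not payload.startswith(ZIP_MAGIC):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(payload)) as zf:
            return zf.testzip() is None
    except zipfile.BadZipFile:
        return False


def build_sample_pixels():
    """Constructed test input (not a real sample): a tiny JAR hidden the way the write-up describes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("classes.dex", b"constructed placeholder, not real dex bytecode")
    encoded = base64.b64encode(buf.getvalue())
    blue = struct.pack("<I", len(encoded)) + encoded + b"\x00" * 16  # trailing filler
    # Pack each byte as the blue channel of an opaque pixel with arbitrary red/green values.
    return [0xFF000000 | ((i * 7 & 0xFF) << 16) | ((i * 13 & 0xFF) << 8) | b
            for i, b in enumerate(blue)]


if __name__ == "__main__":
    payload = extract_stego_payload(build_sample_pixels())
    print("payload is a JAR:", looks_like_jar(payload))
```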
Follow-on payloads that get installed download malicious plugins that can be mixed and matched for each infected device to perform a variety of different actions. One of the plugins allows code to run with elevated system rights. By default, Android bars privileged processes from using WebView, an extension in the OS for displaying webpages in apps. To bypass this safety restriction, Necro uses a hacking technique known as a reflection attack to create a separate instance of the WebView factory.
This plugin can also download and run other executable files that will replace links rendered through WebView. When running with the elevated system rights, these executables have the ability to modify URLs to add confirmation codes for paid subscriptions and download and execute code loaded at links controlled by the attacker. The researchers listed five separate payloads they encountered in their analysis of Necro.
The modular design of Necro opens myriad ways for the malware to behave. Kaspersky provided the following image as an overview.
The researchers found Necro in two Google Play apps. One was Wuta Camera, an app with 10 million downloads to date. Wuta Camera versions 6.3.2.148 through 6.3.6.148 contained the malicious SDK that infects apps. The app has since been updated to remove the malicious component. A separate app with roughly 1 million downloads—known as Max Browser—was also infected. That app is no longer available in Google Play.
The researchers also found Necro infecting a variety of Android apps available in alternative marketplaces. Those apps typically billed themselves as modified versions of legitimate apps such as Spotify, Minecraft, WhatsApp, Stumble Guys, Car Parking Multiplayer, and Melon Sandbox.
People who are concerned they may be infected by Necro should check their devices for the presence of indicators of compromise listed at the end of this writeup.
Google has sued two app developers based in China over an alleged scheme targeting 100,000 users globally over four years with at least 87 fraudulent cryptocurrency and other investor apps distributed through the Play Store.
The tech giant alleged that scammers lured victims with “promises of high returns” from “seemingly legitimate” apps offering investment opportunities in cryptocurrencies and other products. Commonly known as “pig-butchering schemes,” these scams displayed fake returns on investments, but when users went to withdraw the funds, they discovered they could not.
In some cases, Google alleged, developers would “double down on the scheme by requesting various fees and other payments from victims that were supposedly necessary for the victims to recover their principal investments and purported gains.”
Google accused the app developers—Yunfeng Sun (also known as “Alphonse Sun”) and Hongnam Cheung (also known as “Zhang Hongnim” and “Stanford Fischer”)—of conspiring to commit “hundreds of acts of wire fraud” to further “an unlawful pattern of racketeering activity” that siphoned up to $75,000 from each user successfully scammed.
Google was able to piece together the elaborate alleged scheme because the developers used a wide array of Google products and services to target victims, Google said, including Google Play, Voice, Workspace, and YouTube, breaching each one’s terms of service. Perhaps most notably, the Google Play Store’s developer program policies “forbid developers to upload to Google Play ‘apps that expose users to deceptive or harmful financial products and services,’ including harmful products and services ‘related to the management or investment of money and cryptocurrencies.’”
In addition to harming Google consumers, Google claimed that each product and service’s reputation would continue to be harmed unless the US district court in New York ordered a permanent injunction stopping developers from using any Google products or services.
“By using Google Play to conduct their fraud scheme,” scammers “have threatened the integrity of Google Play and the user experience,” Google alleged. “By using other Google products to support their scheme,” the scammers “also threaten the safety and integrity of those other products, including YouTube, Workspace, and Google Voice.”
Google’s lawsuit is the company’s most recent attempt to block fraudsters from targeting Google products by suing individuals directly, Bloomberg noted. Last year, Google sued five people accused of distributing a fake Bard AI chatbot that instead downloaded malware to Google users’ devices, Bloomberg reported.
How did the alleged Google Play scams work?
Google said that the accused developers “varied their approach from app to app” when allegedly trying to scam users out of thousands of dollars but primarily relied on three methods to lure victims.
The first method relied on sending text messages using Google Voice—such as “I am Sophia, do you remember me?” or “I miss you all the time, how are your parents Mike?”—“to convince the targeted victims that they were sent to the wrong number.” From there, the scammers would apparently establish “friendships” or “romantic relationships” with victims before moving the conversation to apps like WhatsApp, where they would “offer to guide the victim through the investment process, often reassuring the victim of any doubts they had about the apps.” These supposed friends, Google claimed, would “then disappear once the victim tried to withdraw funds.”
Another strategy allegedly employed by scammers relied on videos posted to platforms like YouTube, where fake investment opportunities would be promoted, promising “rates of return” as high as “two percent daily.”
The third tactic, Google said, pushed bogus affiliate marketing campaigns, promising users commissions for “signing up additional users.” These apps, Google claimed, were advertised on social media as “a guaranteed and easy way to earn money.”
Once a victim was drawn into using one of the fraudulent apps, “user interfaces sought to convince victims that they were maintaining balances on the app and that they were earning ‘returns’ on their investments,” Google said.
Occasionally, users would be allowed to withdraw small amounts, convincing them that it was safe to invest more money, but “later attempts to withdraw purported returns simply did not work.” And sometimes the scammers would “bilk” victims out of “even more money,” Google said, by requesting additional funds be submitted to make a withdrawal.
“Some demands” for additional funds, Google found, asked for anywhere “from 10 to 30 percent to cover purported commissions and/or taxes.” Victims, of course, “still did not receive their withdrawal requests even after these additional fees were paid,” Google said.
Which apps were removed from the Play Store?
Google tried to remove apps as soon as they were discovered to be fraudulent, but Google claimed that scammers concocted new aliases and infrastructure to “obfuscate their connection to suspended fraudulent apps.” Because scammers relied on so many different Google services, Google was able to connect the scheme to the accused developers through various business records.
Fraudulent apps named in the complaint include fake cryptocurrency exchanges called TionRT and SkypeWallet. To make the exchanges appear legitimate, scammers put out press releases on newswire services and created YouTube videos likely relying on actors to portray company leadership.
In one YouTube video promoting SkypeWallet, the supposed co-founder of Skype Coin uses the name “Romser Bennett,” which is the same name used for the supposed founder of another fraudulent app called OTCAI2.0, Google said. In each video, a completely different presumed hired actor plays the part of “Romser Bennett.” In other videos, Google found the exact same actor plays an engineer named “Rodriguez” for one app and a technical leader named “William Bryant” for another app.
Another fraudulent app that was flagged by Google was called the Starlight app. Promoted on TikTok and Instagram, Google said, that app promised “that users could earn commissions by simply watching videos.”
The Starlight app was downloaded approximately 23,000 times and seemingly primarily targeted users in Ghana, allegedly scamming at least 6,000 Ghanaian users out of initial investment capital that they were told was required before they could start earning money on the app.
Across all 87 fraudulent apps that Google has removed, Google estimated that approximately 100,000 users were victimized, including approximately 8,700 in the United States.
Currently, Google is not aware of any live apps in the Play Store connected to the alleged scheme, the complaint said, but scammers intent on furthering the scheme “will continue to harm Google and Google Play users” without a permanent injunction, Google warned.
One of the neatest features of the Play Store is remote app installation. If you have multiple devices signed in to the same Google account, the Play Store’s “install” button will let you pick any of those devices as an installation target. If you find an app you like, it’s great to queue up installs on your phone, watch, TV, tablet, laptop, and car, all from a single device. It makes sense, then, that you might want to be able to uninstall apps from all your devices, too.
The new feature coming to the Play Store will let you do exactly that: remote uninstalls from any device on your account. The first sign of the feature is in the latest Android patch notes, which list a “New feature to help you uninstall apps on connected devices.” It doesn’t seem like this has been activated yet, but news site TheSpAndroid has photos of the feature, showing what you would expect. Opening the Play Store and uninstalling an app will bring up a list of devices, just like installing does now.
It might not look like it, but under the hood, all installs from the Play Store happen via Android’s push notification system. By default, the press of the Play Store install button requests Google to send an app push to your current device, but there’s no need for the target device of a remote app install to be turned on and unlocked. Just like any other push notification, when the device connects to the Internet and sees the push, it will wake up and do whatever business it needs to do—usually, that’s “show a message and beep,” but in this case, that business is “install an app.” Google has slowly exposed its remote install functionality to the world, first with the Android Market (now Play Store) website in 2011. It took 11 years for a similar feature to come to the Play Store phone app.
Uninstalls can also work via the push notification system. Today’s news marks the first time this feature has been exposed to users, but remote uninstalls have been around for as long as remote installs. Google can trigger the remote uninstall feature without user consent, and it occasionally uses this feature to remotely mass-uninstall malware from all Play Store devices. Users are finally getting a button to do this themselves.