Comment on Shopping app Temu is “dangerous malware,” spying on your texts, U.S. lawsuit claims
smeg@feddit.uk 5 months ago
Once installed, Temu can recompile itself and change properties, including overriding the data privacy settings users believe they have in place
If this is actually possible then isn’t that a huge security vulnerability in Android and/or iOS? I feel if this was the case we’d be hearing about it from security researchers rather than a lawyer.
Thevenin@beehaw.org 5 months ago
I’d believe it because I remember the same being true for TikTok.
I don’t have the links on me right now, but I remember clearly that when tiktok was new, engineers trying to figure out what data it collected found that the app could recognize when it was being observed, and would “rewite” itself to evade detection.
They noted that they’d never seen this outside of sophisticated malware, and doubted that a social media company had the resources to write such a program.
jarfil@beehaw.org 5 months ago
Em… writing a different manifest and asking the OS to reinstall itself, is not rocket science. Detecting that it’s running in a testing environment and not asking for permission to access some types of data, is also quite easy. Downloading a different update or modules depending on which device and environment it gets installed to, is basic functionality.
It’s still sneaky behavior and a dark pattern, but come on.
t3rmit3@beehaw.org 5 months ago
Uh, as someone who does malware analysis, sandbox detection is not easy, and is certainly not something that a non-malware-developer/analyst knows how to do. This isn’t 2005 where sandboxes are listing their names in the registry/ system config files.
jarfil@beehaw.org 5 months ago
I haven’t done sandbox detection for some years now, but around 2020, it was already “difficult” as in hard to write from scratch… yet already skid easy as in “copy+paste” from something that does it already. Surely newer sandboxes take more stuff into account, but at the same time more detection examples get published, simply advancing the starting point.
So maybe TikTok has a few people focused on it, possibly with some CI tests for several sandboxes. I don’t think it’s particularly hard to do 🤷
Thevenin@beehaw.org 5 months ago
I found at least one of the posts, and you’re right, that’s not really what impressed them. It just stuck with me because I’m a hardware girl.
jarfil@beehaw.org 5 months ago
There is some irony to be had, in discussing this stuff on a page that starts by asking me to login, then to be good and disable my ad blocker, only to proceed with keeping half the text of the article as images so you can’t copy+paste it… and even all the comments!
Anyhow…
Thanks for telling us where you got the link from, I didn’t care really.
Static backup (possibly): archive.is/UD2SA
Check out: amiunique.org/fingerprint
No app needed!
Using that as a baseline… the CPU type, memory usage, disk space, etc. are some extra data points freely available to all apps.
A developer can distribute an app with multiple versions, some targeting more modern and capable devices, some older and more limited.
It’s a feature, not a bug.
This is overreaching for an app that has nothing to do with managing other apps. Still, you may want some app with those capabilities… so let’s call it “sus”.
Your IP is… well, you’re using it to connect, they will see it, duh.
The rest is overreaching and comes into PI violation terrain, but can be used for geo location… the OS does it, that’s the data it uses to fine-tune the GPS’s location.
Typical feature for banking ad DRM protected apps. Nothing to see here.
Best answered by a comment [1] (SEE BELOW).
TL;DR: more DRM stuff.
This is somewhat sus, but a local proxy by itself, doesn’t mean any sort of risk, or that it could be exploited.
For example, Tor can be accessed using a local proxy (although VPN mode is safer).
Not exactly. It’s how feature flags, and remote testing/debugging works too.
This is worse (why do the use a custom OLLVM fork?), and obfuscation usually means they have something to hide. It’s the opposite of security for the user.
Not good, but unfortunately allowed. That behavior is shared by both DRM protected software, and malware.
False. There are two legitimate reasons: plugins, and DLCs.
It can be used for shady stuff, but is also a “feature, not a bug”.
Well, that’s just stupid, there is zero reason to send data unencrypted.
Ehm… this is the correct behavior. See previous point.
Sus… but see the introductory part of this comment. Should boredpanda also be banned?
This is bad, and a reason to use FLOSS apps… but since it’s been an accepted behavior for Privative Software, along with DRM… don’t blame the player, blame the game.
No, seriously, blame the DMCA and friends. There is no way to at the same time “enforce DRM, keep the keys at a trusted party, and keep users secure”… so the current situation is “you get none of those”.
[1]