[harikb]

Installing an app that silently intercepts SMS/MMS data is a persistent technical compromise. Once the app is there, the attacker has ongoing access.

In contrast, convincing someone to read an OTP over the phone is a one-time manual bypass. To use your logic..

A insalled app - Like a hidden camera in a room.

Social engineering over phone - Like convincing someone to leave the door unlocked once.

[JoshTriplett]

> Installing an app that silently intercepts SMS/MMS data is a persistent technical compromise. Once the app is there, the attacker has ongoing access.

The motivating example as described involves "giving the scammer everything they need to drain the account". Once they've drained the account, they don't need ongoing access.

[jyoung8607]

Persistence allows the scammer free license to attempt password recoveries for every account the victim could possibly have. Other banks, retirement accounts, the victim's email account.

[TeMPOraL]

Scammer that thrive are greedy, but not too greedy. Easier to break into one type of account for 10 victims, than to break into 10 different account of one victim. Persistence is risk.

[sdenton4]

When the victim's relatives send them money because they need to eat and pay rent after handing everything over to the scammer, the persistent backdoor lets that money be drained as well... You're underestimating the persistence and ruthlessness of the scammers.

[array_key_first]

This is still not a root cause solution, it's just a mitigation. Because you do not require side loading to install malware. The play store and apple app store both contain malware, as well as apps which can be used for nefarious purposes, such as remote desktop.

A root cause solution is proper sandboxing. Google and apple will not do this, because they rely on applications have far too much access to make their money.

One of the fundamentals of security is that applications should use the minimum data and access they need to operate. Apple and Google break this with every piece of software they make. The disease is spreading from the inside out. Putting a shitty lotion on top won't fix this.

[TeMPOraL]

> A root cause solution is proper sandboxing. Google and apple will not do this, because they rely on applications have far too much access to make their money.

Oh they do this quite well. Thing is, these sandboxes are meant to protect apps from you, not the other way around. That's why some apps - not just platform vendor apps but also select third-party apps - get special access and elevated privileges, while you can't even see what data they store in `/storage/emulated/0/android/data` even with ADB trickery.

[NewsaHackO]

>The play store and apple app store both contain malware

Wow, that a major claim. What apps are malware, exactly?

>This is still not a root cause solution, it's just a mitigation.

Requiring signed apps solves the issue though, as it provides identification of whoever is running the scam and a method for remuneration or prosecution.

[deaux]

https://peabee.substack.com/p/everyone-knows-what-apps-you-u...

This has been going on for years, Google knows about it, and intentionally leaves it unfixed.

> Out of 47 Indian apps I randomly analyzed, 31 of them used the "ACTION_MAIN" filter - giving them access to see all the apps on your phone without any disclosure. That's 2 out of 3 apps.

Of course there's hundreds of other variants of malware, this is just one of the most prevalent.

[NewsaHackO]

>giving them access to see all the apps on your phone without any disclosure.

That is not true, as those apps declare that they collect app activity data in their Play Store page though.

[deaux]

No they don't? The whole article is about the fact that they're using a loophole. I just checked Zomato's Play Store page, it doesn't say it collects "other installed apps", which is what it should be saying. For example, one of the other listed apps does have this. That's what it should be listing: "Installed apps".

[NewsaHackO]

I'm sorry, I gave you too much credit. Is your argument that the "ACTION_MAIN" intent filter somehow gives you access to all installed apps? Do you have any reasoning or Google API documentation to support this?

[array_key_first]

> Wow, that a major claim. What apps are malware, exactly?

I don't understand how this is a major claim at all, it should be obvious. All repositories of large enough sizes contain malware because malware doesn't declare itself as malware.

This is exacerbated by the fact the Google Play Store and Apple App Store allow closed-source applications. It's much easier to validate behavior on things like the Debian repos, where maintainers can, and do, audit the source code.

Google does not have a magic "is this malware" algorithm, that doesn't exist. They rely on heuristics and things like asking the authors "hey is this malware". As you can imagine, this isn't very effective. They don't even install and test the apps fully. Not that it matters much, obviously malware can easily change it's behavior to not be detectable from the end-user just running the app.

> Requiring signed apps solves the issue though, as it provides identification of whoever is running the scam and a method for remuneration or prosecution.

It doesn't, for three reasons:

1. Identifying an app doesn't magically make it not malware. I can tell you "hey I made this app" and you still have zero idea if it's malware. This is still a post mitigation. Meaning, if we somehow know an app is malware, we can find out who wrote it. It doesn't do the "is this malware" part of the mitigation, which is the most important part.

2. Bad actors typically have little allegiance to ethics, meaning they typically will not be honest about their identity. There are criminal organizations which operate in meatspace and fake their identities, which is 1000x harder than doing it online. Most malware will not have a legitimate identity tacked to it.

3. Bad actors typically come from countries which don't prosecute them as hard. So, even if you find out if something is malware, and then find out the actual people behind it, you typically can't prosecute them. Even large online services like the Silk Road lasted for a long time, and most likely still do exist, even despite the literal US federal government trying to stop them.

[NewsaHackO]

A lot of what you said in the second portion isn't at all true (for instance, Google definitely doesn't just ask the author if what they are uploading is malware as a sole check if an app is malware). But I don't think we can even continue the discussion until you prove the "obvious" assertion that there are apps in the Play Store that are malware. So I am going to ask again: give a single name of an app currently in the Play Store that is malware. We are not talking about Apple, but I will extend it so that you can give an app in the Apple App Store that is malware as well.

Let me know when you can provide a single specific name.

[array_key_first]

I never said it was a sole check, I said it was a check. The reality is that app is not thoroughly tested and, even if it was, this would not catch all malware because, again, it's trivial to write malware that can pass a review period and flip on later.

First Google search https://www.malwarebytes.com/blog/news/2025/08/77-malicious-...

Here's 77 found by researchers and then removed. Relying on researchers to find malware isn't a very good bet.

If I were a betting man, I would say there are thousands of apps on the play store that you can classify as malware.

We will never know the true number because one of the primary goals of malware is to be as difficult to detect as possible. They're not going to declare they're malware, duh.

If you know of some algorithm to detect malware, I'd love to hear it. Evidently even trillion dollar companies cannot come up with one. To this day, the best way to detect malware is source code analysis and thorough behavior testing.

Google and Apple do neither. Those are just the facts. Do with that what you will, I don't care.

[NewsaHackO]

That is actually hilarious, did you actually read the MO of those Apps?

>The core payload has been updated to incorporate a new keylogger variant of Anatsa. Additionally, the malware utilizes a well-known Android APK ZIP obfuscator for enhanced evasion. The DEX payload is concealed within a JSON file, which is dynamically dropped at runtime and promptly deleted after being loaded.

I wonder if there is anything that Google can do to prevent this specific attack. :)

[hulitu]

> Installing an app that silently intercepts SMS/MMS data is a persistent technical compromise.

Why would an app silently intercepts SMS/MMS data ? Why does an app needs network access ?

Running untrusted code in your browser is also "a persistent technical compromise" but nobody seems to care.