Android security question (visited hacked website...)

[tbessie]

Hey folks, question for you...

A website I use from time to time appears to have been compromised by hackers (it redirected to a Russian website and started downloading an APK). I have told the website owners and they've fixed it.

A glutton for punishment (and because I couldn't believe the site had been hacked), I visited the site several times using my Nexus 5, to make sure this was actually happening. The download seems to have started a few times, but may have completed at one point (I think the phone asked me "Are you sure you want to download this file? It potentially contains malware" or something along those lines - this was a few weeks ago, so I don't remember everything I did).

My question is this - I had enabled installation of APKs that I didn't get from the Android store (since re-disabled). In a situation like what I described, can a download from a website *force* an installation of a malicious APK? I believe I answered "no" to Android's question about if I wanted to download the file, but if I had said "yes" by accident, would I still see some kind of installation method?

I ran a couple of anti-malware checkers on the phone afterwards, and they found nothing.

I'm just getting paranoid, so wanted to check here to see if anyone's experienced this before, and what I should expect my phone to have told me in a case like this.

- Tim

 

[Sandgoose]

I don't think a site can force you to run an apk? do you have sideloading enabled? if not as far as it would get anyway would be the prompt "enable sideloading blab blah in options"

if you are really still not sure about it just nuke the site from orbit, the only way to be sure (by which I mean backup your stuff and do a factory reset)

 

[tbessie]

I don't think a site can force you to run an apk? do you have sideloading enabled? if not as far as it would get anyway would be the prompt "enable sideloading blab blah in options"

if you are really still not sure about it just nuke the site from orbit, the only way to be sure (by which I mean backup your stuff and do a factory reset)

I had "Unknown Sources" enabled at the time - if that's what you mean by sideloading, then yes (tho' I've since turned it off).

I'm hoping to avoid a factory reset, since it took me a million years to set up the damn thing originally.

That's why I was wondering if antimalware apps would likely detect it, or if I should see anything in the browser Downloads folder, or see a new installed app in the app list, etc. I guess sufficiently advanced malware could hide all traces of its exploits, eh?

- Tim

 

[funkylogik]

You would have to accept installation for it to do any harm so unless you might have hit "yes" at the installation screen theres nothing to worry about.
you could have a look through the application manager to see if theres anything that looks like it shouldnt be there and google the app name

 

[codesplice]

You would have to accept installation for it to do any harm so unless you might have hit "yes" at the installation screen theres nothing to worry about.
you could have a look through the application manager to see if theres anything that looks like it shouldnt be there and google the app name

This. Even if a site can automatically download an APK, you still have to click the Install button - and that's only after you've allowed installing apps from unknown sources.

 

[funkylogik]

Android is really safe in that respect
Just had a thought. If youre worried about the apk, it should be in your sdcard/download folder so use a file explorer to go in there and delete it

 

[tbessie]

Android is really safe in that respect
Just had a thought. If youre worried about the apk, it should be in your sdcard/download folder so use a file explorer to go in there and delete it

Definitely nothing there. I asked over at Brighthand, tho' (where many old-timers like me hang out), and the moderator suggested that even if it doesn't seem like anything has been installed, for all I know there could be some "harmless-seeming" app that "activates" code sitting in the browser cache or something like that. This kind of thing has been discussed online (I've read some articles about it); some have recommended being better-safe-than-sorry and factory resetting, but I shudder to think of starting from scratch (I have a LOT of apps and settings, many of which I can't back-up).

- Tim

 

[Rxpert83]

Is the phone rooted?

FDR is my first suggestion as well if you're really worried about malware. Better yet, a fresh install of a factory image.

 

[funkylogik]

To me that sounds like misinformed scaremongering Tim. Android is very different to windows but then im very relaxed when it comes to security.
The way i see it, on an unrooted phone, malware has nowhere to hide :thumbup:

 

[Rxpert83]

The way i see it, on an unrooted phone, malware has nowhere to hide :thumbup:

That assumes it doesn't use an exploit to gain root, but I agree.

 

[funkylogik]

^ what he said lol

 

[tbessie]

Is the phone rooted?

FDR is my first suggestion as well if you're really worried about malware. Better yet, a fresh install of a factory image.

Not rooted, no. Probably not being rooted is better in a case like this, eh? (no chance of malware getting into system files etc?).

 

[tbessie]

That assumes it doesn't use an exploit to gain root, but I agree.

Hmm - are there exploits to gain root on an unrooted phone with a locked bootloader? I thought that was impossible (even on a Nexus 5).

 

[funkylogik]

I think root can still be gained on a locked device but I also think rxpert was just playin with us and the odds of that happening are negligible

 

[Rxpert83]

I think root can still be gained on a locked device but I also think rxpert was just playin with us and the odds of that happening are negligible

There are certainly software level root exploits.

That's how all the one click root apps work(ed). Most known exploits are patched as time goes on, but it depends on how up to date your phone is.

In reality, the chances of that are pretty low.