The title of this article contains a question that has been asked in various forms millions of times over the years. The reason the same question is still asked countless times today is simple: the answer, if there is one, is never true for long, even if we assume it was true to begin with. So what’s wrong with asking?
By receiving and sharing advice, people can benefit from the experiences of others without ever having to suffer the consequences of mistakes they themselves make.
While that’s a great theory and a nice thought, it’s no substitute for knowing that today’s disaster is your fault. What’s even worse is letting strangers on the internet make important decisions for you and then having to live with the consequences of their bad advice, knowing that you’re the one to blame.
Stay safe, trust no one
A typical example is “online safety.” According to Google’s autocomplete, this is a common question when people want to download anything, from music to PC games to general software and Android APKs.
Anyone who searched for the “safest site” to “download MP3s for free” today, ignored the copyright concerns and skipped the first few results linking to legal services, may have landed on a site listing a few YouTube download services. The “recommended” option at the top of that list, however, was to install free software that “supposedly” downloads from Spotify.
The EXE file did not trigger any alerts when scanned with Windows Defender, Malwarebytes and Bitdefender. A remote scan with a handful of online security tools painted a different picture.
The decision not to install the software turned out to be a good one. As a rule, installing any kind of software from unknown websites should be avoided, and here any benefit would have been outweighed tenfold by what came next.
Beware of deception
While the Baader-Meinhof phenomenon might explain the “unusually” large number of people asking about the “safest site” this week, they were certainly there: on X, Reddit, and other platforms, searching for everything from manga to mainstream movies.
As usual, the answers to this impossible question varied. Usually, one or another website that is currently trending is mentioned. That happened once this week, and that was the end of the chat.
On rare occasions, someone will take the time to point out that research is recommended, but to many people, that sounds like a tedious way to avoid getting instant content. Unfortunately, we didn’t hear any of that this week.
Although this is frowned upon these days, occasionally someone will post a link to a site. In one case last week, someone posted a direct link to an Android APK.
In response to this post, a seemingly unaffiliated user agreed that this particular app has access to everything and helpfully provided a link to a site where all of these details were available. This included the name of the app, a nice logo, its file size (around 30MB), version number, package name, and operating system version compatibility details.
As the author pointed out, the page also listed all the relevant file hashes and a signature, so potential users could perform every check needed to confirm that the page was 100% safe. How many people actually check these things is unknown, but in this case the listed hash pointed to the VirusTotal entry for an app that was perfectly fine. The APK the site actually served, however, had a completely different hash.
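The mismatch described above is exactly what a hash check is meant to catch: the page lists digests for one file and serves another. The following is an added example, not code from the article or from any of the sites it mentions. It assumes nothing about the real app; the two payloads are constructed byte strings that merely stand in for the known-good build and the served file, and the hashes "published" on the page are computed from the known-good one.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path

# Constructed sample payloads: one stands in for the APK that VirusTotal
# already knows, the other for the file the download site actually serves.
# Neither is a real APK; only the bytes need to differ.
KNOWN_GOOD_APK = b"PK\x03\x04 constructed bytes of the known-good app"
SERVED_APK = b"PK\x03\x04 constructed bytes of the file the site served"


def file_digests(path, algorithms=("md5", "sha1", "sha256")):
    """Stream the file once and return {algorithm: hex digest}.
    Download pages commonly list several algorithms; compute all of them."""
    hashers = {alg: hashlib.new(alg) for alg in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            for h in hashers.values():
                h.update(chunk)
    return {alg: h.hexdigest() for alg, h in hashers.items()}


def verify_download(path, published):
    """Compare the downloaded file against the hashes the page publishes.

    `published` is {algorithm: hex string} copied from the download page.
    Returns (ok, mismatches). Every listed algorithm must match; a single
    mismatch means the served file is not the one the page describes.
    """
    actual = file_digests(path, tuple(published))
    mismatches = {}
    for alg, expected in published.items():
        expected = expected.strip().lower()
        if not hmac.compare_digest(expected, actual[alg]):
            mismatches[alg] = {"published": expected, "actual": actual[alg]}
    return (not mismatches, mismatches)


def demo():
    """Reproduce the article's situation with the constructed files above."""
    with tempfile.TemporaryDirectory() as tmp:
        known_good = Path(tmp, "known_good.apk")
        known_good.write_bytes(KNOWN_GOOD_APK)
        served = Path(tmp, "served.apk")
        served.write_bytes(SERVED_APK)

        # The page lists the hashes of the known-good build...
        published = file_digests(known_good)
        # ...but the link on that same page hands out a different file.
        good_ok, _ = verify_download(known_good, published)
        served_ok, mismatches = verify_download(served, published)
        return {
            "known_good_ok": good_ok,
            "served_ok": served_ok,
            "served_mismatches": mismatches,
            "published_sha256": published["sha256"],
        }


if __name__ == "__main__":
    result = demo()
    print("known-good file matches published hashes:", result["known_good_ok"])
    print("served file matches published hashes:", result["served_ok"])
    for alg, pair in result["served_mismatches"].items():
        print(f"  {alg}: page says {pair['published']}, file is {pair['actual']}")
```

The point of comparing every listed algorithm, not just one, is that a page which copies the hashes of a clean build will fail on all of them at once; a page that matches on one algorithm and fails on another is a different kind of red flag. Either way, the only digest that matters is the one computed locally from the bytes you actually received.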
Pirated copies still available… Good?
Many people believe that if an app works, it’s always a good sign. However, the reality is that if an app doesn’t work, people will uninstall it, and that’s the last thing nefarious app distributors want.
In this case, the app worked, albeit in an isolated analysis environment. Normally it would have been installed on an Android phone, where it would have worked very well indeed.
F-Secure explains: An SMS worm is a type of worm that distributes copies of itself to new victims – in this case, mobile phones – via the Short Messaging System (SMS) of cellular networks. An SMS worm may be able to automatically send a copy of itself to every contact listed in the mobile phone’s contact list.
Alternatively, the SMS may contain a link to a website. By clicking on this link, the user may inadvertently download the worm’s executable code to their mobile phone, thus infecting themselves. For this method to work, the mobile phone must have Internet access.
Other mildly worrying behavior included an attempt to collect all hostnames on the local network, presumably just to check what other services might be available. Just out of curiosity? Probably not.
At some point, the app attempted to connect to an IP address and domain name that was recorded as being associated with Hola/Luminati, suggesting that devices could later become part of a network where the user’s connection could be used by someone else.
There is no indication that these services are aware of the malicious software. That is a trait they probably share with people who install any Android software without knowing beforehand what it does, even though finding out costs nothing.
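The two behaviors described above, a sweep of the local network and a connection to infrastructure tied to a proxy network, are the kind of thing a sandbox's network capture makes visible. Below is an added example of the detection logic a defender might run over such a capture; it is not code from the article or from any of the tools it lists. The log lines are constructed, the log format is invented for the example, and the watchlist entries are placeholders (a TEST-NET address and a `.example` domain), not the real Hola/Luminati indicators, which the article does not publish.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sandbox network log (not the article's real capture). Format:
#   <seconds> <proto> <src ip>:<port> -> <dst host or ip>[:port]
SAMPLE_LOG = """\
0.5 tcp 10.0.0.5:41000 -> 10.0.0.1:445
0.6 tcp 10.0.0.5:41001 -> 10.0.0.2:445
0.6 tcp 10.0.0.5:41002 -> 10.0.0.3:445
0.7 tcp 10.0.0.5:41003 -> 10.0.0.4:445
0.8 tcp 10.0.0.5:41004 -> 10.0.0.6:445
0.9 tcp 10.0.0.5:41005 -> 10.0.0.7:445
3.0 tcp 10.0.0.5:41006 -> 198.51.100.7:443
3.2 dns 10.0.0.5:5353 -> proxy-network.example
3.3 tcp 10.0.0.5:41007 -> 203.0.113.10:443
"""

# Placeholder watchlist. A real one would carry the proxy/residential-network
# indicators from your own threat-intelligence source; these values are made up.
PROXY_NETWORK_WATCHLIST = {
    "domains": {"proxy-network.example"},
    "ips": {ipaddress.ip_address("203.0.113.10")},
}

LINE_RE = re.compile(
    r"^(?P<ts>[\d.]+)\s+(?P<proto>\w+)\s+(?P<src>[\d.]+):\d+\s+->\s+"
    r"(?P<dst>[^:\s]+)(?::(?P<port>\d+))?$"
)


def parse_log(text):
    """Turn the constructed log into event dicts; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": float(m["ts"]),
            "proto": m["proto"],
            "src": ipaddress.ip_address(m["src"]),
            "dst": m["dst"],  # hostname or IP literal, resolved below
            "port": int(m["port"]) if m["port"] else None,
        })
    return events


def detect_local_sweep(events, min_hosts=5, window=5.0):
    """Flag a source that contacts many distinct hosts on its own /24 within
    `window` seconds: a host sweep looks like this whatever the protocol."""
    per_src = defaultdict(list)
    for ev in events:
        try:
            dst = ipaddress.ip_address(ev["dst"])
        except ValueError:
            continue  # a hostname, not an address on the local segment
        local_net = ipaddress.ip_network(f"{ev['src']}/24", strict=False)
        if dst in local_net and dst != ev["src"]:
            per_src[ev["src"]].append((ev["ts"], dst, ev["port"]))

    findings = []
    for src, hits in per_src.items():
        hits.sort(key=lambda h: h[0])
        for start_ts, _, _ in hits:
            in_window = [h for h in hits if start_ts <= h[0] <= start_ts + window]
            hosts = {h[1] for h in in_window}
            if len(hosts) >= min_hosts:
                findings.append({
                    "type": "local_network_sweep",
                    "src": str(src),
                    "distinct_hosts": len(hosts),
                    "ports": sorted({h[2] for h in in_window if h[2] is not None}),
                })
                break  # one finding per source is enough
    return findings


def detect_watchlist_contact(events, watchlist=PROXY_NETWORK_WATCHLIST):
    """Flag any DNS lookup or connection to a watchlisted domain or address."""
    findings = []
    for ev in events:
        dst = ev["dst"]
        try:
            hit = ipaddress.ip_address(dst) in watchlist["ips"]
        except ValueError:
            hit = dst.lower() in watchlist["domains"]
        if hit:
            findings.append({"type": "proxy_network_contact", "ts": ev["ts"],
                             "proto": ev["proto"], "dst": dst})
    return findings


def analyse(text):
    events = parse_log(text)
    return detect_local_sweep(events) + detect_watchlist_contact(events)


if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG):
        print(finding)
```

Run against the constructed log, `analyse` reports one sweep of six hosts on port 445 and two contacts with the placeholder proxy-network indicators. The sweep rule keys on the number of distinct local destinations rather than on any one port, since a hostname-collecting app might probe SMB, mDNS or plain ICMP; the watchlist rule is only as good as the indicators fed to it, which is why the placeholders above need replacing with real ones before the code is useful outside this example.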
Androguard: Reverse engineering and pentesting for Android
ANY.RUN: Free Malware Reports and Database
APKHunt: Comprehensive static code analysis for Android
APKLab: Android reverse engineering workbench
APKLeaks: Scan APK file for URIs, endpoints and secrets
APKtool: A tool for reverse engineering Android APK files
Hybrid Analysis: Free automated malware analysis
Frida: A world-class dynamic instrumentation toolkit
Genymobile/scrcpy: Display and control your Android device
MobSF: Security research platform for mobile applications
Oracle VM VirtualBox
Sixo Online APK Analyzer
URLscan: Website scanner for suspicious and malicious URLs
VirusTotal: Analyze suspicious files, domains, IPs and URLs to detect malware
Wireshark: The world’s most popular network protocol analyzer