This angers me a lot. Why did google and Sky not automatically pull / uninstall the app. They need to give everyone as much information as they have on what this potentially malicious app may have leaked, or whether we also need to consider a full password reset on all accounts used on your phone.
Well the apps are pulled now. As ever though Sky's communication is lacking. No updates on twitter, only mention on Facebook was in response to customers asking....
the app appears to have been removed from google play.
My suspicion would be the the syrian electronic army do not have the skills to push through a malicious android app. and all they've done is got sky's login for their dev account and made merry.
the app appears to have been removed from google play.
My suspicion would be the the syrian electronic army do not have the skills to push through a malicious android app. and all they've done is got sky's login for their dev account.
I'm not sure about pushing a *malicious* app, but several sky apps were showing as having been recently updated late last night.
At least in this case it isn't about slipping in some trojan when they are so open about it. This is a price to pay for openness of Android, it's not unlike Windows in that respect. Although here's an entity one think they could trust and there's no way for a downloader to say something is wrong. A stronger control of Google Play accounts would be nice, two step authentification, for example, login, password, and security code. Or apps signed by author's certificate.
This angers me a lot. Why did google and Sky not automatically pull / uninstall the app. They need to give everyone as much information as they have on what this potentially malicious app may have leaked, or whether we also need to consider a full password reset on all accounts used on your phone.
They do need to give people more information than just a tweet, that I never would have known about unless I'd read about it on this forum and even them most people wouldn't come to the tech forums anyway!
A stronger control of Google Play accounts would be nice, two step authentification, for example, login, password, and security code. Or apps signed by author's certificate.
I believe that developers have these options available, but e.g. 2-step isn't compulsory. Signing is I think?
They do need to give people more information than just a tweet, that I never would have known about unless I'd read about it on this forum and even them most people wouldn't come to the tech forums anyway!
agreed. Sky communication is abysmal, especially as people have since questioned the authenticity of the tweet.
It seems they've hacked the Sky Help Team Twitter account, which was meant to be available for queries as usual from 9am, but at present has nothing since the strange messages from last night.
The applications have since been withdrawn from the Google Play store, with the @SkyHelpTeam Twitter account now seemingly urging its customers to uninstall the apps on their devices, although it's possible that the Twitter account has also been compromised. "All Sky's Android apps were hacked and replaced... please uninstall it, And we will let you know when it [sic] will be available," reads the latest tweet from the account at the time of writing.
Security experts say the broken English in the tweet and lack of official confirmation on Sky's website are suspicious. "I’m not saying that Sky didn’t have its Google Play account hacked, or that the entries for its Android apps were not defaced," writes Sophos security expert Graham Cluley. "At the time of writing, many Sky Android apps are unavailable to access via Google Play which indicates that something unusual has happened. Frustratingly, that also means that they cannot be downloaded to check for signs of malware or tampering.
"But we should retain a healthy skepticism about implicitly trusting warnings that have only been shared via Twitter, especially when the reported attack relates to a group with a history of hacking the Twitter accounts of media organisations."
If they had hacked into Apple you might just get the exact same too.
Heck, they also might even have been Apple's Microsoft servers hacked, if they have them.
If you upload to Microsoft via your account the certification process starts. It never took less than 24 hours for my app to go live. Not sure how Apple works. So no, it would not be the same if they hacked into Sky's MS account.
Fortunately my phone was off last night and I read this before turning it on! so I disabled mobile data the second it booted and then immediately uninstalled the app.
Android apps are sandboxed, so should have access to any other app's data, only services available via the phone's API. The worst that could happen is the app having the ability to send messages, make calls or too many permissions I guess.
As others have said it sounds like the app listing on the site was hacked, we don't know if they tried to push out an updated app.
They need 2FA for uploads and store changes only to be done from a locked down, limited access machine from now on, how it should have been done in the first place! The limited access machine should have no internet access except the store and software updates from trusted sources. The developer private keys should not be on any other machine, when they want to push out an update or modify the store they use that secure machine(s).
I think that makes it obvious that their main account has been hacked, with the poorly written messages about the hacked apps not coming from Sky.
No not necessarily. The poorly written messages were just saying the same thing Sky has been repeating on Facebook today. Still reckon they were just written in a hurry at half one in the morning.
e.g. Facebook today
"Hi Jemma, we are advising all our customers who has (sic) a Sky App on an Android device to delete it. Once we have more information we will update everyone. Kat"
What is more likely is they're doing a big security overhaul and trying to figure out what parts may have been compromised, and as a precaution they've changed the password on the first twitter and not got it back up yet.
It is disgusting that Sky haven't been looking after the Android Sky Apps, not only do they not give support to larger Android devices due to them jumping into bed with Apple, but also allow the apps to get hacked.
UPDATE: All Sky's Android apps were hacked and replaced... please uninstall it, And we will let you know when it will be available
It should have been "please uninstall them, and we will let you know when they will be available"
I wonder if they really came from Sky given the bad English and unnecessary capitalisation etc. It is also not clear if the apps were replaced.
I really hope the police catch up with these people, I'm sick of script kiddies thinking they are fighting some "cause" by hacking accounts and inconveniencing loads of people.
If someone hacks into a developer's account on any platform, then they can do all sorts of malicious things.
People don't realise how programs work. Do you REALLY know what's happening behind the scenes in your web browser right now? You have to trust that wherever you got it from isn't trying to con you.
Many things have slipped past Apple's approval processes, simply because they can't check for people misusing the APIs Apple provides. The automated checks they run are to filter out Apps that do things Apple does not permit.
I think the bigger worry should be how the Syrian Electronic Army managed to infiltrate Google Play, a website with 128-bit encryption which also handles transactions for digital media in order to hack both Sky's apps and description pages.
I have already seen a few Apple fans gloat at this news, because I suspect they know the consequences of the above.
Well, they'd be shown to be absolute morons then! It's far easier to just hack someone's password.
It's looking quite likely that their Twitter account got hacked too!
This angers me a lot. Why did google and Sky not automatically pull / uninstall the app. They need to give everyone as much information as they have on what this potentially malicious app may have leaked, or whether we also need to consider a full password reset on all accounts used on your phone.
Presumably, they couldn't - their account was hacked!
Android apps are sandboxed, so should have access to any other app's data, only services available via the phone's API. The worst that could happen is the app having the ability to send messages, make calls or too many permissions I guess.
Android Apps can access data stored on the "SD card" (or if your phone doesn't have one, the large amount of internal flash storage).
Some Apps store data there, so it could be copied, deleted or modified.
Comments
Well the apps are pulled now. As ever though Sky's communication is lacking. No updates on twitter, only mention on Facebook was in response to customers asking....
My suspicion would be the the syrian electronic army do not have the skills to push through a malicious android app. and all they've done is got sky's login for their dev account and made merry.
tbh, deleting the sky apps is a precaution, I don't think any more than that is necessary at this stage.
I'm not sure about pushing a *malicious* app, but several sky apps were showing as having been recently updated late last night.
You can see in the screenshots (e.g. http://thenextweb.com/insider/2013/05/26/british-broadcaster-sky-news-has-all-of-its-android-apps-hacked-by-the-syrian-electronic-army/ ) that the updated date is yesterday
They do need to give people more information than just a tweet, that I never would have known about unless I'd read about it on this forum and even them most people wouldn't come to the tech forums anyway!
I believe that developers have these options available, but e.g. 2-step isn't compulsory. Signing is I think?
agreed. Sky communication is abysmal, especially as people have since questioned the authenticity of the tweet.
It seems they've hacked the Sky Help Team Twitter account, which was meant to be available for queries as usual from 9am, but at present has nothing since the strange messages from last night.
https://twitter.com/skyhelpteam
http://www.pcpro.co.uk/news/security/382063/sky-android-apps-attacked
Heck, they also might even have been Apple's Microsoft servers hacked, if they have them.
If you upload to Microsoft via your account the certification process starts. It never took less than 24 hours for my app to go live. Not sure how Apple works. So no, it would not be the same if they hacked into Sky's MS account.
Sky Status
Android apps are sandboxed, so should have access to any other app's data, only services available via the phone's API. The worst that could happen is the app having the ability to send messages, make calls or too many permissions I guess.
As others have said it sounds like the app listing on the site was hacked, we don't know if they tried to push out an updated app.
They need 2FA for uploads and store changes only to be done from a locked down, limited access machine from now on, how it should have been done in the first place! The limited access machine should have no internet access except the store and software updates from trusted sources. The developer private keys should not be on any other machine, when they want to push out an update or modify the store they use that secure machine(s).
That's the way it should be done really.
https://twitter.com/skyhelpteam1
no further information.
I think that makes it obvious that their main account has been hacked, with the poorly written messages about the hacked apps not coming from Sky.
No not necessarily. The poorly written messages were just saying the same thing Sky has been repeating on Facebook today. Still reckon they were just written in a hurry at half one in the morning.
e.g. Facebook today
"Hi Jemma, we are advising all our customers who has (sic) a Sky App on an Android device to delete it. Once we have more information we will update everyone. Kat"
What is more likely is they're doing a big security overhaul and trying to figure out what parts may have been compromised, and as a precaution they've changed the password on the first twitter and not got it back up yet.
It should have been "please uninstall them, and we will let you know when they will be available"
I wonder if they really came from Sky given the bad English and unnecessary capitalisation etc. It is also not clear if the apps were replaced.
I really hope the police catch up with these people, I'm sick of script kiddies thinking they are fighting some "cause" by hacking accounts and inconveniencing loads of people.
Some of Sky's operators are based in India. So maybe they wrote it???
That would explain it.
It's shocking the lack of communication.
unfortunately it's well know that sky don't give a toss about android
What does that mean?
If someone hacks into a developer's account on any platform, then they can do all sorts of malicious things.
People don't realise how programs work. Do you REALLY know what's happening behind the scenes in your web browser right now? You have to trust that wherever you got it from isn't trying to con you.
Many things have slipped past Apple's approval processes, simply because they can't check for people misusing the APIs Apple provides. The automated checks they run are to filter out Apps that do things Apple does not permit.
Well, they'd be shown to be absolute morons then! It's far easier to just hack someone's password.
It's looking quite likely that their Twitter account got hacked too!
Presumably, they couldn't - their account was hacked!
Android Apps can access data stored on the "SD card" (or if your phone doesn't have one, the large amount of internal flash storage).
Some Apps store data there, so it could be copied, deleted or modified.