It looks like they are doing it after app install with a malicious patch. This patch asks for SMS and accessibility access to gain privileges necessary to get into the banking apps. I haven’t thoroughly read it but just looking at the attack chain that’s what I gleaned.
He’s being condescending because he believes as a developer nothing is actually fully secure. If I spend 100 hours building and securing something, that’s not going to stack up very favorably vs the 1,000’s or even 1,000,000’s of hours attackers and communities can spend trying to break my security layers.
Basically, he’s a dick in how he answered the question, but the truth every software engineer learns, is that there is no fully secure system. There’s always an angle/attack vector you didn’t think of and secure.
As a developer this question is hilarious to me
As a curious Android user this comment is useless to me
For a real answer here’s the Zscaler blog write up: https://www.zscaler.com/blogs/security-research/technical-analysis-anatsa-campaigns-android-banking-malware-active-google
It looks like they are doing it after app install with a malicious patch. This patch asks for SMS and accessibility access to gain privileges necessary to get into the banking apps. I haven’t thoroughly read it but just looking at the attack chain that’s what I gleaned.
Ugh, TIL zscaler actually does more than just send my PII to the USA without my consent.
As an Android developer that comment makes me sad. Then I remind myself that Lemmy is full of people who migrated from Reddit.
We each have our specialties, and it would be unreasonable to ask that everyone share yours.
Dude, do you not want people on this platform? Reddit migrants come with baggage yes but I’d rather that than the husk that was Lemmy before.
I’m not gonna scream back at you,… I’m just going to walk back… very… very… slowly…errrrrrrr
Why? They’re absolutely right. The article doesn’t say anything about a root exploit or phishing either so were left wondering…
He’s being condescending because he believes as a developer nothing is actually fully secure. If I spend 100 hours building and securing something, that’s not going to stack up very favorably vs the 1,000’s or even 1,000,000’s of hours attackers and communities can spend trying to break my security layers.
Basically, he’s a dick in how he answered the question, but the truth every software engineer learns, is that there is no fully secure system. There’s always an angle/attack vector you didn’t think of and secure.
Of course there are (or there can be) fully secure systems. The problems come when you assume something is.
They actual report does say it just displays a fake login page. It’s just phishing.
please enlighten the rest of us
and one day you’ll say why, right?
Explain yourself