In the last several weeks I've been getting spam via my Google Drive Account.
It seems someone can share a document with you knowing nothing more than that you have a Google Email Account.
They simply put some spam in a folder, and then share that widely to thousands of Google users.
The files sit in their google drive, not yours. And you don't have to click on them. But if you do, who knows what sort of malware can be hidden in there.
If you have the Google Drive App installed on your Android device, it wants to notify you about each new item shared with you.
So the app, running on your phone dutifully opens the shared item, and shows you a thumbnail. And if you tap the notification it takes you right into the Google Drive app, and opens that unknown shared item and shows text and images to you.
By the time you realize how dumb that tap was the damage could already be done.
[Continues...]
In the mean time you are greeted by this:
from: gr5rc/Digital signage/... (via Google Drive) ...drive-shares-noreply@google.com...
reply-to: "gr5rc/Digital signage/..." gr5rc@domain removed by frojack
Dear Sirs,
From internet we know you are leading on AV/TV product reseller field.
Sysview is a digital signage software, capable change your existing smart TV to a digital signage . Sysview features following :
Value add
Based on your existing smart TV, no need buy any hardware
Easy use
No need install any hardware or software ,everyone can do.
Setup your own brand easily
White label or your re-brand, depend on your choice
Easy management
Multi levels account and authority , make manage up to 1000 screens easily
Cost friendly
One time charge, No monthly/Annual Fees
90 days free trial account is available now.
Try this freely now.
Best Regards
Anna Wang
Manager | Sales department No.3 Section
Nanshan, Shenzhen, China
The only way to prevent the notification tap from launching the item is to disable notifications for the entire Google Drive app on your phone. There is apparently no way to block random people from sharing single documents or entire folders with your Google account
So far this had only been used for spam, as far as anyone knows.
There is a lengthy thread on Google's Product forum which Google is ignoring.
Have any other Soylentils seen these Google Drive "gifts" on their Android Devices?
(Score: 4, Insightful) by darkfeline on Sunday November 06 2016, @08:44PM
Let's get it out of the way first: this isn't an attack vector. In theory someone could upload a file that exploits a Google Drive web/app bug that exploits a Chrome/Android bug to attack, but in practice you would have to download a malicious file locally and open it, which would require deliberate effort on your part.
With that said, this is pretty bad, it's basically unblockable email spam. I'll take a look and see if anything's being done, but no promises. (I'm doing this out of personal interest and not as Soylentil-Google intermediary.)
Join the SDF Public Access UNIX System today!
(Score: 0, Insightful) by Anonymous Coward on Sunday November 06 2016, @09:46PM
this isn't an attack vector. [...] you would have to download a malicious file locally and open it, which would require deliberate effort on your part.
You're acting like users downloading malicious files and opening them is not one of the biggest attack vectors in existence... funny_cat_screensaver.jpg.exe would like a word with your mother!
(Score: 2) by stormwyrm on Monday November 07 2016, @02:25AM
Thankfully Android is not as stupid as Windows as always been in this regard. If someone sends you a random APK and you click on it, it won't execute right away. You'll be told to enable side-loading of APKs first, which is disabled by default on just about every Android device out there, and Android is not going to take you right away to the settings option that will let you do so when you click on an APK. You have to deliberately open Android Settings yourself, and then hunt for the option to enable APK sideloading, and that's a few levels deep. Most ordinary people when faced with that first dialogue box would probably just think that the file is useless garbage. The people who already know enough to have enabled APK sideloading themselves in the past probably know what they are doing and would have all sorts of alarm bells go off when the dialogue box to install a new app shows up with a permission list.
No, the only way this could be really dangerous is if there is an Android or Google Drive app zero-day that can be exploited in this way. This cannot be discounted, and the irritation of having people share random junk with you is still irritating spam.
Numquam ponenda est pluralitas sine necessitate.
(Score: 2) by rob_on_earth on Monday November 07 2016, @09:55AM
Except all the non google app stores require side loading being enable. I am not talking about dodgy pirate store but fDroid and Amazon.
I try and get all my software from FDroid. Its usually ad free and if not it is very clear BEFORE you install.
I do not have good things to say about the amazon store. The free promoted apps are usually scam/spam e.g. a Learn Python Book that has a cover layout of an o'reilly book and the contents of the online documentation. Presumably it just takes a few idiots to mark it as Good "I got a free ebook about Python" and the when the free promotion ends people end up paying money for it.
(Score: 3, Insightful) by stormwyrm on Monday November 07 2016, @11:35AM
Numquam ponenda est pluralitas sine necessitate.