Stories
Slash Boxes
Comments

SoylentNews is people

posted by cmn32480 on Sunday November 06 2016, @06:52PM   Printer-friendly
from the spammers-should-be-drawn-and-quartered dept.

In the last several weeks I've been getting spam via my Google Drive Account.

It seems someone can share a document with you knowing nothing more than that you have a Google Email Account.
They simply put some spam in a folder, and then share that widely to thousands of Google users.

The files sit in their google drive, not yours. And you don't have to click on them. But if you do, who knows what sort of malware can be hidden in there.

If you have the Google Drive App installed on your Android device, it wants to notify you about each new item shared with you.

So the app, running on your phone dutifully opens the shared item, and shows you a thumbnail. And if you tap the notification it takes you right into the Google Drive app, and opens that unknown shared item and shows text and images to you.

By the time you realize how dumb that tap was the damage could already be done.

[Continues...]

In the mean time you are greeted by this:

from: gr5rc/Digital signage/... (via Google Drive) ...drive-shares-noreply@google.com...
reply-to: "gr5rc/Digital signage/..." gr5rc@domain removed by frojack
Dear Sirs,

From internet we know you are leading on AV/TV product reseller field.

Sysview is a digital signage software, capable change your existing smart TV to a digital signage . Sysview features following :

Value add
Based on your existing smart TV, no need buy any hardware
Easy use
No need install any hardware or software ,everyone can do.
Setup your own brand easily
White label or your re-brand, depend on your choice
Easy management
Multi levels account and authority , make manage up to 1000 screens easily
Cost friendly
One time charge, No monthly/Annual Fees

90 days free trial account is available now.

Try this freely now.

Best Regards

Anna Wang
Manager | Sales department No.3 Section
Nanshan, Shenzhen, China

The only way to prevent the notification tap from launching the item is to disable notifications for the entire Google Drive app on your phone. There is apparently no way to block random people from sharing single documents or entire folders with your Google account

So far this had only been used for spam, as far as anyone knows.

There is a lengthy thread on Google's Product forum which Google is ignoring.

Have any other Soylentils seen these Google Drive "gifts" on their Android Devices?


Original Submission

 
This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 0, Insightful) by Anonymous Coward on Sunday November 06 2016, @09:46PM

    by Anonymous Coward on Sunday November 06 2016, @09:46PM (#423275)

    this isn't an attack vector. [...] you would have to download a malicious file locally and open it, which would require deliberate effort on your part.

    You're acting like users downloading malicious files and opening them is not one of the biggest attack vectors in existence... funny_cat_screensaver.jpg.exe would like a word with your mother!

    Starting Score:    0  points
    Moderation   0  
       Insightful=1, Overrated=1, Total=2
    Extra 'Insightful' Modifier   0  

    Total Score:   0  
  • (Score: 2) by stormwyrm on Monday November 07 2016, @02:25AM

    by stormwyrm (717) on Monday November 07 2016, @02:25AM (#423361) Journal

    Thankfully Android is not as stupid as Windows as always been in this regard. If someone sends you a random APK and you click on it, it won't execute right away. You'll be told to enable side-loading of APKs first, which is disabled by default on just about every Android device out there, and Android is not going to take you right away to the settings option that will let you do so when you click on an APK. You have to deliberately open Android Settings yourself, and then hunt for the option to enable APK sideloading, and that's a few levels deep. Most ordinary people when faced with that first dialogue box would probably just think that the file is useless garbage. The people who already know enough to have enabled APK sideloading themselves in the past probably know what they are doing and would have all sorts of alarm bells go off when the dialogue box to install a new app shows up with a permission list.

    No, the only way this could be really dangerous is if there is an Android or Google Drive app zero-day that can be exploited in this way. This cannot be discounted, and the irritation of having people share random junk with you is still irritating spam.

    --
    Numquam ponenda est pluralitas sine necessitate.
    • (Score: 2) by rob_on_earth on Monday November 07 2016, @09:55AM

      by rob_on_earth (5485) on Monday November 07 2016, @09:55AM (#423421) Homepage

      Except all the non google app stores require side loading being enable. I am not talking about dodgy pirate store but fDroid and Amazon.

      I try and get all my software from FDroid. Its usually ad free and if not it is very clear BEFORE you install.

      I do not have good things to say about the amazon store. The free promoted apps are usually scam/spam e.g. a Learn Python Book that has a cover layout of an o'reilly book and the contents of the online documentation. Presumably it just takes a few idiots to mark it as Good "I got a free ebook about Python" and the when the free promotion ends people end up paying money for it.

      • (Score: 3, Insightful) by stormwyrm on Monday November 07 2016, @11:35AM

        by stormwyrm (717) on Monday November 07 2016, @11:35AM (#423447) Journal
        And just how many ordinary Android users use any app store besides the Play Store? I'm not talking about people like you or me who would probably be alarmed by a random app being sideloaded.The only mainstream devices where the Amazon app store is default are Kindles, and I imagine they modded Android enough not to require sideloading to be enabled on their gear to use their own store. The point is random code execution by users who don't know better doesn't happen on Android as easily as it does on Windows.
        --
        Numquam ponenda est pluralitas sine necessitate.