SMS Trojan Steals From Android Owners

CmdrTaco posted more than 3 years ago | from the no-way-i-wanted-hott-sexx dept.

Security 168

siliconbits writes "A Trojan posing as a media player for Android smartphones automatically sends text messages to premium rate numbers, according to Kaspersky Lab. Company officials say the Trojan, dubbed Trojan-SMS.AndroidOS.FakePlayer.a, is the first of its kind for the Android platform, even though SMS Trojans are currently the most widespread type of malware on mobile phones."

168 comments

Is this really a trojan? (3, Informative)

schon (31600) | more than 3 years ago | (#33206196)

Or does it tell you what it's gonna do beforehand?

If you install something that says "THIS WILL COST YOU MONEY", and it sends SMS that costs you money, how exactly is that a "trojan"?

Re:Is this really a trojan? (5, Insightful)

MozeeToby (1163751) | more than 3 years ago | (#33206254)

Yes, the user must approve giving the 'Trojan' access to sending text messages, which is included under a big banner that says "Things that can cost you money". Of course, after the 40th or 50th app installed, no one reads them anymore and just clicks the OK button, but Android does notify you of what it's capable of, and even that requires you to check the install apps from other sources button.

Re:Is this really a trojan? (1)

ThinkWeak (958195) | more than 3 years ago | (#33206302)

I'm interested to know if anyone's deployed a trojan on an app you actually purchase.

I'm sure this CAN be done, but has it been? I like a free app as much as the next person, but if you're not going to take the time to read what the program is capable of and paid apps are safer - then why not just purchase the full version of something similar?

Re:Is this really a trojan? (2, Insightful)

MozeeToby (1163751) | more than 3 years ago | (#33206380)

Why not just take the literally 20 seconds to read what parts of the phone an app wants access to? Or at least the 5 seconds to make sure that there's nothing under the 'will cost you money' heading, unless it's an app where that makes sense (I think the only apps I have with entries under those headings are Google maps and Google voice, and both because they're allowed to initiate phone calls).

Re:Is this really a trojan? (2, Informative)

SCPaPaJoe (767952) | more than 3 years ago | (#33206540)

I agree. When I first got my Droid, I was going to install a free game until I saw it wanted access to my contacts list. The notification screen during app install is quite clear and easy to understand. There is no excuse for not reading it.

Re:Is this really a trojan? (1)

geekoid (135745) | more than 3 years ago | (#33206744)

What if you want to install a music tool that sends SMS?

It would tell you it's going to send SMS, not that they will cost you money. So while it's sending SMS info of the songs you're listening to to share playlists, it also sends SMS to places that charge?

I have never used SMS to do anything financial. I had it turned off after I got a bogus charge for ringtones. For the record, I create and put all my personalized ringtones directly on the phone. So for me, I was able to easily detect that charge.

In fact, that's a feature I think should only be activated on request after the user has taken the phone home.

Re:Is this really a trojan? (2, Insightful)

Sancho (17056) | more than 3 years ago | (#33206954)

It would tell you it's going to send SMS, not that they will cost you money. So while it's sending SMS info of the songs you're listening to to share playlists, it also sends SMS to places that charge?

On my phone, the category in the manifest is "Services that cost you money" (in big bold letters) and then under that, as an explanation, it says "directly call phone numbers, send SMS messages."

An application which has the ability to send SMS has the ability to cost you money because it could send SMS to premium-rate numbers or out of the country. Many people wouldn't think about this, and there's probably no easy way for Android to differentiate between regular SMS and premium-rate SMS.

Re:Is this really a trojan? (1)

TheRaven64 (641858) | more than 3 years ago | (#33207064)

there's probably no easy way for Android to differentiate between regular SMS and premium-rate SMS.

How about an option to only send SMS messages to numbers in your address book? Or an option to require approval for each new number that the app is allowed to send messages to? Or even just a restriction based on area codes? I'm not sure how it works in the USA, but in the UK you can easily tell from a phone number whether it's a premium rate number or an overseas number...

Re:Is this really a trojan? (1)

Sancho (17056) | more than 3 years ago | (#33207118)

Sounds a lot like UAC, though. Good in theory, but might turn into people just approving messages to get on with whatever they were doing.

Re:Is this really a trojan? (1)

camperslo (704715) | more than 3 years ago | (#33207710)

Or even just a restriction based on area codes?

In this era of number portability, an area code can no longer be trusted to tell you where you are calling.

Re:Is this really a trojan? (1)

maxume (22995) | more than 3 years ago | (#33208028)

In the U.S., premium numbers are area code 900 and international calls require dialing 011 before the phone number, so it is also quite obvious here.

Re:Is this really a trojan? (1)

jcrousedotcom (999175) | more than 3 years ago | (#33208614)

I think they're referring to premium SMS messages, not phone calls. Those are not always a phone number - often shorter (like These folks [texttopledge.com] ).

I have seen ads to text 90999 with the word Haiti in the body to donate to the Red Cross for example. I never have actually used one of those donation methods, but the "phone number," if you will, is only 5 digits rather than a full 10 (for North America). And the program could potentially send that message (if embedded into its programming) without additional user intervention if the user chose to allow it to do so upon installation.
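An added example, not from any commenter and not an Android API: a sketch of the destination checks proposed in this sub-thread, working only from the dialled digits. It uses the properties the comments mention (area code 900, the 011 international prefix, short codes, address-book membership, per-number approval); the function names, the 5 to 6 digit short-code range and the sample numbers are assumptions.

```python
import re

SHORT_CODE_LENGTHS = (5, 6)  # assumption: the thread cites a 5-digit code


def canonical(number):
    """Return (kind, canonical_form) for a destination as dialled in the US."""
    raw = number.strip()
    digits = re.sub(r"\D", "", raw)
    if not digits:
        return "unknown", ""
    if raw.startswith("+"):
        e164 = "+" + digits
    elif digits.startswith("011"):            # US international dialling prefix
        e164 = "+" + digits[3:]
    elif len(digits) == 11 and digits.startswith("1"):
        e164 = "+" + digits
    elif len(digits) == 10:
        e164 = "+1" + digits
    elif len(digits) in SHORT_CODE_LENGTHS:
        return "short_code", digits
    else:
        return "unknown", digits
    # +1 plus ten digits: North American numbering plan.
    if e164.startswith("+1") and len(e164) == 12:
        kind = "premium" if e164[2:5] == "900" else "domestic"
        return kind, e164
    return "international", e164


def decide(number, address_book, approved):
    """Return (decision, kind); decision is 'allow' or 'prompt'.

    address_book: numbers as the user typed them.
    approved: canonical forms the user has already approved for this app.
    """
    kind, canon = canonical(number)
    known = {canonical(n)[1] for n in address_book} | set(approved)
    if canon and canon in known:
        return "allow", kind      # address-book-only / per-number approval
    if kind == "domestic":
        return "allow", kind      # prefix rule: ordinary domestic number
    return "prompt", kind         # premium, short code, international, unknown


if __name__ == "__main__":
    # Constructed outgoing destinations for a hypothetical app.
    book = ["(212) 555-0123", "011 44 20 7946 0000"]
    approved = {"90999"}
    for dest in ["1-900-555-0100", "12345", "90999",
                 "+44 20 7946 0000", "(415) 555-0199"]:
        print(dest, decide(dest, book, approved))
```

Because it sees only the dialled string, this cannot tell what the carrier will bill for a given short code, and every "prompt" result is one more dialog for the user to click through.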

Re:Is this really a trojan? (1)

slater.jay (1839748) | more than 3 years ago | (#33207158)

I work on Android for a living, and one of the things I've been doing of late is the radio interface layer for a device we haven't done Android GSM for before (see www.sdgsystems.com; the device is the Trimble Nomad).

It's not even possible at the modem level to see if it's a premium number or not, or at least not on any of the modems I've worked with.

Re:Is this really a trojan? (1)

shmlco (594907) | more than 3 years ago | (#33207860)

Exactly. The permissions system isn't some sort of panacea.

I mean, you could download an app that legitimately purports to send SMS or email messages as one of its functions. Like, say, a "social" RSS newsreader that exists to notify family and friends of interesting articles or stories.

You then approve it, give it access to your contacts and email and SMS, only to find out later on that it sends special "paid" messages like the one in the article.

Or spammed your entire contact list.

By approving the legitimate functionality, you approved the illegitimate functionality as well.

So, just writing this off by saying that the user needs to "understand permissions" isn't really an answer.

Re:Is this really a trojan? (3, Insightful)

DJRumpy (1345787) | more than 3 years ago | (#33208184)

It's amazing how far folks are falling over themselves to defend this type of activity on the Android platform ("well it's their own fault" and "they should have read the warning"). I hate to break it to everyone, but most Android users are not geeks, nerds, or techies. They will do just as Windows users have been doing for decades and click 'OK' when prompted. Such behavior should be expected and accounted for, or provisions made to protect end users in spite of themselves.

The difference here? There is no virus scan or malware blocker to save them.

Re:Is this really a trojan? (1)

nacturation (646836) | more than 3 years ago | (#33206618)

Is it possible for an app to request access to the filesystem, then modify another existing app with a payload that makes it do all the dirty work? For example, take a legitimate and popular alternate phone/SMS app and modify it to call/SMS rogue numbers.

Re:Is this really a trojan? (5, Informative)

metamatic (202216) | more than 3 years ago | (#33206650)

Is it possible for an app to request access to the filesystem, then modify another existing app with a payload that makes it do all the dirty work?

No. Each Android app runs as a separate Linux userid [android.com] . Even if you give the app filesystem access, it can't write to files that belong to other apps, let alone rewrite the apps themselves.

Re:Is this really a trojan? (1)

unix1 (1667411) | more than 3 years ago | (#33206920)

No. Each Android app runs as a separate Linux userid [android.com] . Even if you give the app filesystem access, it can't write to files that belong to other apps, let alone rewrite the apps themselves.

That would all be fine and dandy if there were no SD cards formatted with FAT32 with no filesystem security, and things like "move apps to SD card" features on top of that. These are simply bad choices for security.

Re:Is this really a trojan? (1)

element-o.p. (939033) | more than 3 years ago | (#33207318)

As a Linux user, I would prefer to see the SD cards on Android phones using something like ext3 rather than FAT32. However, as someone firmly in touch with the real world, I understand why they chose FAT32. Since most desktops still run Windows, most of those that don't run Windows run OS-X, and it's still (unfortunately) a relative minority like me that runs a Linux OS on their (lap|desk)tops, FAT32 is still the logical choice, despite its security issues. I do agree that the "move apps to SD card" option is a really poor choice, in light of FAT32's security model, however.

NO NO NO (1)

SuperKendall (25149) | more than 3 years ago | (#33207592)

FAT32 is still the logical choice, despite its security issues

Bill Gates? Is that you?

Because at this point we all have seen when you design from the start for convenience OF THE DEVELOPER instead of security. The Windows world has been living with the consequences of that choice for decades now.

So now at the brink of a whole new wave of OS's, is not the time to repeat the mistakes of our virtual forefathers. Android could move apps into a smaller embedded filesystem in a file, but in no way should it open up users to app modifications like this.

Re:NO NO NO (1)

bickerdyke (670000) | more than 3 years ago | (#33207880)

Because at this point we all have seen when you design from the start for convenience OF THE DEVELOPER instead of security.

It's rather the convenience of the user, but as he is the one who actually has to buy a gadget this might be the right thing to do, even as you're right with the consequences.

To the user it's the same (1)

SuperKendall (25149) | more than 3 years ago | (#33208224)

It's rather the convenience of the user

That's not so.

Because I already described how you would have the same exact functionality with an embedded file system in one large file on the DOS partition, where apps would go. That would be mounted and have proper security.

To the user everything works as it does now, it's just that underneath you can't have apps stored on an external partition infected by another app nearly as easily.

If you wanted to let users drag apps onto the removable storage you could still let them do that and add them to the safe partition on attachment of the card, not letting anything in the system write to the card until the app extraction was complete.

Re:NO NO NO (1)

element-o.p. (939033) | more than 3 years ago | (#33208214)

Wow, that's really funny. I think this is the first time *I* have ever been called Bill Gates. Did you happen to notice my sig by any chance?

My point, which I thought was pretty clear and even though it pains me greatly to say so, was that there isn't another file system that is as widely supported out of the box as FAT32. UFS? Nope. Ext2/3/4? Nope. ReiserFS? Nope. NTFS? Nope. ZFS? Nope. There is a *reason* FAT32 is the standard for removable mass storage, even though it really sucks (especially from a security standpoint).

So, yes, Android *could* move apps into a different file system (or even, as you suggest, into an embedded file system inside a single file), but then you would completely lose the ability to pull your SD card from your phone and access the data on the card from your PC (which, incidentally, I did just the other day on my microSD card in my Android phone).

Re:Is this really a trojan? (1)

Teun (17872) | more than 3 years ago | (#33207742)

I noticed TomTom (of the navigators and the MS FAT legal challenge) has added the ext2fs 'plug-in' to their Windows application.

So I assume their navigators will in future use ext2/3 instead of FAT.

This option is open to any developer.

Re:Is this really a trojan? (1)

element-o.p. (939033) | more than 3 years ago | (#33208308)

True, and if the Android were to move to a better file system than FAT32, that's probably the best way to do it. But it does introduce the complexity of requiring software to access the device's file system from a Windows PC. While that may not be a big deal for TomTom (since they are the manufacturer for all TomTom devices), it becomes a somewhat bigger challenge for manufacturers of Android devices, since Motorola, HTC, etc., etc. would *all* have to include a Windows driver for the SD card. While I, for one, would certainly appreciate the irony if the SD card worked natively in my Linux boxes, but wouldn't work without a driver on Windows machines, I'm not sure that would help the Android platform gain widespread acceptance.

Out of curiosity, how does a Windows user gain access to the iPhone's file system? Is there even a removable storage card on an iPhone, or is the entire phone a USB mass storage device?

Re:Is this really a trojan? (1)

geekoid (135745) | more than 3 years ago | (#33206698)

Do apps say that? I think an installed app would tell you what it accesses. Bluetooth, wifi, gps, music, sms. I don't think it tells you it will secretly send SMSs to places that cost you money.

Re:Is this really a trojan? (2, Informative)

Sancho (17056) | more than 3 years ago | (#33206978)

The manifest says, in big bold letters, that the app may cost you money by placing phone calls and sending SMS.

Re:Is this really a trojan? (1)

dyingtolive (1393037) | more than 3 years ago | (#33207766)

Because sometimes it's not that easy. I'm paranoid about what I've installed on mine, but say I make a GPS app that will show WIFI hotspot overlays on maps (cause I always wanted something like that). I now have an app that when downloaded, shows up as needing:

* GPS Location (fine)
* Network access

I also want to make it switch off during phone calls, and maybe keep the phone from sleeping:

* System tools
* Phone state and identity


Finally, wouldn't it be neato if it could save the overlays to the filesystem?

* SD card access

You might say, "Hey, I'd expect that app to want all that, and it's cool, so I'll take my chances." Great, I might too, and it would probably be legit. However, say I realize this line of thinking, and I catch asshat-itis. I now build a trojan in it that scrapes whatever it can off your filesystem and can tell me who you're calling and when, and where you are when you do it. I'm sure I could find SOMETHING to do with that data. Honestly, I think that if they got more specific about how the apps were accessing each of those categories, I'd feel better about it, but it's not always so clear cut. Admittedly, I've never seen a texting one, but if it's anything like the others, "Text messages" could just be a read type thing, or it could be read/write/whatever.

Re:Is this really a trojan? (4, Informative)

flibuste (523578) | more than 3 years ago | (#33206576)

In all honesty, the way Android reports what an application uses is way too weak and not granular enough. Basically, you require access to 1 URL, your application needs "Full Internet Access". Want to access the GPS data? Your application needs "Location access", "Services that may cost money", etc.

The way an application declares its "needs" is through an element in the Android Manifest file. However, the choices are really limited to the existing Android services, and most of them have a 1 to 1 relation with the services they relate to, and nothing more granular such as "Requires GPS access using only satellites (costs nothing)", "Requires GPS access using cell towers", "Requires GPS access through paying services".

In the end, the user downloading an app sees warnings that are mostly meaningless, and which appear in many other applications. It's close to impossible to spot a possibly-offensive application such as this Trojan.
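An added example, not from the thread and not Android's own tooling: a triage script that reads a text-form AndroidManifest.xml and flags requested permissions that do not fit the app's stated purpose, with special weight on the two behind the "Services that cost you money" heading quoted above. The sample manifests, package names and the per-category `EXPECTED` policy are constructed; an APK's manifest is binary XML and is assumed to have been decoded to text first.

```python
import xml.etree.ElementTree as ET

NAME_ATTR = "{http://schemas.android.com/apk/res/android}name"
P = "android.permission."

# Permissions behind the "Services that cost you money" install heading
# (directly call phone numbers, send SMS messages).
COST_MONEY = {P + "SEND_SMS", P + "CALL_PHONE"}

# Hypothetical reviewer policy: what each app category may plausibly request.
EXPECTED = {
    "media_player": {P + "INTERNET", P + "WRITE_EXTERNAL_STORAGE",
                     P + "READ_PHONE_STATE", P + "WAKE_LOCK"},
    "sms_client": {P + "SEND_SMS", P + "RECEIVE_SMS", P + "READ_SMS",
                   P + "READ_CONTACTS"},
}


def requested_permissions(manifest_xml):
    """Return the set of permission names a manifest requests.

    Raises ValueError for a DTD or a wrong root element, and
    xml.etree.ElementTree.ParseError for malformed XML.
    """
    # A manifest never needs a DTD; refuse one rather than expand entities.
    if "<!DOCTYPE" in manifest_xml or "<!ENTITY" in manifest_xml:
        raise ValueError("DTD/entity declarations are not accepted")
    root = ET.fromstring(manifest_xml)
    if root.tag != "manifest":
        raise ValueError("root element is not <manifest>")
    perms = set()
    for elem in root.findall("uses-permission"):
        name = elem.get(NAME_ATTR)
        if name:                       # skip entries with no android:name
            perms.add(name.strip())
    return perms


def audit(manifest_xml, category):
    """Compare requested permissions with the policy for `category`."""
    perms = requested_permissions(manifest_xml)
    allowed = EXPECTED[category]
    unexpected = sorted(perms - allowed)
    cost_money = sorted(perms & COST_MONEY)
    if set(cost_money) - allowed:
        verdict = "reject"             # can bill the user, purpose does not need it
    elif unexpected:
        verdict = "review"
    else:
        verdict = "ok"
    return {"verdict": verdict, "unexpected": unexpected,
            "cost_money": cost_money}


# Constructed sample: a "media player" that asks to send SMS.
SUSPICIOUS_PLAYER = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.movieplayer">
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Movie Player"/>
</manifest>"""

# Constructed sample: an SMS client, where SEND_SMS is expected.
SMS_CLIENT = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.texter">
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application android:label="Texter"/>
</manifest>"""

if __name__ == "__main__":
    print(audit(SUSPICIOUS_PLAYER, "media_player"))
    print(audit(SMS_CLIENT, "sms_client"))
```

The SMS client passes with `SEND_SMS` granted: a permission check of this kind says nothing about which numbers an approved app will message.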

Re:Is this really a trojan? (1)

hattig (47930) | more than 3 years ago | (#33206718)

Sounds like the required functionality is something that will stop sending texts when the phone has exceeded its contract allowance.

In addition it may be possible to identify premium rate numbers (maybe via a web service at the very least) before they are texted/phoned, allowing the android sandbox to be more granular with its permissions. Or to only allow SMS/phone calls to numbers in the user's phone book. Or to only allow web access to a limited list of specified websites.

Re:Is this really a trojan? (2, Informative)

Anonymous Coward | more than 3 years ago | (#33207120)

In all honesty, the way Android reports what an application uses is way too weak and not granular enough. Basically, you require access to 1 URL, your application needs "Full Internet Access". Want to access the GPS data? Your application needs "Location access", "Services that may cost money", etc.

Do you use Android? It is more granular than that. Location access can specify coarse (cell location) and fine (GPS). "Services that may cost money" can specify SMS or phone calls. Many apps use a "Phone" permission that's called "Read phone state" so that it can know when you're receiving a call. Apps like Google Voice that use the "Phone" permissions also include things like "Make outgoing calls" and "Intercept calls".

Your fine-grained permissions are right there.

Re:Is this really a trojan? (2, Funny)

nschubach (922175) | more than 3 years ago | (#33208154)

Personally, I'd like to see an OS driven prompt to have access to things like contacts, messaging and phone access.

If your app needs a contact to send a message, it would have to pass that message to the OS and the OS would prompt the user for the contact to send it to. This way, no apps need access to contacts to send messages for some reason. The same applies to phone numbers, etc.

Re:Is this really a trojan? (1)

toadlife (301863) | more than 3 years ago | (#33208092)

Of course, after the 40th or 50th app installed, no one reads them anymore and just clicks the OK button...

That reminds me of the criticism of UAC in Windows.

(Not arguing with you here. Just an observation)

Re:Is this really a trojan? (0, Insightful)

Anonymous Coward | more than 3 years ago | (#33206282)

Or does it tell you what it's gonna do beforehand?

If you install something that says "THIS WILL COST YOU MONEY", and it sends SMS that costs you money, how exactly is that a "trojan"?

Look, CmdrTaco JUST posted another Apple-praising fluff article about some bullshit connection between the iPad and Star Trek. Did you simply fail to see that? Thus, we can clearly infer that the answer is it's a "trojan" inasmuch as it's not on an iPhone, and what's better, it's a "trojan" in the sense that it is on one of Apple's competitors, making Apple look better. Duh.

Re:Is this really a trojan? (1)

The MAZZTer (911996) | more than 3 years ago | (#33206288)

"Kaspersky officials suggest that Android users pay close attention to the services requested by an application at the time of installation"

So yeah. But it hardly makes it not a trojan; by definition trojans masquerade as legitimate apps and this one seems to be no exception. But it doesn't spread or install automatically or give itself privileges the user doesn't grant it, so it's not a big concern. Just another example of users installing that app they MUST have no matter how loudly their anti-virus screams at them about it.

Re:Is this really a trojan? (1)

camperslo (704715) | more than 3 years ago | (#33207948)

As an end user, I'd like to see an app store where liability insurance is mandatory to cover damages that users may experience from misleading or malicious closed-source apps. The insurance companies should still require source. For totally open source apps, the store should indicate if/what independent volunteer group (or one funded by a small per-app fee) has reviewed the app.

I think that OS / software vendors that take the entire burden of security debugging on themselves by failing to provide source code to all should be liable for all direct or indirect damages that result from vulnerabilities others might have found and fixed (or reported for fixing).

Re:Is this really a trojan? (1)

GooberToo (74388) | more than 3 years ago | (#33208190)

If you install something that says "THIS WILL COST YOU MONEY", and it sends SMS that costs you money, how exactly is that a "trojan"?

Because it says it does one thing and actually does another. That's what a trojan is.

The fact that the installation tells you it can cost you money and people still install it means people are idiots. This is like anti-virus popping up and saying, application has been detected to do something which doesn't correspond to the type of application you are installing. Wish to continue? The fact this is newsworthy implies headline, "User willingly and knowingly accepts virus - anti-virus and Windows is to blame." WTF?

You just can't fix stupid.

media player? (0)

Anonymous Coward | more than 3 years ago | (#33206212)

Well, what is the name of the malicious media player?

Re:media player? (0)

Anonymous Coward | more than 3 years ago | (#33206858)

It reminds me of those studies that find "Out of 12 popular vitamin supplements tested, 8 contained ingredients deemed to be harmful to people's health."

So... (0)

Anonymous Coward | more than 3 years ago | (#33206232)

A Trojan posing as a media player for Android smartphones

So, uhh, what's the name of the infected media player app? It's not in TFA, either.

Re:So... (1)

schon (31600) | more than 3 years ago | (#33207038)

<sarcasm>
Well duh - for security purposes, they're not gonna tell you. If you don't know what it's called, you can't go looking for it to install it!
</sarcasm>

Seriously - it's an antivirus company. If they told you what it was called, you wouldn't need to buy their services.

doesn't this... (0)

Anonymous Coward | more than 3 years ago | (#33206236)

require you to
1. enable "install from other places", since by default only market apps can be installed
2. be infinitely stupid??

regards,
Anonymous Coward

Hahaha (5, Funny)

Anonymous Coward | more than 3 years ago | (#33206240)

Hahaha! Good thing I have an iPhon.....*signal lost*

Re:Hahaha (0, Troll)

BitZtream (692029) | more than 3 years ago | (#33206846)

hahaha that was almost as funny as it wasn't 2 months ago since it's likely that even with your fingers in the wrong place the iPhone works better than whatever you're carrying.

Re:Hahaha (0)

Anonymous Coward | more than 3 years ago | (#33206932)

iPhanboy

Re:Hahaha (0)

Anonymous Coward | more than 3 years ago | (#33207012)

butthurt much?

Re:Hahaha (1)

TheRaven64 (641858) | more than 3 years ago | (#33207092)

Besides, with an iPhone, you don't need to download a trojan, you just need to visit a web site and the person with the server can get remote root access to your iPhone. Apple wins on usability again!

What Signal? (1)

ciroknight (601098) | more than 3 years ago | (#33207242)

This is the iPhone we're talking about, how'd you manage to get a signal in the first place!?

(Must have one of those Vulcan pinch phone holders...)

So... (1)

ground.zero.612 (1563557) | more than 3 years ago | (#33206242)

If mercenaries can find work in the middle east, why can't we hire them to find and dispose of the people making withdrawals from the bank accounts of the "premium rate" numbers?

This just really seems like one of those problems that some good old fashioned violence would be great for solving/deterring.

Re:So... (1)

John Hasler (414242) | more than 3 years ago | (#33206378)

If mercenaries can find work in the middle east, why can't we hire them to find and dispose of the people making withdrawals from the bank accounts of the "premium rate" numbers?

At a guess, either because you are not looking in the right places or because you are not offering enough money. What have you tried so far?

This just really seems like one of those problems that some good old fashioned violence would be great for solving/deterring.

Right. After all, it's working so well in the Middle East, and it's not like your "mercenaries" have a record of killing the wrong people or anything.

Re:So... (1)

ground.zero.612 (1563557) | more than 3 years ago | (#33206716)

If mercenaries can find work in the middle east, why can't we hire them to find and dispose of the people making withdrawals from the bank accounts of the "premium rate" numbers?

At a guess, either because you are not looking in the right places or because you are not offering enough money. What have you tried so far?

This just really seems like one of those problems that some good old fashioned violence would be great for solving/deterring.

Right. After all, it's working so well in the Middle East, and it's not like your "mercenaries" have a record of killing the wrong people or anything.

Wait, what? You answer a rhetorical question by telling me that the mercenaries are mine? And that you have a record of their kill statistics?

Oh and why do you capitalize the 'middle east'? Is it a country now, worthy of promotion to a proper noun?

If you could just open your mouth for a second, I'd like to introduce it to your foot. :)

Re:So... (4, Informative)

shmlco (594907) | more than 3 years ago | (#33207050)

"Oh and why do you capitalize the 'middle east'? Is it a country now, worthy of promotion to a proper noun?"

Doesn't need to be a country. Region names are capitalized when they stand alone and are widely understood to designate a specific geographic (or geopolitical) area. e.g. Southern California, the Bay Area, the Middle East.

http://www.utexas.edu/visualguidelines/capitalization.html [utexas.edu]

Re:So... (1)

ground.zero.612 (1563557) | more than 3 years ago | (#33208538)

"Oh and why do you capitalize the 'middle east'? Is it a country now, worthy of promotion to a proper noun?"

Doesn't need to be a country. Region names are capitalized when they stand alone and are widely understood to designate a specific geographic (or geopolitical) area. e.g. Southern California, the Bay Area, the Middle East.

http://www.utexas.edu/visualguidelines/capitalization.html [utexas.edu]

Should have been modded +4 Whoosh

Re:So... (1)

John Hasler (414242) | more than 3 years ago | (#33208620)

Wait, what? You answer a rhetorical question by telling me that the mercenaries are mine?

"We" includes you. In this case it most certainly does not include me. But, no, I didn't tell you that the mercenaries were yours: you said that you were having trouble hiring any. I offered some suggestions.

And that you have a record of their kill statistics?

While the details are secret (well, until recently...) according to news reports totals run to 200,000 or so in the Middle East recently (mostly civilians, of course).

Re:So... (1)

mcgrew (92797) | more than 3 years ago | (#33207182)

"Violence is the last refuge of the incompetent". - Salvor Hardin [wikipedia.org]

Re:So... (0)

Anonymous Coward | more than 3 years ago | (#33208002)

"Violence has resolved more conflicts than anything else. The contrary opinion that violence doesn't solve anything is merely wishful thinking at its worst." - Starship Troopers

Re:So... (0)

Anonymous Coward | more than 3 years ago | (#33208294)

Quoting people doesn't make things true, or make a point. - YOUR MOM

To android owner... (0)

Anonymous Coward | more than 3 years ago | (#33206258)

All your text are belong to us!!

uhhhhl (1)

Essequemodeia (1030028) | more than 3 years ago | (#33206262)

You know, I really wish articles like this would lead with THE NAME OF THE APP THAT HURTS SO BADLY. "A SMS trojan" is hardly specific. I'd like to know if that thing in my pocket is gonna rape my privacy.

Cuz there be Winders in there someware (0)

Anonymous Coward | more than 3 years ago | (#33206264)

It only goes to show, Winders is in there. No ways there be only Linux in there.

Public service or just self serving? (1)

FrkyD (545855) | more than 3 years ago | (#33206276)

So, we know that the company will be releasing security software for android, we know that they have included a signature for the trojan in their software...

But we don't know the name of the firkkin app that is actually doing it. Good thing those security software vendors are so concerned about our well being.

Re:Public service or just self serving? (1)

Monchanger (637670) | more than 3 years ago | (#33206428)

Sounds about right. And it's not just bad reporting as usual- the press release [kaspersky.com] had few details on the application, not including a name.

I found it strange it said they can "fix" the problem with a security system which hasn't been released yet.

Re:Public service or just self serving? (1)

natehoy (1608657) | more than 3 years ago | (#33206478)

I don't own an Android, but I'm struggling with what a security app could do about something like this on a phone with a permissions-based architecture. I was under the impression that the Android security model was somewhat similar to the Blackberry one, but feel free to correct me if I'm wrong.

On the Blackberry, when you install software, each software package has "permissions" you can assign to it. Those permissions include things like "Address Book", "Email", "Corporate Network", "Calendar", "Internet", "GPS", "Bluetooth", "Telephony/SMS", and each one can have "Allow", "Deny", and (usually) "Ask me".

My default permissions are "ask me" (or "deny" where "ask me" is not available). That way, every time a package starts up, it has to ask if it can access each resource it wants. If the request is reasonable, I check the "remember this" box and click "allow" and the app never bugs me again. If the app fails for lack of permission, I can always go into the app settings and turn specific permissions on for that app. This adds almost zero effort to installing and running applications. I get the occasional pop-up, but when Google Maps wants access to my GPS or the Internet, I figure it's pretty OK, and I never get asked again.

It sucks when something like Google Maps 4 demands "Allow" on every goddamned permission or it refuses to run at all, but a revert back to Google Maps 3 fixed that problem up just fine.

You can be pretty sure I'd notice if a media player asked for access to "Telephony/SMS". I'd be clicking the "FUCK NO" button (aka check "remember this" and click "deny"), followed immediately by a rapid trip to the uninstaller to obliterate it from my phone.

Surely the Android has similar tools, right? And, if it does, what is a security application going to do except watch for after-the-fact attacks from apps with specific signatures?

Read the TFA? (5, Insightful)

NiteShaed (315799) | more than 3 years ago | (#33206284)

Why bother? I read it, and I still don't know silly details like what the name of this app is, or whether it's been pulled from the Android Market. Actually, now that I think about it, I don't even know *if* it was in the Android Market, or if it's a side-load app. For all I know, Kaspersky "discovered" a proof-of-concept app that they developed themselves. Yeah, that last bit is pretty unlikely, but reading TFA is no help at all in ruling it out.....

Content fail for TFA.

Re:Read the TFA? (2, Informative)

unix1 (1667411) | more than 3 years ago | (#33206360)

Found the original announcement [kaspersky.com]. No name of an app there either.

While there could definitely be such an app, the article definitely sounds like an advertisement for their product rather than a security notification.

Re:Read the TFA? (1, Insightful)

Anonymous Coward | more than 3 years ago | (#33206462)

Until the app is named, this sounds like "anonymous sources" BS that some news sites like to do which can't be independently verified.

Unless the app and its developer are specified, this reeks of fear-mongering akin to the lines of "OMG, 1/3 of Android apps have access and *could* expose your personal data".

My take: Name and shame, or don't bother publishing. Even though the Weekly World News is out of print, the US still has more than its share of sensationalistic topics.

Re:Read the TFA? (1)

shawn(at)fsu (447153) | more than 3 years ago | (#33206722)

This was the same problem with the screen saver app that also did something malicious. Couldn't find the name of the app, just said that it was out there. This is starting to bother me; tell me what the app is, where it was installed from and who the developer is.

Re:Read the TFA? (1)

machxor (1226486) | more than 3 years ago | (#33206798)

However we don't need to know any of that because it's clear that the application asks for permission to send SMS, the user accepts and then the app does exactly what it said it was going to do. This is no trojan; this is a case of users not wanting to be responsible for the security of their devices.

Re:Read the TFA? (1)

NiteShaed (315799) | more than 3 years ago | (#33207290)

I really can't agree there. I'd still be inclined to categorize it as a trojan since it's disguised as a music player (even a flawed disguise is still a disguise). In any case, I don't think there's any argument to be made that it isn't malware, and I'd still like to know what name it's being distributed under and who it's coming from....

Also, since we don't really know anything about the app, it's entirely possible that its description explains the SMS access away as having the ability to text your friends what music you're listening to or something. Yeah, it's a dumb feature to want, but I could see some people thinking to themselves that they'd just use the player without using the SMS feature or something.

The question is when to agree... (1)

SuperKendall (25149) | more than 3 years ago | (#33207534)

However we don't need to know any of that because it's clear that the application asks for permission to send SMS, the user accepts and then the app does exactly what it said it was going to do.

This is where I'm not sure the Android security model is doing you many favors.

You download a media player, go to install it, and you get a list of things it wants to do - access media library, perhaps access contacts for sharing, and so on... and way down at the end, a little notice about accessing SMS. You might not even think about it much being close to permissions for contacts.

So you agree.... and then it proceeds.

That's why I think a model where the system asks for permission as the phone accesses each protected resource is probably somewhat healthier. Then you can see in context just what it plans to do. Then you would be wondering at any point in time using the media player, why is it sending an SMS to this number I do not recognize?

It doesn't have to ask you every time, just the first few times and then it can be sure you really are OK with it accessing a specific resource.

Prosecution? (3, Insightful)

AdamThor (995520) | more than 3 years ago | (#33206316)

So this should lead to police activity quickly enough, right? One can't (at this time) prove where the trojan came from, but it's easy enough to see who benefits and what accounts the money gets paid into. That should all get frozen, cops should kick down some doors, machines should get confiscated?

Will this happen?

Re:Prosecution? (2, Insightful)

John Hasler (414242) | more than 3 years ago | (#33206452)

> Will this happen?

It could. It is quite possible that some mules will find themselves in serious trouble.

Re:Prosecution? (1)

geekoid (135745) | more than 3 years ago | (#33206662)

" but it's easy enough to see who benefits and what accounts the money gets paid into. "
maybe not.
The person who owns the account might be a legitimate business and just claim he doesn't know why the writer chose him. Or the writer just picked something at random to cause random confusion and to make a point.

Let's say you sold personalized adult SMS messages for 5 bucks a pop. Your business really starts to rise. How are you to know that someone chose you at random for a PoC of malware? Or a rival isn't setting you up?

What about when it's in another country?

The writer could be an idiot and have the money going to a company he set up. Online scams are getting a lot more sophisticated than that.

In addition to the usual cross-border problems... (1)

alispguru (72689) | more than 3 years ago | (#33207100)

If someone you don't like makes money off of SMS messages, write a Trojan that sends them stuff, get people to download it, and voilà! The SMS guys get raided!

Bad summary (5, Informative)

esocid (946821) | more than 3 years ago | (#33206392)

After trudging through several articles, not one mentions the application's name. It does however mention that the trojan can be packed into basically anything. It also doesn't mention that only users in Russia are affected by the SMS charges.

According to Denis Maslennikov, Senior Malware Researcher at Kaspersky Lab, there's not an exact number of infected devices available at present, but the outbreak is currently regional. For now, only Russian Android users can actually lose money after installing the Trojan, but anyone can be infected.

http://www.readwriteweb.com/archives/first_trojan_for_android_phones_goes_wild.php [readwriteweb.com]

Re:Bad summary (3, Informative)

esocid (946821) | more than 3 years ago | (#33206410)

Also forgot to mention, it isn't in the market. It has to be manually installed, with that little box checked to allow non-market apps to be installed.

Re:Bad summary (1)

unix1 (1667411) | more than 3 years ago | (#33207162)

Here's some more info [securelist.com]. Still no link/name/source of the app. They could have paid someone to write a proof of concept/hypothetical app that did that, so they could do a press release and plug in their upcoming product.

Protection (2, Funny)

Ukab the Great (87152) | more than 3 years ago | (#33206394)

With Trojan-SMS.AndroidOS.FakePlayer.a, you can now have two different trojans in your pocket to offer the ladies.

Re:Protection (1)

hydromike2 (1457879) | more than 3 years ago | (#33206766)

I don't see any point to carrying around the latter, nobody on /. will ever get a chance to use it

Re:Protection (1)

VortexCortex (1117377) | more than 3 years ago | (#33207430)

I don't see any point to carrying around the latter, nobody on /. will ever get a chance to use it

Hey! Sure I will, (I don't want to get my Realdoll messy [realdoll.com] ).

Re:Protection (1)

mujadaddy (1238164) | more than 3 years ago | (#33207714)

I read on the internet that the holes can get really stinky if you don't wash them out.

That sounds like just as much work as a real girl! NO THANKS

Duh (0)

Anonymous Coward | more than 3 years ago | (#33206432)

If your phone was in a protective case, like an iPhone 4, you would be infected with such trojans!!! Stupid Android users!!!

Phone companies' response? (1)

Galestar (1473827) | more than 3 years ago | (#33206554)

This type of malware was obvious from the beginning. My question is what would be the phone companies' response to this?

Will they:
a) just charge the user for the messages saying that they are SOL
b) void the charges

Re:Phone companies' response? (1)

natehoy (1608657) | more than 3 years ago | (#33206630)

If it's AT&T, they'd take option (b) until they got sick of issuing credits, followed shortly by a system-wide option (c).

"In order to avoid surprise charges, any phone you use on the AT&T network that is capable of sending or receiving SMS messages must include at least our $5 a month 100-message plan. For your convenience and peace of mind, this plan has been added to your monthly bill starting last month, and is a required component of your account and may not be canceled."

Laugh all you want. That's exactly what they did to a lot of smartphones and data plans last year. Why would SMS messages be any different?

There is still no substitute for common sense (1)

gweihir (88907) | more than 3 years ago | (#33206596)

Those installing applications from questionable sources get what they deserve.

Re:There is still no substitute for common sense (1)

Sancho (17056) | more than 3 years ago | (#33207020)

Do women who walk down dark alleys at 3 in the morning get what they deserve?

Stop blaming the victim.

Re:There is still no substitute for common sense (0)

Anonymous Coward | more than 3 years ago | (#33207108)

If she's that dumb, then yes she probably did get what she deserved.

Re:There is still no substitute for common sense (1)

cdrguru (88047) | more than 3 years ago | (#33207660)

What is clearly needed here is insurance against this type of loss. Then nobody will be a victim anymore ... well, as long as they have insurance.

The problem is that we started out giving hammers to 6 year-old boys without any instruction. This was the DOS command line in 1982. The result was predictable and painful for some but for the most part it is possible to use a PC now, 25 years later. But we still have huge volumes of phishing and botnet emails because people do fall for this stuff.

With Android phones we have more like a situation where we have given hydraulically powered hammers to 6 year-old boys and are surprised when the neighbor's car (and dog) have been "hammered". The actual damage is much worse, the potential damage is virtually unlimited and some technical people are standing around saying how nice these huge hydraulic hammers are and how capable they are of smashing anything. All without any thought as to the consequences of handing these powerful tools to 6 year-old boys without any understanding of the tools they are using.

Yes, I am equating the general public's familiarity with technology with the common sense of a six year-old boy. Absolutely. And I may be overestimating somewhat.

Don't blame the victim only goes so far. We need to blame the victim's lack of education and common sense and we also should think before handing out powerful tools to people that cannot make use of them without damaging the world.

Re:There is still no substitute for common sense (-1, Flamebait)

Anonymous Coward | more than 3 years ago | (#33207726)

Do women who walk down dark alleys at 3 in the morning get what they deserve?

Stop blaming the victim.

If the alley has a bright neon sign that says you will be violated repeatedly if you continue to walk down this alley, then yes.

Just like the people who run from the cops deserve the eventual beating.

Some people are victims by choice.

Re:There is still no substitute for common sense (0)

Anonymous Coward | more than 3 years ago | (#33207356)

It's not just a problem for the stupid.

My phone is rooted and I use a firewall. I white-list apps that I know need internet--this has the nice side effect of blocking ads. I don't install any apps that allow "Services that cost you money", unless they come from Google, or from other companies that I trust, or are open source. My concern is that even though I've taken reasonable steps to protect myself, I have no way of stopping my friends from being stupid. Do I deserve to have my contact information sent to thieves because I happen to be on the contact list of somebody who was stupid enough to install such an app?

Re:There is still no substitute for common sense (1)

pandrijeczko (588093) | more than 3 years ago | (#33208288)

I apply precisely the same opinion about those buying from iTunes which I consider a questionable source also.

hmmm (1)

geekoid (135745) | more than 3 years ago | (#33206598)

A company that makes money selling anti-virus software claims there is a Trojan that their Android release will fix.

Ok, I'm willing, for the moment, to say that's true and has happened.
The article doesn't give any information. Was this spread through the market, or did some select the option to install apps from anywhere and then get hit?

OTOH, this does follow my belief that online and smart phone financial transactions will end. The sheer number and ease of scamming people can't be stopped.

I hope I am wrong. I would love to make my smart phone my wallet.

BIgger picture. (0)

Anonymous Coward | more than 3 years ago | (#33207376)

Ever notice that most (not all, but most) of the AV firms are from Russian/Baltic regions? From the guys who write the most virum and hacking?

SMS Trojan ... seriously? (1)

BitZtream (692029) | more than 3 years ago | (#33206822)

How the fuck can you get ripped off by an 'SMS Trojan'?

Okay, so it sends SMS messages to 'premium numbers' ... so it's a safe bet that the guy who wrote it is the guy who owns those 'premium numbers'.

It should take all of about 8 seconds for someone to turn off the SMS number so the messages no longer get charged to anyone and arrest the fink who started it.

Could it be someone using a trojan directed at an innocent 3rd party? Sure. Is that what's happening? No, stop being so naive.

Suggestions for Quick audit app? (1)

Brit_in_the_USA (936704) | more than 3 years ago | (#33207878)

Any suggestions for an Android app that can quickly do a security audit (assuming the APIs allow it)?

I'm thinking that it would list in table form all the installed applications (the rows) with all the security access types (columns) with all the cells checked or unchecked. This would allow an "at a glance" review of all the apps without having to navigate into the management of each one.
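The at-a-glance table asked for in the comment above, sketched off-device as an added example that is not part of the thread: it reads permission listings in the shape printed by `aapt dump permissions <apk>` and builds an apps-by-permissions matrix, flagging anything that can send SMS or place calls. The package names, the sample dumps, the column choice and the `COSTLY` set are constructed for illustration.

```python
import re

# Constructed sample input, one entry per APK, in the shape printed by
# `aapt dump permissions`. Both the older bare form and the newer
# name='...' form are included. Package names are made up.
SAMPLE_DUMPS = [
    "package: com.example.maps\n"
    "uses-permission: name='android.permission.INTERNET'\n"
    "uses-permission: name='android.permission.ACCESS_FINE_LOCATION'\n",
    "package: com.example.mediaplayer\n"
    "uses-permission: android.permission.SEND_SMS\n"
    "uses-permission: android.permission.WRITE_EXTERNAL_STORAGE\n",
    "package: com.example.notes\n",
]

# Columns of the audit table and the subset treated as able to run up a bill
# (this example's choice, not an official list).
COLUMNS = ["INTERNET", "ACCESS_FINE_LOCATION", "READ_CONTACTS", "SEND_SMS", "CALL_PHONE"]
COSTLY = {"SEND_SMS", "CALL_PHONE"}

PKG_RE = re.compile(r"^package:\s*(\S+)", re.M)
PERM_RE = re.compile(r"^uses-permission(?:-sdk-\d+)?:\s*(?:name=')?([\w.]+)", re.M)
PREFIX = "android.permission."


def parse_dump(text):
    """Return (package, set of short permission names) for one dump."""
    pkg = PKG_RE.search(text)
    if not pkg:
        raise ValueError("no package line in dump")
    perms = {p[len(PREFIX):] if p.startswith(PREFIX) else p
             for p in PERM_RE.findall(text)}
    return pkg.group(1), perms


def build_matrix(dumps):
    """Map each package to the set of permissions it requests."""
    return dict(parse_dump(d) for d in dumps)


def render(matrix):
    """Rows are apps, columns are permissions; x = requested, - = not."""
    width = max(len(p) for p in matrix)
    lines = [" " * width + "  " + "  ".join(COLUMNS)]
    for pkg in sorted(matrix):
        cells = [("x" if c in matrix[pkg] else "-").center(len(c)) for c in COLUMNS]
        lines.append(pkg.ljust(width) + "  " + "  ".join(cells))
    return "\n".join(lines)


def flag_costly(matrix):
    """Packages requesting any permission in COSTLY, with the ones they hold."""
    return {pkg: sorted(perms & COSTLY)
            for pkg, perms in sorted(matrix.items()) if perms & COSTLY}


if __name__ == "__main__":
    m = build_matrix(SAMPLE_DUMPS)
    print(render(m))
    print("review first:", flag_costly(m))
```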