
Soundminder Android Trojan Hears Credit Cards

CmdrTaco posted more than 3 years ago | from the i-heard-that dept.

Open Source 164

Blacklaw writes "A team of security researchers has created a proof-of-concept Trojan for Android handsets that is capable of listening out for credit card numbers — typed or spoken — and relaying them back to the application's creator. Once installed, Soundminder sits in the background and waits for a call to be placed — hence the access to the 'Phone calls' category. When triggered by a call, the application listens out for the user entering credit card information or a PIN and silently records the information, performing the necessary analysis to turn it from a sound recording into a number."


164 comments

Of course (0)

Anonymous Coward | more than 3 years ago | (#34940284)

...didn't see THAT coming.

Re:Of course (0)

Anonymous Coward | more than 3 years ago | (#34941920)

...didn't see THAT coming.

Nope, but I heard it from a mile away.

But hey (1, Insightful)

Pojut (1027544) | more than 3 years ago | (#34940302)

It's Linux-based, so naturally it's secure! /sarcasm

Note: I have a Droid Eris running Nonsensikal 15.2...so I'm certainly no Android hater.

Re:But hey (1)

Tharsman (1364603) | more than 3 years ago | (#34941030)

When there is no limit to what Droid Gets, well.... there is no limit to what Droid Gets. [gogadgetnews.com]

Re:But hey (0)

Anonymous Coward | more than 3 years ago | (#34941442)

Actually the fault lies with Java and its insecurities...

And Google, allowing apps to have access to any of the hardware at all.

Re:But hey (2)

FunkyELF (609131) | more than 3 years ago | (#34941766)

Is there really insecurity when the user has to click "accept" when prompted with a list of everything that application has access to?

Re:But hey (1)

s73v3r (963317) | more than 3 years ago | (#34941840)

Not really. The only way to make it more secure would be to also prompt when the app actually attempts to use the permission. Although that could get annoying kinda fast. The other thing might be for the app developers to actually have to list why they need the permission in question. Why do you need access to my phone calls? I'm sure most spam apps might just make something up, but if they are doing something other than what they say, it should be easier to catch them.

Re:But hey (0)

Anonymous Coward | more than 3 years ago | (#34941856)

"Hi, I'm a random application that's just popped up on your 'phone. Can I listen into your calls?"

*Pojut accepts

*Pojut gets his credit card details stolen

*Pojut bitches about how insecure Linux is

*Rest of world points and laughs

Re:But hey (2)

0xdeadbeef (28836) | more than 3 years ago | (#34941896)

How is this insecure? The behavior is "as designed".

If it isn't the behavior you thought it should be, well, perhaps you shouldn't install unsigned applications from sketchy websites that want to both access your mic and your phone log.

How many people will this actually affect? (1)

Scott64 (1181495) | more than 3 years ago | (#34940310)

Do people actually still give credit card numbers over the phone? I can't think of one time in the last 8 years that I've had a credit card that I've ever given it out over the phone. And not out of fear, either. The situation has just never come up.

Re:How many people will this actually affect? (0)

Anonymous Coward | more than 3 years ago | (#34940338)

Do people actually still give credit card numbers over the phone?

My girlfriend reads her CC# over the phone all the time when ordering takeout.

Re:How many people will this actually affect? (3, Interesting)

Tubal-Cain (1289912) | more than 3 years ago | (#34940350)

When my cards expire my bank mails me a new card, with a phone number to call in order to activate it. The process involves telling the machine what card is being activated.

Re:How many people will this actually affect? (1)

Wannabe Code Monkey (638617) | more than 3 years ago | (#34940878)

When my cards expire my bank mails me a new card, with a phone number to call in order to activate it. The process involves telling the machine what card is being activated.

I believe I just activated a credit card recently and I think they only ask for a portion of the credit card digits, last four digits or something. And then also maybe the last four digits of my social security number. The credit card company only has so many cards out for activation at any one time, so they don't need all the digits to know which card it is.

There's a 1 in 100 million chance that someone has the same last four digits on their credit card as I do AND the same last four digits of their social as I do. What are the chances that they're also waiting on a replacement credit card as I am? If there is a collision in their database, they could just send the first one of us to call to an operator who would ask a few more identifying questions to verify which person they're talking to.

Re:How many people will this actually affect? (1)

Tubal-Cain (1289912) | more than 3 years ago | (#34941000)

They asked me for the full card number, but no social.

Re:How many people will this actually affect? (1)

krazytekn0 (1069802) | more than 3 years ago | (#34941646)

Your credit card company has your phone number on file, if you call from that number they generally won't ask for the credit card number or the full number, if you call from a different phone then they will ask for more info. That's why the little stickers say to call from your "home phone" or did in the past few years.

Re:How many people will this actually affect? (1)

jeffmeden (135043) | more than 3 years ago | (#34941970)

That's not how they avoided collision. Banks have fully integrated CID data into their AVR systems for a long time now. You called in with the phone registered to that account, they immediately knew the card number that was up for activation but had you confirm it regardless. Likewise, for a bit more security they had you confirm part of your SSN. This is all well and good, until the registered number associated with your account is a cellphone with compromised software that can relay a call from an attacker, an attacker who happens to have already picked off your SSN via other communications, and is now sitting on a fully activated, high-limit card with your name on it.

Re:How many people will this actually affect? (2)

Jahava (946858) | more than 3 years ago | (#34940410)

Do people actually still give credit card numbers over the phone? I can't think of one time in the last 8 years that I've had a credit card that I've ever given it out over the phone. And not out of fear, either. The situation has just never come up.

I suspect they're talking about strings of touch-tone numbers that are dialed during a phone call. If the string is long enough, an application can infer that it's a credit card number.

This happens all the time with over-the-phone payment systems. True, many of these systems are being supplanted by online payment methods, but many niche services (debt collection, carry-out order, etc.) still use smaller automated phone-based systems.

Re:How many people will this actually affect? (1)

gorzek (647352) | more than 3 years ago | (#34940544)

There's no reason this can't be done for spoken numbers, either. Android's built-in voice recognition system could easily be used to monitor whether you've just uttered a string of numbers.

Re:How many people will this actually affect? (1)

Anonymous Coward | more than 3 years ago | (#34940628)

TFS says "typed or spoken", are you guys reading it?

Re:How many people will this actually affect? (1)

GungaDan (195739) | more than 3 years ago | (#34940670)

Every time I receive a replacement for an expired credit card I have to phone in to activate it. First thing asked for? Card number.

Are there credit cards that do not require a call to activate?

Re:How many people will this actually affect? (1)

cmiller173 (641510) | more than 3 years ago | (#34940930)

I have had a few that use the caller ID of the phone I'm calling from first. If I call from the home phone the CC company has on file (yeah I still have a landline) it just replied with "your new card is activated".

Re:How many people will this actually affect? (1)

Lumpy (12016) | more than 3 years ago | (#34941506)

Yes. My last 3 were online activation.

I went to the website printed on the card, entered the last 4 digits and followed the prompts. No phone call required.

Plus the BS of "you must call from your home phone" is a crock. I do it from random phones and it works fine.

Re:How many people will this actually affect? (3, Insightful)

joebok (457904) | more than 3 years ago | (#34940682)

Article and summary say "typed or spoken" - so it is not simply looking for a sequence of tones - which broadens the impact significantly even from official over-the-phone payment systems.

Still, the fact that CC companies have to eat fraudulent transactions over $50 means that even if this were in the wild, it probably would not have major impact. CC companies are pretty good at detecting fraud. Debit cards/banks, however, are not held to the same standard - highly recommend never, ever, using a debit card under any circumstances regardless of this kind of exploit.

Re:How many people will this actually affect? (3, Informative)

cmiller173 (641510) | more than 3 years ago | (#34940954)

That $50 limit was extended to debit cards some time ago

"That $50 liability limit also applies to ATM and debit cards, though holders of these cards might be liable for up to $500 if they fail to report the card's disappearance within two business days after they learn of the loss or theft of the card. (Debit and ATM card owners can be held responsible for all losses if they fail to report the theft within 60 days of when a bank statement showing unauthorized charges is mailed.) " -- http://www.scambusters.org/creditcard3.html [scambusters.org]

Re:How many people will this actually affect? (1)

CDefense7 (1912430) | more than 3 years ago | (#34941124)

The CC companies don't have to eat this. They take the money back from the merchant who accepted this fraudulent charge. I know this from the Taxi company I worked for (stolen card was used), and the current mail-order company I work for.

Re:How many people will this actually affect? (1)

tgd (2822) | more than 3 years ago | (#34941262)

Debit cards/banks, however, are not held to the same standard

Correct, most are capped at $0 liability.

Re:How many people will this actually affect? (1)

OzPeter (195038) | more than 3 years ago | (#34940434)

Do people actually still give credit card numbers over the phone?

When I pay my CC I can call up the company's automated phone line to authorise a transfer from a known bank account. In doing so they want me to give them the CC number. So that's another reason you could give your CC number over the phone.

Re:How many people will this actually affect? (1)

gurps_npc (621217) | more than 3 years ago | (#34940558)

Never had to call the credit card company to dispute a bill? They ask for the credit card #. I also guess you don't use a good reward program. I like my reward program (1% cash - same as all the rest - except they put the cash reward directly into a savings account one month after you pay the bill as opposed to year end.) Because if you have a reward program you like, you tend to use it for everything - even buying pizza on the phone.

Re:How many people will this actually affect? (1)

Lumpy (12016) | more than 3 years ago | (#34941534)

Do you pay 100% of your balance every month BEFORE the grace period? If not, then your 1% cash back is worthless.

It's dumb to pay 18% interest on something so you can get 1% back.

Re:How many people will this actually affect? (1)

Skater (41976) | more than 3 years ago | (#34940714)

I do it frequently. Some places I deal with (campgrounds, mostly) do not have online ordering or whatever.

Re:How many people will this actually affect? (1)

BagOBones (574735) | more than 3 years ago | (#34940830)

- Credit card activation
- Bill payment by credit card or first time set-up of automatic payments
- Checking your credit card balance
- Calling in to dispute a charge
- Calling in to find out why a card has been declined (happens to me often when on vacation due to over sensitive fraud protection)
- Calling in to get a lost or stolen card replaced
- Ordering take-out or delivery

Re:How many people will this actually affect? (1)

I8TheWorm (645702) | more than 3 years ago | (#34941876)

Not to worry, I gave your credit card number over the phone just last week!

Does it even need to do that...? (1)

Joce640k (829181) | more than 3 years ago | (#34940330)

It could watch for people dialing the numbers of (eg.) online ticket sellers then just record the conversations. There's bound to be a credit card in there.

Re:Does it even need to do that...? (1)

Tharsman (1364603) | more than 3 years ago | (#34941216)

Why limit your spyware to only specific lists of phone numbers? May as well go for the virulent gold and catch any credit-card number you can, no matter who you are giving it to. A predetermined list would also mean the virus would be forced to carry extra overhead with a database of phone numbers. Given businesses closing up, opening up, and plainly changing numbers, things that happen every day, the list would be obsolete very fast. An online database would require the virus to do constant checks and expose itself more often to discovery.

different than a Mac/PC keylogger how? (0)

Anonymous Coward | more than 3 years ago | (#34940354)

...

Re:different than a Mac/PC keylogger how? (1)

MikeDirnt69 (1105185) | more than 3 years ago | (#34940508)

It works on Android. Next question?

People don't expect their phone to be tapped (1)

perpenso (1613749) | more than 3 years ago | (#34941966)

different than a Mac/PC keylogger how?

While people are somewhat open to the idea of their computer getting a virus, they don't expect their phones to be tapped by thieves. It's a legacy of the analog world; many consider voice to be more secure than submitting a web-based form.

Wouldn't you have to be root for this to work? (1)

filesiteguy (695431) | more than 3 years ago | (#34940360)

I'm thinking this through and thinking of my android-based device. For anything to gain access like this wouldn't the user need to be root?

Or can the app simply request permission?

(Disclaimer: I'm root and have cyanogen on my phone.)

Re:Wouldn't you have to be root for this to work? (1)

Imagix (695350) | more than 3 years ago | (#34940402)

The app simply requests permission. More accurately, the app asks for permission during install time when the installer notifies the user that this app requires permissions to intercept calls.

Re:Wouldn't you have to be root for this to work? (2)

rjstanford (69735) | more than 3 years ago | (#34940704)

So it could be bundled in with a "voice changer" app or, probably more successfully, one that randomly inserts background noise (train station, jungle, room-o-farts) into your call. For freez!

Re:Wouldn't you have to be root for this to work? (5, Informative)

Jahava (946858) | more than 3 years ago | (#34940568)

I'm thinking this through and thinking of my android-based device. For anything to gain access like this wouldn't the user need to be root? Or can the app simply request permission? (Disclaimer: I'm root and have cyanogen on my phone.)

The article says the application requests the following permissions:

  • Read Phone State and Identity: Used to know when your phone is calling
  • Your Personal Information: Not really used in the attack.
  • Hardware Controls (probably specifically microphone): Lets the application record audio

There's an additional app that requests Network Capabilities; it's used to relay the data. Since the original application doesn't request those capabilities, it's less obvious (although now a second application has to be installed).

Basically, the application masquerades as an overly-permissive "voice recorder". It registers to receive notifications when the "phone state" changes, and when you place a call it starts recording. It processes the audio and pulls out voice and touch-tone number sounds. It then passes that information to the "Deliverer" application, which forwards it to the bad guy. Two applications written by the same developer can share data, so they probably use that channel.

The scenario is that a user will install the recorder app because they want a voice recorder, and will install the "Deliverer" app for some unrelated reason. Neither app's permissions set off any warning bells, but, together, they can steal your data.

So no, no rooting necessary. Goes to underline the general idea - given any security fence and enough time to understand it, someone will find a way around it. It's not particularly creative or innovative - just one of those proofs-of-concept of the obvious that will get media attention. Android's permissions are a nice heads-up to the user, but you really need to know and trust the publisher before you give any of the more deadly set of permissions (e.g., hardware controls, network communication) to an app.

Re:Wouldn't you have to be root for this to work? (0)

Anonymous Coward | more than 3 years ago | (#34940726)

If apps couldn't run in the background that wouldn't be nearly as much of a problem.

Just sayin'

Re:Wouldn't you have to be root for this to work? (2)

Klync (152475) | more than 3 years ago | (#34940804)

While "Hardware Controls" seems intuitive for the stated purpose, "Read Phone State and Identity" is fairly common, too. Almost every application will do things differently - whether operating in the foreground or background - depending on whether you are using the phone at the time. E.g. whether to play a sound or ring an alarm. This is one permission I (and I hate to admit it) would barely think twice before granting to just about any app.

Re:Wouldn't you have to be root for this to work? (1)

icebraining (1313345) | more than 3 years ago | (#34940816)

Personally, I think Google should change the permissions. Hardware Controls should not get access to the microphone during a call - instead, it should ask for a new permission, like "Recording calls". Make it more clear for the user.

If people install a trojan that specifically says it'll record calls, then there's not much one can do.

Re:Wouldn't you have to be root for this to work? (1)

shadowrat (1069614) | more than 3 years ago | (#34941120)

I'm sure many of us raise an eyebrow at the permissions requests, but most people do not. The biggest security flaw is the user. Most will grant any app permission to do anything.

Re:Wouldn't you have to be root for this to work? (1)

leonardluen (211265) | more than 3 years ago | (#34941398)

I believe if you read the full article you will also notice that Google stated that they have thought of such a scenario of apps sharing data, so they purposefully made it difficult for them to pass data back and forth to each other. So the recording app and the deliverer app secretly share data by updating various global phone settings such as the ring volume and backlight timeout.
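The two-app split Jahava describes above and the settings-based side channel mentioned in this comment suggest a defender-side check: an app that rewrites the same global setting many times a second during a call is signalling, not configuring. The following is an added example, not code from the article, the comments or the Soundminder researchers; the event fields, package names, sample log and thresholds are all constructed assumptions.

```python
"""Detect a settings-modulation covert channel between two Android apps.

Added example (not code from the article or the researchers). It replays a
constructed log of writes to global phone settings (ring volume, screen-off
timeout) and flags the pattern a normal user almost never produces: one
package rewriting the same setting many times within a couple of seconds,
flipping the value back and forth, while a call is active. Field names,
package names and thresholds are assumptions for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class SettingEvent:
    ts_ms: int      # time of the write, milliseconds since boot
    package: str    # package that performed the write
    key: str        # global setting written, e.g. "ring_volume"
    value: int      # value written
    in_call: bool   # whether a call was active at the time


@dataclass(frozen=True)
class Finding:
    package: str
    key: str
    start_ms: int
    end_ms: int
    writes: int     # number of writes in the burst
    toggles: int    # consecutive writes that changed the value
    in_call: bool   # any write in the burst happened during a call


# Constructed sample log (not real device output). The first three writes are
# ordinary user/system activity; the rest is a rapid burst to one key by one
# package during a call, with values flipping like a bit stream.
_BURST_VALUES = [7, 3, 3, 7, 3, 7, 7, 3, 7, 3, 3, 7]
SAMPLE_EVENTS: List[SettingEvent] = [
    SettingEvent(1_000, "com.android.settings", "screen_off_timeout", 60_000, False),
    SettingEvent(9_500, "com.android.settings", "ring_volume", 5, False),
    SettingEvent(12_000, "com.android.phone", "ring_volume", 0, True),
] + [
    SettingEvent(20_000 + i * 100, "com.example.recorder", "ring_volume", v, True)
    for i, v in enumerate(_BURST_VALUES)
]


def _split_bursts(events: List[SettingEvent], gap_ms: int) -> List[List[SettingEvent]]:
    """Group time-sorted writes so that consecutive writes closer than gap_ms
    share a burst. A human changing the ring volume produces single writes
    seconds or minutes apart; a covert channel produces a dense run."""
    bursts: List[List[SettingEvent]] = []
    current = [events[0]]
    for ev in events[1:]:
        if ev.ts_ms - current[-1].ts_ms <= gap_ms:
            current.append(ev)
        else:
            bursts.append(current)
            current = [ev]
    bursts.append(current)
    return bursts


def find_covert_bursts(events: List[SettingEvent], gap_ms: int = 500,
                       min_writes: int = 8, min_toggles: int = 5) -> List[Finding]:
    """Return one Finding per (package, setting) burst that looks like
    signalling rather than configuration: many writes, close together,
    with the value changing repeatedly."""
    streams: Dict[Tuple[str, str], List[SettingEvent]] = defaultdict(list)
    for ev in events:
        streams[(ev.package, ev.key)].append(ev)

    findings: List[Finding] = []
    for (package, key), stream in streams.items():
        stream.sort(key=lambda e: e.ts_ms)
        for burst in _split_bursts(stream, gap_ms):
            if len(burst) < min_writes:
                continue
            toggles = sum(1 for a, b in zip(burst, burst[1:]) if a.value != b.value)
            if toggles < min_toggles:
                continue
            findings.append(Finding(package, key, burst[0].ts_ms, burst[-1].ts_ms,
                                    len(burst), toggles, any(e.in_call for e in burst)))
    return sorted(findings, key=lambda f: f.start_ms)


def severity(finding: Finding) -> str:
    """A settings burst during a call is the pattern the comment describes;
    outside a call it is still odd but could just be an over-eager app."""
    return "high" if finding.in_call else "medium"


if __name__ == "__main__":
    for f in find_covert_bursts(SAMPLE_EVENTS):
        print(f"{severity(f)}: {f.package} rewrote {f.key} {f.writes} times "
              f"({f.toggles} value flips) between {f.start_ms} ms and {f.end_ms} ms"
              f"{' during a call' if f.in_call else ''}")
```

On a real device the event stream would come from a settings-change observer or audit log; the thresholds should be tuned against that log's benign baseline before alerting.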

Okay we use it to fund the bat-gear this once... (0)

aapold (753705) | more than 3 years ago | (#34940362)

But once we stop the Joker, you have to destroy this app or I, Morgan Freeman, will not be in the next movie.

Can't make smarter users... (4, Funny)

kellyb9 (954229) | more than 3 years ago | (#34940376)

... so you better start making smarter phones and more rigorous guidelines for app store approval. Problem solved.

Re:Can't make smarter users... (0)

Anonymous Coward | more than 3 years ago | (#34940476)

No way, even the slightest suggestion of checking apps and possibly rejecting them means you're a fascist nazi douche that hates freedom.

There is no in-between. An app store must either let anyone post anything they want, in which case they love freedom and choice and open source and are the best company ever, or they are fascists that literally want to enslave you.

Re:Can't make smarter users... (2)

Ginger Unicorn (952287) | more than 3 years ago | (#34940688)

Or perhaps give you the choice to opt between using a secure app store or installing what you like, thus solving your false dichotomy.

Re:Can't make smarter users... (0)

Anonymous Coward | more than 3 years ago | (#34941608)

Perhaps you don't recognize sarcasm, or recognize that the poster was making fun of the Slashdot hyperbole on here related to app stores that use approval/rejection, such as Microsoft and Apple. If it's the latter, I suggest going and scanning any article on this site about the iPhone or Android, where you can witness constant intelligent insight such as "OMG steve job$ personally rejected an app, he is a Nazi and Apple hates freedom. You can't run ANYTHING on an iPhone. It should be OPEN like Android because open source and freedom"

Re:Can't make smarter users... (1)

Anonymous Coward | more than 3 years ago | (#34940710)

Well I'm unsure whether Apple actually check for covert malware (or the extent to which they check), the cost to them to do so would be prohibitive, and I'll bet if you read the terms and conditions of the App store you'll find wording to the effect that they're not responsible if malware does get through, but to suggest that the Android Marketplace lets people post anything they want is a little misleading. There's still a process by which harmful content can be removed, and Google have not been shy about employing it in the past. Indeed, apart from the upfront costs there's probably little difference in sneaking malware onto either store - the key difference is that Android tells you which functionality of the phone your apps are allowed to access.

Re:Can't make smarter users... (2)

Tharsman (1364603) | more than 3 years ago | (#34941496)

Things that Apple considers can intrude on user privacy are either not allowed to be done at all or request user permission every time they are going to execute. Location requests must be re-approved every day and things like call recording are just not allowed.

During approval, Apple does check for calls to APIs that can access these services, and rejects the application if it finds any. That's the reason for their "No Use of Non-Public APIs" restriction. This is no manual review; they have automated processes to make sure such hooks don't exist in the application.

Re:Can't make smarter users... (0)

Anonymous Coward | more than 3 years ago | (#34940718)

You know, I don't have an Android or other smart phone yet, so I don't know. I do have an Ipod touch (was a gift), and I've bought stuff from the Apple app store.

I think the real question isn't so much that the Apple App store is checking and rejecting apps, it's that you *can't* (easily) get apps from other sources no matter how much you trust them.

My understanding is that the Android phones are potentially more flexible in that regard, which I think is great (and one reason why my next phone will probably be an Android phone, even if I only go through their default app store). I don't care if the default store is reasonably restrictive, hell, I would like them to be. I just don't want to be *stuck* with only that one restrictive source if I think that it has made a mistake.

Re:Can't make smarter users... (0)

Anonymous Coward | more than 3 years ago | (#34941078)

I'm sorry, but this comment is just ignorant.

Re:Can't make smarter users... (1)

I8TheWorm (645702) | more than 3 years ago | (#34941992)

And this comment lacks sarcasm detection.

Re:Can't make smarter users... (1)

I8TheWorm (645702) | more than 3 years ago | (#34941948)

Even then, we've seen with the Apple app store that the system in place to check apps isn't very good. With the number of submittals they would need an army of people to vet the apps properly anyway.

Google has a more lax approach with their store, but the net result is the same... some bad apples get through the process and onto people's phones.

The good news is the dev registration process requires you put up some $$ with a credit card which gives Apple/Google/RIM/MS at least a small chance of tracking the person down.

It's not perfect but it's something.

Re:Can't make smarter users... (0)

Anonymous Coward | more than 3 years ago | (#34940820)

You mean like the Apple App Store?

Re:Can't make smarter users... (1)

kellyb9 (954229) | more than 3 years ago | (#34940880)

Yeah, I guess it'll be exactly like the app store without all the blatant censorship of "distasteful content". If you want to download malware, go outside Android's official app store... I suppose it's nice being able to decide.

Triple Android dis... (1)

Rob Kaper (5960) | more than 3 years ago | (#34940390)

Three articles in a row casting doubt on Android in one way or the other... really, Rob?

They have now cast doubt thrice! (1)

aapold (753705) | more than 3 years ago | (#34940574)

THRICE!

Re:Triple Android dis... (1)

Anonymous Coward | more than 3 years ago | (#34940668)

Yes, clearly Android must be above all criticism.

Back in real life, Slashdot is about page views, not some juvenile war against the "bad guys".

Re:Triple Android dis... (1)

socz (1057222) | more than 3 years ago | (#34940886)

So for the last world cup, I made for the teams we were rooting for (here in the office) Android banners! It took about a day to figure out what I was doing, but after that it went well. At first I just used backgrounds to match the colors and text for the slogan. But then I found it better/easier to use a graphic. So when our teams were playing we'd open the program and display our support on our android phones. +1 for Android!

I was thinking it listened to the environment (0)

Anonymous Coward | more than 3 years ago | (#34940406)

Not just phone calls. I thought it was sitting in the background, voice activated, listening for strings of numbers. But I imagine that would consume too much power.

Other applications (2)

kellyb9 (954229) | more than 3 years ago | (#34940486)

This is just one practical application. *Puts on tin foil hat* What about a comparable government system mining for certain terrorism related keywords? I can think of 100's of more dangerous applications to this type of software, and I don’t even have to be the person who has it installed. I find that particularly frightening.

Re:Other applications (1)

delinear (991444) | more than 3 years ago | (#34940732)

Why would the government go to the cost and effort of trying to get a few people to install this on their phones when they are almost certainly already listening to everyone's calls at the exchange?

Re:Other applications (1)

kellyb9 (954229) | more than 3 years ago | (#34940796)

Who says I meant our government?

Re:Other applications (0)

Anonymous Coward | more than 3 years ago | (#34940882)

Because then they're using the phone's computing resources; reducing their own resource requirement means increasing their eavesdropping capacity.

Re:Other applications (1)

cpghost (719344) | more than 3 years ago | (#34940914)

What about a comparable government system mining for certain terrorism related keywords?

Governments don't need it: they already tap the backbones... But look at it the other way: how about an app that would listen on Gov't employees, and relay everything to sites like WikiLeaks et al.?

Soundminder Trojan once installed (1)

doperative (1958782) | more than 3 years ago | (#34940596)

"A team of security researchers has created a proof-of-concept Trojan for Android handsets that is capable of listening out for credit card numbers -- typed or spoken -- and relaying them back to the application's creator. Once installed, Soundminder sits in the background"

How does this 'trojan' get onto the handsets in the first place?

Re:Soundminder Trojan once installed (0)

Anonymous Coward | more than 3 years ago | (#34940636)

GET THESE THREE APPS THAT COST MONEY FOR FREE!!!one1!

Why do people get viruses from those painfully obvious screen saver ads?

Re:Soundminder Trojan once installed (1)

The Moof (859402) | more than 3 years ago | (#34940744)

The same way other malware gets distributed - offer some trivial software with this bundled into it. Users have a tendency to blindly give permissions without caring just to get dialogs out of their face.

The iPhone and its "Walled Garden"... (0, Troll)

Chris Tucker (302549) | more than 3 years ago | (#34940648)

...App Store starting to look a little better?

Of course, when the latest Android 2.2 phone OS gets pushed to the phones, everything will be better.

Oh, right. The PhoneCos are refusing to push that upgrade [google.com] .

Re:The iPhone and its "Walled Garden"... (1)

Anonymous Coward | more than 3 years ago | (#34941332)

I'm mildly surprised this is modded up here. Not the 2.2 push, that probably should go out; it's in the nature of open source to require such upgrades for security reasons, it's already a known procedure on Linux desktops/servers.

What I am surprised at is I'm seeing a modded up post on Slashdot booing open platforms and making positive light of one of IT's most closed source systems.

Would you prefer it locked down and not open source, would that make the Droid a better phone to you? What is your desktop/server OS preference and would it be considered in the same light?

Not trying to flame in any way, but my personal preference is open. As soon as I heard of the Droid I knew someone would make something; you can say that about any Linux install as well.

Re:The iPhone and its "Walled Garden"... (2)

magus_melchior (262681) | more than 3 years ago | (#34941778)

To be honest, I'm pretty sure Google can pull trojans off its Market. The victim would have to be stupid enough to (a) download an app from an untrusted source, and (b) click through the "This app has access to this stuff" warning without reading it.

In other words, it's not much more different than PCs.

Another Hack! (0)

Anonymous Coward | more than 3 years ago | (#34940654)

So now every Tom, Dick and Harry want-to-be hacker has got this new great idea of another way of making life difficult for everyone else. Thanks for publishing it.

Re:Another Hack! (1)

delinear (991444) | more than 3 years ago | (#34941068)

Or maybe every Tom, Dick and Harry want-to-be hacker already knew about this (it's hardly a great leap from a voice recognition-enabled phone to scanning calls for important information) and these guys have brought it to the public's attention by publishing this.

Complain about Apples 'closed' ethos all you want, (0)

tonywestonuk (261622) | more than 3 years ago | (#34940666)

But... this type of hack will never get into the wild on the iPhone... or, if it was ever missed by their app vetting procedure, Apple could remotely shut it down anyhow.

Remind me not to get an Android phone, if this is the type of stuff hackers are going to be distributing soon.

--
Possessed - my first Facebook game. Come play! [facebook.com]

Re:Complain about Apples 'closed' ethos all you wa (1)

Klync (152475) | more than 3 years ago | (#34940850)

Article: "People have been known to cut themselves when using these really sharp knives. Maybe they should have additional safety features."

You: "Yeah, but those knives wouldn't even get through the door of the prison I live in. Why doesn't everybody just live in a prison like me?"

Re:Complain about Apple's 'closed' ethos all you wa (1)

tonywestonuk (261622) | more than 3 years ago | (#34941056)

The thing about a sharp knife, it looks like a sharp knife...

The thing about a trojan running on a phone, it looks like whatever the app maker wants it to look like, probably fluffy and cute and not at all like something that's going to hurt.

--

Possessed - my first Facebook game. Come play! [facebook.com]

Re:Complain about Apple's 'closed' ethos all you wa (0)

Anonymous Coward | more than 3 years ago | (#34941544)

So if people started giving away things on the street you'd just take a bunch of it? And if it had a dangerous object (sharp stone, badly processed food, whatever) inside, you'd willingly admit yourself to some sort of institution to protect yourself from bad street peddlers?

The problem isn't with the system. The problem is that people want to be able to trust the random guy on the internet freely giving them "OMG ELF DANCE PENGUIN BASEBALL.SWF.EXE" since it's the best thing ever.

Of course, the root cause is that people are bastards and try to fool people to begin with. But as a population we should be pretty aware that there is (unfortunately) no such thing as a free lunch.

Re:Complain about Apple's 'closed' ethos all you wa (1)

Sentrion (964745) | more than 3 years ago | (#34941580)

Knives, trojans, and hacking... reminds me of my college days when I stuck a phone ringer in my roommate's iron. Every time he was ironing his shirts I would remotely activate the ringer. He ended up burning both of his ears before he realized what was going on.

Re:Complain about Apple's 'closed' ethos all you wa (1)

unimacs (597299) | more than 3 years ago | (#34941202)

There are more choices than the two extremes of rigid control or the wild west. Both Apple and Google could have an optional approval process which would certify that an app is safe for use on your phone. Maybe there would be some cost to the developer. Other apps could be submitted without certification. The marketplace or store would have to clearly identify which apps have been certified and which haven't. A user should be warned if they're downloading an app that hasn't been certified and given the option to permanently turn that warning off if they choose. I much prefer that model to having to install some virus checker on my phone which takes up resources, costs money, has to be kept up to date and may misidentify a critical OS file as a virus and inadvertently brick the phone.

Re:Complain about Apple's 'closed' ethos all you wa (1)

jgtg32a (1173373) | more than 3 years ago | (#34941796)

Actually a sharp knife is a safe knife, most knife injuries are from having a dull knife slip.

Re:Complain about Apple's 'closed' ethos all you wa (0)

Anonymous Coward | more than 3 years ago | (#34941012)

Complain about Android's "open" ethos all you want, but at least responsible users can install what they want rather than what their phone provider tells them they're allowed to. There are up- and downsides to both the open and closed approaches. Open is less secure but allows greater freedom; closed is more secure at the cost of freedom. There's no right or wrong, there's only right or wrong for you. For me, I've lived for 15 years with Windows and never had an issue with malware because I exercise responsibility. I intend to use my phone the same way and don't envisage any issues. If this was some kind of rampant worm that could spread and replicate without my agreement then I'd agree. If it's an attack vector that only works on people who don't exercise caution over what they're installing then I totally agree those people would be better off with Apple's protection. That's not an inherent flaw with either OS, it's an inherent flaw with people.

Still, if you're not the kind of person who can't use a computer responsibly without installing malware, then consider yourself reminded not to get an Android phone :) I'd also recommend turning off your PC before you click on an ad for free screensavers or respond to that email from the nice Nigerian prince.

Re:Complain about Apple's 'closed' ethos all you wa (1)

Anonymous Coward | more than 3 years ago | (#34941028)

First, Apple's vetting procedure is inconsistent at best. I have a flashlight app from the store that doubles as a wifi hotspot.

Second, Android also has a remote shut down capability for apps.

Re:Complain about Apple's 'closed' ethos all you wa (1)

SCHecklerX (229973) | more than 3 years ago | (#34941102)

Only a threat if you are dumb enough to install it in the first place. Dumb users == owned equipment. That's always been the case. No technology is going to fix stupid behavior. This is why antivirus is useless. If antivirus is detecting things, then IT'S ALREADY TOO LATE! We want to PREVENT the infection, and proper hygiene and common sense in synergy with proper technological controls is the only way that is going to happen.

Re:Complain about Apple's 'closed' ethos all you wa (1)

jisatsusha (755173) | more than 3 years ago | (#34941278)

You are aware that Android has a kill switch too, right?

cell scanners? (1)

Culture20 (968837) | more than 3 years ago | (#34940800)

Aren't there still cell-phone scanners? Why would anyone enter a CC number via cell phone if anyone within cell range could be listening in or recording CC info?

O_EXCL Microphone. (1)

codegen (103601) | more than 3 years ago | (#34940844)

So why isn't access to the microphone mutually exclusive? If the phone is using the microphone for an ongoing conversation, then apps shouldn't be able to use it at the same time. I can understand the OS accessibility routines having concurrent access with an app, but when you are on an actual voice connection, that should probably be exclusive access. Similarly, applications like Skype should also be able to request exclusive access to the microphone.

Re:O_EXCL Microphone. (1)

OverlordQ (264228) | more than 3 years ago | (#34941002)

If the phone is using the microphone for an ongoing conversation, then apps shouldn't be able to use it at the same time.

But how else can you get the completely awesome t-pain autotune app!

Proposed solution: secure call mode (2)

Klync (152475) | more than 3 years ago | (#34940902)

Perhaps one solution to consider would be the ability to put the device into a state where nothing but the phone is running - i.e. all other apps are just blocked until the call is released. Alternatively, the phone data in / out could be sandboxed from the rest of the OS. This would be a special mode since there are legitimate uses for this (tone dialing, call recording, etc.), but should be available to switch on when needed (or take the reverse approach and have it on by default, switched off when desired).

I'm not sure if the Android API would allow building an app for this, or if something at a lower-level would be required.... Anyway, feel free to implement this and send me the royalty cheques if you can. Just google for my banking info.

Should have two Android Marketplaces (1)

unimacs (597299) | more than 3 years ago | (#34940906)

I don't own an Android phone so I may not be the best person to comment, but it seems to me they need two Marketplaces, or at least two separate areas. One area would contain apps that have gone through some testing and approval process and another that's just wide open: all bets are off. Probably wouldn't prevent people from blaming the phone if their CC number gets stolen, but at least people would know that there's an identifiable subset of apps that are malware free.

WAN TOO FREE (4, Funny)

neon-fx (777448) | more than 3 years ago | (#34941024)

Once again being unintelligibly Scottish comes in useful.

Headphone Jack Credit Card Readers (0)

Anonymous Coward | more than 3 years ago | (#34941060)

When I first read this I thought that headphone jack credit card readers, like Square, had been compromised. Is that possible?

Send them Bogus Numbers! (0)

Anonymous Coward | more than 3 years ago | (#34941112)

I think that everyone that knows about the app should download it and start feeding the 'owner' strings of bogus numbers. Let them wade through a few million numbers for a real hit.

Article Summary Misleading (0)

Anonymous Coward | more than 3 years ago | (#34941322)

From the article:
Soundminer takes a novel approach to these restrictions, by only requesting access to 'Phone calls,' to read phone state and identity, 'Your personal information,' to read contact data, and 'Hardware controls' to record audio - none of which will ring alarm bells if the app is marketed as a voice recording tool.

So, it is using way more than just "Phone calls", and by no means is this "novel".

If you downloaded a "voice recording tool" with this permission list you deserved to get robbed blind.

All smartphone owners (iPhone included, Apple won't protect you from everything) need to start being way more paranoid about their phones. It is your wallet, it is your email, it is your life.
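The permission combination quoted from the article above (phone state, contacts, audio recording) is exactly the kind of thing a reviewer or a market-side scanner can check for before install. The following is an added example, not code from the article or from the Soundminer researchers: it parses an AndroidManifest.xml and flags that combination. The mapping from the Market permission groups named in the article to the manifest-level permission constants is an assumption made here, and the two sample manifests are constructed for the example.

```python
"""Flag Android manifests whose <uses-permission> set contains the
phone-state + contacts + audio-recording combination described above."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS

# Assumed mapping from the Market permission groups quoted in the article
# to the manifest-level permission constants.
SOUNDMINER_PATTERN = {
    "android.permission.READ_PHONE_STATE",  # 'Phone calls'
    "android.permission.READ_CONTACTS",     # 'Your personal information'
    "android.permission.RECORD_AUDIO",      # 'Hardware controls'
}


def requested_permissions(manifest_xml):
    """Return the set of permission names declared via <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    return {el.get(NAME_ATTR) for el in root.iter("uses-permission")
            if el.get(NAME_ATTR)}


def matches_soundminer_pattern(manifest_xml):
    """True when every permission in the pattern is requested."""
    return SOUNDMINER_PATTERN <= requested_permissions(manifest_xml)


# Constructed sample manifests (not taken from any real app).
RECORDER_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.voicenotes">
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
</manifest>"""

SUSPECT_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.voicenotes">
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
</manifest>"""

if __name__ == "__main__":
    for label, xml in (("recorder", RECORDER_MANIFEST),
                       ("suspect", SUSPECT_MANIFEST)):
        print(label, "matches pattern:", matches_soundminer_pattern(xml))
```

A plain voice recorder needs RECORD_AUDIO; it is the addition of READ_PHONE_STATE (to know when a call is in progress) and READ_CONTACTS that makes the set worth a second look.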

All phones are at risk. Protect yourself. (1)

Anonymous Coward | more than 3 years ago | (#34941440)

Regardless of the phone you are using, you must assume that someone can be listening to your phone conversation. On a home wireless phone, all it takes is a scanner from Radio Shack. On your cell, it requires slightly more sophisticated hardware, but can be done. Heck, Apple has a patent out for the iPhone built-in listening techniques.

My advice? If you use a credit card, make sure it has consumer fraud protection. And NEVER under any circumstances use a bank card over the phone. Yes, bank cards usually have fraud protection, but any disputes will tie up your funds for longer than you think. Better to tie up your credit during a dispute than your bank account.

What about eavesdropping... (1)

Sentrion (964745) | more than 3 years ago | (#34941696)

Who's to say this software couldn't be easily adapted to pick up on credit card numbers that are spoken out loud in any location? A hidden wireless microphone could be placed at a target location and monitored for weeks if necessary, just waiting to pick up on those digits. Why not add a plug-in for dates of birth, driver's license numbers, and other personal identifying info? For identity thieves such passive monitoring software could reap millions from unsuspecting victims with little effort at all.

Possible applications for law enforcement - program it to pick up on conversations only about drugs or money laundering rather than waste countless man-hours listening to every call some mobster makes to his grandmother or ordering pizza.
