
Infected Androids Run Up Big Texting Bills

Roblimo posted more than 3 years ago | from the watch-out-for-unsanctioned-app-stores dept.

Android 279

Hugh Pickens writes "Computerworld reports that a rogue Android app is hijacking smartphones and running up big texting bills to premium rate numbers before the owner knows it. Chinese hackers grabbed a copy of Steamy Windows, a free program, added a backdoor Trojan horse to the app's code, then placed the reworked app on unsanctioned third-party "app stores" where unsuspecting or careless Android smartphones find it, download it and install it."


Holy AI, Batman (4, Insightful)

Calibax (151875) | more than 3 years ago | (#35343888)

"[...] where unsuspecting or careless Android smartphones find it, download it and install it."

I really dislike careless phones. Perhaps reviewers can test and report which are careful.

I'd also like to know how to make my phone less naive about unauthorised app stores.

Perhaps I should take away my phone's download privileges...

Why text anyway? (0)

Anonymous Coward | more than 3 years ago | (#35343922)

I don't see the point. Turn off the service.

Re:Why text anyway? (0)

Anonymous Coward | more than 3 years ago | (#35343942)

lol, I see someone is humorously challenged

Re:Why text anyway? (0)

MoonBuggy (611105) | more than 3 years ago | (#35343988)

Just because you don't need a feature doesn't mean that's always the solution [theonion.com].

That's strange (0)

linuxisforbigfatfags (2005994) | more than 3 years ago | (#35344770)

I thought open-source was infinitely more secure than "Micro$oft Windoze omglolwut!". Funny I haven't heard about any viruses affecting windows phones.

Oh noes! (3, Insightful)

Microlith (54737) | more than 3 years ago | (#35343908)

Obviously this means we should abdicate (forcibly, if necessary) all control over our computing devices to large corporations with a vested interest in denying us the ability to use them as we see fit.

Re:Oh noes! (1)

MoonBuggy (611105) | more than 3 years ago | (#35343968)

Or perhaps, y'know, just extend the same protections to the 'credit' you're accessing in the time before you pay your phone bill as you get with credit cards. Very limited liability for unauthorised use & a call to confirm if your usage strays far outside your normal pattern should be plenty.

We've seen with roaming data charges, that they're happy to let you run up a bill in the thousands, cut it by 70% when you complain, and act like they've done you a favour, but I don't know that they'll manage to keep up the same attitude when it's that bit harder to blame on the user.

Re:Oh noes! (4, Insightful)

icebike (68054) | more than 3 years ago | (#35343980)

Obviously this means we should abdicate (forcibly, if necessary) all control over our computing devices to large corporations with a vested interest in denying us the ability to use them as we see fit.

You buy stuff from trusted sources. There are a few trusted ones, and none of them have addresses in China.
The people getting these infected apps knew damn well what they were doing. They had to make at least one nonstandard setting, download in a nonstandard way, and launch the installation in a nonstandard way. Looking for Porn is my guess. I have very little sympathy.

The point is no one falls into this trap using the Google market or the upcoming Amazon market, or a couple others.

Re:Oh noes! (0)

Microlith (54737) | more than 3 years ago | (#35344014)

You're not thinking of this from the corporate fearmonger perspective. This can be solved completely by abdicating all control!

You buy stuff from trusted sources.

Of course! So you just ensure it's trusted and bar other sources! Like Apple, Microsoft, and Android devices on AT&T!

Re:Oh noes! (1, Insightful)

bonch (38532) | more than 3 years ago | (#35344488)

Are you like some kind of leftover hippie? You even throw around the word "corporate" as if it's automatically a bad thing. The very computer you used to type your post was spawned from the evil corporate world you hate so much.

You won't ever admit it, of course, but the fact is that there is a trade-off between controlled and open that involves security, reliability, and speed, and the world is moving toward the paradigm of appliance computing. Most people don't give a shit about "openness" or being able to install software from any third-party. This is little different from the system already in place on game consoles, for example, which has beaten out PC gaming. In other words, you're part of a niche, but you didn't know it, because, until recently, everyone else was forced to use Wild West platforms like Windows. Now, so-called "walled gardens" are taking over, and app stores are the new way to get software. Even Windows is getting one.

That people are willingly choosing this new way of computing drives you crazy.

Re:Oh noes! (4, Interesting)

Jane Q. Public (1010737) | more than 3 years ago | (#35344610)

"Most people don't give a shit about "openness" or being able to install software from any third-party."

Perhaps not, but that is rapidly changing. Even governments are recommending open source and open standards, and those ideas are making it into the mainstream, because their advantages have become too large and obvious to ignore.

Re:Oh noes! (2)

mjwx (966435) | more than 3 years ago | (#35344068)

The people getting these infected apps knew damn well what they were doing. They had to make at least one nonstandard setting, download in a nonstandard way, and launch the installation in a nonstandard way

Worse yet, they actually went out of their way to find pirated software and install it with little regard for actual consequences.

Not really for or against piracy but... If you do do it and don't know how to check for things like this then you get what you deserve.

Re:Oh noes! (4, Informative)

compro01 (777531) | more than 3 years ago | (#35344680)

Where are you getting pirated software out of this? They're referring to non-Google markets, like Amazon's Appstore, Archos' Appslib, and others.

Re:Oh noes! (4, Informative)

Kitkoan (1719118) | more than 3 years ago | (#35344762)

The apps weren't pirated since the original App was free. This is one of the catches of freedom. You have the freedom to choose and make it yours, but that freedom can also be the freedom to screw yourself over by malicious people. This is why Android phones by default don't allow you to install non-market apps. You can of course turn that off and install any and everything under the sun that works on Android and that is your choice and freedom but it warns you when trying to do it that you can be taking a risk and be careful what you install. (my phone lists it as "Your phone and personal data are more vulnerable to attack by applications from unknown sources. You agree that you are solely responsible for any damage to your phone or loss of data that may result from using these applications") This is a very good popup (and you have to click OK for it to let you do this) that gives a nice, clear, non-legalese warning. Now if you ignore this clearly spelled out warning and still get screwed over, then it's your fault and your problem.

permissions (4, Insightful)

t2t10 (1909766) | more than 3 years ago | (#35344268)

They had to make at least one nonstandard setting, download in a nonstandard way, and launch the installation in a nonstandard way

More importantly, they had to give the app permission to send texts. Very few apps need that permission.

Re:Oh noes! (1)

wvmarle (1070040) | more than 3 years ago | (#35344368)

Considering the ease with which one can release software in the Android Market I'm not that sure. Of course they have some measures in place to verify identity (the small, one-off registration fee particularly), this is not much to stop malicious software from entering that market.

Reg fees can be paid with stolen credit card numbers, for example. And good chance it takes a month for the owner to realise this has happened (as in next billing cycle), so it may take a while before such fraudulent accounts are taken off-line.

Secondly apps are released without vetting whatsoever by Google. Upload, click "Publish", and it's out there, so it's quite easy to get fraudulent apps out on the market.

That said Google's official market has a reason to keep their house clean, so I do expect they will follow up on user complaints and remove offending apps when reported. That after all is in their own interest.

Finally there's also due diligence from downloaders of course. Apps ask for permissions - and why should say a wallpaper app need access to phone control and messaging? Android has quite some security measures built in, but if a user decides to grant those illogical requests then of course anything may happen.

What makes a source trusted, preempt or react? (3, Insightful)

perpenso (1613749) | more than 3 years ago | (#35344548)

You buy stuff from trusted sources.

What makes a source trusted? Do they screen apps for inappropriate behavior before putting an app on the store (preempt) or do they just remove inappropriately behaving apps after they are discovered in the field (react)? I don't think trust is a binary state, it's a range of levels. A reputable source that preempts may be more trustworthy, a reputable source that merely reacts may be less trustworthy but more convenient.

Re:Oh noes! (1)

DerekLyons (302214) | more than 3 years ago | (#35344682)

The people getting these infected apps knew damn well what they were doing. They had to make at least one nonstandard setting, download in a nonstandard way, and launch the installation in a nonstandard way.

The funny part is - this is exactly what many Slashdotters have been howling for ever since, well, forever. That users be able to get apps from whoever they want without being tethered, forced, or locked in. But as soon as that freedom exists, and (quite predictably) something goes wrong - the cry goes out "it's the user's fault - they should have gotten their apps from $MEGACORP rather than exercising their freedom!".
 
Actually, it's not funny. It's pathetic.

Re:Oh noes! (1)

bmo (77928) | more than 3 years ago | (#35344096)

No, it means that people should stick to trusted software, and sites. You can have a software repository with a ton of third party applications without having a huge corporation behind it.

Debian, for instance.

Google and iPhone stores are only a half step. The ability to have third party repositories should be added.

--
BMO

Re:Oh noes! (1)

peragrin (659227) | more than 3 years ago | (#35344168)

It is the third party repositories and side loading apps that are causing this to happen to begin with.

users can't be trusted to do the smart, right thing. they don't understand why their app needs internet access, or text access. so they click on yes all the time. they have been trained to just give the application what it requests because that is the ONLY answer the application will accept. If your new game doesn't run without internet access then it gets it no questions asked. even if it doesn't actually need that but for the trojan that also gets installed as well.

Giving the average user control, is like giving them a plane and believing that since they have an autopilot they can land safely.

Apple's walled garden has limited this kind of behavior so far despite having 10's of millions more phones sold.

Re:Oh noes! (3, Interesting)

ArcherB (796902) | more than 3 years ago | (#35344612)

Giving the average user control, is like giving them a plane and believing that since they have an autopilot they can land safely.

Apple's walled garden has limited this kind of behavior so far despite having 10's of millions more phones sold.

Well, if you are an "average user", and I presume you are, then I guess you need someone holding your hand in a walled garden.

Personally, I'm NOT an average user. To use your airplane analogy, I'm a pilot who wants the auto-pilot turned off! I demand the ability to do whatever I wish to MY phone and I am fully aware that I am responsible for the consequences. Look, I don't mind a walled garden. All the stuff I install comes from the Android Market exclusively. But within my walled garden, I want to choose the plants that are in there. I want to choose the color of the wall and decide what bricks it's made of. I want to decide if my garden is organic or so full of pesticides that the birds die from flying over it. So, with a simple rooting of my phone, I have my walled garden and the ability to remove/disable all the crapware I don't want on my phone. I'm now fully able to put any GUI I wish on MY phone. I chose the one that came with it, but dammit I MADE THAT CHOICE, not some turtleneck wearing, Hollywood social elite who thinks he knows what I want better than I do.

Re:Oh noes! (1)

t2t10 (1909766) | more than 3 years ago | (#35344250)

Google and iPhone stores are only a half step. The ability to have third party repositories should be added.

Android has third party repositories.

And they are generally safe, since apps need to request permission to text--third party app store or not.

Re:Oh noes! (0)

Anonymous Coward | more than 3 years ago | (#35344330)

/sarcasm

There, fixed that for you.

Re:Oh noes! (1)

bonch (38532) | more than 3 years ago | (#35344422)

Obviously this means we should abdicate (forcibly, if necessary) all control over our computing devices to large corporations with a vested interest in denying us the ability to use them as we see fit.

You mean like the carriers who control Android [techcrunch.com]?

OpenTexting (0)

Anonymous Coward | more than 3 years ago | (#35343910)

Android gives you the freedom to get charged a ton of money.

Who wrote this virus? (2, Funny)

MrEricSir (398214) | more than 3 years ago | (#35343928)

AT&T, Verizon, or Sprint?

Re:Who wrote this virus? (2)

olsmeister (1488789) | more than 3 years ago | (#35343982)

Apple.

Re:Who wrote this virus? (1)

Boycott BMG (1147385) | more than 3 years ago | (#35344328)

I know you are being facetious, but if you have an Android phone on Sprint, then you have a data plan, and those data plans come with unlimited texting by default.

Re:Who wrote this virus? (0)

Anonymous Coward | more than 3 years ago | (#35344532)

but not including premium numbers (you know the ones where you text "something" to a 5 or 6 digit number, and get charged some fee (typically $9.99))

Re:Who wrote this virus? (0)

Anonymous Coward | more than 3 years ago | (#35344802)

The trojan texts premium numbers. It doesn't matter what texting plan you have.

That's like saying you have unlimited minutes thus calling Ms. Cleo is free.

Re:Who wrote this virus? (1)

Lehk228 (705449) | more than 3 years ago | (#35344766)

Steve Jobs wrote it himself

Hate to say it (0)

Armon (932023) | more than 3 years ago | (#35343930)

I hate when that happens on my iPhone. Oh wait...

welcome to mobile security, same as it ever was (0)

Anonymous Coward | more than 3 years ago | (#35343946)

Same thing happens to old WinMo phones, RIM and even jailbroken iPhones.

You leave the walled gardens and you assume security risk is on you--of course unless the OS notifies you of SMS charges about to occur--but that's a system/carrier issue.

Mobile security is different from the desktop, and requires collaboration with carriers (which IMO, sucks) if they are going to get this right.

Google generated news? (1)

Blymie (231220) | more than 3 years ago | (#35343952)

Hmm.

The cynic in me would suspect Google of throwing these stories out there, via proxy, so that people would not stray from their app store.

Realistically though, I don't think I've seen a large surge in non-Google app stores.. although, perhaps in countries / areas where providers haven't paid Google for access, there is a growing trend?

Re:Google generated news? (1)

Nerdfest (867930) | more than 3 years ago | (#35344076)

You're not being quite cynical enough. There's others out there with much more to gain by spreading stories about Android viruses, especially just before big product releases, as an example .. not that I'd point fingers.

Re:Google generated news? (1)

Solandri (704621) | more than 3 years ago | (#35344340)

Realistically though, I don't think I've seen a large surge in non-Google app stores.. although, perhaps in countries / areas where providers haven't paid Google for access, there is a growing trend?

A friend of mine showed me one he had on his phone. It was basically a warez site. All those apps you have to pay for in Android Market? The pay-versions were available for download for free there.

Re:Google generated news? (0)

Anonymous Coward | more than 3 years ago | (#35344382)

It takes less than five minutes to personally disassemble and crack Google's default copyright protection library built into the majority of protected Android apps. I don't know why anyone would want to use an unknown market to do it.

Re:Google generated news? (0)

Anonymous Coward | more than 3 years ago | (#35344848)

The "warez site" you are referring to is Blackdroid. It's pretty much crap and has gone the way of blapkmarket.

Applanet is the largest (and best) one. It's the equivalent to iPhone's Installous. Two weeks ago, there was a rogue developer submitting apps to Applanet that did this. They "slipstreamed" the virus into popular apps. Since then, the service has heavy filtering on who can and can't publish apps. All apps are screened before posting. IP bans are in place (not a permanent solution) and there is a rating system on their forum for bad apps. Things get taken down pretty quickly if they're deemed malicious. Developers who wish for their app to not show up on Applanet are respected. The automatic filtering updates based on author name, native Android package name, AND checksum, so IMHO they're pretty compliant.

Re:Google generated news? (0)

Anonymous Coward | more than 3 years ago | (#35344344)

That's idiotic. For one thing, the Android Market isn't immune to this kind of attack (neither is the App Store). Secondly, Google included the capability into the OS. If Google didn't like it, they would remove the ability.

The only reason why stupid-destructive trojans like this exist primarily on free third-party markets is because no one profits off them.

Common Sense (2, Insightful)

timeOday (582209) | more than 3 years ago | (#35343956)

Android apps should operate within a jail that limits anomalous behavior like this - that is, the OS itself should have a form of common sense, and they should make it easy to install useful apps without giving them enough access to overwrite that part of the OS.

If not within the OS itself, cellphone accounts should come with voluntary (user-adjustable) quotas to mitigate such things. It might be just as useful for parents to control runaway texting teenagers.

Re:Common Sense (3, Insightful)

Locke2005 (849178) | more than 3 years ago | (#35343978)

When you install any Android app, it explicitly asks for permissions to perform various categories of activities. If you granted the app permission to perform activities it doesn't need, e.g. SEND TEXT MESSAGES, then shame on you, not on the OS!

Re:Common Sense (1)

timeOday (582209) | more than 3 years ago | (#35343994)

A binary rule is not good enough. There is nothing odd or strange about an app sending an SMS here or there. But sending enough to run up a huge bill is clearly a different thing, at least to a human being. That common sense should be built into the system to avoid unwanted surprises.

Re:Common Sense (1)

timeOday (582209) | more than 3 years ago | (#35344022)

PS, the existing warning system clearly does not have enough teeth:

Android.Pjapps also has a built-in filter that blocks incoming texts from the user's carrier, a trick it uses to keep victims in the dark about the invisible texting.

"It monitors inbound SMS texts, and blocks alerts telling you that you've already exceeded your quota," Thakur said. Smartphone owners then wouldn't be aware of the charges they've racked up texting premium services until they receive their next statement.

At some point, it is reasonable to require a phonecall to the carrier to add or remove a self-imposed quota.

Re:Common Sense (1)

Locke2005 (849178) | more than 3 years ago | (#35344120)

The app is not adding or removing quotas at all. It is adding itself as an activity interested in ALL incoming texts, then selectively consuming the texts it wishes to block while passing all others on to other activities.

Re:Common Sense (0)

Anonymous Coward | more than 3 years ago | (#35344128)

At some point, it is reasonable to require a phonecall to the carrier to add or remove a self-imposed quota.

And the malware couldn't do that? Surely you've heard of Watson by now.

Heck, the malware can get plenty of samples of your voice even. It could call for more quota Terminator-style, perfectly impersonating your voice.

Not to mention scamming all the people you ordinarily call, using YOUR voice to do it...

Re:Common Sense (1)

teh31337one (1590023) | more than 3 years ago | (#35344032)

Oh come on. The app in question (steamy window) should not be asking for permission to send texts. If you see that, and it doesn't raise flags...

Re:Common Sense (1)

Rich0 (548339) | more than 3 years ago | (#35344208)

Perhaps it would help if you could just hit the no button and still install the app.

There is no reason that users shouldn't be able to veto individual permissions.

Re:Common Sense (1)

h4rr4r (612664) | more than 3 years ago | (#35344228)

I agree with you, but this would mean people could install ad supported versions and never see the ads. This is why Google will not allow that.

Re:Common Sense (0)

Anonymous Coward | more than 3 years ago | (#35344540)

For some strange reason you engage in the assumption that the app would function correctly absent text-sending permissions. It would not.

If Google reworked the core OS to expressly not throw an exception under insufficient permission conditions, then the app would itself check the return status and bomb out when the calls fail.

Either you accept what the app requests, or you don't install it; there's no working around that for malicious apps.

Re:Common Sense (1)

timeOday (582209) | more than 3 years ago | (#35344322)

OK, in this case a binary send/no-send rule seems to make sense. So next week they'll just trojan some app that *does* need to send the occasional SMS, and abuse the privilege just the same.

I am just uncomfortable with any piece of automation that can generate unlimited costs. I wouldn't want a printer with a 10,000 page paper tray, either. Granted in some cases it is unavoidable, but at least minimize the number of trusted parties involved. Carriers naturally tend not to be aggressive enough about helping people control costs that, to the carrier, are profit.

Re:Common Sense (1)

Locke2005 (849178) | more than 3 years ago | (#35344102)

A binary rule is not good enough. There is nothing odd or strange about an app sending an SMS here or there

When you are installing an app whose only purpose is to make it look like your display is fogged up, and it says it needs permission to send SMS messages, that should be a definite clue-by-four that there might be something suspicious going on. And yes, I do ask myself every time I install a free app "why would this app need these privileges?" If it doesn't make sense, I don't install it, period.

Re:Common Sense (1)

msauve (701917) | more than 3 years ago | (#35344166)

Uh, Steamy Window is basically a fancy desktop background. It recently added the ability to email (not SMS text - you can't fit a jpg of an Android desktop in 160 bytes) the image. Yes, it would be odd and strange for such an app to require SMS permissions.

sending enough to run up a huge bill is clearly a different thing, at least to a human being. That common sense should be built into the system to avoid unwanted surprises.

Exactly how does the phone know that it's running up a huge texting bill, which would entail knowledge of the user's service plan? The only way to run up a huge texting bill is to not have an unlimited text plan (~$10, at least on my provider), or ignore the permissions one is giving to apps downloaded from dark alley markets.

Why a provider shouldn't cap à la carte texting at 2x or 5x the unlimited cost is another matter.

Re:Common Sense (0)

Anonymous Coward | more than 3 years ago | (#35344384)

Some texts are premium - think 900 numbers. Here's a link to how Wikipedia does it:
http://www.mobilecommons.com/blog/2009/12/support-wikipedia-with-a-text-message/

Re:Common Sense (1)

icebike (68054) | more than 3 years ago | (#35344000)

What makes you so sure a hacker written app would follow those rules?

Re:Common Sense (2)

h4rr4r (612664) | more than 3 years ago | (#35344080)

Because the VM enforces those rules, not the application.

Re:Common Sense (0)

Anonymous Coward | more than 3 years ago | (#35344620)

Android's permission model doesn't work like the Windows 7 edition model, which checks a list of known capabilities listed in the registry, and performs privilege checks in the core applications requiring a specific capability.

Unlike Windows 7, you can't just patch the app to skip an unwanted check -- you have to exploit a flaw to elevate outside of the sandboxed Dalvik-app process, and probably elevate a second time because most core Android services are running as the 'system' user and can't be read/executed by other apps.

Re:Common Sense (0)

Anonymous Coward | more than 3 years ago | (#35344006)

As reported previously this has been circumvented and there are ways for the app to perform operations without having the permissions.

Re:Common Sense (1)

Anonymous Coward | more than 3 years ago | (#35344030)

Many users have been trained not to read those messages by lengthy EULAs. I know Google's are usually shortened, and the permissions list is actually shoved in your face, but some users might have been trained to ignore it.

Re:Common Sense (4, Insightful)

jayveekay (735967) | more than 3 years ago | (#35344060)

Who do you trust: The phone company, the phone, or the user?

If you trust the phone company, then having a cellphone contract option to limit data/text/etc. usage to some cap can mitigate the worst case bill you'll be surprised with.
If you trust the phone, then OS options to limit what an app can do can mitigate worst case damage done.
In either case, you have to trust the user to make the right choices with respect to cellphone contract or app permissions.

I think my problem is that I don't trust any of the above.

Re:Common Sense (1)

Locke2005 (849178) | more than 3 years ago | (#35344148)

How could it possibly be in the wireless provider's best interest to provide a method of limiting the amount of money they can make off of a customer???

Re:Common Sense (1)

ekhben (628371) | more than 3 years ago | (#35344324)

Off the top of my head...

  • The bill may be defaulted, in which case the provider is lucky to get much at all, possibly selling the debt to a collection agency, and losing a customer.
  • The bill may be reduced to a payable amount, in which case the provider is lucky to get much at all, and possibly loses a customer.
  • Bad PR, though let's face it, this doesn't mean much to multi-million customer organisations (at least, until it starts happening to tens of thousands of them).
  • Any consumer protection agencies (do those exist in the US?) may side with the customer on this type of problem.
  • The customer is likely to complain long and loud given their phone has no record of the messages and no record of incoming warnings, racking up a large support call cost.

If I were a wireless provider, I'd be all over telling my competitor's customers that we're the SAFE provider, and they should switch now.

Re:Common Sense (1)

Jane Q. Public (1010737) | more than 3 years ago | (#35344636)

"Bad PR, though let's face it, this doesn't mean much to multi-million customer organisations (at least, until it starts happening to tens of thousands of them)."

It should. Look how much a math mistake on one person's bill cost Verizon in PR, and how much their handling of one guitar cost an airline in PR and business.

Even the multimillion-dollar corporations are waking up. Look at how much Microsoft's well-earned reputation has cost them.

Re:Common Sense (1)

bonch (38532) | more than 3 years ago | (#35344508)

It's as if Slashdotters have completely forgotten the last 20 or so years of Windows history. "What? You mean people are confused by and ignore permission dialogs?"

Re:Common Sense (1)

teh31337one (1590023) | more than 3 years ago | (#35344002)

But that's how it is. When you install an app, it tells you which services the application has access to. Sending text messages, internet communication, making phone calls etc.

The apps don't have access to the underlying OS. The problem stems from people who don't read the permissions, or ignore them.

Re:Common Sense (0)

Anonymous Coward | more than 3 years ago | (#35344124)

It ALREADY DOES!

How did this get modded up to +4, anyway?

Re:Common Sense (0)

Anonymous Coward | more than 3 years ago | (#35344152)

With data plans why do text message costs exist anymore? This scam profit center should no longer exist. There is essentially no cost for them to serve text messages and if you are paying for data usage at worst put the text message use against that. And as far as text messages that = costs connected to them from the receiver you should be able to completely disable that functionality. Any honest cell carrier should honor this request. Carriers that do not are blatantly profiting from their customers being scammed and as such should be treated by the law as accomplices.

Re:Common Sense (1)

mjwx (966435) | more than 3 years ago | (#35344160)

Android apps should operate within a jail that limits anomalous behavior like this - that is, the OS itself should have a form of common sense, and they should make it easy to install useful apps without giving them enough access to overwrite that part of the OS.

First off, you have to try pretty hard to overwrite parts of the OS. You need to have "rooted" your phone to do that. The simplest and least destructive way is via the bootloader which requires human intervention.

Secondly, Android already has this kind of security measure in place. The user in question downloaded pirate software and accepted the "services that cost you money" permission. Android is a very security conscious OS but nothing can trump user stupidity.

Now I do agree that Service Providers should, by default not permit a user to go over a certain limit (say the amount of SMS's/Minutes paid for under your cap/plan) to prevent them from running up a huge bill by accident. This should be active by default but can be deactivated by request but unfortunately no Telco would do this of their own accord.

Re:Common Sense (0)

Anonymous Coward | more than 3 years ago | (#35344206)

It blows my mind how many people dog Apple for their somewhat controlling policies, when the obvious result of a free policy is crap like this. There is a reason that programmers are locked out of shit that will bring down a system - it's to protect the user experience.

Re:Common Sense (1)

RzUpAnmsCwrds (262647) | more than 3 years ago | (#35344506)

Android apps should operate within a jail that limits anomalous behavior like this - that is, the OS itself should have a form of common sense, and they should make it easy to install useful apps without giving them enough access to overwrite that part of the OS.

This is exactly what Android does. Every app is isolated, and no app has enough access to "overwrite that part of the OS".

Android apps have to declare the permissions they request, users are informed what permissions are requested at install time, and these permissions are enforced at runtime. One of those permissions is the ability to send text messages.

The problem is that people don't pay attention to the permissions.
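The install-time permission list discussed in this sub-thread can be checked mechanically. This is an added example, not part of the thread and not Android's own code: it compares the permissions requested by a repackaged build against a known-good copy and flags any added permission that can cost money. It assumes both manifests have already been decoded from the APK to plain XML; the package name and both sample manifests are constructed.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Permissions that can run up charges on the owner's bill.
COST_MONEY = {
    "android.permission.SEND_SMS": "send text messages",
    "android.permission.CALL_PHONE": "place phone calls",
}

# Constructed sample: a live wallpaper as its author might ship it.
CLEAN_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.wallpaper">
  <uses-permission android:name="android.permission.SET_WALLPAPER"/>
</manifest>"""

# Constructed sample: the same package after someone repackaged it.
REPACKAGED_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.wallpaper">
  <uses-permission android:name="android.permission.SET_WALLPAPER"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""


def requested_permissions(manifest_xml):
    """Return the set of permission names declared in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    key = "{%s}name" % ANDROID_NS
    return {el.get(key) for el in root.iter("uses-permission") if el.get(key)}


def audit(reference_xml, candidate_xml):
    """Compare a candidate build against a known-good reference build."""
    ref = requested_permissions(reference_xml)
    cand = requested_permissions(candidate_xml)
    added = cand - ref
    return {
        "added": sorted(added),
        "cost_money": sorted(p for p in cand if p in COST_MONEY),
        # Added permissions that can cost money are the strongest signal.
        "suspicious": sorted(p for p in added if p in COST_MONEY),
    }


if __name__ == "__main__":
    report = audit(CLEAN_MANIFEST, REPACKAGED_MANIFEST)
    for perm in report["suspicious"]:
        print("added since reference:", perm, "->", COST_MONEY[perm])
```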

Re:Common Sense (1)

Lehk228 (705449) | more than 3 years ago | (#35344784)

My blackberry already asks me permission for specific actions and types of data for apps. People rip on RIM for being old fashioned and slow to innovate and yet they are the only company with sane security and privacy management settings.

Bad summary (2)

Mark19960 (539856) | more than 3 years ago | (#35344010)

"...where unsuspecting or careless Android smartphones find it, download it and install it."

You mean ..' unsuspecting or careless USERS find it'
The phone itself is not reaching out to download it, the user is doing it.

Re:Bad summary (0)

Anonymous Coward | more than 3 years ago | (#35344136)

The phone might have been rendered careless by a previous infection through user activity, and now loads up every QR code it comes across.

Re:Bad summary (1)

mjwx (966435) | more than 3 years ago | (#35344172)

You mean ..' stupid and careless USERS find it'

There, fixed that for you.

He was downloading a pirated .apk from China, what did he expect.

Note to self... (0)

Anonymous Coward | more than 3 years ago | (#35344044)

Don't download pirated apps because sometimes they have trojans. Gee, who woulda guessed?

I see what you did there (0)

Anonymous Coward | more than 3 years ago | (#35344084)

Nice try, Google plant posing as a Chinese hacker house.

health tips (-1)

Anonymous Coward | more than 3 years ago | (#35344088)

Thanks for the best information. It's really a best site to exchange news and views with other. Check out the Best 17 Health Benefits Of Sex and more health tips here [blogspot.com] .

corepirate nazi illuminati=growing cosmic debt (-1)

Anonymous Coward | more than 3 years ago | (#35344106)

the lights are coming up all over now. see you there? the debt will be paid.

infactdead zombie (heartless) creatures running US (-1)

Anonymous Coward | more than 3 years ago | (#35344132)

you can't make this stuff up.

Oh, well . . . (0)

Anonymous Coward | more than 3 years ago | (#35344122)

FTA:

"... then placed the reworked app on unsanctioned third-party "app stores" where unsuspecting or careless Android smartphones find it, download it and install it."

You can't fix stupid.

common sense (0)

Anonymous Coward | more than 3 years ago | (#35344130)

So when you download an app, from an unsanctioned store, which has nothing to do with sending SMS' and Android notifies you that this thing has authority to send SMS'...... instead of staying the hell away from it, you install it and complain when it starts doing dodgy things?

Startling... (2)

PopeRatzo (965947) | more than 3 years ago | (#35344156)

Infected Androids Run Up Big Texting Bills

I'm old enough to remember when "android" meant something besides a smartphone.

That's why I found this headline a bit disturbing for a few moments. I imagined Rutger Hauer and Darryl Hannah thumbing their Blackberries. And yes, I'm also old enough to remember when "Blackberry" meant something besides a corporate communicator or a designer fruit sold at Whole Foods for $9 for three ounces.

User-defined limits on apps (0)

Anonymous Coward | more than 3 years ago | (#35344218)

Where an app says I need this, that, and the other, and you say-- no. You don't get that. Install.

on most US carriers you don't need to hack text bi (1)

Joe The Dragon (967727) | more than 3 years ago | (#35344232)

on most US carriers you don't need to hack to run up the texting bill just text spam people and they pay for incoming.

Re:on most US carriers you don't need to hack text (1)

nedlohs (1335013) | more than 3 years ago | (#35344288)

But they pay the phone company not you, which makes that just a tad pointless.

Re:on most US carriers you don't need to hack text (1)

wvmarle (1070040) | more than 3 years ago | (#35344434)

The difference is that there is no gain to be made by the sender.

And if receiving texts has a benefit for the sender, then there are usually serious measures in place from the phone company's side to prevent such abuse.

Android security needs to be tweaked. (3)

pecosdave (536896) | more than 3 years ago | (#35344358)

Lots of apps wanting lots of info. Instead of "install or not" there needs to be an option to "deny access to this feature but install anyways".

Re:Android security needs to be tweaked. (0)

Anonymous Coward | more than 3 years ago | (#35344692)

User: [Denies text permissions.]
App: "I'm sorry Dave, I can't do that. [Quits.]"

User: [Allows text permissions.]
App: [Opens.]

World: "WHY R MI APPS FAILING?!! ANDROID SUX."

Pretty sure this can't happen to my phone. (1)

TheClarkster (1130495) | more than 3 years ago | (#35344362)

To be infected you have to go into settings and approve non-market installation, browse to a Chinese site, download their market installer, install it, find the Steamy Windows app, say okay to the permission window where it says it can send text messages that may cost you money, and then open it? I'd say Android is still pretty safe.

Google Market doesn't help either... (1)

elsurexiste (1758620) | more than 3 years ago | (#35344452)

I found the apps in Google Market quite lacking: they are either free and really lame, or very expensive compared to the price of an SMS or phone call.

To this, I'll add that I have to pay big cash in order to keep a Motoblur account and receive updates from Motorola for my Cliq XT aka bug-laden piece of sh*t. Let's say the alarm clock: it has some nasty bugs that are too expensive to fix with an update, and tech support offers to reflash everything and lose all of my data. All I want is a simple alarm clock with no fancy features, but it's so damn expensive/annoying in the end I may use a third party app store.

Luckily, I can write my own alarm clock for Android. Others may choose to risk it with the app store from China...

Are we really looking for the correct solution? (1)

Solandri (704621) | more than 3 years ago | (#35344456)

a rogue Android app is hijacking smartphones and running up big texting bills to premium rate numbers before the owner knows it.

Which is easier:

A. Make it impossible to install or execute "rogue" apps on a computer system.
B. Make it impossible to do anything on a phone which will cost money unless the phone owner has authorized it ahead of time with the phone's service provider, and set an upper limit of how much you're willing to pay for it per month (like $5 to spend on texts, apps, etc). Anything above that, the service provider should refuse to do.

B seems like the obvious winner to me. But I suspect the service providers are getting kickbacks from the pay-services so will fight tooth and nail to stop any blocks to accessing those numbers.

Re:Are we really looking for the correct solution? (1)

mysidia (191772) | more than 3 years ago | (#35344530)

A. Make it impossible to install or execute "rogue" apps on a computer system.

B. Make it impossible to do anything on a phone which will cost money unless the phone owner has authorized it ahead of time with the phone's service provider, and set an upper limit of how much you're willing to pay for it per month (like $5 to spend on texts, apps, etc). Anything above that, the service provider should refuse to do.

How about (C) A zero-liability law requiring that service providers hold consumers harmless for any fraudulent use of services made from their account; that is, any use of for-pay services that the owner of the device did explicitly approve of, AND require the consumer to be compensated fairly for any time, labor, energy, or legal services required on their behalf to rectify any provider billing error or to have unauthorized charges removed, at a minimum amount of $25 per hour of the consumers' time (and twice that for any time spent on the telephone with the provider, with the provider's IVR, on hold waiting to speak to a customer service representative, or time off the phone spent awaiting a callback to their message sent during standard business hours).

Then the problem will take care of itself -- service providers won't want to lose money to premium services due to fraudulent texts, so they'll come up with a better policy.

Re:Are we really looking for the correct solution? (1)

Lehk228 (705449) | more than 3 years ago | (#35344808)

Easier would be to make those premium text numbers illegal to enforce, by that I mean the phone company must refund any that are contested for any reason or no reason, without limit.

Gotta hand it to chinaman (0)

Anonymous Coward | more than 3 years ago | (#35344460)

Now lets nuke 'em til they cant be nuked nomore! Imaginge a world with 2 billion less gypsys. God save us and lets hope he hears this.

yes/no dialogue when restricted ability first used (1)

speedwaystar (1124435) | more than 3 years ago | (#35344464)

my biggest peeve with the Android security model from day #1 is that this kind of thing is even possible.

every Android application has to be specifically granted a set of permissions on installation, including "able to make phonecalls that cost you money", "able to access the internet", etc. the problem is that the user only ever sees this list once, fleetingly, during installation, and as everyone knows, familiarity breeds contempt so after the first couple of apps, most people stop reading the list and just click "yes". even if they read the list, once it's been authorized the application can do anything on its permission list at any time, without user intervention. this opens the gate to applications that can take photos doing so silently while the screen is off, applications that can make phonecalls doing so invisibly and undetectably, applications that can use the internet and use gps phoning home at any time with your exact location, etc. it simply shouldn't be possible.

whenever an application attempts to perform a restricted task, the OS checks that it has been granted the permission to do so and either silently permits the task, or silently disallows it. that's great, but it shouldn't stop there. the first time it's attempted a dialog box should alert the user that "steamy windows is attempting to make a phone call to that can cost you money. do you want to authorize this? yes/no/ [ x ] remember my answer and don't ask me again".

clearly "steamy windows" is going to get a "no and don't let it do it in future response", whereas the user is likely to grant "mywonderSMSclient" indefinite permission.

if there's a reason why this isn't practical, i'd like to know about it.
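The first-use prompt proposed in the comment above, modelled as an added example that is not part of the thread and not Android's own code. The `PermissionGate` class, the `Answer` values and the scripted user are hypothetical; the two app names come from the comment.

```python
from enum import Enum


class Answer(Enum):
    ALLOW_ONCE = "allow once"
    DENY_ONCE = "deny once"
    ALLOW_ALWAYS = "allow, remember my answer"
    DENY_ALWAYS = "deny, remember my answer"


class PermissionGate:
    """Hypothetical gate: install-time grant plus a prompt on first use."""

    def __init__(self, install_grants, ask_user):
        self.install_grants = install_grants  # {app: {permission, ...}}
        self.ask_user = ask_user              # callback(app, perm, detail)
        self.remembered = {}                  # (app, perm) -> bool
        self.prompts = 0                      # how often the user was asked

    def check(self, app, perm, detail):
        # Step 1: the existing install-time check still applies.
        if perm not in self.install_grants.get(app, set()):
            return False
        # Step 2: a remembered answer is applied without asking again.
        if (app, perm) in self.remembered:
            return self.remembered[(app, perm)]
        # Step 3: otherwise ask, showing what is about to happen.
        self.prompts += 1
        answer = self.ask_user(app, perm, detail)
        allowed = answer in (Answer.ALLOW_ONCE, Answer.ALLOW_ALWAYS)
        if answer in (Answer.ALLOW_ALWAYS, Answer.DENY_ALWAYS):
            self.remembered[(app, perm)] = allowed
        return allowed


def scripted_user(app, perm, detail):
    # Constructed stand-in for the person at the dialog.
    if app == "mywonderSMSclient":
        return Answer.ALLOW_ALWAYS
    return Answer.DENY_ALWAYS


def demo():
    grants = {"steamy windows": {"SEND_SMS"},
              "mywonderSMSclient": {"SEND_SMS"}}
    gate = PermissionGate(grants, scripted_user)
    results = [
        gate.check("steamy windows", "SEND_SMS", "premium-rate number"),
        gate.check("steamy windows", "SEND_SMS", "premium-rate number"),
        gate.check("mywonderSMSclient", "SEND_SMS", "a contact"),
        gate.check("mywonderSMSclient", "SEND_SMS", "a contact"),
        gate.check("mywonderSMSclient", "CALL_PHONE", "a contact"),
    ]
    return results, gate.prompts
```

Both apps hold the same install-time grant, yet the user is asked only twice in total, and the wallpaper's later attempts are refused without a further dialog.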

Logical actions (1)

currently_awake (1248758) | more than 3 years ago | (#35344514)

If you see a lot of spam from a single IP address you block it. If you see rogue cellphone apps texting a number you block it, right? If you can show that a number is used for criminal activity you should be able to reverse the charges and have the number disconnected. It's too bad the phone companies have no interest in that outcome, as it limits their profits. If you could show that the phone company knows that number is criminal then they should be liable for the money.

I, for one, welcome our texting robot overlords. (1)

ace123 (758107) | more than 3 years ago | (#35344696)

Am I the only one who imagines infected humanoid robots walking around while constantly poking at their phones?

Heck, what's to stop these androids from crashing into walls if they are constantly staring at their phones.

“Backdoor?!” (1)

Mr. Picklesworth (931427) | more than 3 years ago | (#35344714)

Is it really a backdoor when the app is given explicit permission by the end user? Sounds more like social engineering to me.

I Thought Most Android Users Got a Virus Scanner? (1)

amuench (1675788) | more than 3 years ago | (#35344742)

I mean, I downloaded a virus scanner the first day I got mine, because I knew there were some viruses in the Android market, and I found one that also did remote location and backup. Plus, it showed up on the popular list in the Market as well. It scans every install, update, and even any out-of-market apps I install. I just thought most people would know better...I guess not.

Not to mention that most people are right--if a live wallpaper program wants to send out text messages--you probably shouldn't let it

This would never happen with an iPhone (1)

517714 (762276) | more than 3 years ago | (#35344850)

... As long as you hold it in your left hand. ; )