New SMS Trojan Found In Android Markets 114
Trailrunner7 writes "The Android platform seems to have become the playground of choice for attackers and malware authors looking to make a quick buck. The latest example is a premium-rate SMS Trojan that not only automatically sends costly SMS messages, but also prevents users' carriers from notifying them of the new charges. The new piece of malware, which is known as HippoSMS, has been found in unofficial Android app markets in China. This is just the latest in a series of similar incidents in which attackers and scammers have inserted either outright malicious apps or seemingly benign apps containing malware into app markets. Most of the attacks have targeted Android users, and several times Google has had to remove malicious apps from the official Android market."
Re:Well on the bright side (Score:5, Insightful)
WHAT? You mean freedom also provides the opportunity to freely injure one's self?!?! You don't say!
Re: (Score:2)
Re: (Score:2)
This developer community would be... the open source developer community?
Re: (Score:2)
I wonder if there's any scan on demand anti malware apps out there. If not, there soon will be I'm sure. There's definitely a market for it.
Re: (Score:2)
same here. I'm a good coder, but who has TIME to audit every damned thing?
we do need auditing services. it should be non-profit and community/trust based. ie, like most opensource things.
I don't like a VENDOR being in control. I want it to be 'we the people' so to speak. that way its not political and not under some profit (or even government) directive, one way or another.
Re: (Score:2)
You ARE in control. If you look at an app and see it requests permissions that you don't like, or don't want them to have, you simply don't install it. Yes, that might mean you don't get to play strip poker or whatever.
For example, the only android developer that I trust with my personal information is Google... and that's only because they already have it all anyway.
The other option is the new CM7 roms have the ability to remove permissions from apps. It has opened up a whole new world for me, as I'm no
Re: (Score:1)
I write code and I can't tell the difference between good software and bad software (in terms of whether or not it contains code that would be considered malicious from the user's viewpoint), without an extensive and thorough code analysis. I know you are talking about "punch the monkey and win a free app" type software, but the really serious malware is not going to be that obvious.
Re:Well on the bright side (Score:4, Insightful)
I can agree that appliances should be restricted in their functionality. My current phone doesn't have "apps", it just handles calls and SMS, and I like it that way.
My deliciously ironic gripe is that people complain no matter what they have. Apparently an app store policing submissions = evil gestapo, while an app store failing to police submissions well enough = why didn't you protect meeee *whine*
Re:Well on the bright side (Score:5, Insightful)
Re: (Score:3)
Well, that brings us neatly around to my original point: If you have the freedom to install apps from anywhere, you have the freedom to install malware. This freedom does not come with what should be the prerequisite dependencies of common sense nor investigative abilities. So in essence, you now have the freedom to hurt yourself, alongside the freedom to do anything you want. You can't have one without the other.
Re: (Score:3)
Re: (Score:1)
Who are these "fairly competent users" and how are they distinguished? I think Apple thought about this and decided that there was no manageable way to deal with such a concept. As a result they have just two groups, ordinary users and developers.
Re: (Score:1)
1) Want to use an unverified app or app store
and
2) Know how to do it.
That's one of the problems with Apple. They treat all their customers like idiots when it's possible that some of their customers may not be.
Re: (Score:1)
Your missing the point. The only way to to qualify that a person "Knows how to do it" and to only allow signed code is to require that you be a developer and have access to certs for signing the code. It's not acceptable under any conditions to have unsigned code on a device.
Re: (Score:1)
Re: (Score:2)
Heh.
"Malicious code on the Android platform is proof of how great it is!!"
Re: (Score:1)
Like any troll, the first thing he mentions is about the other guy. Just like any political "argument". If you're a Republican and you hear about something your party does wrong, the first thing you hear is "well the Democrats do this other thing that's bad, don't forget about that".
Yes, Apple has a "walled garden". I'm surprised you didn't mention the "Reality Distortion Field" too. Oh and in case you didn't hear, there was a major Trojan found in the Android Marketplace.
Re: (Score:3, Insightful)
Meh. This isn't news. The app is available on some third party app markets (read: not google's market) which are used on the other side of the planet. There was a time when a malicious text message could damage or brick an iphone.
Re: (Score:2)
Re: (Score:1)
Re: (Score:3)
Meh. This isn't news. The app is available on some third party app markets (read: not google's market) which are used on the other side of the planet. There was a time when a malicious text message could damage or brick an iphone.
There was a proof of concept that could execute arbitrary code on iphone by sending about 500 SMS and which worked about 20% of the time, as explained by the hacker here [youtube.com]. Of course serious bugs aren't really news on either platform. There was a time when Android would execute all text typed into the phone as root [zdnet.com], then there was the Android bug that sent your messages to random contacts [zdnet.com] or the one where an SMS corrupts Androids SQLite database [androidguys.com]. People in glass houses should throw stones you know.
Re: (Score:2)
http://www.forbes.com/2009/07/28/hackers-iphone-apple-technology-security-hackers.html [forbes.com]
My point remains however. This isn't news. This is a non-google sanctioned market and they're responsible for what they post. Not google. Not android.
I'd much rather carefully pick my apps....and actually be able to carefully pick my apps, instead of being limited to only doing a small subset of the features my device would otherwise be capable of.
As you said, people in glass houses....
Information, please! (Score:5, Informative)
Why don't these articles ever tell you WHICH markets and apps are affected? Oh, that's right, they're too busy trying to generate page hits through scare-mongering to care about information.
(I'm not trying to say these aren't legitimate threats: quite the opposite. But, good reporting would help mitigate these threats by publicly shaming and informing.)
Re: (Score:1)
It did?
The new piece of malware, which is known as HippoSMS, has been found in unofficial Android app markets in China.
Re:Information, please! (Score:4, Informative)
No, that's the name of the malware, not the apps. FTFA:
"The malware is embedded in a seemingly legitimate application in the market, and once users download and install that app, the fun begins."
It goes on to talk about "the host app" which the malware "piggybacks". Which app? They don't tell you. They'd rather tell you that "The Apple iPhone may still be the gold standard when it comes to smartphones".
Re: (Score:1)
It did?
The new piece of malware, which is known as HippoSMS, has been found in unofficial Android app markets in China.
No it didn't dumbass. All it tells you is the name of the malware that has been found in the app, not the name of the app or apps themselves.
Re: (Score:2)
Why don't these articles ever tell you WHICH markets and apps are affected? Oh, that's right, they're too busy trying to generate page hits through scare-mongering to care about information.
(I'm not trying to say these aren't legitimate threats: quite the opposite. But, good reporting would help mitigate these threats by publicly shaming and informing.)
Exactly. Also, chances are, that there are HUNDREDS of malware in unofficial Chinese markets - will we get a new slashdot post for each and every one of them? Editors: wtf?
Re: (Score:2)
Why don't these articles ever tell you WHICH markets and apps are affected? Oh, that's right, they're too busy trying to generate page hits through scare-mongering to care about information.
Slashdot generates lots of ad revenue when we argue about walled gardens and malicious apps. We keep falling for it.
Unofficial (Score:2)
I'm having trouble worrying about people who install apps onto their phone without knowing that the market creator is paying attention for that sort of thing. Google and Amazon are alert and watching. Random markets in China? I feel less confident in them.
I feel exactly the same compassion for them that I feel for people who download things from any random website they find.
Re: (Score:1)
Price you pay.. (Score:5, Insightful)
If you want the freedom to install whatever you want from wherever you want, you have to accept that some of those things may not be good for you or your devices. To me, it's worth the trade off.
In the end, the best protection will always be common sense. To those that do not feel they possess enough knowledge to make their own decisions in this regard, there is always Apple who will gladly make the decision for you. To each their own.
Re: (Score:2)
Yeah, and "from wherever" for me NEVER includes apps from China.
Re: (Score:2)
Why?
First off, let's note that this /. article is about a Trojan that is not in the Android market. Publishing an article about that is just stupid scare-mongering. There could be millions of viruses/trojans outside the market and I wouldn't care. What matters is when they get into the market.
Now, back to your trade-off.
Google can and should make the Android market 99.99% free of trojans/viruses. Free enough that I can recommend the Android market to my proverbial mom or uncle and know they will be safe
Re: (Score:2)
Google already makes the Android market secure. They've yanked malware off the official market many times. Outside of technical issues such as things locking up, your mom or uncle is perfectly safe downloading from the official market, and most issues like that are easily discerned in reading the reviews of an app. Chances are, if it's got less than a 3 star rating, it's probably not worth the download, and even the most non-technical person should be able to read those reviews and make an intelligent de
Re: (Score:1)
You are assuming most users of smartphones have common sense to begin with in order to stay away from red-light-district App stores. That is simply not true. Most users (regardless of platform) are simply not savvy enough to know better.
Sure, you can label them as "ignorant", or "stupid". I've read countless of postings from tech-brats preaching that if a user doesn't know any better, they should not even buy a smartphone. If that were the case, then Android would have had a much more difficult time get
Re: (Score:2)
Users don't know (and should not have to know)...
I absolutely disagree, I think that those of us that do know the dangers of the internet should be beating it into the heads of every person we know that doesn't. People need to learn that the internet is not a fantasy land with unicorns and funny images. People get taken advantage of due to their ignorance all day long. It's never going to stop. There are no internet police. For every shady app or program or attachment or virus you eradicate in the wild another one is going to pop up.
Imagine how many
Re: (Score:1)
Best protection is not common sense. We're beyond that now. People should not have to babysit their phones. It should be treated as an appliance, not a PC. Google needs to address this or it will be their downfall. This is one area where Apple really has their act together.
Well, some of us want a smartphone that IS mare like PC, not restricted appliance - and google is giving us that. Too bad if they fail, I'm glad that someone is trying... and I disagree with you on that *everyone* should have some basic understanding of things they use - if they can learn how to install and use software and browse internet they should learn basic safety also, if they don't... well, boo-hoo, no sympathy for them.
Re: (Score:1)
This only affects chinese 3rd party markets... (Score:5, Insightful)
Unofficial Markets. So in other words, Google has nothing to do with this. If you want security on Android, just stick to the standard market. Obviously Third party markets are bad news bears.
Re: (Score:1)
I don't know. Are they giving me candy or a trip to Disneyland?
For a new Android user (Score:4, Insightful)
Reading the summary, it seems this is a 3rd party market that was infeted. Obviously the first thing is not to install everything you see, followed by don't use 3rd party markets. However there seem to be several 3rd party markets that do have worthwhile software. Is there a suggested list of marketplaces that are reliable?
There also appear to be several Android firewall apps. Is there a site where they are reviewed and compared?
Re: (Score:3)
Uggh ... terrible moderation here. This is flamebait, not insightful. As an ios developer, I recommend that you buy the device that best caters to your needs and if you do get off the beaten path with that device -- educate yourself on possible dangers. If you install 3rd apps on your android device, check its requested permissions. If you root your ios device, change the freakin' root password. The issue isn't the device, but the person using it.
Seriously ... I'm tired of this android / ios pissing ma
Re: (Score:1)
He is right on a fundamental level. Android is more geared towards tech-heads, geeks and nerds. Nothing wrong with that. iOS is geared towards eliminating the technicalities from the user. Again, nothing wrong with that.
I don't like the pissing-contest folks either. To each their own. However, I have noticed a distinct pattern that most of my non-tech-savvy friends hate their Android phones and end up going the iOS route simply because what makes it popular for the tech-community is exactly the reason
Re: (Score:1)
Mod parent up!
Re: (Score:1)
Can't help you with Android security, but there are probably a few million people willing ot sell you Android AntiVirus 2011 XP Premium Edition and the like as well, plus a few legit antivirus/antispyware and other stuff, and roots to install DroidWall and such.
The thing is it's a 3rd party market. They exist in China mostly because Android allows quick and easy pirating, and China being China, well, it's
Re: (Score:2)
A good practice is to find an app in which you are interested, then review the permissions to verify they make sense.
For instance, if you're downloading a new phonebook and the app asks for permission to your contacts, you can assume that it really needs it.
If you're downloading a new tic-tac-toe game that asks for full permission to read your ingoing and outgoing calls, you should really question why it needs that.
This isn't foolproof, but it is a really good place to start.
Re: (Score:3)
I'm pretty technical but I find the permissions too vague. they are still mostly 'opaque' and I have little actual idea what's going on.
maybe if they showed some of the data they GET, as an illustration? maybe they cache some of the 'captured' data the app 'takes' and show you that, on demand? that way I can say 'oh, you mean you're grabbing THAT from me! fuck you! delete.'
if there's no examples of the data they take, conceptual permissions just don't work for users. works for programmers who have the
Re: (Score:2)
Re: (Score:2)
roll a few sheets of tin foil on the top part of the device, slowly have it encircle itself near the top.
Your device is now protected from mind control rays and other nefarious parts of the EM spectrum.
Re: (Score:1)
Re: (Score:3)
You may want to read this earlier Slashdot story [slashdot.org], from which the suggestion that made the most sense to me was to install DroidWall and just not let applications access the network. Of course, they might not work then, and it can be difficult to single out a single app among, say, Google Services.
Re: (Score:2)
The biggest thing is check the permissions the app needs (it tells you) and don't install if you question why it needs that. A lot of free apps have Ad's so they require a network connection. If your installing some standard game and it asks for SMS sending capabilities - you probably shouldn't install it.
Re: (Score:1)
Re: (Score:2)
Do what everyone does. Don't install brand new apps for a month. Google the name at a later date and see if any other suckers have fallen for it first.
The real WTF... (Score:1)
After that, it registers one ContentObserver to monitor incoming SMS messages. Inside the ContentObserver, it will delete any SMS message if it starts with the number "10." Note that the numbers such as 10086/10010 represent legitimate mobile phone service providers in China and are typically used to notify users about the services they are ordering and the information of users' current balance of their mobile phone accounts.
Re: (Score:2)
One reason would be to write an app that ignored/deleted known SMS spammers?
I'd actually love one for my phone that would delete all the obnoxious AT&T spam text messages about new services and crap.
Re: (Score:2)
Having just got my first smart phone and being on AT&T, the *very first* message AT&T sent had "reply with stop to end automatic messages" at the end of it ... as have the other 3 I've gotten since (haven't told them to stop, so I'm good with that part).
Re: (Score:3)
App to block/sort/filter spam or unwanted senders? I'm sure there are more creative uses but that's just the most obvious one
Re:The real WTF... (Score:4, Insightful)
So you can replace the default SMS application?
Re: (Score:2)
Re: (Score:2)
Anti-spam SMS app. Or an app for managing SMS messages in general.
Re: (Score:1)
Non-story...China...enough said. (Score:1)
Non-story. "The new piece of malware, which is known as HippoSMS, has been found in unofficial Android app markets in China." If you load apps from China directly you are asking for this sort of thing. It's nearly the equivalent of going to a "Warez" site for Windows programs.
Can I subscribe to "no premium SMS"? (Score:1)
How about if carriers offer a free service which simply blocks "premium" SMS calls altogether?
Sure, I won't be able to donate $10 to the Red Cross the next time there is an earthquake in a 3rd world country, but at least I'll be legally immune from paying for any that do get through.
Think of it as 976/900-block for SMS.
Re: (Score:1)
How about if carriers offer a free service which simply blocks "premium" SMS calls altogether?
Sure, I won't be able to donate $10 to the Red Cross the next time there is an earthquake in a 3rd world country, but at least I'll be legally immune from paying for any that do get through.
Think of it as 976/900-block for SMS.
You can opt out for free. Just call customer support, or talk to your local store. When I signed up for Verizon I asked about that and they blocked them right there.
Damn Apple's Walled Garden (Score:1, Flamebait)
This is exactly the kind of innovative feature that the iPhone users of the world will miss out on.
Yeah, I know, flame bait....
Re: (Score:2)
Re: (Score:2)
Wow, really? The single vulnerability known at the moment, hum... we should run for the hills or install an antivirus!
-dZ.
Re: (Score:2)
I know, we should lock down ALL computers. No software from anywhere except the hardware or OS vendor's approved locations!
This includes other OSes. Those terrible, evil Linux installations... you never know where they've been!
I'm on a pay-as-you-go plan (Score:2)
and SMS, if abuse, could drain my account!
a year or two ago, I was with t-mobile and their PAYG plan did not have the ability to turn off sms send or receive! my balance went to nothing and I gave up on that carrier. a few years later, I checked back and now, if you call CS, they can turn sms off even if you are monthly and non-contract.
sms is for kids. I'm a middle aged man. I have no need for this childish bullshit. I do email. if you want me, you call or you email me. email is more in my domain t
Re: (Score:2)
Texting is for people who don't have smartphones. Email, Pingchat, Y!, FB, Google+, Google Voice and many many others all use DATA, which costs much less per bit than Texting, especially if you're using WIFI (like I do).
Texting isn't for kids, it is for poor people, which has, as a subset, most kids in it.
BTW, I have a smartphone plan without text messaging included. It can be done, if you ask for it. They charge separately for it, they can remove the charge.
who would download something at market a in china (Score:2)
Those who downloaded some malware from china deserved every charge they got billed against them. Those who are crazy enough to trust the Chinese with software deserve to be hacked. Hopefully we can avoid Chinese software but sadly we can't avoid Chinese hardware....
Wow. (Score:2)
Just wow. And people are surprised it's a Trojan? Finding a *non*-Trojan app in a place like that, that'd be the trick!
Provider failure (Score:5, Insightful)
#SMS/day
Block "premium" SMS messages with exception list.
Block calls to foreign countries with an exception list
Block toll (900) calls.
IOW give me back control on how and how much they can shaft me.
Re: (Score:2)
Not goatse but damn close, don't click the link.
Re: (Score:1)
... don't click the link.
pretty sure that bit is the M.O. when browsing /. ;)