Slashdot: News for Nerds

Android Malware Using Blog As C&C Server

samzenpus posted more than 2 years ago | from the command-and-comment dept.

Android 89

wiredmikey writes "Security researchers have discovered a unique feature circulating in some Android-based malware. The malicious application is using a blog in China to act as a Command and Control (C&C) server. On Tuesday, Trend Micro discovered a malicious Android application out of China using the new trick to receive instructions, and appears to be the first time Android malware implemented this kind of technique to communicate with its server."

89 comments

woot! (-1)

Anonymous Coward | more than 2 years ago | (#37621408)

once again, android beats the iFone. Abble ought to shut down and return the money back to it's shareholders.

Re:woot! (-1)

Anonymous Coward | more than 2 years ago | (#37621516)

iFone

iPhone. [apple.com] FTFY

Abble

Apple [apple.com] FTFY

Re:woot! (-1)

Anonymous Coward | more than 2 years ago | (#37621594)

iFone

iPhone. [apple.com] FTFY

Abble

Apple [apple.com] FTFY

i just heard a loud triple whoosh sound FTFY

Re:woot! (-1)

Anonymous Coward | more than 2 years ago | (#37621836)

WARNING :GOATSEALERT!

so, blogs can contain keywords to trigger malware? (2)

wierd_w (1375923) | more than 2 years ago | (#37621542)

The obvious solution is to use something that is at once ubiquitous and innately evil, like twitter or facebook.

Imagine the new 'activates malware' hashtag!

the only way to besure... (-1)

Anonymous Coward | more than 2 years ago | (#37621950)

I say we nuke China from orbit.

Re:the only way to besure... (1)

NatasRevol (731260) | more than 2 years ago | (#37622022)

Or Google?

Re:the only way to besure... (0)

Anonymous Coward | more than 2 years ago | (#37622248)

google doesn't have nukes...

Re:the only way to besure... (2)

sFurbo (1361249) | more than 2 years ago | (#37623014)

No, no, he thinks we should google china from orbit. The ISS has an internet connection, doesn't it? Though I don't know what the astronauts should do with fine ceramic dinner plates.

Re:the only way to besure... (1)

DrXym (126579) | more than 2 years ago | (#37624268)

It ain't google's fault if people are stupid enough to download apps from some dodgy warez site and infect themselves in the process.

Re:the only way to besure... (0)

Anonymous Coward | more than 2 years ago | (#37624586)

This is an Android phone. It doesn't have to be a "warez" site. It can be a legitimate 3rd party download site that all the Androids gush about. Nothing is stopping these attacks from a legitimate store. Don't blame users for doing exactly what Android anti-"walled garden" advocacy tells them to do.

Re:the only way to besure... (0)

scot4875 (542869) | more than 2 years ago | (#37627972)

It can be a legitimate 3rd party download site that all the Androids gush about.

I'll still happily live with the risks, and tell anyone who thinks I should subject myself to a walled garden to fuck right off.

--Jeremy

Re:the only way to besure... (0)

DrXym (126579) | more than 2 years ago | (#37629278)

It could be but it most likely isn't. It is warez sites and dubious markets that would be the main threat by a long margin.

As for the non walled garden approach, clearly most people prefer it given the popularity of Android.

C&C (2, Funny)

Anonymous Coward | more than 2 years ago | (#37621616)

Hehe, I thought for a moment it was being used as a Command & Conquer server...

Re:C&C (2)

fuzzyfuzzyfungus (1223518) | more than 2 years ago | (#37621658)

"I'm Seth. Just... Seth. From God, to Kain, to Seth. I am his right hand and I have a task for you."

Re:C&C (0)

Anonymous Coward | more than 2 years ago | (#37624228)

Unit Ready! Building... Unable to comply, building in progress. Unable to comply, building in progress. Unable to comply, building in progress. Unit Ready! Building...

Re:C&C (1)

MobileTatsu-NJG (946591) | more than 2 years ago | (#37622108)

Well, a lot of people did request an Engineer...

Re:C&C (1)

Columcille (88542) | more than 2 years ago | (#37622176)

Glad to know I'm not the only one!

Re:C&C (1)

IceNinjaNine (2026774) | more than 2 years ago | (#37624178)

Chinese super hacker, ready for link up!

Re:C&C (1)

neverelax (2471308) | more than 2 years ago | (#37622504)

Hah! Bought and played a C&C game the other day, except I didn't read the little writing on the box that said 'must have continuous internet connection to play'. Pretty disappointed with it, as I used to love playing Command & Conquer (Played the Original C&C Demo over and over for so long, then bought the Domination Pack.) Played not all, but most C&C games (including Renegade). The worst part was actually not being able to base-build, since C&C was always (for me anyways) about satisfying my more obsessive compulsive tendencies.

Re:C&C (1)

Neil Boekend (1854906) | more than 2 years ago | (#37623296)

"My command is your wish"

Re:C&C (0)

Anonymous Coward | more than 2 years ago | (#37624162)

> Hehe, I thought for a moment it was being used as a Command & Conquer server...

Me too... then I saw your comment and stopped caring about the whole article.

Thanks.. you saved my time.

should have gone the HURD (2)

ThorGod (456163) | more than 2 years ago | (#37621656)

Android wouldn't be having this problem if it ran a HURD kernel...

> : )

Re:should have gone the HURD (1)

Anonymous Coward | more than 2 years ago | (#37621864)

I apologize profusely in advance for this obvious joke.

Android wouldn't be having this problem if it ran a HURD kernel...

Mainly because your phone would still be in the early alpha stages for another fifteen years.

Is this new or innovative? (1)

kvvbassboy (2010962) | more than 2 years ago | (#37621664)

Why aren't all malware creators doing this?

Re:Is this new or innovative? (2)

vlueboy (1799360) | more than 2 years ago | (#37622160)

Why aren't all malware creators doing this?

Short answer: Higher barriers to entry on malware^W Windows environment programming.

Things get tricky when you're a beginner coder who must do native Windows programming, and need network connectivity. After decades of 'progress' those Windows viruses you're hinting that we create in our sleep are still almost exclusively nasty DOS-using compilations and/or assembly-based. As such, they require some very low level coding since VBS has stopped being the malware tool of choice due to e-mail policies in newer programs.

So, what does Android offer? Because Android isn't windows... Android programs run on Java. Java provides well-understood APIs and has a slew of shared libraries out there. Apparently even virus writers don't want to acquire a masters in the arcaneness of [embedded] C to succeed in rooting your machine^Wproprietary-android-phone via a network.

And to add to the answer above, a Windows creator would try phones because of this next one: "Lack of phone antiviruses." The kind of stuff that you create on Windows would easily get blacklisted and REMOVED by every tool in existence under Windows given enough days. But Android is linux. And linux doesn't "Sell" antiviruses (with capital S.) And Apps won't have root access under your carrier to help you clean the phone properly anyway. And lastly, most phones' Android builds are NEVER auto-updated by the carriers.

Re:Is this new or innovative? (0)

gtall (79522) | more than 2 years ago | (#37624512)

Android doesn't run on Java (which isn't wrong in the Pauli sense), it reimplements a subset of Java, so you cannot count on a Java exploit on, say, Windoze to work on an Android phone.

Re:Is this new or innovative? (1)

TheLink (130905) | more than 2 years ago | (#37622264)

Because not enough people have moved to Linux and OSX.

The malware authors are thus stuck with crap like vbscript or building executables that can't be too big for bandwidth reasons.

Think of what malware authors could do if they could use perl, python and all the cool stuff.

They could have innocuous scripts that through "bugs" end up becoming malware that use search engines and other sites to search the internet for new instructions (checking the signatures to ensure the instructions are from the right source).

Re:Is this new or innovative? (0)

Anonymous Coward | more than 2 years ago | (#37623294)

"Because not enough people have moved to Linux and OSX."

Really? Linux is everywhere. Hundreds of millions of devices are produced each year that run Linux. It is the most important embedded OS ever.

Linux won the OS dominance battle years ago already. It is just guys like you that haven't realized it yet.

Re:Is this new or innovative? (1)

TheLink (130905) | more than 2 years ago | (#37627682)

Then I don't know why more hackers haven't done the fancy C&C stuff. Maybe they didn't need to yet?

Anyway it definitely isn't hard to do. Even I could do it. At work, one of our products has windows, linux/OSX/AIX/Solaris agents that communicate with a central server, but we're in the legit business so we are unlikely to need such C&C stuff. From my experience creating and fixing such agents (I didn't create the windows ones) it's much easier to do such stuff in perl than vbscript or C/C++. I'd gladly replace the windows agent with a bundled perl version if I could get it to be smaller than 1MB (it'll be at least 4MB).

Pwning linux devices/servers isn't that hard in practice. LAMP servers get pwned/defaced very often too (some say most often: http://antiphishing.com/reports/apwg_web_vulberabilities_survey_june_2011.pdf [antiphishing.com] ). linux embedded routers do get pwned ( http://www.theregister.co.uk/2011/03/10/router_rooting_malware/ [theregister.co.uk] ). This sort of thing just doesn't become big news.

Android is more a "java" sort of environment (no perl by default), until the user "roots" it. IIRC some rooted phones end up with an "open" sshd. Some users didn't set passwords and then complained that hackers were slowing their phones down. I think the automated hacks and payload worked on the assumption the victim machine would be more powerful than a phone (and had better internet connections). Doubt that worked so well ;).

Android phones do seem to have more malware than iPhones. Example: http://www.androidpolice.com/2011/03/01/the-mother-of-all-android-malware-has-arrived-stolen-apps-released-to-the-market-that-root-your-phone-steal-your-data-and-open-backdoor/ [androidpolice.com]
http://www.msnbc.msn.com/id/41867328/ns/technology_and_science-security/t/malware-infects-more-android-apps/ [msn.com]
http://www.informationweek.com/news/security/mobile/231300257 [informationweek.com]

This new malware might be a sign that the hackers are starting to need to do more fancy stuff, or someone got bored and decided to do the fancy stuff :).

Re:Is this new or innovative? (1)

DaVince21 (1342819) | more than 2 years ago | (#37661370)

Desktops. Not embedded OSes. You can find the largest amount of malware on the desktop side of that.

Re:Is this new or innovative? (1)

DrXym (126579) | more than 2 years ago | (#37624282)

Android allows people to develop apps in C/C++ and there are ports of perl, python etc. It's probably more likely done this way because mobile phone operators are less likely to impede a device for making an http request vs one which is trying to talk with an IRC server or whatever.

Re:Is this new or innovative? (1)

maxume (22995) | more than 2 years ago | (#37624262)

You have two rambling replies about the authors not being sophisticated enough, I'm not sure those guys understand what a rootkit is, or that lots of windows malware installs stuff as services, or stuff that completely subverts a browser, or whatever.

Anyway, I'm pretty sure it isn't new, the malware author probably used the technique because it was easy, maybe because they thought it would be less obvious in the telecom's proxy logs or whatever.

I wouldn't say it is all that innovative, the phone companies can just block access to the blog to shut off control of the subverted phones.

Android C&C in China? (2, Interesting)

Anonymous Coward | more than 2 years ago | (#37621720)

This actually makes sense considering that so many "computers" being manufactured for the Chinese market are now Android based. Yes, Microsoft is freaking out and trying to get their OS on ARM because of all the ARM based Android tablets, micro-books, or net-books that are on the market in China are eating their market share for "real" computers. Why spend almost a months disposable income on a machine capable of running a pirated copy of Windows XP when you can spend 1/5 to 1/3 that amount on a fully featured Android tablet/palm-top/micro-book/whatever? The idea of malicious keywords also makes some of the webforum spam I have seen recently. Interesting.

Re:Android C&C in China? (1)

couchslug (175151) | more than 2 years ago | (#37622042)

"Why spend almost a months disposable income on a machine capable of running a pirated copy of Windows XP when you can spend 1/5 to 1/3 that amount on a fully featured Android tablet/palm-top/micro-book/whatever?"

You shouldn't have posted AC, because this is highly Insightful. The way to undercut MSFT isn't just to take x86 space, but route around their obstacle by running on other devices.

The tip of this iceberg are cheap shit devices like the Sylvania and other ARM netbooks, because they will improve and THAT is the way to make buying a computer as trivial as buying a pocket calculator.

Re:Android C&C in China? (3, Insightful)

hairyfeet (841228) | more than 2 years ago | (#37622280)

Riiiight. Might work in the east, where the masses have never had a computer in the first place, won't work in the west and here is why: Just last year one of the local vendors in my area sold "Windows netbooks for $100" with in tiny writing "Compact Edition" but hell, people don't know what that means. it looked like XP, that was all that they saw.

Within a few weeks the local CL was filled to the brim with folks practically GIVING the things away. Why was that? Was there something wrong with them? Nope I tried one for a few weeks before giving it away and it was just fine for basic net surfing but it wouldn't run Windows programs so everyone (including me) got rid of them.

The reason why MSFT rules the desktop is the same reason why MSFT has to royally bust their ass maintaining backwards compatibility and that is the millions of x86 apps written that folks use every day, from the software that came with their cameras and printers to the software they use at the office. it is ALL x86 and while Linux guys can scream "We got stuff just as good!" frankly that's bullshit. Where is the custom medical and shipping apps? software equal to Quicken/Quickbooks? it doesn't exist in Linux and it sure as hell doesn't exist in ARM Linux, which has even less apps than x86 Linux.

The reason Apple can get away with the numbers they do is because everyone considers their cell phones throw away items. folks use it until their contract is up and then get another one and they have been trained that their programs won't work because what worked with phone foo don't with phone bar. Hell everyone I know has drawers filled with the things as they don't know WTF to do with all their old phones. from what I've seen the masses treat the tablet as "a big cell phone" and therefor phone rules apply. but when you start talking netbooks and the like? those are "baby laptops" and they damned well WILL expect it to run everything their desktop runs, just slower because "its a baby". Believe me as a retailer I've seen it first hand.

Re:Android C&C in China? (0)

Anonymous Coward | more than 2 years ago | (#37622672)

I want one of each. Android is better for inertial sensors, gps, & cameras, while Microsoft has the application market.

I can't live without Solidworks or Photoshop, but I'm not going to use my netbook for google maps or augmented reality. At the prices I'm willing to pay for netbooks & tablets, I can afford to have one of each.

I don't really understand why you need 1 & ONLY one computer. The google cloud services have significantly reduced or eliminated the borders between computers.

Re:Android C&C in China? (1)

ozmanjusri (601766) | more than 2 years ago | (#37623150)

In the end, all those apps may run on a hardware-assisted QEMU host. ICT already has 80% X86 native speeds on a modified MIPS architecture, so there's no reason ARM can't do the same. It would be amusing if an Android/QEMU/Wine combination beat MS to legacy app comparability...

Hardware-assisted x86 emulation
Loongson 3 adds over 200 new instructions to speed up x86 instruction execution at a cost of 5% of the total die area. The new instructions help QEMU translate x86 instructions by lowering the overhead of executing x86/CISC-style instructions in the MIPS pipeline. With added improvements in QEMU from ICT, Loongson-3 achieves an average of 70% the performance of executing native binaries when running x86 binaries from nine benchmarks.[11]

http://en.wikipedia.org/wiki/Loongson [wikipedia.org]

Re:Android C&C in China? (1)

hairyfeet (841228) | more than 2 years ago | (#37636288)

And you can just go to the corner store and pick up a loongson! Oh wait a tick, you can't because they don't have an x86 license therefore their little trick is about as legit as those "300 Nintendo games!" consoles you see sold off the back of trucks.

You see you can get away with ignoring patents and copyrights in China as long as they belong to foreigners because in China there is one law for outsiders and one law for insiders. That is why you can pick up fake DVDs of any software you want right there in the middle of town with no law hassling them, even though it's burnt discs.

So sorry to burst your bubble, but there are currently only 3 companies that can legally use x86 instructions, and that is Intel, AMD and until 2015 Via. Which means you will NEVER see the loongson in the west, or any country that signed the Berne convention for that matter.

Re:Android C&C in China? (-1)

Anonymous Coward | more than 2 years ago | (#37623552)

You really should give your fanaticism a rest. You're getting more loopy with every post.

POSTS like yours make me ill (-1)

Anonymous Coward | more than 2 years ago | (#37623772)

1st -You're off topic! 2nd - You're just here to try to insult him.

(Yes, hairyfeet "gets into it", but @ least he tells it how it is WITH EXAMPLES from his own experience @ least. That's more than you're up to...)

* It's obvious that a good 1/2 of the "trolls" around here are corporate marketing shills, & if the best they have is "putdowns of others" due to their statements, rather than contrary facts (with backing documentations preferably from reputable & reliable sources)? They're wasting their time...

APK

P.S.=> IF anyone's "loopy" here, it's yourself... apk

Re:Android C&C in China? (0)

Anonymous Coward | more than 2 years ago | (#37624198)

Riiiight. Might work in the east, where the masses have never had a computer in the first place...

Wroooooong. You've not been to Thailand, Malaysia, or China anytime in the last 10 years, have you?

Donate your old cellphones to charity. (1)

melstav (174456) | more than 2 years ago | (#37624744)

US law requires that cellphone network carriers accept emergency calls, even from non-active cellphones. So if you turn the thing on and it can see a tower, you can use it to make a 911 call. No account, no contract, no cost.

Some charity organizations, like domestic abuse shelters, are giving out donated inactivated cellphones to people who don't have one of their own so that no matter where they are, if they get into trouble, they can at least dial 911.

A little quality time with your search engine of choice should turn up any number of places that you can take your old phones (preferably WITH chargers) to be donated. Hell, you carrier's local storefront probably has a dropbox. -- Just make sure you ask first whether they donate the working phones or just send the whole shebang out to the scrappers.

Re:Donate your old cellphones to charity. (1)

hairyfeet (841228) | more than 2 years ago | (#37638706)

The problem with that idea is thus: Everyone is afraid some of their data may still be in the phone (especially with smart phones) and there is currently no reliable way to wipe them and since folks live on their phones? Not willing to risk it, and I don't blame them.

As much as I bitch about guys wasting HDDs that could be given away (nobody has yet to recover a single bit from a modern drive that has been zero passed) the flash memory in a cell phone is a different story and frankly there is no good way to see what data remains after removing a sim card unless you have a blank sim card to use to test it, which most people don't. And of course with wear leveling who the fuck knows what is in the flash memory, so into the drawers they go. If they want cell phones to be donated they need to have a device there ready to show the person the phone being wiped.

Re:Android C&C in China? (1)

metalgamer84 (1916754) | more than 2 years ago | (#37625900)

Why would you give away a netbook? Throw your favorite Linux distro on there and be on your way. That's what I would have done anyways.

Re:Android C&C in China? (1)

hairyfeet (841228) | more than 2 years ago | (#37635390)

Wouldn't work as there was no way in hell to get the thing to boot off of USB so you were stuck with WinCE. which frankly for just web surfing WinCE wasn't bad, it was just I already had an Athlon Mobile MSI wind at the time (just recently got the Brazos EEE, man that thing rocks HARD) and so I honestly didn't have a use for the thing. my wind already got nearly 5 hours and i could run the net on it PLUS my x86 software. Hell with both the Wind and the EEE I could even fire up Audacity and do rough mixes right off the multitrack in the practice space.

And it is THAT, that right there, that dooms ARM to cell phones and tablets. Because everyone has some piece of software they consider "mission critical" and it is ALL x86. For me it was Audacity, for my dad it would be Quickbooks, for my mom the software that came with her camera, for my boys their games...you get the picture. As I said folks have been conditioned that their software won't work on a cell phone but a netbook? Well those are baby laptops and they damned well expect those to run like a big laptop only slower" because its a baby".

How do you think I got the thing? A customer brought it in wanting to have me 'force it" to run her camera software, which of course it wouldn't. When she found out there was no way it would ever run it she sold it to me for $25. I ended up giving it to a neighbor simply because I never used it, the netbook was more handy. And when you can buy an Atom netbook for $199 or a really nice AMD Brazos FOR $340 with 8Gb of RAM? why bother.

It's a Turing machine, people... (1)

rocket rancher (447670) | more than 2 years ago | (#37641834)

Riiiight. Might work in the east, where the masses have never had a computer in the first place, won't work in the west and here is why: Just last year one of the local vendors in my area sold "Windows netbooks for $100" with in tiny writing "Compact Edition" but hell, people don't know what that means. it looked like XP, that was all that they saw.

Within a few weeks the local CL was filled to the brim with folks practically GIVING the things away. Why was that? Was there something wrong with them? Nope I tried one for a few weeks before giving it away and it was just fine for basic net surfing but it wouldn't run Windows programs so everyone (including me) got rid of them.

The reason why MSFT rules the desktop is the same reason why MSFT has to royally bust their ass maintaining backwards compatibility and that is the millions of x86 apps written that folks use every day, from the software that came with their cameras and printers to the software they use at the office. it is ALL x86 and while Linux guys can scream "We got stuff just as good!" frankly that's bullshit. Where is the custom medical and shipping apps? software equal to Quicken/Quickbooks? it doesn't exist in Linux and it sure as hell doesn't exist in ARM Linux, which has even less apps than x86 Linux.

The reason Apple can get away with the numbers they do is because everyone considers their cell phones throw away items. folks use it until their contract is up and then get another one and they have been trained that their programs won't work because what worked with phone foo don't with phone bar. Hell everyone I know has drawers filled with the things as they don't know WTF to do with all their old phones. from what I've seen the masses treat the tablet as "a big cell phone" and therefor phone rules apply. but when you start talking netbooks and the like? those are "baby laptops" and they damned well WILL expect it to run everything their desktop runs, just slower because "its a baby". Believe me as a retailer I've seen it first hand.

I would mod your post insightful except for one thing -- you seem oblivious to the concept of emulation. Every thing you say could be true, if computers weren't Turing machines -- anything that can be implemented on one Turing machine can be implemented on another, and this includes the Turing machine itself. As processors and storage evolve, you can expect to see VM implementations for *any* hardware/software architecture you care to name transparently available for any platform. Right now, I run Windows-specific apps on my Solaris CDE desktop in a Windows XP VM that boots automagically when the app is launched. It is only a matter of (probably very little) time when you will be able to do this on your Android or IOS tablet. It just takes a little bit more CPU horsepower than is presently commercially available, and Moore's law isn't dead yet, not by a long shot.

Re:It's a Turing machine, people... (1)

hairyfeet (841228) | more than 2 years ago | (#37648618)

The problem with your theory of emulation is thus: emulation is illegal so it really doesn't help. X86 is patented and copyrighted up the ass and there is only THREE companies in the world that can legally use x86 instructions in any Berne Convention country, that is Intel, AMD, and until 2015 (when their license expires) Via, that's it.

That is why you don't see cell phones bragging about being able to play SNES games or anything like that, even though older machines would be trivial to emulate and in China they are. its because even if they only used ROT 13 under DMCA that counts as copyright protection and thus is illegal to circumvent. IIRC Intel and AMD also have their specific instructions covered by not only patents but copyrights on the code itself, and as I'm sure you know that is 150 years+ before they expire.

So I'm sorry but emulation isn't the answer, not for technical reasons but simply because of legal bullshit. That is why you don't see Loongson CPUs being sold in netbooks over here, their x86 emulation isn't allowed in the west. And if the USA ends up getting China onboard copyrights and patents frankly it won't be legal there either. sorry.

Another non-story. (4, Insightful)

Kenja (541830) | more than 2 years ago | (#37621818)

You first have to install the app from an untrusted site and ignore the page full of warnings the OS throws at you before this can do anything. Seriously, look at the screen shot in the FA. You have to agree that the app can make outgoing phone calls. If you click through that many warnings I would hardly call this malware. It's doing exactly what it says it will do.

Re:Another non-story. (2, Insightful)

tepples (727027) | more than 2 years ago | (#37622050)

Given that pretty much every app that I've seen asks for full Internet access (so that it can talk to the Internet service it was made to talk to) and phone call state (so that it can back off if you get a call), I guess people have started ignoring these warnings.

Re:Another non-story. (4, Informative)

tycoex (1832784) | more than 2 years ago | (#37622260)

You didn't actually look before replying did you...?

I've installed about 100 apps on my phone and I have never seen a single app that had this many permissions.

Okay, so you download your third-party Chinese app store (bad idea in the first place, from my experience Chinese web sites are terrible for malware).

Next, you download an e-book reader. Now, off the top of my head I can think of a few permissions an e-book reader might need. Perhaps full internet access, modify SD contents, prevent phone from sleeping, and maybe a few more, but that's about it.

Now look at some of the permissions for this e-book reader, they are very obviously not needed for an e-book reader:

1) Edit, read, or receive SMS/MMS.
2) Read and write contact data.
3) Directly call phone numbers and send SMS messages.
4) Read system log files
5) Write access point name settings

I can see a situation where something ambiguous that might actually be needed such as "full internet access" could be exploited, but this definitely isn't one of those situations.
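
The permission comparison described in the comment above, as an added example that is not part of the original thread: a small audit that reads a decoded `AndroidManifest.xml` and flags permissions outside what an app of a given category plausibly needs. The baseline set, the verdict thresholds and both sample manifests are assumptions constructed for this illustration; the permission names are standard Android ones.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS

# Assumed baseline: what an e-book reader plausibly needs, following the
# comment (internet access, SD card writes, keeping the phone awake).
BASELINE = {
    "ebook_reader": {
        "android.permission.INTERNET",
        "android.permission.WRITE_EXTERNAL_STORAGE",
        "android.permission.WAKE_LOCK",
    },
}

# Permissions behind the five items the comment lists as out of place.
SENSITIVE = {
    "android.permission.READ_SMS": "read SMS/MMS",
    "android.permission.WRITE_SMS": "edit SMS/MMS",
    "android.permission.RECEIVE_SMS": "receive SMS",
    "android.permission.READ_CONTACTS": "read contact data",
    "android.permission.WRITE_CONTACTS": "write contact data",
    "android.permission.CALL_PHONE": "directly call phone numbers",
    "android.permission.SEND_SMS": "send SMS messages",
    "android.permission.READ_LOGS": "read system log files",
    "android.permission.WRITE_APN_SETTINGS": "write access point name settings",
}
# The group Android labels "services that cost you money".
COSTS_MONEY = {"android.permission.CALL_PHONE", "android.permission.SEND_SMS"}


def build_manifest(package, permissions):
    """Build a constructed, text-form manifest for the demo inputs."""
    lines = ['<manifest xmlns:android="%s" package="%s">' % (ANDROID_NS, package)]
    lines += ['  <uses-permission android:name="%s"/>' % p for p in permissions]
    lines.append("</manifest>")
    return "\n".join(lines)


# Constructed sample: an "e-book reader" asking for everything in the comment.
SUSPECT_MANIFEST = build_manifest(
    "com.example.reader", sorted(BASELINE["ebook_reader"] | set(SENSITIVE))
)
# Constructed sample: a reader that stays inside the baseline.
BENIGN_MANIFEST = build_manifest(
    "com.example.plainreader",
    ["android.permission.INTERNET", "android.permission.WAKE_LOCK"],
)


def requested_permissions(manifest_xml):
    """Return the sorted, de-duplicated permission names a manifest requests.

    Assumes the manifest is already decoded to text XML (inside an APK it is
    stored in a binary form) and comes from a source you are willing to parse.
    """
    root = ET.fromstring(manifest_xml.strip())
    names = {el.get(NAME_ATTR) for el in root.iter("uses-permission")}
    return sorted(n for n in names if n)


def audit(manifest_xml, category):
    """Compare requested permissions against the category baseline."""
    baseline = BASELINE[category]
    findings = []
    for perm in requested_permissions(manifest_xml):
        if perm in baseline:
            continue
        reason = SENSITIVE.get(perm, "not in baseline for this category")
        findings.append((perm, reason))

    sensitive_hits = [p for p, _ in findings if p in SENSITIVE]
    costs_money = any(p in COSTS_MONEY for p in sensitive_hits)
    # Assumed policy: anything that can spend money, or three or more
    # sensitive permissions outside the baseline, is rejected outright.
    if costs_money or len(sensitive_hits) >= 3:
        verdict = "reject"
    elif findings:
        verdict = "review"
    else:
        verdict = "ok"
    return {"verdict": verdict, "costs_money": costs_money, "findings": findings}


if __name__ == "__main__":
    for label, manifest in (("suspect", SUSPECT_MANIFEST), ("benign", BENIGN_MANIFEST)):
        result = audit(manifest, "ebook_reader")
        print(label, result["verdict"])
        for perm, reason in result["findings"]:
            print("   ", perm, "->", reason)
```
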

Re:Another non-story. (4, Insightful)

Charliemopps (1157495) | more than 2 years ago | (#37622334)

Ok, now put all those questions in front of your mom and... Malware!

Re:Another non-story. (-1)

Anonymous Coward | more than 2 years ago | (#37622464)

You potheads like to stick together, huh? Haha 420 amirite?

Re:Another non-story. (1)

JAlexoi (1085785) | more than 2 years ago | (#37623508)

Why would your mom take the trouble of allowing third party stores enabled and be perplexed by this notification?

My phone shows a big notification saying:
Services that cost you money - Directly call phone numbers and send SMS messages.

That usually results in my mother calling me for clarification...
You see, people don't take lightly any sentences that have cost + money in them. The ones that do, are soon left penniless.

Re:Another non-story. (1)

tycoex (1832784) | more than 2 years ago | (#37628476)

My mom wouldn't be using a third party Chinese app store.

She also wouldn't be downloading some random unheard of book reader, she would be using something she has heard of such as kindle or nook.

And lastly she would probably be alarmed by the bold lettered "services that cost you money" part of the permissions.

Your Mom may be an idiot but that doesn't mean everyone else who isn't tech savvy is.

SL4A (1)

tepples (727027) | more than 2 years ago | (#37622520)

I've seen Scripting Layer for Android (SL4A) request a shitload of permissions so that scripts loaded into it can access API features that require those permissions.

Re:SL4A (1)

JAlexoi (1085785) | more than 2 years ago | (#37623520)

So does the developer API Demo's app, what's your point?

Re:SL4A (1)

tepples (727027) | more than 2 years ago | (#37625706)

My point was that "never" is a strong word.

Re:Another non-story. (2)

aiken_d (127097) | more than 2 years ago | (#37623156)

Yeah, I'm pretty sure even an 80 year old non-technologist like my dad would be tipped off by something as unambiguous as "write access point name settings."

Oh, wait, maybe not. Remind me, is Android for the mass market, or just for power users? Or is it like Windows, where anyone who's not an expert should expect to get their system owned, with platform apologists assuring everyone that it's the user's own fault?

Re:Another non-story. (2)

JAlexoi (1085785) | more than 2 years ago | (#37623556)

Actually, both on Android and on Windows it is the user's fault, and I'm no Windows apologist. It's as much user's fault as falling for a phishing email or "Your drive is infected. Check for viruses now." banner. It's like complaining that you get an STD after having sex with all your town's sluts... or downloading cracked software.
When a security hole is exploited, then it'll be Windows and Android to blame. Social engineering is still the biggest threat.

Re:Another non-story. (1)

flappinbooger (574405) | more than 2 years ago | (#37625052)

BS - Most malware infections today do not come from perusing around the dark alleyways of the internet. Here's an anecdote:

I repaired a machine with a bad malware infection. I also was able to do an audit and see exactly where the machine was going on the internet, when, and even the searches. The owner's kid was literally searching for busty milfs and goat sex. All week long, after the owner was going to bed. Saturday morning the last search before infection was "TV repair in [local town]". Bam. Drive-by download.

Yeah, it's an anecdote, but it is very symptomatic of what I see all the time. Porn sites are not to blame. Warez is still not safe, but more people do porn than warez and porn is NOT the current main cause of malware.

The ONLY cure on the horizon for malware is browsing in a sandbox, either a purpose built sandbox like "sandboxie" or in a VM. Period.

Re:Another non-story. (0)

Anonymous Coward | more than 2 years ago | (#37634372)

Just out of curiosity, how did you know the precise point in time of infection? I'd love to know that, as I have a difficult time doing so when I go to help people.

What logs were you looking at (on a home computer, no less)? or was there software preinstalled?

Re:Another non-story. (1)

brunes69 (86786) | more than 2 years ago | (#37625444)

And do you think your dad would have gone into his phone, added untrusted applications, downloaded an APK from a Chinese website, used ADB to serial copy it to his phone, and install it?

NO????

Then shut up.

These capabilities in Android are great for power users. And non-power users don't even know they exist. The hyperbole about Android malware on these Chinese app markets is astounding.

Why turn on "Unknown sources" (1)

tepples (727027) | more than 2 years ago | (#37625808)

Perhaps someone already turned on "Unknown sources" to get the Amazon Appstore-exclusive game Angry Birds Rio working. And once that's on, you don't need to use ADB to sideload; you can just navigate to the APK using a web browser.

Re:Why turn on "Unknown sources" (0)

Anonymous Coward | more than 2 years ago | (#37634430)

Then that's the responsibility of the person who unchecked Unknown Sources. There's a big scary warning saying OMG UR DATA MIGHT BE STOLEN N STUFF.

If someone did that to my phone and didn't tell me, I'd be pretty pissed off.

That said, if I found a random chinese program lurking on my phone that I wasn't aware of... I'd just uninstall it.

Poof, problem solved.

Re:Another non-story. (1)

tepples (727027) | more than 2 years ago | (#37625932)

Yeah, I'm pretty sure even an 80 year old non-technologist like my dad would be tipped off by something as unambiguous as "write access point name settings."

So I guess you're right that some of the privileges' explanations are poorly worded. For example, this one appears to mean "use specific data networks".

Re:Another non-story. (0)

Anonymous Coward | more than 2 years ago | (#37634498)

The web based Android Market and the new on-device Android market explains each permission, with examples of what bad (and sometimes good) programs could use this permission for. Most of the less harmful (control vibrator, etc) is actually hidden by default, leaving only the really important ones.

That said, if you stay in the Android, you should be relatively safe. If you stay in the Amazon Store, you're "definitely" safe (they do a review, but can only see so much... just like any other platform). Looking at permissions is only really really necessary if you care about your own privacy or downloading stuff off market.

Also, the download screen from the Android market and the download screen from SD/web/all other sources look quite different -- also should raise red flags to even the uninformed.

Re:Another non-story. (1)

tycoex (1832784) | more than 2 years ago | (#37630970)

It's a good thing that was just ONE of the money red-flag raising permissions for this app. Even if he doesn't have a clue what "write access point name settings" means, he should know what "Services that cost you money: Directly call phone numbers and send SMS messages" means.

I also think it's pretty disingenuous to consider an "80 year old non-technologist" as the mass market. I think the mass market for smartphones is probably the under 65 crowd, and while nowhere near the average Slashdot reader's level of competency your average college age student is actually pretty well familiar with technology.

Besides I think they already made a phone specifically for 80 year olds: http://www.greatcall.com/ [greatcall.com]

Re:Another non-story. (0)

Anonymous Coward | more than 2 years ago | (#37623338)

Uh, yeah that's great and all.

Pandora's Android app asks for full access to your contacts list, call logs, and the ability to send email. None of which has jack shit to do with actually using the Pandora service. Well over a million people, and most of them with "rave reviews" on the comments section.

This is why the official market needs to start vetting apps, or at least make a distinction between 'verified' or 'certified' apps and the ones any idiot with a gmail account and $10 can upload.

Re:Another non-story. (1)

AI0867 (868277) | more than 2 years ago | (#37626536)

I have. Every last app from google.

Re:Another non-story. (1)

stephanruby (542433) | more than 2 years ago | (#37622668)

...and phone call state (so that it can back off if you get a call)

No, all Android apps have to back off when you get a call. That's not a permission, that's an absolute requirement.

And yes, older Android apps have this permission required by default [zdnet.com] (so the user sees it), but you should be starting to see this permission used for no reason less and less now as this is only for apps that still target API level 3 (and that only represents 1.1% of the user phones right now).

READ_PHONE_STATE, net radio, and COPPA (1)

tepples (727027) | more than 2 years ago | (#37626432)

I scanned down the list of things in TelephonyManager [android.com] that require READ_PHONE_STATE.

Say a program needs to stop playing music if the phone starts ringing. In Android, background processes such as Internet radio applications run as services. So how is a service created by a program without READ_PHONE_STATE notified that the phone is ringing so that the service can stop playing the stream? Or does Android automatically stop all other audio sources once the phone starts ringing?

Say a program needs to make a unique user ID. The program could require the user to enter an e-mail address and password, but that has three drawbacks:

  • Users under 13 couldn't use it due to the Children's Online Privacy Protection Act and foreign counterparts. This makes it not viable for games that would be rated E or E10+.
  • Having to key in a name and password on a touch screen every time creates a poor user experience.
  • Resetting forgotten passwords would cost the developer's customer support department money.

So applications tend to generate a user ID based on the IMEI or the IMSI, which requires READ_PHONE_STATE.

Re:Another non-story. (1)

AmberBlackCat (829689) | more than 2 years ago | (#37622190)

That's the same situation with the majority of Windows viruses (Windows, not Adobe or Java). People get a ton of warnings, they click on it anyway, and another person is complaining about how Windows is so vulnerable. I currently don't have any outstanding security issues on my PC. But I do have an outstanding security issue on my Android phone. Granted, it was put there by HTC, the maker of the phone.

Re:Another non-story. (1)

tlhIngan (30335) | more than 2 years ago | (#37622586)

You first have to install the app from an untrusted site and ignore the page full of warnings the OS throws at you before this can do anything. Seriously, look at the screen shot in the FA. You have to agree that the app can make outgoing phone calls. If you click through that many warnings I would hardly call this malware. It's doing exactly what it says it will do.

Dancing Pigs [wikipedia.org].

I can say that "Unauthorized Sources" can be enabled quite easily - perhaps you go use Amazon's App Store. That's not a protection anymore. In fact, it was Amazon that probably got AT&T to re-enable the option.

Either way though, the Dancing Pigs problem still exists. Remember the old iPhone virus? It spread by using default passwords on jailbroken devices running OpenSSH. OpenSSH was not installed by default, and jailbreaking was somewhat more complex than it is today. And we're talking about people having to use SFTP and SSH and enter in tricky UNIX commands to install stuff on their iPhones.

Long warning screens? People who will be infected don't read them. Especially when it says stuff like "Download this file, copy it to your SD card and run the installer. Click Install. Congratulations, you've installed Foo, now download all the apps you want for FREE!".

In fact, that permission list is probably longer than necessary to invoke the TL;DR response by people on purpose.

+100 - Install Permission Dog if you use untrusted (1)

brunes69 (86786) | more than 2 years ago | (#37625412)

This is why all Android users who install apps from "untrusted sources" should install permission dog. What permission dog does is twofold

a) It does a full audit of all the apps on your phone, so you can easily see a simple breakdown of all of the permissions apps you CURRENTLY HAVE are using. Ones using too many permissions are flagged with warning icons.

b) If you have root, then it allows you to deny individual permissions to apps. So if an app is asking for permission A B and C, you can allow A and C but deny B. Depending on the app, this can either simply make a certain function not work, cause the app to crash totally, or allow it to work 100%. But the important thing is it gives the control to you as a user as to what you want every app to be allowed to do.
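The kind of per-app permission audit described in the comment above, as an added example (not Permission Dog's code and not part of the original thread). It assumes each app's AndroidManifest.xml has already been decoded to text; the package names, sample manifests and category labels are constructed, apart from "costs money", which follows the install-screen wording quoted earlier in the thread.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Real Android permission names. The category labels are this example's own,
# except "costs money", which follows the install-screen wording quoted above.
SENSITIVE = {
    "android.permission.CALL_PHONE": "costs money",
    "android.permission.SEND_SMS": "costs money",
    "android.permission.WRITE_APN_SETTINGS": "network settings",
    "android.permission.READ_PHONE_STATE": "device identity",
    "android.permission.READ_CONTACTS": "personal data",
}

def audit_manifest(manifest_xml):
    """Return the package name, its sensitive permissions by category, and a verdict."""
    try:
        root = ET.fromstring(manifest_xml)
    except ET.ParseError:
        return {"package": None, "flagged": {}, "verdict": "unreadable"}
    requested = set()                      # a set, so repeated entries count once
    for node in root.iter("uses-permission"):
        name = node.get(ANDROID_NS + "name")
        if name:                           # ignore entries with no android:name
            requested.add(name.strip())
    flagged = {}
    for perm in sorted(requested):
        category = SENSITIVE.get(perm)
        if category:
            flagged.setdefault(category, []).append(perm)
    if "costs money" in flagged:
        verdict = "warn"                   # may place calls or send SMS directly
    elif flagged:
        verdict = "review"
    else:
        verdict = "ok"
    return {"package": root.get("package"), "flagged": flagged, "verdict": verdict}

def audit_all(manifests):
    """Audit several manifests and list the worst verdicts first."""
    rank = {"warn": 0, "review": 1, "unreadable": 2, "ok": 3}
    return sorted((audit_manifest(m) for m in manifests), key=lambda r: rank[r["verdict"]])

def sample_manifest(package, permissions):
    """Build a constructed sample manifest for the demo below."""
    uses = "".join('<uses-permission android:name="%s"/>' % p for p in permissions)
    return ('<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
            'package="%s">%s</manifest>' % (package, uses))

# Constructed samples: a sideloaded "book reader" and a net radio player.
BOOK_READER = sample_manifest("com.example.bookreader", [
    "android.permission.INTERNET", "android.permission.SEND_SMS",
    "android.permission.SEND_SMS", "android.permission.CALL_PHONE",
    "android.permission.WRITE_APN_SETTINGS"])
RADIO = sample_manifest("com.example.netradio", [
    "android.permission.INTERNET", "android.permission.READ_PHONE_STATE"])

if __name__ == "__main__":
    for report in audit_all([RADIO, "<manifest", BOOK_READER]):
        print(report["verdict"], report["package"], report["flagged"])
```
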

C&C Server (0)

Anonymous Coward | more than 2 years ago | (#37621872)

A blog in China is a C&C server? Okay, here's what we do:

We gather a whole bunch of engineers, load them into a helicopter, land *inside* their base, and then rush their construction yard. If we're lucky, they haven't built many SAM sites or antipersonnel defenses inside their base, and we can cut off their ability to build anything new.

God help us if they have a mobile construction vehicle hidden somewhere.

Re:C&C Server (2)

Mitchell314 (1576581) | more than 2 years ago | (#37621966)

What if they completed the hand of nod?

wrong, just wrong. (2)

Gravis Zero (934156) | more than 2 years ago | (#37621912)

and appears to be the first time Android malware implemented this kind of technique to communicate with its server.

correction, this is the first time those security researchers have found this implementation. this isn't exactly rocket science.

How awesome was that multiplayer? (0)

Anonymous Coward | more than 2 years ago | (#37622096)

Still crack up at "That was left-handed!"

Permissions? (0)

Anonymous Coward | more than 2 years ago | (#37622618)

Ok, so let me get this right. You have to agree to permissions for everything an android app does? Do you just spend your whole life agreeing to stuff on your phone? I'll take my iPhone, it works, and it always works thank you.

Re:Permissions? (1)

bky1701 (979071) | more than 2 years ago | (#37622800)

Translation: I don't care how other people do it because I am certain I can't be wrong. Do you realize how insane an argument from ignorance looks when the very people you are arguing with aren't ignorant on the topic?

Re:Permissions? (2)

Eyeball97 (816684) | more than 2 years ago | (#37622894)

Ok, so let me get this right. You have to agree to permissions for everything an android app does?

Yes.

Do you just spend your whole life agreeing to stuff on your phone?

[Sarcasm]Yes that's right, because I spend every waking moment installing apps on my phone...[/Sarcasm]

I'll take my iPhone, it works, and it always works thank you.

Ok, so let me get this right. You hand over ALL your trust to the app store, and you don't care what permissions an app gets. Because the iDrones at the app store would never make a mistake and let a bad app through, right? You have an iProduct because you like it simple, and reviewing what an app has permission to do while you're installing it is far too complicated for you?

C&C (0)

Anonymous Coward | more than 2 years ago | (#37622676)

Did anyone else read the headline as "Command and Conquer" instead of "Command and Control"?

Re:C&C (1)

Sockatume (732728) | more than 2 years ago | (#37623342)

Yeah, I was going to say that I didn't think C&C had dedicated servers, but renting fast nodes to online gamers might be a good way of monetising the zombies.

By Analogy (Interpretive Troll is Interpretive) (0)

Anonymous Coward | more than 2 years ago | (#37625762)

So, there's some Android malware using a blog in the .CN area as a C&C proxy? That's funny. By analogy, it reminds me of certain political tools in the modern society using pundits on certain TV networks as C&C proxies - and what else that could serve to remind oneself of, the irony.

Anonymous because Big Brother is a myth, but some would perceive a myth as though it was reality.

And hey, to put it back on topic: Where are all the "social engineering" threads, these days?

Read the app summary (1)

toxonix (1793960) | more than 2 years ago | (#37627420)

The Chinese may one day defeat my ultimate security system for Android: When the app's summary is written in bad Engrish, do not install.

Android Malware (1)

Transaction7 (1527003) | more than 2 years ago | (#37687572)

My wife and I have relatively new Sprint HTC EVO Android-based smart phones. My wife has downloaded a lot of apps, nothing that looks suspicious, reads a lot of Email newsletters, and uses hers to send and exchange GMail Email, etc. With limited vision, I do all my newsletters, Email, etc. on this desktop except I have read some news etc., and received some mail from her etc., on my cell phone. We're both suddenly getting both messages and mail from unknown sources that is spam, some highly objectionable, some signed with unrecognizable handles, some simply undecipherable gibberish not all of which is in English characters or recognizable and may be Chinese or whatever. Our phones have both also started switching, changing home page apps, placing calls without being touched and to people in our directories but not last person called, etc. Our primary concern is that we both use our phones for privileged and confidential medical, legal, etc. matters, and our people lists contain doctors and friends with whom we have privileged and confidential relationships and some very sensitive confidential information. Both phones are on the federal Do Not Call list, though that is usually not necessarily for cell phones. Sprint is not happy hearing from us again. Please keep us posted on this including, but not limited to, effective defenses as they are developed. By the way, most sites I know don't cover Android apps for legal and other things and this is the only site on which I have found two warnings now about Android malware. Where can I find best malware, security, legal and other research, and other apps for Android? Also, several of the available free and cheap Android apps I don't really want on my cell phone, which has limited battery life, but would really like to have on my MS Windows desktop, and there are some my wife would like on her laptop. I'm sure there must be a way to do that but can't figure out how. Any suggestions?