Massive Android Mobile Botnet Hijacking SMS Data

Soulskill posted about 10 months ago | from the all-your-texts-are-belong-to-us dept.

Android 117

wiredmikey writes "A mobile botnet called MisoSMS is wreaking havoc on the Android platform, stealing personal SMS messages and exfiltrating them to attackers in China. Researchers at FireEye lifted the curtain off the threat on Monday, describing MisoSMS as 'one of the largest advanced mobile botnets to date' and warning that it is being used in more than 60 spyware campaigns. FireEye tracked the infections to Android devices in Korea and noted that the attackers are logging into command-and-controls from Korea and mainland China, among other locations, to periodically read the stolen SMS messages. FireEye's research team discovered a total of 64 mobile botnet campaigns in the MisoSMS malware family and a command-and-control that comprises more than 450 unique malicious e-mail accounts."

117 comments

LOL WTF LMFAO (1)

retroworks (652802) | about 10 months ago | (#45723489)

Seriously, what is the "trickery" that gets one to download and install this "Google Vx" application, and how many Chinese people does it take to read our LOLs? Is someone out there texting their social security number or bank PIN?

Re:LOL WTF LMFAO (3, Interesting)

icebike (68054) | about 10 months ago | (#45723545)

Put it on some dodgy mobile cracked app site and have it perform some trivial functions, post about it in a conspiratorial tone in some forums and watch the cheap bastards come rolling in. There are a million cheapskates for every real customer of android apps.

Re:LOL WTF LMFAO (1)

VortexCortex (1117377) | about 10 months ago | (#45723705)

The same can be said for pre-made botnet command & control client software...

Re:LOL WTF LMFAO (1)

PC_THE_GREAT (893738) | about 10 months ago | (#45723571)

I guess those Koreans or Chinese who are running those C&C must be having the time of their life fapping over who is cheating with whom via reading the world's sms :p,

who knows, new category of porn soon:

"Click here to see sexy conversations between %person you want% and %other person you fantasize% online, for only $5/monthly and receive a free android device on booking for 5 years!"

Luminaria (1)

SuperKendall (25149) | about 10 months ago | (#45723921)

Seriously, what is the "trickery" that gets one to download and install this "Google Vx" application

Flashlight App.

Re:LOL WTF LMFAO (1)

Plumpaquatsch (2701653) | about 10 months ago | (#45723937)

Seriously, what is the "trickery" that gets one to download and install this "Google Vx" application, and how many Chinese people does it take to read our LOLs? Is someone out there texting their social security number or bank PIN?

The fact that almost nobody in China can get to Google Play without trickery?

Re:LOL WTF LMFAO (1)

robmv (855035) | about 10 months ago | (#45724731)

There is a reason Mozilla is hard with the requirements to name a build for Firefox codebase "Firefox", it is their trademark, if you build Firefox and replace Mozilla addons "store" with one that doesn't do reviews (manual or automated) and is filled with malware, I am pretty sure Mozilla will make you use another name. Android is trademarked by Google, Amazon don't call their tablets Android, because they can't. Google is too light allowing forkers to call it Android, tainting their brand.

Re:LOL WTF LMFAO (2)

nightsky30 (3348843) | about 10 months ago | (#45724881)

Seriously, what is the "trickery" that gets one to download and install this "Google Vx" application, and how many Chinese people does it take to read our LOLs? Is someone out there texting their social security number or bank PIN?

The fact that almost nobody in China can get to Google Play without trickery?

Don't get me wrong. I love android, but even Google Play has crappy asian malware. I wish they would clean that shat up.

Search for a game or something and you get...

LOVE BLOND KITCHEN See girl beautiful aprons...

And 12 other similar apps from the same creepy ass developer...No way would someone with half a brain download that. Even worse, it wastes space in the search results, the results aren't relevant to what was searched, and it also wastes the end user's bandwidth in having to download the metadata for that nonsense. WTF GOOGLE?

Re:LOL WTF LMFAO (2)

mlts (1038732) | about 10 months ago | (#45726071)

Google needs to start tiering their store. One tier is stuff actively moderated with strict, Draconian guidelines and perhaps additional fees to support this degree of moderation. This tier would be similar to Amazon's, Microsoft's, or Amazon's store and if an app doesn't toe the line perfectly, it gets pulled without mercy (since it can easily be offered on the "free for all" tier.) The second tier would be what their store is now -- pay a fee for an account, upload, and go from there.

The next step is by default, have Android devices download only from the restricted tier of the Google Play Store, and a checkbox, similar to the one that allows sideloading, for using the open tier of their market. This way, the average Joe who doesn't know or doesn't care about permissions is kept safe from potentially malicious software by only being in the actively moderated tier, but someone who has some sort of a clue can turn that protection off and go for whatever utility they want.

Of course, there is worse in the way of markets. AFAIK, China has no access to the Google Play store, and Chinese app stores may have absolutely zero curation or moderation in place whatsoever, so there may be numerous copies of a perfectly legit app, except only one doesn't bring with it an added payload. To boot, number of downloads isn't a good statistic if bogus store accounts are easily created.

Re:LOL WTF LMFAO (0)

Dishevel (1105119) | about 10 months ago | (#45726823)

This way, the average Joe who doesn't know or doesn't care about permissions is kept safe from potentially malicious software by only being in the actively moderated tier, but someone who has some sort of a clue can turn that protection off and go for whatever utility they want.

Fuck the Average Joe.

He is getting stupider and less capable of caring for himself every year. I for one am tired of this pathetic leech screwing shit up for the rest of us.

Fuck Average Joe and all those that support his continued existence.

Re:LOL WTF LMFAO (1)

mlts (1038732) | about 10 months ago | (#45726997)

I think we all feel that way. However, the average Joe is the one with the money, and keeping him relatively safe is a boon for everyone in the Android ecosystem.

The other answer is to have a locked down platform like iOS where nobody can see a true "#" prompt or know what is going on in the device. Given a choice between a walled garden with no way out, versus one that has walls with a switch to flip to drop the walls as one's will, I'll take the latter.

Re:LOL WTF LMFAO (2)

Dishevel (1105119) | about 10 months ago | (#45727151)

If we allow the stupid to die off in massive amounts by removing warning labels from hair dryers, airbags and cleaning supplies before they breed we could have a very positive effect on the average IQ of future Average Joes.

Re:LOL WTF LMFAO (2)

jeffmeden (135043) | about 10 months ago | (#45726955)

Google needs to start tiering their store. One tier is stuff actively moderated with strict, Draconian guidelines and perhaps additional fees to support this degree of moderation. This tier would be similar to Amazon's, Microsoft's, or Amazon's store and if an app doesn't toe the line perfectly, it gets pulled without mercy (since it can easily be offered on the "free for all" tier.) The second tier would be what their store is now -- pay a fee for an account, upload, and go from there.

The next step is by default, have Android devices download only from the restricted tier of the Google Play Store, and a checkbox, similar to the one that allows sideloading, for using the open tier of their market. This way, the average Joe who doesn't know or doesn't care about permissions is kept safe from potentially malicious software by only being in the actively moderated tier, but someone who has some sort of a clue can turn that protection off and go for whatever utility they want.

Of course, there is worse in the way of markets. AFAIK, China has no access to the Google Play store, and Chinese app stores may have absolutely zero curation or moderation in place whatsoever, so there may be numerous copies of a perfectly legit app, except only one doesn't bring with it an added payload. To boot, number of downloads isn't a good statistic if bogus store accounts are easily created.

The Play store is wiped of malware on a pretty regular basis, but there are still a lot of pointless/crappy apps in there. Any true malware capable apps are swiftly removed from the store and from users' devices. Your second point is exactly right though; China and other non-western areas don't get the Play store like NA/EUR does. Specifically Google can't collect/disseminate charges from the Play store there, so no developers are interested in making anything but free crApps for it. This means that even if China weren't a hotbed of "loose copyright morals" the people who do pay for software would still not be able to spend their money on the "good" apps from the store. This means they might as well just get a third-party market or better yet just pirate/sideload the apps they want.

So aside from the FUD in this headline, the real story here is that poor sales practices (or a lack of) can push users to do things they might not otherwise, and a huge market is being downright abused. Have there been any malware infection groups coming from NA/EUR where there are a ton of phones and a ton of uneducated users, but full access to the Play store? Nope didn't think so.

Re:LOL WTF LMFAO (2)

fuzzyfuzzyfungus (1223518) | about 10 months ago | (#45724005)

SMSes seem to be fairly commonly abused as the cheapskate's "Two-factor authentication" (a convenient excuse to rake in customer phone numbers, and a device that probably isn't infected with the same malware as the users' PCs, plus it's cheaper than dedicated hardware security tokens!)

There's a simple solution to stop this. (0)

cheekyboy (598084) | about 10 months ago | (#45724211)

Google, I dare you, I really dare you, make android by default, whitelist countries IP addresses.

So that I can choose, EU only, or Asia only, except china/korea. Or USA only ip addresses.

Yeah it's drastic, but 99% of users won't access websites outside usa, or their home country or two.

But france is as bad, I know no one there or use their websites, so should block the whole country on my linux server...

Is there any easy to use firewall configs to block/allow by country?

depends. netfilter just like any other Linux (1)

raymorris (2726007) | about 10 months ago | (#45724339)

> Is there any easy to use firewall configs to block/allow by country?

That very much depends on your definition of easy.
Netfilter is there. Some phones have iptables pre-installed, so on those phones you'd blacklist or whitelist exactly the same as any other Linux distribution. That's easy for me, it would be hard for a lot of people.

  Other phones don't have iptables installed so you'd need to copy the binary over to the phone.

At minimum, you'll need root access on the device.

Re:LOL WTF LMFAO (0, Troll)

hairyfeet (841228) | about 10 months ago | (#45725733)

I think you are missing the more important information here, malware like this and Linux servers being targeted for attack [arstechnica.com] finally drive a stake through the lie that just because you have source that magically makes it more secure. As we see it's just as many of us have been saying for years that once Linux reached a level of popularity it too would fall, no different than windows and OSX.

All having the source does is make it so that 1.- if you have the money, or 2.- if you have the coding talent, that you can continue to have that older piece of hardware or software supported...that's it, that's all it does, it keeps you from ending up with software or hardware being unsupported because everybody moved on because you can pay to keep it going or fix it yourself. I mean if anybody even thought about it for more than 30 seconds it would be plain as the nose on your face why "many eyes" is a myth, how many tens of millions of loc is in your average distro? How many programs and/or components are updated/upgraded on that distro per quarter? This is why every bug tracker has bugs going back several years, for the vast majority of any distro I seriously doubt anybody other than the guys that actually work on the project look at it with any regularity and you can be damned sure the majority of it isn't getting a security audit, it simply changes too fast.

But of course I'll be modded off the page for daring to point out what TFA clearly shows, but IRL Linux is just as complex as any other modern OS and where there is complexity there is flaws, simple as that.

Re:LOL WTF LMFAO (2, Interesting)

jeffmeden (135043) | about 10 months ago | (#45727129)

I think you are missing the more important information here, malware like this and Linux servers being targeted for attack [arstechnica.com] finally drive a stake through the lie that just because you have source that magically makes it more secure. As we see it's just as many of us have been saying for years that once Linux reached a level of popularity it too would fall, no different than windows and OSX.

All having the source does is make it so that 1.- if you have the money, or 2.- if you have the coding talent, that you can continue to have that older piece of hardware or software supported...that's it, that's all it does, it keeps you from ending up with software or hardware being unsupported because everybody moved on because you can pay to keep it going or fix it yourself. I mean if anybody even thought about it for more than 30 seconds it would be plain as the nose on your face why "many eyes" is a myth, how many tens of millions of loc is in your average distro? How many programs and/or components are updated/upgraded on that distro per quarter? This is why every bug tracker has bugs going back several years, for the vast majority of any distro I seriously doubt anybody other than the guys that actually work on the project look at it with any regularity and you can be damned sure the majority of it isn't getting a security audit, it simply changes too fast.

But of course I'll be modded off the page for daring to point out what TFA clearly shows, but IRL Linux is just as complex as any other modern OS and where there is complexity there is flaws, simple as that.

Linux vulnerabilities have nothing to do with this, since users are willingly installing the apps and granting them permission to do these things (whether there is a better way of doing the aforementioned things in Android is moot since you decided to attack Linux). The one thing you missed is that when the source is open, the discovery of a vulnerability doesn't have to wait for the corporate "is it worth it to fix it" cycle. Anyone with a smidgen of coding talent can dig in and take a swing at it, which doesn't decrease 0-days but does decrease 180-days or 360-days that we have seen in many closed platforms. You might also want to investigate the fact that it's not a "distro" that needs to be secure at all, it's the individual, visible things (network stack, plus firewalling applications and finally the internet-facing applications) that consist of a much smaller and better reviewed set of code. But have fun getting modded.

Re:LOL WTF LMFAO (1)

SCHecklerX (229973) | about 10 months ago | (#45726465)

This was my exact question. What is the infection vector? I don't care what software is installed, but how it gets there in the first place. If it's not exploiting a flaw in the OS itself, then it's just user stupidity.

Ha Ha (-1)

Anonymous Coward | about 10 months ago | (#45723497)

Fuck Android, and Google.

Closed source... (0)

Anonymous Coward | about 10 months ago | (#45723513)

...What could possibly go wrong?

For a split second... (0)

Anonymous Coward | about 10 months ago | (#45723525)

For a split second I read it as "Massive Asteroid...", then I slowed down and was glad to find out it was nothing that really matters. Data plan: $1000/year. Handset upgrade: $100. The look on your face when somebody actually tries to send executable crap to your feature phone: priceless.

MisoSMS (1)

PC_THE_GREAT (893738) | about 10 months ago | (#45723553)

"The mobile malware masquerades as an Android settings app used for administrative tasks. When executed, it secretly steals the user’s personal SMS messages and emails them to a command-and-control (CnC) infrastructure hosted in China,” the researchers reported."

The problem is with dumb users out there who just do not read the type of permissions required by apps they download versus the functionalities that it is supposed to give, that also without reading reviews and comments about it, such problems are bound to happen.

C&C exists because of irresponsible users, unfortunately, however care one can take, if the user themselves don't give much a damned about what they are installing and not giving a "grace period" to notice what each new app is doing for a period of time, we will keep having such problems.

Besides, that playstore thing, can't it have a peer review weightage on apps which helps flagging such stuffs and could potentially help in informing any users of such potential issues (granted, once you've been breached, you can't trust anything on that device.) Oh well, security keeps being a problem, so many years after, the problem is with the people not the software! +selven

Re:MisoSMS (5, Insightful)

Eskarel (565631) | about 10 months ago | (#45723617)

The bigger problem is the really poor security options available on Android apps with somewhat ridiculously broad security rights. Most apps will ask to read phone identity simply because they need to be able to identify the device on which the app is installed, but the security grant for phone identity gives a whole crapload more than that. Manage accounts is another good one where in order for an app to actually store its own accounts it needs access to all the accounts.

Add to that the fact that Google themselves have been constantly trying to take over your SMS with bloody Hangouts and it's not really that surprising that folks don't really understand the permissions they are granting.

Re:MisoSMS (1)

Anonymous Coward | about 10 months ago | (#45723795)

The problem is that there is really no shame in exploiting the user anymore. This has led to the situation where users routinely have to give permissions that are not related to the primary function of an app, simply to enable the app monetization. The difference between a truly hostile app and ad-supported apps is only a nuance.

Re:MisoSMS (4, Informative)

Rob Simpson (533360) | about 10 months ago | (#45723929)

No kidding. I had to look through dozens of "flashlight" apps to find one that didn't want my calendar, SMS, internet access, and GPS.

Re:Mf-droidisoSMS (5, Informative)

nadaou (535365) | about 10 months ago | (#45724309)

> No kidding. I had to look through dozens of "flashlight" apps
> to find one that didn't want my calendar, SMS, internet access,
> and GPS.

F-Droid [f-droid.org] is your friend.

As always, FOSS means you don't have to put up with the bullshit.

F-Droid builds all apps they ship from source, including some sort
of grep filter on permissions to catch (and then remove) any code
which is not in the user's best interest, or at minimum flag and
explain the issue in detail to let you decide for yourself.
Otherwise-good apps with flagrant ad-ware or cripple-ware in it
simply gets patched.
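
As an added example (not part of the thread, and not F-Droid's or Google's tooling), the permission review that commenters here describe doing by hand can be scripted against a decoded AndroidManifest.xml. The two manifests, their package names and the "expected capability" policy are constructed for illustration; the permission and action strings are the standard Android ones.

```python
"""Flag manifest permissions that fall outside an app's stated purpose."""
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Map each permission to a coarse capability; anything unlisted becomes "other".
PERMISSION_GROUPS = {
    "android.permission.READ_SMS": "sms_read",
    "android.permission.RECEIVE_SMS": "sms_read",
    "android.permission.SEND_SMS": "sms_send",
    "android.permission.READ_CALENDAR": "calendar",
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.ACCESS_COARSE_LOCATION": "location",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.INTERNET": "network",
    "android.permission.CAMERA": "camera",
    "android.permission.FLASHLIGHT": "camera",
}


def audit_manifest(manifest_xml, expected_groups):
    """Return requested permissions, those outside expected_groups, and findings."""
    root = ET.fromstring(manifest_xml.strip())
    requested = sorted(
        {el.get(ANDROID + "name", "") for el in root.iter("uses-permission")} - {""}
    )
    groups = {PERMISSION_GROUPS.get(p, "other") for p in requested}
    unexpected = [
        p for p in requested
        if PERMISSION_GROUPS.get(p, "other") not in expected_groups
    ]
    # A device-admin receiver is guarded by BIND_DEVICE_ADMIN and listens
    # for the DEVICE_ADMIN_ENABLED action.
    device_admin = any(
        rc.get(ANDROID + "permission") == "android.permission.BIND_DEVICE_ADMIN"
        and any(
            a.get(ANDROID + "name") == "android.app.action.DEVICE_ADMIN_ENABLED"
            for a in rc.iter("action")
        )
        for rc in root.iter("receiver")
    )
    findings = []
    if unexpected:
        findings.append("outside stated purpose: " + ", ".join(unexpected))
    if {"sms_read", "network"} <= groups:
        findings.append("can read incoming SMS and has network access")
    if device_admin:
        findings.append("registers a device-administrator receiver")
    return {
        "package": root.get("package"),
        "requested": requested,
        "unexpected": unexpected,
        "device_admin": device_admin,
        "findings": findings,
    }


NS = 'xmlns:android="http://schemas.android.com/apk/res/android"'

# Constructed sample: a "flashlight" app that asks for far more than the camera.
GREEDY_FLASHLIGHT = f"""
<manifest {NS} package="com.example.torch">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CALENDAR"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application/>
</manifest>
"""

# Constructed sample: a settings look-alike that reads SMS, has network
# access and asks to become a device administrator.
SETTINGS_LOOKALIKE = f"""
<manifest {NS} package="com.example.settingsclone">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

if __name__ == "__main__":
    # Hypothetical policy: a flashlight needs only the camera/flash,
    # a settings shortcut needs nothing from this list.
    for xml_text, expected in ((GREEDY_FLASHLIGHT, {"camera"}),
                               (SETTINGS_LOOKALIKE, set())):
        report = audit_manifest(xml_text, expected)
        print(report["package"])
        for finding in report["findings"]:
            print("  -", finding)
```
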

Re:Mf-droidisoSMS (-1, Troll)

Threni (635302) | about 10 months ago | (#45724605)

Is that app on Google Play or do you expect me to sideload it? Lolz!

F-Droid has limits in some categories (3, Insightful)

tepples (727027) | about 10 months ago | (#45725139)

You can't download other app stores from Google Play because of the "non-compete" provision of the developer agreement. If you don't trust the F-Droid app, you can always download Eclipse and recompile it yourself. But a problem with F-Droid is an inherent limit in funding development of Free games. Even if a game's engine is free, it'll get blocked with "anti-features" if it recommends installing non-free mission packs.

Re:F-Droid has limits in some categories (2)

Nerdfest (867930) | about 10 months ago | (#45725673)

Humble Bundle is a great source of games where you can pay what you want. If you really can't afford very much, it's perfect for you. If you like supporting cross-platform games, charities like the EFF, and the developers that write the games, it's also perfect for you. They actually have a decent number of games for Linux as well for those who are interested.

Android: death by a thousand peeping toms (3, Insightful)

epine (68316) | about 10 months ago | (#45724347)

No kidding. I had to look through dozens of "flashlight" apps to find one that didn't want my calendar, SMS, internet access, and GPS.

The Android permission system blows goats. It's not just the "all or nothing" approach to app acceptance. It runs deeper. It's also the app store itself, where I can't restrict (or prioritize) search results based on permissions demanded.

Using aSpotCat, under android.permission-group.PERSONAL_INFO I've got AdService, Chrome, Firefox, Gmail, Google Play, Pebble, and RunKeeper. I've had to bail on the installation of close to fifty apps to keep this list this short.

Basically the Android security model deters me from actually installing software, to the point where I no longer regard it as a platform.

This xmas between an Android tablet and an eReader, I'm likely to get an eReader (Kobo here in Canada), which is not a platform either, and doesn't play one on TV.

I was reading reviews that commented that a Kobo Aura is about the price of a serviceable, entry level tablet from Walmart. Several of the reviewers commented "you might as well get the full Android platform for the price". What platform? Android is mainly a platform for sharing far more about myself than I wish to divulge with strangers I don't even know. Whatever information is gleaned will never be under my control ever again: it will almost certainly be amalgamated from one low-life to another ad nauseam.

I'd be quite happy if not a single vendor knew my location ever, who wasn't providing me with a map for my own purposes (such as RunKeeper). If they need to know, I'll tell them. Yet 90% of Android applications demand to hoover this up and the Google play store provides no mechanism to put these applications on a personal shit list, so that better-behaved applications float to the top of the candidate list.

Android: Death by a thousand peeping toms. Where's well-behaved Waldo? Crushed by the throng. Eventually Diogenes tires of visiting the Turkish bazaar and begins to subsist on juniper berries.

Re:MisoSMS (-1)

Anonymous Coward | about 10 months ago | (#45725701)

No kidding. I had to look through dozens of "flashlight" apps to find one that didn't want my calendar, SMS, internet access, and GPS.

Or just use one of the "broken, fragmented" devices that includes flashlight-style functionality out of the box? Sure don't do that. Keep bitching that you want what you don't want and that you would do it differently because your ideas are so much better. Go make a fucking linux phone, troll. You can even get your own kickstarter.

Re:MisoSMS (2)

Applehu Akbar (2968043) | about 10 months ago | (#45725939)

Had you gotten that, um, other popular smartphone, the flashlight function would be built in, right on the popup control panel.

Re:MisoSMS (1)

Anonymous Coward | about 10 months ago | (#45726807)

Had you gotten that, um, other popular smartphone, the flashlight function would be built in, right on the popup control panel.

You mean the most popular smartphone, a samsung-branded android-powered galaxy device? Yep, you are right, those phones have it built right in to the panel (even before iOS copied it for the iPhone). He sure should have; hell, he probably did, but he is just trolling. We don't troll like that though, do we?

Re:MisoSMS (3, Informative)

erikkemperman (252014) | about 10 months ago | (#45723799)

A million times this. Android's permission model is deeply flawed. You have to either accept or deny *all* that an app requests in its manifest, or you can't install.

So as a developer, sure you could add a setting to your app's config pages to, say, turn off location services -- but the app still has that privilege. Nothing for it but uninstalling.

Re:MisoSMS (2)

Reprint001 (1838702) | about 10 months ago | (#45723877)

No. Not a million times this. To get this stupid app on your device you have to deliberately go out of your way to enable sideloading, download the app when prompted from some dodgy website, install it, grant it admin.

This has nothing to do with the Android permissions system and everything to do with dumb people. Actually REALLY dumb because they chose to enable sideloading, they are going out of their way to be hacked... the "Google Vx" settings app isn't pinging up in the Top 10's in the app store, it's side loaded by the user!

Even if you could individually select the permissions an app requests, this level of dumb user would STILL just "accept all".

They deserve to have all of their "I'll b hm in 20 mins" messages lifted!

Re:MisoSMS (2)

erikkemperman (252014) | about 10 months ago | (#45723939)

Sorry, but the post I replied to was about Android's poor permission model. You're right that this particular nasty would still bite a lot of people in the ass -- due to their own carelessness -- even with a less crappy permission system. That much is not disputed, there is no easy fix for stupid.

The argument of GGP, as I read it at least, is basically saying that even bona fide devs and clever users are stuck with this all-or-nothing approach to granting privileges.

Re:MisoSMS (1)

Anonymous Coward | about 10 months ago | (#45724077)

In China, phones do not have Google Play installed. You can't use it. Period. How many times do you have to be told before that fact sinks in?

Re:MisoSMS (1)

gl4ss (559668) | about 10 months ago | (#45723885)

it could ask every fucking time it does something too, like j2me security model as implemented on phones did. want to write a file, a single file with filesystem api? that's 3-4 security questions each with two button presses.

too bad they didn't think of the middle ground option. you know, too many screens to design and committees to attend if doing that (also this is why the official mobile java failed and android emerged as the victor)...

Re:MisoSMS (0)

Anonymous Coward | about 10 months ago | (#45724061)

You have to either accept or deny *all* that an app requests in its manifest, or you can't install.

If only there were something that would fix that [androidcentral.com].

Oh, but wait that's a community ROM. If only Google had something [eff.org] like that.

Ehrm.. as strongbad used to say... DELETED [eff.org] .

Re:MisoSMS (1)

Richy_T (111409) | about 10 months ago | (#45725801)

I've actually considered releasing two versions of my app to allow people this fine grained control. There's some really neat features I could add by adding location services but I am conscious that there are some people who would balk at that. If it was an "optional" setting, it would be a no-brainer.

Re:MisoSMS (1)

Archangel Michael (180766) | about 10 months ago | (#45726959)

I don't know why Android Security Model doesn't include the option for apps to request trading features for permissions. If you want to use cool feature X it needs location services. Or Feature Y needs access to your SMS/Contacts. If you don't enable X or Y, those features are not available.

Re:MisoSMS (1)

Anonymous Coward | about 10 months ago | (#45723839)

And to add on top of that the user is presented with two choices: Either install the app and grant all the requested permissions, or don't install the app.

Not even an obviously malicious permission request will stop most users from installing (cf: flashlight app [bbc.co.uk] , Why does this need data? I don't care. *click*). My guess is that this happens because at this point the user has already made the decision (I've just clicked on 'Install'!).

Google treats this as works as intended/wontfix [eff.org] , so don't expect any changes anytime soon.

The Android permission system is a joke. Windows UAC gives you more options.

Re:MisoSMS (0)

Anonymous Coward | about 10 months ago | (#45727437)

Are you serious?

Look at every other platform out there: by default, any network connection is NOT announced and no other option asides from disabling your entire internet connection!

I, for one, make it a point to not install invasive permissions on my phone. Think of the alternative: you either have *NO* access to entire swaths of applications, or you get nagged with popups.

If you choose popups:
1) There's a reason why most websites have done away with unexpected popup windows. It's poor UI, and the average Jo won't read them and won't understand them. I had an i User in my office ask me if they should click Yes/No to the permission for contacts from an application someone else had recommended a while ago. Considering most people have been trained to click "Yes", he's just bothered and lost by it.
2) If you don't trust the app developer, why are you downloading their software? Who knows what else they're doing with the existing permissions. With something as innocuous as Internet, they can track where you are roughly with GeoIP. They can use your CPU/battery for other calculations unrelated to the application. Once you grant the permission (regardless of popup or preinstall message), they have free rein over the data.

Re:MisoSMS (1)

DrXym (126579) | about 10 months ago | (#45724045)

Android certainly has poor security options once an app installs, but I would say in this case that if someone is stupid enough to download an app from an untrusted source, click through when it asks for suspiciously broad permissions, that more fine grained controls is not going to help these people. They are idiots.

That said, Android has some shockingly poor security behaviour that Google should fix. It should be possible to turn off certain permissions an app says it wants regardless of what the manifest says. It should be possible to control permissions related to making calls, sending or receiving SMS messages, camera, location or hitting the internet. Apps can't take for granted that these services exist or are even available in a device so I don't see much fallout from allowing the user to control the visibility of these services.

compare Windows - no control of application perms (1)

raymorris (2726007) | about 10 months ago | (#45724441)

I understand what you're saying. However, compare this "ridiculously broad" system to almost anything else, such as your Windows desktop. On Windows, applications have 100% permissions to do whatever they want on your computer. The user is either admin or not admin, two choices only.

It seems to me Android's system is a giant leap forward, although it's imperfect. You have very fine grained control in Linux through SELinux. Some people might prefer that level of control, but that level of detailed control can also be unwieldy.

* I haven't used Windows 8. If Windows 8 finally has a security model even as powerful as "chmod g+r" from 1972 Unix please forgive my lack of knowledge about Microsoft's latest silliness.

Yes. Let's compare (-1)

Anonymous Coward | about 10 months ago | (#45725063)

Android's being infested faster than Windows ever was in the same timeframe of existence. So much for the years of bs here on /. about how secure Linux is, and yes: Android IS a Linux.

Re:Yes. Let's compare (1)

pr0fessor (1940368) | about 10 months ago | (#45726397)

Android's being infested faster than Windows ever was in the same timeframe of existence.

There are far more established malicious software developers making money than when Windows first launched so I would not be surprised if that is true. Regardless of how secure your OS is once it becomes the most common consumer platform then that is where the money is, it is a target, and someone will find a way to make that money even if it is playing on the inexperience and stupidity of the average user.

Up until this point the LAMP has been the biggest area where Linux is used and they are usually managed by more experienced {more experienced than a regular consumer} admins. I imagine that the quality of admin increases as the monetary reward for an exploited LAMP increases making it more difficult to turn some easy bucks. Making it a not so promising target although it is not unheard of for an exploit to happen.

Re:Yes. Let's compare (0)

Anonymous Coward | about 10 months ago | (#45727557)

A virus is simply a program that does what a normal program does. Anyone can write a program that screws up your personal information or sends your texts anywhere else. Hacking it in without intentional user installation is a little different, but the payload is the same.

Most of Android's malware has been installed by the user, much like how most malware gets on desktop computers. Most of the malware reports are from poorly managed app markets in China outside of Google's control.

You can't fix this even being in a walled garden -- how many applications have slipped through the reviewers. i.e. Secret tethering subsystem in a flashlight application: that's right, you can slip in a DHCP server, a DNS reflector into any application - stuff no normal application would ever need - and get it by the reviewers. The ONLY reason why it was kicked off the store was because it became popular and known to the world.

Can you imagine if this application sent SMSes somewhere instead of actually providing a missing function? Especially with the mindset that "omg, nothing bad can happen on a reviewed store" and only those reviewers can scan in bulk?

You're asking for trouble.

Re:MisoSMS (1)

riis138 (3020505) | about 10 months ago | (#45725589)

Not to mention they have severely hampered the ability to limit permissions on a per app basis, and you have a recipe for disaster.

Re:MisoSMS (0)

Anonymous Coward | about 10 months ago | (#45725655)

The bigger problem is the really poor security options available on Android apps with somewhat ridiculously broad security rights. Most apps will ask to read phone identity simply because the need to be able to identify the device on which the app is installed, but the security grant for phone identity gives a whole crapload more than that. Manage accounts is another good one where in order for an app to actually store its own accounts it needs access to all the accounts.

Add to that the fact that Google themselves have been constantly trying to take over your SMS with bloody Hangouts and it's not really that surprising that folks don't really understand the permissions they are granting.

That's not really the bigger problem at all, troll. If an unsuspecting user gets a popup saying "an app needs to update" and that app is in charge of the whole system, why the fuck would they flinch when the app needs permissions for the whole system?

You _can_ say that the idea of system-level apps doing their own updates is a problem because it only takes one incorrect "Allow" to pwn the system, but you didn't because you are a troll. Go back to your iPad.

Re:MisoSMS (1)

Russ1642 (1087959) | about 10 months ago | (#45725725)

The permission system itself is flawed. There's no reason for an all-or-nothing approach. Let me install an app and deny it internet access. Please. If the app doesn't like it it can just not run. That way we can put the control in the hands of users while not having any worse security than we have now.

Re:MisoSMS (2)

martin-boundary (547041) | about 10 months ago | (#45724121)

The problem is with dumb users out there who just do not read the type of permissions required by apps they download versus the functionalities that it is supposed to give, that also without reading reviews and comments about it, such problems are bound to happen.

No, the problem is commercial "appstores" that try to mimic the original open source model for application repositories, also known as package management systems, badly.

The reason software packages on Free OSes work well is because the software is free and open, so that anybody can inspect what it does, and anybody can patch the problems if they find any. Thus you get distro volunteers who look over a software package, verify that it actually does what it says it does, and package it according to distro guidelines. The result, in the case of large distros like Debian, is a high quality software repo that people can and do trust. And if one person doesn't see the problems in the source, someone else will.

The reason software packages on commercial "appstores" cannot ever work well or be safe to use is because the greedy OS vendors allow anyone who pays enough to put their closed software in the store, without ever checking what the software actually does. It's trivial to hide malicious code in a closed source binary. It might work fine all year, except on December 24 when it steals your credit details.

The truth is that this isn't a dumb user issue (although dumb users do exist), it's really a greedy appstore owner issue.

Games are more often non-free (1)

tepples (727027) | about 10 months ago | (#45725175)

Then the app developer can just hide the malicious functionality in a game. Users of free software repositories are already used to going to the non-free repositories for games for several reasons [pineight.com].

Let me guess? (-1)

Anonymous Coward | about 10 months ago | (#45723557)

This is somehow Apple and Micro$oft's fault? Patents and DRM are to blame? Spin this story for me, Sheepdot!

Re:Let me guess? (1)

erroneus (253617) | about 10 months ago | (#45723667)

An amazing leap there eh?

It also seems you're pretty far off the mark. As people read the articles, they discovered there's much about how the botnet works and not so much about how the infection gets in there except to say "the malware pretends to be something useful" or in other words, as a trojan horse.

And the short consensus of it is "if you're stupid enough to install these sketchy apps, you deserve what's coming to you." That said, the articles never exactly stated how widespread this is. I suspect it's limited largely to China and Korea as I suspect those locations might, in some way, control what apps get loaded to their devices. In any case, I don't think it's global in any way.

And so far, all Android malware is acquired through stupid behavior which is not strongly blocked by Android though each user pretty much has to manually allow installing apps from locations other than Google.

Pirated/Cracked software for the lolz (0)

Anonymous Coward | about 10 months ago | (#45723575)

Instantly - the reason most pirated/cracked android apps exist, becomes clear.

People installing pirated apps don't realise most of the motivations for doing so - to 'bundle' spyware/keyloggers in with popular android apps that they don't pay for.

That, and other 'competing' android markets that don't check their apps (and outright 'pirate' android markets)

let me guess? mobogenie? (0)

Anonymous Coward | about 10 months ago | (#45723649)

Couple of times found that it was
"accidentally" downloaded and was ready to install...

Point of view (1, Insightful)

Anonymous Coward | about 10 months ago | (#45723655)

Heh you Android guys are funny. If that was an article about Microsoft Windows, you'd be all over the place spewing end of days stuff :))))))

Re:Point of view (0)

Anonymous Coward | about 10 months ago | (#45723677)

Or if it was Apple Mac/iOS ^^

What will it look like? (1)

ls671 (1122017) | about 10 months ago | (#45723681)

What will it look like if I ever go into one of those mobile OSes from the security standpoint compared to less mobile OSes? I haven't touched mobile OSes even remotely yet. I understand the apps ecosystem might cause problems not directly linked to the OS but still, overall?

Re:What will it look like? (4, Interesting)

VortexCortex (1117377) | about 10 months ago | (#45723801)

Well, First there's Linux. Which is fine, except it's out of date, and thus can be compromised trivially. Then there's the device drivers which frequently have exploits due to the rapid progression of mobile platforms, being built by the lowest bidder, and the lack of consumer desire to pay a premium for security.

At this point we interact with the other small separate OS for the cellular radio -- It doesn't really validate inputs well and can be compromised trivially.

Moving on, we have an excellent application of user / group privileges which constrict application. Really would love actually a bit more than the level of control this has on desktops; Eg: Firefox runs as its own user on my desktop system and the Firefox user has access to its settings folder and is in the "Internet" group, so it can access the web. "sudo" is nice, but we need such a thing for granting user-level access to user-agents such as Firefox; It's one reason I'm developing an Agent Oriented OS and programming language... Anyhow, since the granularity is utterly shite it's basically pointless on mobile systems.

Then we have the Application. Note, this is not plural. We have the Dalvik VM aka Java, but register based (faster, more memory use) instead of stack based (slower, less RAM use). There's some great stuff in the install process here whereby linkage occurs and the byte orders of values in the images are translated to machine order. Prior to running on Android the compiled Java bytecode is translated into Dalvik bytecode -- Unfortunately, there is no copy of this bytecode kept around in case you want to copy it to another device. I'm a firm believer of link on install, but they've done it horribly wrong: My OS links programs on install into MACHINE CODE... ugh. This is mobile so, yeah, let's use what little CPU we got to run a VM -- er, a just in time compiler for a VM.

Now, on desktop systems such as 80486, you'll have up to 4 different execution permission rings to leverage, but on the ARM and other systems you get 2: Kernel or Not. This really messes up the fact that you are running a VM atop a kernel. Well, Linux moronically doesn't reserve a ring level for applications to use against their plugins the same way the kernel isolates itself from user-land applications, so the hardware makers have adopted the monolithic kernel approach. Hey, guess what? We're running a monolithic VM atop a monolithic kernel! Yay! It's like Exploit HEAVEN! Remember how in 16 bit DOSs your program could access any other "TSR" program's memory, or even the OS / BIOS itself and wreak havoc? Oh, man. It was great! Mobile has brought this back!

Then we have the app ecosystem, which is actually the strong point IMO. It at least gives you a chance to let other suckers become victims of an exploit and hope it gets pulled / blacklisted from the markets before you try it out. Also, 64GB micro SD's exist now... but a lot of new devices don't have SD card slots, so fuck 'em.

Finally we have the Carriers. They dig down deep into the nether regions of shit that shain't be shat around with, and do just that to create the UI's and app launchers high atop the software stack. Noticeably, desktop OSs have less overhead for doing things than the mobile methodology, but that's the sacrifice you make to have idiots develop your tech on the cheap.

Re:What will it look like? (0)

Anonymous Coward | about 10 months ago | (#45723859)

The only thing I disagree with is "and the lack of consumer desire to pay a premium for security."

Sorry, but the iPhone and high end Android phones prove a significant proportion of people ARE willing to spend more.

Apart from that, yep...agree.

Re:What will it look like? (1)

aesiamun (862627) | about 10 months ago | (#45725491)

Are they willing to pay more for security? They are willing to pay their normal cell phone contract amount and $200 for a high end phone.

How many people would pay for security software for their phone?

Re:What will it look like? (0)

Anonymous Coward | about 10 months ago | (#45725839)

Well, First there's Linux. Which is fine, except it's out of date, and thus can be compromised trivially.

nope

Then there's the device drivers which frequently have exploits due to the rapid progression of mobile platforms, being built by the lowest bidder, and the lack of consumer desire to pay a premium for security.

nope

At this point we interact with the other small separate OS for the cellular radio -- It doesn't really validate inputs well and can be compromised trivially.

nope

Also, 64GB micro SD's exist now... but a lot of new devices don't have SD card slots, so fuck 'em.

nope

Finally we have the Carriers. They dig down deep into the nether regions of shit that shain't be shat around with, and do just that to create the UI's and app launchers high atop the software stack.

nope

Noticeably, desktop OSs have less overhead for doing things than the mobile methodology, but that's the sacrifice you make to have idiots develop your tech on the cheap.

Insightful? Thefuck?

The only real story here is that there aren't out-of-the-box marketplaces in the countries where Android phones have a major presence. There are a bazillion Android handsets in the US/Canada/EU, almost all of which are of the "fragmented, insecure, n-releases-behind" variety, and almost all of which are being piloted by completely uninformed lusers, and yet no botnets in those countries? Sure, let's blame the phone/OS.

Re:What will it look like? (0)

Anonymous Coward | about 10 months ago | (#45723833)

Do not do anything on a cellular phone that you would not do on a public computer in the library. Treat them as you would a public phone.

That should tell you everything you need to know about the "security".

Re:What will it look like? (1)

Bongo (13261) | about 10 months ago | (#45723863)

No phone calls?

Re:What will it look like? (1)

fuzzyfuzzyfungus (1223518) | about 10 months ago | (#45724015)

Do not do anything on a cellular phone that you would not do on a public computer in the library. Treat them as you would a public phone.

That should tell you everything you need to know about the "security".

You must be one of those 'optimists' I've read about. A public phone isn't strongly correlated with you, personally, nor does it provide much in the way of real time location data (aside from the 'well, he must have been in the phone booth when he made that call' data point). Plus, you can still get computers without cameras and microphones...

Re:What will it look like? (0)

Anonymous Coward | about 10 months ago | (#45724693)

Do not do anything on a cellular phone that you would not do on a public computer in the library. Treat them as you would a public phone.

That should tell you everything you need to know about the "security".

Ok, so let's see.. I wouldn't let the public computer in the library have my address list, so there goes the address book on my phone. I wouldn't let the public computer have any of my photos, so there goes all phone camera use. I wouldn't let the public computer have persistent access to my Gmail, so there goes permanent mail setup and use. Etc. Not sure what I then would need a smartphone for, or even a phone at all if no address book.

FUD? (3, Insightful)

wannabgeek (323414) | about 10 months ago | (#45723895)

For all the exaggerated scary words used like "one of the largest", "more than 60 campaigns" etc, there was not a single solid data point about the actual devices infected. Not even a ball park number - like whether it is tens, thousands or millions of devices.
Makes me suspect the claims.

Was it on the Play Store? (1)

Rik Sweeney (471717) | about 10 months ago | (#45723985)

I can't find any information about where this was downloaded from. It's not on the Play Store (or at least, not anymore), so where were people downloading it from?

Re:Was it on the Play Store? (0, Informative)

Anonymous Coward | about 10 months ago | (#45724083)

The Google Play Store isn't available in China. My phone, an LG P-765, came preloaded with AnZhi [anzhi.com] , a Chinese app store. I've seen more than a few suspicious apps on there. I actually download most of my apps from 3rd party APK download sites, like APKTop [papktop.com] .

And the moral here is (4, Insightful)

DrXym (126579) | about 10 months ago | (#45724001)

Download your apps from a reputable store and exercise some common sense. I wouldn't be surprised if this infection was because idiots were downloading warez from some dubious app store.

Better yet, walled garden (0, Insightful)

Anonymous Coward | about 10 months ago | (#45724017)

The vendor has a moral responsibility to protect their customers from themselves. When was the last "Massive iOS Mobile Botnet Hijacking SMS Data" headline?

Re:Better yet, walled garden (1, Insightful)

DrXym (126579) | about 10 months ago | (#45724073)

When was the last "Massive iOS Mobile Botnet Hijacking SMS Data" headline?

When was the last maximum security prisoner getting run over by a bus headline? Sometimes freedom has its own risks, which includes idiots making poor decisions over where to get their software from. Does that mean everyone should be locked up in a cage to prevent that from happening?

Re:Better yet, walled garden (0)

jo_ham (604554) | about 10 months ago | (#45724505)

When was the last "Massive iOS Mobile Botnet Hijacking SMS Data" headline?

When was the last maximum security prisoner getting run over by a bus headline? Sometimes freedom has its own risks, which includes idiots making poor decisions over where to get their software from. Does that mean everyone should be locked up in a cage to prevent that from happening?

No, not at all, but there are parts of this story that expose one of the weaknesses of the Android permissions model; namely that an app requests a set of permissions (that are overly broad to cut down on the number of permissions groups) and you have to either accept or deny those permissions wholesale. This affects apps from all sources, even reputable ones. On that front, the iOS model is better - it asks for permissions as the app requests them, so you can accept/block an app on a granular basis. So you could allow an app access to your location, for example, but deny it access to your contacts.

Given the flexibility of Android to be able to install apps from all manner of sources, I would have thought this type of security model would be better (or at least an option).

Re:Better yet, walled garden (1)

DrXym (126579) | about 10 months ago | (#45724859)

I think Android's upfront permissions model is weak but I don't think it has much bearing on this particular story. Anyone stupid enough to download apps from an untrusted source and click through the permissions the app wants is not going to be protected by having the option to remove some of those permissions. Because if they were that concerned about their security they wouldn't have allowed the app on their device in the first place.

That said I think it is vital that Android should allow me to withhold a permission, exchange the permission for a lesser one (e.g. fine grained location for a dummy location), or receive a prompt. I also think that Google should weight apps in the store by the risk they pose which could be a weighting based on the reputation of the seller, the app's rating and the permissions it asks for. Apps would be inclined to ask for less permissions or farm those permissions out into an optional and auxiliary app if they knew it improved their search rankings.

Re:Better yet, walled garden (1)

swillden (191260) | about 10 months ago | (#45725029)

When was the last "Massive iOS Mobile Botnet Hijacking SMS Data" headline?

When was the last maximum security prisoner getting run over by a bus headline? Sometimes freedom has its own risks, which includes idiots making poor decisions over where to get their software from. Does that mean everyone should be locked up in a cage to prevent that from happening?

No, not at all, but there are parts of this story that expose one of the weaknesses of the Android permissions model; namely that an app requests a set of permissions (that are overly broad to cut down on the number of permissions groups) and you have to either accept or deny those permissions wholesale.

Because the people who download dodgy apps and sideload them, then click past the permissions list without even looking at it would selectively disable the permissions they didn't really want to grant?

The permissions problem you refer to is a really difficult one to solve. Oh, it could be solved for you, by giving you the ability to selectively disable permissions (which, BTW, you can actually do with a small amount of one-time effort), but face it, less than 1% of Android users would carefully vet and individually select the permissions. Probably much less than 1%.

Then there's also the problem that individual permission selection would just cause app developers to test to see if they got all the permissions they wanted, and refuse to function at all if they didn't. Google could respond by trying to make it appear that the apps did get permission, perhaps by serving up fake data, but that would just create an arms race between app developers and Google, and apps have a much shorter release cycle. In fact, for power users the status quo is probably better, because they can root their phones and use an app to selectively disable permissions, but there aren't enough of them (far less than 1%) to motivate app developers to try to work around it.

I don't know what the solution is, but I don't think that's it. I lean more towards finding ways, at least in the official app store, to shame apps that request broader permissions than they should. Maybe Google should develop some sort of a "risk rating", based on the permissions requested and the trustworthiness of the publisher and tag every app in the store with it, perhaps even adding an additional warning dialog if the risk is over some threshold, and probably artificially lowering "risky" apps in the search results. Of course, the really problematic apps aren't on the Play store, and adding an additional warning on an app that a user has already chosen to get from some dodgy site is unlikely to help. But Google might be able to dissuade publishers of apps on Play from requesting more permissions than absolutely required.

(Disclaimer: I work for Google, but not on Android. My relationship with Android is that of a user.)
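A sketch of the permission-based "risk rating" idea raised in the comment above, as an added example that is not part of the thread and not Google's or any store's actual scoring. The weights, bonus, threshold, the `publisher_trust` input and both sample manifests are constructed assumptions; only the Android permission names are real.

```python
"""Permission-based risk rating for a decoded AndroidManifest.xml (illustrative)."""
import xml.etree.ElementTree as ET

ANDROID_NAME = "{http://schemas.android.com/apk/res/android}name"
P = "android.permission."

# Assumed weights, constructed for this example (not an official scale).
WEIGHTS = {
    P + "READ_SMS": 4,
    P + "RECEIVE_SMS": 4,
    P + "SEND_SMS": 4,
    P + "READ_CONTACTS": 3,
    P + "READ_PHONE_STATE": 2,
    P + "ACCESS_FINE_LOCATION": 2,
    P + "RECEIVE_BOOT_COMPLETED": 1,
    P + "INTERNET": 1,
    P + "CAMERA": 1,
}
DEFAULT_WEIGHT = 1      # any permission not listed above
COMBO_BONUS = 5         # SMS read access plus a network path off the device
WARN_THRESHOLD = 10.0   # assumed cut-off for an extra warning dialog
SMS_READ = {P + "READ_SMS", P + "RECEIVE_SMS"}

# Constructed sample: an app posing as a settings tool, asking for SMS access.
FAKE_SETTINGS_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakesettings">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
</manifest>
"""

# Constructed sample: a flashlight app that asks only for what it needs.
FLASHLIGHT_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.FLASHLIGHT"/>
</manifest>
"""


def requested_permissions(manifest_xml):
    """Return the set of permission names declared via <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    return {
        el.get(ANDROID_NAME)
        for el in root.iter("uses-permission")
        if el.get(ANDROID_NAME)
    }


def rate(manifest_xml, publisher_trust, expected=frozenset()):
    """Score permissions the app's stated purpose does not explain.

    publisher_trust: 0.0 (unknown publisher) to 1.0 (long clean record).
    expected: permissions the app category plausibly needs; these score zero.
    """
    if not 0.0 <= publisher_trust <= 1.0:
        raise ValueError("publisher_trust must be within [0.0, 1.0]")
    perms = requested_permissions(manifest_xml)
    unexpected = perms - set(expected)
    base = sum(WEIGHTS.get(p, DEFAULT_WEIGHT) for p in unexpected)

    flags = []
    # Unexplained SMS read access together with INTERNET means messages can
    # be read and sent off the device, so the pair scores more than its parts.
    if unexpected & SMS_READ and P + "INTERNET" in perms:
        flags.append("sms-read+internet")
        base += COMBO_BONUS

    # Trust scales the score from 1.5x (unknown) down to 0.5x (fully trusted).
    score = round(base * (1.5 - publisher_trust), 1)
    return {
        "score": score,
        "warn": score >= WARN_THRESHOLD,
        "flags": flags,
        "unexpected": sorted(unexpected),
    }


if __name__ == "__main__":
    print(rate(FAKE_SETTINGS_MANIFEST, publisher_trust=0.0))
    print(rate(FLASHLIGHT_MANIFEST, publisher_trust=0.8,
               expected={P + "CAMERA", P + "FLASHLIGHT"}))
```

The same score could drive either of the uses the comment mentions: an extra warning dialog above the threshold, or a ranking penalty in store search results.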

Re:Better yet, walled garden (1)

fredprado (2569351) | about 10 months ago | (#45725341)

This "arms race" wouldn't ever occur. Apple and MS are considerably more hostile towards developers and the developers just accept it. Making the OS, Hardware and Store owner mad at you is not a recipe for success if you want to be an app developer.

Re:Better yet, walled garden (1)

swillden (191260) | about 10 months ago | (#45726161)

This "arms race" wouldn't ever occur. Apple and MS are considerably more hostile towards developers and the developers just accept it. Making the OS, Hardware and Store owner mad at you is not a recipe for success if you want to be an app developer.

I suppose Google could institute a policy of banning apps that try to circumvent ad-hoc user permission restrictions. Yeah, that would cut the arms race off at the knees. Good point.

Re:Better yet, walled garden (1)

tlhIngan (30335) | about 10 months ago | (#45726865)

Because the people who download dodgy apps and sideload them, then click past the permissions list without even looking at it would selectively disable the permissions they didn't really want to grant?

The permissions problem you refer to is a really difficult one to solve. Oh, it could be solved for you, by giving you the ability to selectively disable permissions (which, BTW, you can actually do with a small amount of one-time effort), but face it, less than 1% of Android users would carefully vet and individually select the permissions. Probably much less than 1%.

The problem is in China, Google is not allowed, so Android phones do NOT ship with Google Play. Instead they ship with one or dozens of official Chinese Android app stores, which have poor quality control, often contain pirated apps (submitted by other people), and yes, tons of malware. (It's also a failure of competition as each store competes for business, so they end up wanting people to post as many apps as possible so they get used the most).

Asking the user about security is a big no-no these days, because the user will pick the option that gets them to their goal the quickest. Or, put another way, users will pick dancing pigs over security any day [wikipedia.org]. It's a failure of security policy to not recognize this (think about all the times people work around IT security restrictions just to get their job done).

The Android permission system is basically that policy - pop up that huge list of permissions, the user's eyes glaze over and they want to pick the option that gets them "Candy Crush With Everything For Free" the quickest. Well geez, what are they going to do?

Same goes for any popular app - recommend them a cool app and they probably won't look at the permission list at all.

With this in mind, on iOS, there's no API to get at the SMS directly - you need to rely on OS flaws to do it. Even sending an SMS requires switching to the iMessages app - no app can send an SMS directly unless they implement SMS functionality within themselves (which means they can't use the cell network SMS facilities).

In that case, Apple simply makes it impossible for the user to "do the wrong thing" under the assumption that 99% of the time, any app wanting to do this will use it for evil. Sure it keeps innovative SMS apps off the App Store, but it turns out that for every innovative SMS app, there will be hundreds, if not thousands of other developers who would abuse the privilege. (Especially for say, advertising).

Re:And the moral here is (1)

zoffdino (848658) | about 10 months ago | (#45724969)

It's the biggest challenge in software design. There are lots of dumb or technically-inept people. 20% of the cars are stolen each year when the drivers left their vehicles' engines on, with keys still in ignition. If people don't have common sense like that, how do you expect them to know that a flash light app doesn't need access to SMS, photos, emails and contacts?

What store in the most populous country? (1)

tepples (727027) | about 10 months ago | (#45725317)

What "reputable store" happens to be available to people who live in the People's Republic of China, which doesn't appear to have Google Play or Amazon?

Re:And the moral here is (2)

Vitriol+Angst (458300) | about 10 months ago | (#45725467)

Advertisers and junk apps on legitimate sites are now common vectors for these trojan horses.

I can't go to Download.com anymore because there's no real way to tell the difference between "click here to download your file" and "click here to download your file" from an ad unless you closely examine the link -- though the only difference is usually a hashed code from the same download location. They look exactly the same, but the other will download an installer to put spam on your machine and turn it into a botnet for all intents and purposes.

You don't have to be a fool anymore -- the main reason is economics and all these "advertiser content" areas that nobody takes responsibility for have reduced the meaning of "legitimate site."

I have to go to smaller, less commercialized websites to update applications. It does actually require real research these days to find a "safe source" for an app.

FIRSt (-1)

Anonymous Coward | about 10 months ago | (#45724003)

Baby take my To fight what has to llok into balance is struck, the project is in [tuxedo.org], isn't a lemonade to deliver what,

Oh, so we're gonna get upset by this... (0)

Anonymous Coward | about 10 months ago | (#45724081)

but not the daily spying on ALL devices by the NSA...

Quit getting hung up on android vs. apple vs. microsoft; and focus on the real issues affecting us all on a daily basis

Am I missing something? (1)

tom229 (1640685) | about 10 months ago | (#45724419)

Why go through all the trouble just to know my wife asked me to pick up milk?

Two-factor authentication (1)

tepples (727027) | about 10 months ago | (#45725327)

Increasingly, major webmail and social networking providers have been using access to a particular mobile phone number's SMS inbox as a second factor in 2-factor authentication.

Hangouts? (0)

Anonymous Coward | about 10 months ago | (#45724613)

Wait, this theft of personal SMS messages and exfiltrating them to attackers wasn't about the new Google Hangouts which sucks in your SMSes unless you expressly tell it not to...? OK, I stand corrected.

Exfiltrating???? (1)

wyr_taliesin (1000725) | about 10 months ago | (#45724825)

I assume that's a strange way of spelling 'sending'

Re:Exfiltrating???? (0)

Anonymous Coward | about 10 months ago | (#45725113)

The word "exfiltrate" doesn't just mean sending, it carries the connotation "in a secret and hostile way".

Big, !Massive (0)

Anonymous Coward | about 10 months ago | (#45724967)

Big Android Mobile Botnet Hijack...

BAMBHi?

Android malware FUD © (1)

codeusirae (3036835) | about 10 months ago | (#45725009)

"MisoSMS is wreaking havoc on the Android platform"

This is BS. How does this malware get on to the device in the first place? Does it require user action, or can it install silently and root the device?

Exfiltrating (0)

Anonymous Coward | about 10 months ago | (#45725311)

exfiltrate
verb
gerund or present participle: exfiltrating

        1.
        withdraw (troops or spies) surreptitiously, esp. from a dangerous position.

What?

Re:Exfiltrating (0)

Anonymous Coward | about 10 months ago | (#45725873)

exfiltration (plural exfiltrations)
(military) The process of exiting an area (usually behind enemy lines or in enemy territory).
(civil engineering) A method for managing storm water runoff.
(sciences) A filtering out (usually movement of a substance through a barrier).
(biology) A gradual movement of a substance to exterior (as through cell membrane to extracellular fluid or medium).
(computing) Covert extraction of data.

Gee, which one's applicable here, I wonder?

Sprint? (1)

Megane (129182) | about 10 months ago | (#45725537)

the attackers are logging into command-and-controls in from Korea and mainland China, among other locations, to periodically read the stolen SMS messages.

Rumor has it that they are paying James Earl Jones and Malcolm McDowell to read those stolen SMS messages out loud.

Tablets Wi-Fi Only (0)

Anonymous Coward | about 10 months ago | (#45725555)

I have rooted my Nexus 7 and installed a ROM toolbox, ads blocker, iptables, plus more and block shady app requests. Or do I just have a false sense of being secure?

No fix from the NSA for this ?? (0)

Anonymous Coward | about 10 months ago | (#45725727)

How come the NSA didn't save us from this one like they did the BIOS attack???

Re:No fix from the NSA for this ?? (1)

hAckz0r (989977) | about 10 months ago | (#45727085)

They do have a fix. It's called 'SELinux for Android' (SEforAndroid).

.
http://selinuxproject.org/page/SEAndroid [selinuxproject.org]

"Security Enhancements for Android (SE for Android) is a project to identify and address critical gaps in the security of Android. Initially, the project is enabling the use of SELinux in Android in order to limit the damage that can be done by flawed or malicious apps and in order to enforce separation guarantees between apps. However, the scope of the project is not limited to SELinux."

In fact it's part of the latest Android distributions (Android 4.3+) but it's not generally enabled by default yet. Eventually we should be able to lock down the device to prevent all kinds of malware, but unfortunately it doesn't block users from being stupid and installing apps from the more seedy places. Chances are if you install a hacked app you'll just grant it all kinds of permissions that you shouldn't. It can't fix 'stupid'.

Thank You Google (0)

Anonymous Coward | about 10 months ago | (#45726925)

That's why I don't use Android spy-phones. Why can't they make Android as secure as Linux?
