Slashdot Mirror


Android Data Stealing App Downloaded By Millions

wisebabo writes "A wallpaper utility (that presents purloined copyrighted material) 'quietly collects personal information such as SIM card numbers, text messages, subscriber identification, and voicemail passwords. The data is then sent to www.imnet.us, a site that hails from Shenzen, China.'"

11 of 335 comments (clear)

  1. I'm confused... by mcgrew · · Score: 4, Insightful

    A wallpaper APP? Why would you need an app? It can't just display a jpg as wallpaper?

    1. Re:I'm confused... by socz · · Score: 3, Insightful

      Well, what was interesting *to me* was that when I sent the program to the emulator, i left it blank! So I hadn't even made any changes to the default and it was asking for permission. In my mind, if it does nothing, why does it need access?

      --
      My abilities are only limited by my imagination
  2. Unfortunately by wraithguard01 · · Score: 4, Insightful

    This is one good reason to have a unified app service, where all the apps are first vetted before they are released. I think mozilla's addon collection is a good model to follow.

    1. Re:Unfortunately by AndrewNeo · · Score: 4, Insightful

      Excuse me? I somehow doubt you've ever submitted an addon to Mozilla before. I have, and a real person does indeed check your code.

      From the Editor's Guide:

      Every line of add-on code must be reviewed. The code validator can't detect all possible security or code quality issues, so we must always be in the lookout for bad code.

    2. Re:Unfortunately by diamondsw · · Score: 4, Insightful

      Amazing what a gets a +5 Informative these days. Adding links?

      The first example was due to a developer "hacking" accounts (i.e., guessing passwords).
      The second example is the same story as the first, from a different source.
      The final example is the only one that holds any water. And that allowing crap apps through, not malicious ones.

      --
      I don't know what kind of crack I was on, but I suspect it was decaf.
  3. People will click through anything by Coopjust · · Score: 5, Insightful
  4. I was going to troll, but... by Xaedalus · · Score: 3, Insightful

    When I read TFA, I saw the part where 47% of Droid apps use third party coding, and 23% of Apple apps also use it. Then I realized, there's no safe place to hide. I like my walled garden, but even that has leaks.

    --
    Here's to hot beer, cold women, and Glaswegian kisses for all.
  5. Re:This is a job for Droidwall by abigor · · Score: 4, Insightful

    You mean they'd have to wait for approval by the App Store? An interesting proposal!

  6. Re:This is a job for Droidwall by mlts · · Score: 4, Insightful

    There is the problem: People like you, me, and almost all Slashdot readers would click "no" if a generic fart app requires a slew of security privs (power, Net, access to SMS, access to contacts, ability to kill other apps, etc.), or even worse, prompted for root privs via su.

    However, the dancing bunny problem strikes here. Joe Sixpack will click "Install" to install a cool app, only to find all his contacts being spammed with "I need $900 ransom" notices, a sky high SMS bill because the app grabs a list of phone numbers and starts sending out text messages with ads on it, maybe even drained bank accounts if he left his banking info and passwords in the Web browser.

    I think Google made one mistake with Android, and that was assuming all users would be clued Linux types who know basic UNIX sanitation. I worry though, if there are more bad apples in the bunch that Android would be start being known as a hive for malware just because there is nothing stopping Joe Sixpack from installing a "pr0n viewer app" that reams his phone.

    I like the walled garden idea, with a way to hop out, that is foreboding to a nontechnical person, but for someone with half a clue, wouldn't pose a problem. For example, the "oem unlock" command with the N1 phones and the warning staying to say buh-bye to the phone's warranty if the user wants to continue. Something to make Joe Sixpack not want to do it and actually pass on watching the dancing bunnies.

  7. Re:Developers Bitch by diamondsw · · Score: 3, Insightful

    Such reporting wasn't disallowed until very recently. There was a very good reason for it as well - developers then got that data back so they could tell how many people were still on old OS versions, what the uptake was on a new OS, and could plan their features and releases accordingly.

    The only reason Apple got upset is it revealed prototype OS versions in their lab as a side effect.

    --
    I don't know what kind of crack I was on, but I suspect it was decaf.
  8. Re:Gee, if only... by DeskLazer · · Score: 3, Insightful

    you apparently missed the comments in the threads above; things have still snuck by the apple store folk. the only real way to catch this stuff is be conscious of what you're installing, and report suspicious items.

    from user -kyz:
    Apple is doing an equally bad job of protecting its ecosystem.

    There have been several customer-data-grabbing iPhone apps, and these have only been yanked after members of the public alerted Apple to them.

    Pinchmedia: http://i-phone-home.blogspot.com/2009/07/pinchmedia-anatomy-of-spyware-vendor.html

    Storm8: http://www.sfgate.com/cgi-bin/blogs/ybenjamin/detail??blogid=150&entry_id=51077

    MogoRoad: http://www.theregister.co.uk/2009/09/30/iphone_security/

    Smuggling tethering past the censors: http://top10.com/mobilephones/news/2010/07/app_smuggles_tethering_onto_iphone/


    the moral of the story is, it doesn't matter if it's closed or open-source. the end user is still the difference maker.