Slashdot Mirror


SMS Trojan Steals From Android Owners

siliconbits writes "A Trojan posing as a media player for Android smartphones automatically sends text messages to premium rate numbers, according to Kaspersky Lab. Company officials say the Trojan, dubbed Trojan-SMS.AndroidOS.FakePlayer.a, is the first of its kind for the Android platform, even though SMS Trojans are currently the most widespread type of malware on mobile phones."

168 comments

  1. Is this really a trojan? by schon · · Score: 3, Informative

    Or does it tell you what it's gonna do beforehand?

    If you install something that says "THIS WILL COST YOU MONEY", and it sends SMS that costs you money, how exactly is that a "trojan"?

    1. Re:Is this really a trojan? by MozeeToby · · Score: 5, Insightful

      Yes, the user must approve giving the 'Trojan' access to sending text messages, which is included under a big banner that says "Things that can cost you money". Of course, after the 40th or 50th app installed, no one reads them anymore and just clicks the OK button, but Android does notify you of what it's capable of, and even that requires you to check the install apps from other sources button.

    2. Re:Is this really a trojan? by Anonymous Coward · · Score: 0, Insightful

      Or does it tell you what it's gonna do beforehand?

      If you install something that says "THIS WILL COST YOU MONEY", and it sends SMS that costs you money, how exactly is that a "trojan"?

      Look, CmdrTaco JUST posted another Apple-praising fluff article about some bullshit connection between the iPad and Star Trek. Did you simply fail to see that? Thus, we can clearly infer that the answer is it's a "trojan" inasmuch as it's not on an iPhone, and what's better, it's a "trojan" in the sense that it is on one of Apple's competitors, making Apple look better. Duh.

    3. Re:Is this really a trojan? by The+MAZZTer · · Score: 1

      "Kaspersky officials suggest that Android users pay close attention to the services requested by an application at the time of installation"

      So yeah. But it hardly makes it not a trojan; by definition trojans masquerade as legitimate apps and this one seems to be no exception. But it doesn't spread or install automatically or give itself privileges the user doesn't grant it, so it's not a big concern. Just another example of users installing that app they MUST have no matter how loudly their anti-virus screams at them about it.

    4. Re:Is this really a trojan? by ThinkWeak · · Score: 1

      I'm interested to know if anyone's deployed a trojan on an app you actually purchase.

      I'm sure this CAN be done, but has it been? I like a free app as much as the next person, but if you're not going to take the time to read what the program is capable of and paid apps are safer - then why not just purchase the full version of something similar?

    5. Re:Is this really a trojan? by MozeeToby · · Score: 2, Insightful

      Why not just take the literally 20 seconds to read what parts of the phone an app wants access to? Or at least the 5 seconds to make sure that there's nothing under the 'will cost you money' heading, unless it's an app where that makes sense (I think the only apps I have with entries under those headings are Google maps and Google voice, and both because they're allowed to initiate phone calls).

    6. Re:Is this really a trojan? by mark72005 · · Score: 1

      The user is the trojan

    7. Re:Is this really a trojan? by SCPaPaJoe · · Score: 2, Informative

      I agree. When I first got my Droid, I was going to install a free game until I saw it wanted access to my contacts list. The notification screen during app install is quite clear and easy to understand. There is no excuse for not reading it.

    8. Re:Is this really a trojan? by flibuste · · Score: 4, Informative

      In all honesty, the way Android reports what an application uses is way too weak and not granular enough. Basically, if you require access to 1 URL, your application needs "Full Internet Access". Want to access the GPS data? Your application needs "Location access", "Services that may cost money", etc.

      The way an application declares its "needs" is through an element in the Android Manifest file. However, the choices are really limited to the existing Android services, and most of them have a 1 to 1 relation with the services they relate to, and nothing more granular such as "Requires GPS access using only satellites (costs nothing)", "Requires GPS access using cell towers", "Requires GPS access through paying services".

      In the end, the user downloading an app sees warnings that are mostly meaningless, and which appear in many other applications. It's close to impossible to spot a possibly-offensive application such as this Trojan.
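      The declaration the comment above refers to is the `<uses-permission>` element of AndroidManifest.xml. The following is an added example, not code from the thread or from Android's own tooling: a plain-Java audit that parses a manifest and groups each requested permission under the coarse installer heading the commenters quote. The manifest is constructed to look like a fake media player that also asks for SEND_SMS, and the permission-to-heading table is an assumption that approximates the groupings discussed here, not Android's own data.

```java
// Added example (not from the Slashdot thread or from any Android project): audit the
// <uses-permission> elements of an AndroidManifest.xml and report which installer heading
// each falls under, so a reviewer can see a "media player" asking for SMS at a glance.
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.TreeMap;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

public class ManifestPermissionAudit {
    static final String ANDROID_NS = "http://schemas.android.com/apk/res/android";

    // Constructed sample: what a "movie player" that also sends SMS might declare.
    static final String SAMPLE_MANIFEST =
        "<manifest xmlns:android=\"" + ANDROID_NS + "\" package=\"com.example.fakeplayer\">\n" +
        "  <uses-permission android:name=\"android.permission.INTERNET\"/>\n" +
        "  <uses-permission android:name=\"android.permission.WRITE_EXTERNAL_STORAGE\"/>\n" +
        "  <uses-permission android:name=\"android.permission.SEND_SMS\"/>\n" +
        "  <application android:label=\"Movie Player\"/>\n" +
        "</manifest>\n";

    // Assumed mapping from permission to the installer heading the thread describes.
    // Android groups permissions along these lines (exact wording varies by version);
    // this table is part of the example, not Android's own data.
    static final Map<String, String> HEADING = new LinkedHashMap<>();
    static {
        HEADING.put("android.permission.SEND_SMS", "Services that cost you money");
        HEADING.put("android.permission.CALL_PHONE", "Services that cost you money");
        HEADING.put("android.permission.INTERNET", "Network communication");
        HEADING.put("android.permission.ACCESS_FINE_LOCATION", "Your location");
        HEADING.put("android.permission.ACCESS_COARSE_LOCATION", "Your location");
        HEADING.put("android.permission.READ_CONTACTS", "Your personal information");
        HEADING.put("android.permission.READ_PHONE_STATE", "Phone calls");
        HEADING.put("android.permission.WRITE_EXTERNAL_STORAGE", "Storage");
    }

    /** Parse the manifest and group each requested permission under its installer heading. */
    static Map<String, List<String>> audit(String manifestXml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        // The manifest comes from an untrusted package: refuse DOCTYPEs (no external entities).
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Document doc = f.newDocumentBuilder().parse(
            new ByteArrayInputStream(manifestXml.getBytes(StandardCharsets.UTF_8)));
        NodeList perms = doc.getElementsByTagName("uses-permission");
        Map<String, List<String>> byHeading = new TreeMap<>();
        for (int i = 0; i < perms.getLength(); i++) {
            String name = ((Element) perms.item(i)).getAttributeNS(ANDROID_NS, "name");
            String heading = HEADING.getOrDefault(name, "Other");
            byHeading.computeIfAbsent(heading, k -> new ArrayList<>()).add(name);
        }
        return byHeading;
    }

    public static void main(String[] args) throws Exception {
        Map<String, List<String>> result = audit(SAMPLE_MANIFEST);
        for (Map.Entry<String, List<String>> e : result.entrySet()) {
            System.out.println(e.getKey() + ": " + e.getValue());
        }
        // The check a reviewer would add: does the declared purpose justify the costly group?
        List<String> costly = result.get("Services that cost you money");
        if (costly != null) {
            System.out.println("REVIEW: a media player requests " + costly
                + ", which can send to premium-rate numbers without further prompts.");
        }
    }
}
```

      Running it against the constructed manifest lists INTERNET under "Network communication", WRITE_EXTERNAL_STORAGE under "Storage" and SEND_SMS under "Services that cost you money", and prints the review note for the last one. The heading table is deliberately coarse, which is exactly the weakness the comment above points at: the audit can say that an app may cost money, but not to whom or how often it will send.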

    9. Re:Is this really a trojan? by nacturation · · Score: 1

      Is it possible for an app to request access to the filesystem, then modify another existing app with a payload that makes it do all the dirty work? For example, take a legitimate and popular alternate phone/SMS app and modify it to call/SMS rogue numbers.

      --
      Want to improve your Karma? Instead of "Post Anonymously", try the "Post Humously" option.
    10. Re:Is this really a trojan? by metamatic · · Score: 5, Informative

      Is it possible for an app to request access to the filesystem, then modify another existing app with a payload that makes it do all the dirty work?

      No. Each Android app runs as a separate Linux userid. Even if you give the app filesystem access, it can't write to files that belong to other apps, let alone rewrite the apps themselves.

      --
      GCHQ Quantum Insert installed. If only our tongues were made of glass, how much more careful we would be when we speak
    11. Re:Is this really a trojan? by geekoid · · Score: 1

      Do apps say that? I think an installed app would tell you what it accesses. Bluetooth, wifi, gps, music, sms. I don't think it tells you it will secretly send SMSs to places that cost you money.

      --
      The Kruger Dunning explains most posts on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect
    12. Re:Is this really a trojan? by hattig · · Score: 1

      Sounds like the required functionality is something that will stop sending texts when the phone has exceeded its contract allowance.

      In addition it may be possible to identify premium rate numbers (maybe via a web service at the very least) before they are texted/phoned, allowing the Android sandbox to be more granular with its permissions. Or to only allow SMS/phone calls to numbers in the user's phone book. Or to only allow web access to a limited list of specified websites.

    13. Re:Is this really a trojan? by geekoid · · Score: 1

      What if you want to install a music tool that sends SMS?

      It would tell you it's going to send SMS, not that they will cost you money. So while it's sending SMS info of the songs you're listening to, to share playlists, it also sends SMS to places that charge?

      I have never used SMS to do anything financial. I had it turned off after I got a bogus charge for ringtones. For the record, I create and put all my personalized ringtones directly on the phone. So for me, I was able to easily detect that charge.

      In fact, that's a feature I think should only be activated on request after the user has taken the phone home.

      --
      The Kruger Dunning explains most posts on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect
    14. Re:Is this really a trojan? by unix1 · · Score: 1

      No. Each Android app runs as a separate Linux userid. Even if you give the app filesystem access, it can't write to files that belong to other apps, let alone rewrite the apps themselves.

      That would all be fine and dandy if there were no SD cards formatted with FAT32 with no filesystem security, and things like "move apps to SD card" features on top of that. These are simply bad choices for security.

    15. Re:Is this really a trojan? by Sancho · · Score: 2, Insightful

      It would tell you it's going to send SMS, not that they will cost you money. So while it's sending SMS info of the songs you're listening to, to share playlists, it also sends SMS to places that charge?

      On my phone, the category in the manifest is "Services that cost you money" (in big bold letters) and then under that, as an explanation, it says "directly call phone numbers, send SMS messages."

      An application which has the ability to send SMS has the ability to cost you money because it could send SMS to premium-rate numbers or out of the country. Many people wouldn't think about this, and there's probably no easy way for Android to differentiate between regular SMS and premium-rate SMS.

    16. Re:Is this really a trojan? by Sancho · · Score: 2, Informative

      The manifest says, in big bold letters, that the app may cost you money by placing phone calls and sending SMS.

    17. Re:Is this really a trojan? by TheRaven64 · · Score: 1

      there's probably no easy way for Android to differentiate between regular SMS and premium-rate SMS.

      How about an option to only send SMS messages to numbers in your address book? Or an option to require approval for each new number that the app is allowed to send messages to? Or even just a restriction based on area codes? I'm not sure how it works in the USA, but in the UK you can easily tell from a phone number whether it's a premium rate number or an overseas number...

      --
      I am TheRaven on Soylent News
    18. Re:Is this really a trojan? by Sancho · · Score: 1

      Sounds a lot like UAC, though. Good in theory, but might turn into people just approving messages to get on with whatever they were doing.

    19. Re:Is this really a trojan? by Anonymous Coward · · Score: 2, Informative

      In all honesty, the way Android reports what an application uses is way too weak and not granular enough. Basically, if you require access to 1 URL, your application needs "Full Internet Access". Want to access the GPS data? Your application needs "Location access", "Services that may cost money", etc.

      Do you use Android? It is more granular than that. Location access can specify coarse (cell location) and fine (GPS). "Services that may cost money" can specify SMS or phone calls. Many apps use a "Phone" permission that's called "Read phone state" so that it can know when you're receiving a call. Apps like Google Voice that use the "Phone" permissions also include things like "Make outgoing calls" and "Intercept calls".

      Your fine-grained permissions are right there.

    20. Re:Is this really a trojan? by slater.jay · · Score: 1

      I work on Android for a living, and one of the things I've been doing of late is the radio interface layer for a device we haven't done Android GSM for before (see www.sdgsystems.com; the device is the Trimble Nomad).

      It's not even possible at the modem level to see if it's a premium number or not, or at least not on any of the modems I've worked with.

    21. Re:Is this really a trojan? by element-o.p. · · Score: 1

      As a Linux user, I would prefer to see the SD cards on Android phones using something like ext3 rather than FAT32. However, as someone firmly in touch with the real world, I understand why they chose FAT32. Since most desktops still run Windows, most of those that don't run Windows run OS-X, and it's still (unfortunately) a relative minority like me that runs a Linux OS on their (lap|desk)tops, FAT32 is still the logical choice, despite its security issues. I do agree that the "move apps to SD card" option is a really poor choice, in light of FAT32's security model, however.

      --
      MCSE? No, sir...I don't do Windows. Yes, I am an idealist. What's your point?
    22. Re:Is this really a trojan? by camperslo · · Score: 1

      Or even just a restriction based on area codes?

      In this era of number portability, an area code can no longer be trusted to tell you where you are calling.

    23. Re:Is this really a trojan? by Teun · · Score: 1

      I noticed TomTom (of the navigators and the MS FAT legal challenge) has added the ext2fs 'plug-in' to their Windows application.

      So I assume their navigators will in future use ext2/3 instead of FAT.

      This option is open to any developer.

      --
      "The likes of Facebook and WhatsApp are free to those whose privacy is of zero value."
    24. Re:Is this really a trojan? by dyingtolive · · Score: 1

      Because sometimes it's not that easy. I'm paranoid about what I've installed on mine, but say I make a GPS app that will show WIFI hotspot overlays on maps (cause I always wanted something like that). I now have an app that when downloaded, shows up as needing:

      * GPS Location (fine)
      * Network access

      I also want to make it switch off during phone calls, and maybe keep the phone from sleeping:

      * System tools
      * Phone state and identity
      Finally, wouldn't it be neato if it could save the overlays to the filesystem?

      * SD card access

      You might say, "Hey, I'd expect that app to want all that, and it's cool, so I'll take my chances." Great, I might too, and it would probably be legit. However, say I realize this line of thinking, and I catch asshat-itis. I now build a trojan in it that scrapes whatever it can off your filesystem and can tell me who you're calling and when, and where you are when you do it. I'm sure I could find SOMETHING to do with that data. Honestly, I think that if they got more specific about how the apps were accessing each of those categories, I'd feel better about it, but it's not always so clear cut. Admittedly, I've never seen a texting one, but if it's anything like the others, "Text messages" could just be a read type thing, or it could be read/write/whatever.

      --
      Support the EFF and Creative Commons. The war is coming, and they're supporting you...
    25. Re:Is this really a trojan? by shmlco · · Score: 1

      Exactly. The permissions system isn't some sort of panacea.

      I mean, you could download an app that legitimately purports to send SMS or email messages as one of its functions. Like, say, a "social" RSS newsreader that exists to notify family and friends of interesting articles or stories.

      You then approve it, give it access to your contacts and email and SMS, only to find out later on that it sends special "paid" messages like the one in the article.

      Or spammed your entire contact list.

      By approving the legitimate functionality, you approved the illegitimate functionality as well.

      So, just writing this off by saying that the user needs to "understand permissions" isn't really an answer.

      --
      Any sect, cult, or religion will legislate its creed into law if it acquires the political power to do so.
    26. Re:Is this really a trojan? by camperslo · · Score: 1

      As an end user, I'd like to see an app store where liability insurance is mandatory to cover damages that users may experience from misleading or malicious closed-source apps. The insurance companies should still require source. For totally open source apps, the store should indicate if/what independent volunteer group (or one funded by a small per-app fee) has reviewed the app.

      I think that OS / software vendors that take the entire burden of security debugging on themselves by failing to provide source code to all should be liable for all direct or indirect damages that result from vulnerabilities others might have found and fixed (or reported for fixing).

    27. Re:Is this really a trojan? by maxume · · Score: 1

      In the U.S., premium numbers are area code 900 and international calls require dialing 011 before the phone number, so it is also quite obvious here.

      --
      Nerd rage is the funniest rage.
    28. Re:Is this really a trojan? by toadlife · · Score: 1

      Of course, after the 40th or 50th app installed, no one reads them anymore and just clicks the OK button...

      That reminds me of the criticism of UAC in Windows.

      (Not arguing with you here. Just an observation)

      --
      I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.
    29. Re:Is this really a trojan? by nschubach · · Score: 2, Funny

      Personally, I'd like to see an OS driven prompt to have access to things like contacts, messaging and phone access.

      If your app needs a contact to send a message, it would have to pass that message to the OS and the OS would prompt the user for the contact to send it to. This way, no apps need access to contacts to send messages for some reason. The same applies to phone numbers, etc.

      --
      Every time I start to have faith in humanity, I ruin it by driving to work between 7 and 8 am.
    30. Re:Is this really a trojan? by DJRumpy · · Score: 3, Insightful

      It's amazing how far folks are falling over themselves to defend this type of activity on the Android platform ("well it's their own fault" and "they should have read the warning"). I hate to break it to everyone, but most Android users are not geeks, nerds, or techies. They will do just as Windows users have been doing for decades and click 'OK' when prompted. Such behavior should be expected and accounted for, or provisions made to protect end users in spite of themselves.

      The difference here? There is no virus scan or malware blocker to save them.

    31. Re:Is this really a trojan? by GooberToo · · Score: 1

      If you install something that says "THIS WILL COST YOU MONEY", and it sends SMS that costs you money, how exactly is that a "trojan"?

      Because it says it does one thing and actually does another. That's what a trojan is.

      The fact that the installation tells you it can cost you money and people still install it means people are idiots. This is like anti-virus popping up and saying, application has been detected to do something which doesn't correspond to the type of application you are installing. Wish to continue? The fact this is newsworthy implies headline, "User willingly and knowingly accepts virus - anti-virus and Windows is to blame." WTF?

      You just can't fix stupid.

    32. Re:Is this really a trojan? by element-o.p. · · Score: 1

      True, and if the Android were to move to a better file system than FAT32, that's probably the best way to do it. But it does introduce the complexity of requiring software to access the device's file system from a Windows PC. While that may not be a big deal for TomTom (since they are the manufacturer for all TomTom devices), it becomes a somewhat bigger challenge for manufacturers of Android devices, since Motorola, HTC, etc., etc. would *all* have to include a Windows driver for the SD card. While I, for one, would certainly appreciate the irony if the SD card worked natively in my Linux boxes, but wouldn't work without a driver on Windows machines, I'm not sure that would help the Android platform gain widespread acceptance.

      Out of curiosity, how does a Windows user gain access to the iPhone's file system? Is there even a removable storage card on an iPhone, or is the entire phone a USB mass storage device?

      --
      MCSE? No, sir...I don't do Windows. Yes, I am an idealist. What's your point?
    33. Re:Is this really a trojan? by jcrousedotcom · · Score: 1

      I think they're referring to premium SMS messages, not phone calls. Those are not always a phone number - often shorter (like These folks).

      I have seen ads to text 90999 with the word Haiti in the body to donate to the Red Cross for example. I never have actually used one of those donation methods, but the "phone number," if you will, is only 5 digits rather than a full 10 (for North America). And the program could potentially send that message (if embedded into its programming) without additional user intervention if the user chose to allow it to do so upon installation.

      --
      Illiterate? Write for free help!
    34. Re:Is this really a trojan? by MobileTatsu-NJG · · Score: 1

      As an end user, I'd like to see an app store where liability insurance is mandatory to cover damages that users may experience from misleading or malicious closed-source apps. The insurance companies should still require source. For totally open source apps, the store should indicate if/what independent volunteer group (or one funded by a small per-app fee) has reviewed the app.

      All you'd really get out of that is a false sense of security and a scapegoat to shake your finger at.

      --
      "I like to lick butts!" by MobileTatsu-NJG (#32700246) (Score:5, Informative)

    35. Re:Is this really a trojan? by schon · · Score: 1

      So yeah. But it hardly makes it not a trojan;

      Of course it makes it not a trojan!

      by definition trojans masquerade as legitimate apps

      By that definition, all malware are trojans.

      A trojan is something that has hidden and malicious functionality. You know, like the Trojan Horse.

      As this is not hidden, it's not a trojan.

    36. Re:Is this really a trojan? by nahdude812 · · Score: 1

      This is an app which is not installed via the Android Market. You have to first enable the installation of apps from outside the Market (an option in system settings). Once you've made that change, neither Google nor any other entity controls what you install on your phone any longer.

      Also, you still have to go through a screen which warns that this application requires special permissions; the ability to send SMS's is listed under a big bold heading along the lines of "Things which may cost you money."

    37. Re:Is this really a trojan? by Drew+M. · · Score: 1

      Speaking of which, on Android why does the very popular app "The Weather Channel" need "Services that cost you money: directly call phone numbers" because I sure don't see that functionality anywhere.

    38. Re:Is this really a trojan? by Anonymous Coward · · Score: 0

      On the other hand, if you provide a list of permission types that are too granular, then the flood of permissions that a single app may request would become so large that it would end up being ignored by most users. If an app requested access to half a dozen different websites/domains, GPS via multiple methods, Wi-Fi, Edge, 3G, phone numbers, e-mail addresses, reads and writes to SD (or particular parts of SD) -- each as a separate permission, then nobody's going to pay attention after a while, which isn't any better than the current situation.

    39. Re:Is this really a trojan? by IamTheRealMike · · Score: 1

      Ask the developers? I have done this with other apps a few times and often the answer is as lame as "oops, we forgot to take it out after experimentation". The culture of minimizing permissions hasn't really taken hold yet, but with enough nagging it can. Android usually offers ways of achieving what you want without a permission, e.g., the weather channel can initiate a call by triggering the dialer with a number pre-populated. Then the user can make the call with a single tap. After the call ends the user is returned to the app.

    40. Re:Is this really a trojan? by lowrydr310 · · Score: 0, Offtopic

      What about the apps that are locked and won't let you remove them?

      I'm referring to the Sprint NFL app, Sprint TV app, Sprint NASCAR app, HTC Footprints, and Amazon MP3 store app on my HTC EVO.

      I don't want these apps, I don't need them, and I should be allowed to get rid of them on this "OPEN PLATFORM" Android device, but I can't until Froyo is rootable. Maybe I could live with them if they didn't do anything, but they seem to be constantly starting on their own even when I don't initiate anything; I stop the processes, and they start again shortly afterward. I don't even know if they're sending data, but I'm guessing they are.

      I wonder how likely or possible it is to bundle malware with some of these custom ROMs. Just because a ROM is popular and has a dedicated following doesn't mean the author didn't include a hidden process that's collecting tons of personal data. Should I take the tinfoil hat off now, or is this a realistic possibility?

    41. Re:Is this really a trojan? by BcNexus · · Score: 1

      ^This. The Java VM on my previous Sprint Samsung and LG feature phones (I mention the brands and provider because I don't know who pushed for such granular permissions) gave me more granular controls, meaning I could grant various permissions to an app once, never, or forever.

      When I tried the Droid Incredible for a month, I was appalled to see A) how vague Android was about the type of permissions apps asked for, and B) how Android didn't offer the same once, never or forever options as my feature phones.

    42. Re:Is this really a trojan? by Cillian · · Score: 1

      In this place of the UK, the area code tells you very much where/what you're calling, be it a normal landline, mobile, premium or free number. Even the cost of the number is often specified just in the area code. And if that's not enough there's a website which does premium rate phone number lookups. (Hint: 08 and 09, apart from 0800, are generally costly)

      --
      All your booze are belong to us.
    43. Re:Is this really a trojan? by adolf · · Score: 1

      The drivers for the EXT3 partition could simply be on the SD card itself, in a FAT32 partition. Easy enough.

      But there's other reasons to keep FAT32 around: It's supported by bloody almost every hardware device with a USB port. I keep some videos and MP3s on my Droid, and it's dead simple to plug it into the car stereo or the PS3 and play whatever it is that's on there, or straight into a modern TV to do the same sort of thing. These devices don't support EXT2/3.

      And my friends don't want me fucking around with weird (to them, at least) filesystem drivers on their computers so I can do something mundane with my phone like dump a bunch of pictures or video from a party onto their PC while I'm still at their place, instead of fucking around with emailing them later, fucking around with emailing them on the spot, or otherwise fucking around doing such a simple thing.

      As to file system access on the iPhone: There is no filesystem access. It is not a USB mass storage device. The normal methods for getting program data to/from the device are either through iTunes or over the network. And the storage is both non-removable and non-upgradable. This is one of the many reasons why it loses.

    44. Re:Is this really a trojan? by Anonymous Coward · · Score: 0

      Seriously? With the current granularity level (that IMHO has a good balance between detail and ease for non tech people), most people skip reading permissions. Do you think that giving a more detailed list of permissions would help? I agree with the first comment: If you are so lazy as to skip reading that some music player will have access to send text messages, then you deserve to pay the bill...
      The important thing is to create a habit of reading what an application requests to do, the same way we have the habit of checking the change when we pay for something. It's just common sense.

    45. Re:Is this really a trojan? by zuperduperman · · Score: 1

      The culture of minimizing permissions hasn't really taken hold yet

      I think this is the real answer ... how to foster a culture of scepticism and caution among users that will make apps declaring unnecessary permissions get shunned in the market place. I would start, if I was Google, by putting an incentive into the market itself: "safer" apps should receive a special marking. Perhaps even appear first in search results. It should be possible to lock the phone to only access "safe" apps (sort of parental control type feature). Not big things, but enough to persuade developers that it's worth spending 10 minutes to hone down the permissions they are using and not throw in gratuitous features that require large expansion in permissions. Right now there's not much incentive and in fact it's easier to ask for lots of permissions just in case rather than receive bug reports for cases where your app tries to do something and gets knocked back in an unexpected situation.

    46. Re:Is this really a trojan? by zuperduperman · · Score: 1

      It still needs to be finer, in my opinion. One thing I would really value is a sandboxed internet access that includes restrictions on the domains it can access and the amount of data it can send. I'm quite happy for an app to talk to its own server for a cloud based service. I see no reason that the same permission should let it blindly send unlimited amounts of my phone SD card data (possibly at great expense) to a mysterious web site in China. Unfortunately the same permission covers both.

    47. Re:Is this really a trojan? by Anonymous Coward · · Score: 0

      The simplest, largest improvement I'd like to see to the Android security model is to allow users to deny certain types of access to applications. This application wants the ability to send SMSes? I'm going to install it without that ability, and see if it still does what I want it to do. (Failing gracefully under such circumstances is the app writer's responsibility.)

    48. Re:Is this really a trojan? by RobertM1968 · · Score: 1

      Yes, the user must approve giving the 'Trojan' access to sending text messages, which is included under a big banner that says "Things that can cost you money". Of course, after the 40th or 50th app installed, no one reads them anymore and just clicks the OK button, but Android does notify you of what it's capable of, and even that requires you to check the install apps from other sources button.

      Fortunately, owning a G1, with limited memory storage available, I have yet to reach my 40th or 50th app install, and thus still read that stuff before I install. I figure I have about 20 more apps to go before I start skipping that section and just install without reading...

      ;-)

    49. Re:Is this really a trojan? by bnenning · · Score: 1

      Agreed. Also, access to the SD card should be limited to an app-specific directory by default.

      I'm quite happy for an app to talk to its own server for a cloud based service. I see no reason that the same permission should let it blindly send unlimited amounts of my phone SD card data (possibly at great expense) to a mysterious web site in China.

      Well, once you let an app talk to the developer's servers they can do whatever they want with the data from there. The advantage of whitelisting specific URLs is when the app doesn't need to talk to the developer's server directly, but uses third-party services like ads or high score tracking.

      --
      How to solve most of our problems: 1.Lots of nuclear plants. 2.Cure aging.
    50. Re:Is this really a trojan? by farble1670 · · Score: 1

      Of course, after the 40th or 50th app installed, no one reads them anymore and just clicks

      speak for yourself.

      after installing 40 or 50 apps on your PC, do you quit paying attention to virus warnings? after 40 or 50 people pass you by on the street, do you feel safe leaving your backpack unattended?

      really, if someone acts like this, they deserve what they get. no amount of security is going to save people from their own sense of complacency.

    51. Re:Is this really a trojan? by farble1670 · · Score: 1

      It's close to impossible to spot a possibly-offensive application such as this Trojan.

      it's not that simple. if you add more granularity, then the user is bombarded with information that they will not understand and will probably ignore. there has to be a balance between granularity and understandability.

      it's actually not hard at all to spot problem apps. you will probably have a lot of false positives, but that's unavoidable without deluging the user with *exactly* what the app is doing, and then hoping they can understand why it needs to do that to function.

    52. Re:Is this really a trojan? by mjwx · · Score: 2, Informative

      Out of curiosity, how does a Windows user gain access to the iPhone's file system? Is there even a removable storage card on an iPhone, or is the entire phone a USB mass storage device?

      They don't. No MSC functionality whatsoever. All communication with an iPhone is done through iTunes.

      True, and if the Android were to move to a better file system than FAT32, that's probably the best way to do it.

      Android already uses a newer file system. The / is YAFFS2. Only /SDCARD is VFAT and this can be reformatted to EXT3 if the user wants. FAT32 is only there for compatibility with OSes that can't read EXT file systems.

      --
      Calling someone a "hater" only means you can not rationally rebut their argument.
    53. Re:Is this really a trojan? by farble1670 · · Score: 1

      If your app needs a contact to send a message, it would have to pass that message to the OS and the OS would prompt the user for the contact to send it to.

      oddly, that's how it works for email ... but not for SMS. once granted the permission, an app can programmatically send an SMS on behalf of the user with no interaction. for email however, the best you can do is launch the compose window with a pre-defined to:, cc:, subject:, etc.

    54. Re:Is this really a trojan? by zuperduperman · · Score: 1

      > Well, once you let an app talk to the developer's servers they can do whatever they want with the data from there.

      Absolutely, it is still open to abuse but it provides me many more tools to evaluate how much I trust the developers (where is it hosted, who owns the domain, how long has it been registered, etc). Most normal users will not look at this, but it only takes a few to follow up and post comments to alert people to a dangerous or sketchy app. It might even make sense to have an 'https' only option so that it requires a valid / reputable cert.

    55. Re:Is this really a trojan? by dissy · · Score: 0, Redundant

      Why not just take the literally 20 seconds to read what parts of the phone an app wants access to?

      I don't see how that would even help.

      So you are looking for a text messaging app, do a search and find a ton of them.
      My evil app is in the store listed as an SMS app, and listed with some neato features that look interesting to you. It's free, so you download it to give it a try.

      Are you telling us that when the text messaging app requests permissions to send text messages, after spending 20 seconds reading the dialog box, you would be shocked and appalled at that and click to disallow it??

      That is what they mean by hiding such 'trojan' (really just bad) behavior in an app that has otherwise useful and related features.

    56. Re:Is this really a trojan? by Anonymous Coward · · Score: 0

      Is this really off-topic? To the parent poster - I've got an HTC Desire in the UK bundled with similar annoying apps - I have no interest in the stock market, yet the built-in app constantly starts up and sends/receives data.

    57. Re:Is this really a trojan? by Acaeris · · Score: 1

      SMS messages aren't always sent to a 07*** ****** number and not all ***** SMS numbers are premium rate

    58. Re:Is this really a trojan? by Anonymous Coward · · Score: 0

      I have a solution: ask STORES to screen potential buyers. You wouldn't sell a baby a chainsaw, would you?

      U can't protect every user from themselves all the time.

      Measures that protect users are ignored by users? How is that the software or phone makers' fault?

    59. Re:Is this really a trojan? by EvilJoker · · Score: 1

      In this era of number portability, an area code can no longer be trusted to tell you where you are calling.

      No, but it can tell you the fees associated with calling it.

    60. Re:Is this really a trojan? by element-o.p. · · Score: 1

      They don't. No MSC functionality whatsoever. All communication with an iPhone is done through iTunes.

      Ugh...glad I bought an Android, then.

      Only /SDCARD is VFAT and this can be reformatted to EXT3 if the user wants. FAT32 is only there for compatibility with OSes that can't read EXT file systems.

      Hmmm...I've got an extra microSD for my Hero. I'll have to give that a try and see how it works.

      --
      MCSE? No, sir...I don't do Windows. Yes, I am an idealist. What's your point?
    61. Re:Is this really a trojan? by Anonymous Coward · · Score: 0

      Certainly they could add some metadata?

    62. Re:Is this really a trojan? by flibuste · · Score: 1

      That is very true, indeed. Too many details might confuse end users. I suppose Google engineers have put more thought into this than us. For the time being, I don't really see a better alternative that would be one size fits all.

    63. Re:Is this really a trojan? by flibuste · · Score: 1

      Indeed. But the trouble is the number of "false" positives; are you a paranoid customer? Then you would probably flag 90% of applications as a potential "threat". You're a power Android user who knows what those messages mean and you happen to read Slashdot? Same thing, reversed: you get scared by a simple app that requires "Internet Access" and "Location services" at the same time (a paranoid Slashdotter such as me will immediately think the app is going to send my location to the intertubes). Tough problem...

    64. Re:Is this really a trojan? by byisk · · Score: 1

      It's their own fault if they are not able to think! Stupid, poor people lose. It's the theory of evolution and nothing more.

      --
      Do not forget to check out my blog.
    65. Re:Is this really a trojan? by Anonymous Coward · · Score: 0

      That's all nice and fine until Android gets the 'malware sponge' reputation like Windows, with the added bonus of lacking any malware protection.

      People don't want to deal with it on a PC, and the phone actually has far more potential to damage a user financially, just in errant SMS, Phone calls to 900 numbers, etc.

    66. Re:Is this really a trojan? by Gaffod · · Score: 1

      Because the warning screen is extremely unhelpful. Maybe things improved since 1.5, but I get a warning saying "data may be sent over the internet". What data, Android? Do you mean my highscore, or my Gmail password?

  2. media player? by Anonymous Coward · · Score: 0

    Well, what is the name of the malicious media player?

    1. Re:media player? by mark72005 · · Score: 1

      RealPlayer is back!

    2. Re:media player? by Anonymous Coward · · Score: 0

      It reminds me of those studies that find "Out of 12 popular vitamin supplements tested, 8 contained ingredients deemed to be harmful to people's health."

  3. So... by Anonymous Coward · · Score: 0

    A Trojan posing as a media player for Android smartphones

    So, uhh, what's the name of the infected media player app? It's not in TFA, either.

    1. Re:So... by John+Hasler · · Score: 1

      If mercenaries can find work in the middle east, why can't we hire them to find and dispose of the people making withdrawals from the bank accounts of the "premium rate" numbers?

      At a guess, either because you are not looking in the right places or because you are not offering enough money. What have you tried so far?

      This just really seems like one of those problems that some good old fashioned violence would be great for solving/deterring.

      Right. After all, it's working so well in the Middle East, and it's not like your "mercenaries" have a record of killing the wrong people or anything.

      --
      Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
    2. Re:So... by ground.zero.612 · · Score: 1

      If mercenaries can find work in the middle east, why can't we hire them to find and dispose of the people making withdrawals from the bank accounts of the "premium rate" numbers?

      At a guess, either because you are not looking in the right places or because you are not offering enough money. What have you tried so far?

      This just really seems like one of those problems that some good old fashioned violence would be great for solving/deterring.

      Right. After all, it's working so well in the Middle East, and it's not like your "mercenaries" have a record of killing the wrong people or anything.

      Wait, what? You answer a rhetorical question by telling me that the mercenaries are mine? And that you have a record of their kill statistics?

      Oh and why do you capitalize the 'middle east'? Is it a country now, worthy of promotion to a proper noun?

      If you could just open your mouth for a second, I'd like to introduce it to your foot. :)

      --
      "Be prepared, son. That's my motto. Be prepared." --Joe Hallenbeck
    3. Re:So... by schon · · Score: 1

      <sarcasm>
      Well duh - for security purposes, they're not gonna tell you. If you don't know what it's called, you can't go looking for it to install it!
      </sarcasm>

      Seriously - it's an antivirus company. If they told you what it was called, you wouldn't need to buy their services.

    4. Re:So... by shmlco · · Score: 4, Informative

      "Oh and why do you capitalize the 'middle east'? Is it a country now, worthy of promotion to a proper noun?"

      Doesn't need to be a country. Region names are capitalized when they stand alone and are widely understood to designate a specific geographic (or geopolitical) area. e.g. Southern California, the Bay Area, the Middle East.

      http://www.utexas.edu/visualguidelines/capitalization.html

      --
      Any sect, cult, or religion will legislate its creed into law if it acquires the political power to do so.
    5. Re:So... by mcgrew · · Score: 1

      "Violence is the last refuge of the incompetent". - Salvor Hardin

    6. Re:So... by Anonymous Coward · · Score: 0

      "Violence has resolved more conflicts than anything else. The contrary opinion that violence doesn't solve anything is merely wishful thinking at its worst." - Starship Troopers

    7. Re:So... by Anonymous Coward · · Score: 0

      Quoting people doesn't make things true, or make a point. - YOUR MOM

    8. Re:So... by ground.zero.612 · · Score: 1

      "Oh and why do you capitalize the 'middle east'? Is it a country now, worthy of promotion to a proper noun?"

      Doesn't need to be a country. Region names are capitalized when they stand alone and are widely understood to designate a specific geographic (or geopolitical) area. e.g. Southern California, the Bay Area, the Middle East.

      http://www.utexas.edu/visualguidelines/capitalization.html

      Should have been modded +4 Whoosh

      --
      "Be prepared, son. That's my motto. Be prepared." --Joe Hallenbeck
    9. Re:So... by ground.zero.612 · · Score: 1

      Plus, if there are any problems that violence didn't solve, that is just evidence that not enough violence was used.

      --
      "Be prepared, son. That's my motto. Be prepared." --Joe Hallenbeck
    10. Re:So... by John+Hasler · · Score: 1

      Wait, what? You answer a rhetorical question by telling me that the mercenaries are mine?

      "We" includes you. In this case it most certainly does not include me. But, no, I didn't tell you that the mercenaries were yours: you said that you were having trouble hiring any. I offered some suggestions.

      And that you have a record of their kill statistics?

      While the details are secret (well, until recently...) according to news reports totals run to 200,000 or so in the Middle East recently (mostly civilians, of course).

      --
      Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
    11. Re:So... by Anonymous Coward · · Score: 0

      It's not in the Android Market. And it's probably got a few dozen names at this point. Given how viruses and trojans usually work, I'd search for and avoid anything that says it was made by Kaspersky.

    12. Re:So... by shmlco · · Score: 1

      You're the one that attempted to deflect his argument with a personal attack. If you're going to accuse someone else of ignorance, try not to expose your own in the process.

      --
      Any sect, cult, or religion will legislate its creed into law if it acquires the political power to do so.
    13. Re:So... by Anonymous Coward · · Score: 0

      "Violence is the last refuge of the incompetent". - Salvor Hardin

      Because competent people resort to it first :-)

    14. Re:So... by ground.zero.612 · · Score: 1

      You're the one that attempted to deflect his argument with a personal attack. If you're going to accuse someone else of ignorance, try not to expose your own in the process.

      You're the one that answered an obvious rhetorical question, and then got modded up... I didn't realize +Obvious was an option.

      --
      "Be prepared, son. That's my motto. Be prepared." --Joe Hallenbeck
  4. doesn't this... by Anonymous Coward · · Score: 0

    require you to
    1. enable "install from other places", since by default only market apps can be installed
    2. be infinitely stupid??

    regards,
    Anonymous Coward

  5. Hahaha by Anonymous Coward · · Score: 5, Funny

    Hahaha! Good thing I have an iPhon.....*signal lost*

    1. Re:Hahaha by BitZtream · · Score: 0, Troll

      hahaha that was almost as funny as it wasn't 2 months ago since it's likely that even with your fingers in the wrong place the iPhone works better than whatever you're carrying.

      --
      Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
    2. Re:Hahaha by Anonymous Coward · · Score: 0

      iPhanboy

    3. Re:Hahaha by Anonymous Coward · · Score: 0

      butthurt much?

    4. Re:Hahaha by ViViDboarder · · Score: 3, Informative

      False

    5. Re:Hahaha by TheRaven64 · · Score: 1

      Besides, with an iPhone, you don't need to download a trojan, you just need to visit a web site and the person with the server can get remote root access to your iPhone. Apple wins on usability again!

      --
      I am TheRaven on Soylent News
  6. So... by ground.zero.612 · · Score: 1

    If mercenaries can find work in the middle east, why can't we hire them to find and dispose of the people making withdrawals from the bank accounts of the "premium rate" numbers?

    This just really seems like one of those problems that some good old fashioned violence would be great for solving/deterring.

    --
    "Be prepared, son. That's my motto. Be prepared." --Joe Hallenbeck
  7. To android owner... by Anonymous Coward · · Score: 0

    All your text are belong to us!!

  8. uhhhhl by Essequemodeia · · Score: 1

    You know, I really wish articles like this would lead with THE NAME OF THE APP THAT HURTS SO BADLY. "An SMS trojan" is hardly specific. I'd like to know if that thing in my pocket is gonna rape my privacy.

  9. Cuz there be Winders in there someware by Anonymous Coward · · Score: 0

    It only goes to show, Winders is in there. No ways there be only Linux in there.

  10. Public service or just self serving? by FrkyD · · Score: 1

    So, we know that the company will be releasing security software for Android, we know that they have included a signature for the trojan in their software...

    But we don't know the name of the firkkin app that is actually doing it. Good thing those security software vendors are so concerned about our well being.

    1. Re:Public service or just self serving? by Monchanger · · Score: 1

      Sounds about right. And it's not just bad reporting as usual - the press release had few details on the application, not including a name.

      I found it strange it said they can "fix" the problem with a security system which hasn't been released yet.

    2. Re:Public service or just self serving? by natehoy · · Score: 1

      I don't own an Android, but I'm struggling with what a security app could do about something like this on a phone with a permissions-based architecture. I was under the impression that the Android security model was somewhat similar to the Blackberry one, but feel free to correct me if I'm wrong.

      On the Blackberry, when you install software, each software package has "permissions" you can assign to it. Those permissions include things like "Address Book", "Email", "Corporate Network", "Calendar", "Internet", "GPS", "Bluetooth", "Telephony/SMS", and each one can have "Allow", "Deny", and (usually "Ask me").

      My default permissions are "ask me" (or "deny" where "ask me" is not available). That way, every time a package starts up, it has to ask if it can access each resource it wants. If the request is reasonable, I check the "remember this" box and click "allow" and the app never bugs me again. If the app fails for lack of permission, I can always go into the app settings and turn specific permissions on for that app. This adds almost zero effort to installing and running applications. I get the occasional pop-up, but when Google Maps wants access to my GPS or the Internet, I figure it's pretty OK, and I never get asked again.

      It sucks when something like Google Maps 4 demands "Allow" on every goddamned permission or it refuses to run at all, but a revert back to Google Maps 3 fixed that problem up just fine.

      You can be pretty sure I'd notice if a media player asked for access to "Telephony/SMS". I'd be clicking the "FUCK NO" button (aka check "remember this" and click "deny"), followed immediately by a rapid trip to the uninstaller to obliterate it from my phone.

      Surely the Android has similar tools, right? And, if it does, what is a security application going to do except watch for after-the-fact attacks from apps with specific signatures?

      --
      "This post contains words, known to the State of California to cause thought. Wash brain thoroughly after reading."
  11. Read the TFA? by NiteShaed · · Score: 5, Insightful

    Why bother? I read it, and I still don't know silly details like what the name of this app is, or whether it's been pulled from the Android Market. Actually, now that I think about it, I don't even know *if* it was in the Android Market, or if it's a side-load app. For all I know, Kaspersky "discovered" a proof-of-concept app that they developed themselves. Yeah, that last bit is pretty unlikely, but reading TFA is no help at all in ruling it out.....

    Content fail for TFA.

    --
    Some bring out the best in others, some the worst. Some bring out far more.
    1. Re:Read the TFA? by unix1 · · Score: 2, Informative

      Found the original announcement. No name of an app there either.

      While there could definitely be such an app, the article definitely sounds like an advertisement for their product rather than a security notification.

    2. Re:Read the TFA? by Anonymous Coward · · Score: 1, Insightful

      Until the app is named, this sounds like "anonymous sources" BS that some news sites like to do which can't be independently verified.

      Unless the app and its developer are specified, this reeks of fear-mongering akin to the lines of "OMG, 1/3 of Android apps have access and *could* expose your personal data".

      My take: Name and shame, or don't bother publishing. Even though the Weekly World News is out of print, the US still has more than its share of sensationalistic topics.

    3. Re:Read the TFA? by shawn(at)fsu · · Score: 1

      This was the same problem with the screen saver app that also did something malicious. Couldn't find the name of the app; it just said that it was out there. This is starting to bother me; tell me what the app is, where it was installed from, and who the developer is.

      --
      500 dollar reward for tip(s) leading to the arrest of the person(s) who stole my sig.
    4. Re:Read the TFA? by machxor · · Score: 1

      However we don't need to know any of that because it's clear that the application asks for permission to send SMS, the user accepts and then the app does exactly what it said it was going to do. This is no trojan; this is a case of users not wanting to be responsible for the security of their devices.

    5. Re:Read the TFA? by NiteShaed · · Score: 1

      I really can't agree there. I'd still be inclined to categorize it as a trojan since it's disguised as a music player (even a flawed disguise is still a disguise). In any case, I don't think there's any argument to be made that it isn't malware, and I'd still like to know what name it's being distributed under and who it's coming from....

      Also, since we don't really know anything about the app, it's entirely possible that its description explains the SMS access away as having the ability to text your friends what music you're listening to or something. Yeah, it's a dumb feature to want, but I could see some people thinking to themselves that they'd just use the player without using the SMS feature or something.

      --
      Some bring out the best in others, some the worst. Some bring out far more.
    6. Re:Read the TFA? by Anonymous Coward · · Score: 0

      It turned out to be some guy in Asia who created that app. Google took his app off the market, but restored it after it was found not to be any of the things that it was accused of being. Of course no one apologized for falsely accusing a legitimate app.

    7. Re:Read the TFA? by Jah-Wren+Ryel · · Score: 1

      While there could definitely be such an app, the article definitely sounds like an advertisement for their product rather than a security notification.

      It seems like it's gotten to the point that anything that comes out of Kaspersky, Sophos, Symantec, et al, is just a bunch of far-fetched hype for some product or service they are hawking. These guys have become so transparent that I have concluded that they are just a higher grade of spammers.

      --
      When information is power, privacy is freedom.
  12. Prosecution? by AdamThor · · Score: 3, Insightful

    So this should lead to police activity quickly enough, right? One can't (at this time) prove where the trojan came from, but it's easy enough to see who benefits and what accounts the money gets paid into. That should all get frozen, cops should kick down some doors, machines should get confiscated?

    Will this happen?

    --
    -- "Oh. This guy again."
    1. Re:Prosecution? by John+Hasler · · Score: 2, Insightful

      > Will this happen?

      It could. It is quite possible that some mules will find themselves in serious trouble.

      --
      Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
    2. Re:Prosecution? by geekoid · · Score: 1

      " but it's easy enough to see who benefits and what accounts the money gets paid into. "
      maybe not.
      The person who owns the account might be a legitimate business and just claim he doesn't know why the writer chose him. Or the writer just picked something at random to cause random confusion and to make a point.

      Let's say you sold personalized adult SMS messages for 5 bucks a pop. Your business really starts to rise. How are you to know that someone chose you at random for a PoC of malware? Or a rival isn't setting you up?

      What about when it's in another country?

      The writer could be an idiot and have the money going to a company he set up. Online scams are getting a lot more sophisticated than that.

      --
      The Kruger Dunning explains most post on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect
    3. Re:Prosecution? by BitZtream · · Score: 1

      In Soviet Russia ... no.

      --
      Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
    4. Re:Prosecution? by ErikZ · · Score: 1

      Absolutely. The Nigerian police are ever vigilant.

      --
      Democrats or Republicans. They are both taking us to the same place and they are not afraid of us anymore.
  13. Bad summary by esocid · · Score: 5, Informative
    After trudging through several articles, not one mentions the application's name. It does however mention that the trojan can be packed into basically anything. It also doesn't mention that only users in Russia are affected by the SMS charges.

    According to Denis Maslennikov, Senior Malware Researcher at Kaspersky Lab, there's not an exact number of infected devices available at present, but the outbreak is currently regional. For now, only Russian Android users can actually lose money after installing the Trojan, but anyone can be infected.

    http://www.readwriteweb.com/archives/first_trojan_for_android_phones_goes_wild.php

    --
    Absolute power corrupts absolutely. indymedia
    1. Re:Bad summary by esocid · · Score: 3, Informative

      Also forgot to mention, it isn't in the market. It has to be manually installed, with that little box checked to allow non-market apps to be installed.

      --
      Absolute power corrupts absolutely. indymedia
    2. Re:Bad summary by unix1 · · Score: 1

      Here's some more info. Still no link/name/source of the app. They could have paid someone to write a proof of concept/hypothetical app that did that, so they could do a press release and plug in their upcoming product.

    3. Re:Bad summary by tlhIngan · · Score: 1

      Also forgot to mention, it isn't in the market. It has to be manually installed, with that little box checked to allow non-market apps to be installed.

      Given the number of jailbroken iPhones with OpenSSH installed, that's not a limitation at all. Turns out people are sheep, and if you give them instructions on how to install your SuperNewCoolAndroidApp.apk file, they'll do it. They'll blithely check that box, click OK on the permissions dialog, etc. Make it into a YouTube video and they'll just do it like a monkey.

      There is no good security solution for users. Maybe if Android popped up a dialog saying "This app is wanting to do something that may cost money ("Dial +xx-xxx-xxx-xxxx" or "SMS +xx-xxx-xxx-xxxx" etc) - allow?". But even then it's iffy.

      Perhaps maybe a default security settings box where things that cost money are unchecked and denied explicitly (I never liked Android's "all or nothing" - why not grant "safe" settings and deny "dangerous" ones (call/sms/use network) by default).

    4. Re:Bad summary by IamTheRealMike · · Score: 1

      Android actually does display a window that says "This app wants to do something that may cost money".

    5. Re:Bad summary by MadJo · · Score: 1

      Bad summary? I'd say bogus story perhaps even FUD. Given that they haven't told us the name of the app, and that it has to be installed from a source other than the market (which surprise, surprise, wasn't in ANY of the stories I read about this today)... I'd say this story is bullcrap.

  14. Protection by Ukab+the+Great · · Score: 2, Funny

    With Trojan-SMS.AndroidOS.FakePlayer.a, you can now have two different trojans in your pocket to offer the ladies.

    1. Re:Protection by hydromike2 · · Score: 1

      I don't see any point to carrying around the latter, nobody on /. will ever get a chance to use it

    2. Re:Protection by VortexCortex · · Score: 1

      I don't see any point to carrying around the latter, nobody on /. will ever get a chance to use it

      Hey! Sure I will, (I don't want to get my Realdoll messy).

    3. Re:Protection by mujadaddy · · Score: 1

      I read on the internet that the holes can get really stinky if you don't wash them out.

      That sounds like just as much work as a real girl! NO THANKS

      --
      Populus vult decipi, ergo decipiatur...
      "Force shits upon Reason's back." - Poor Richard's Almanac
    4. Re:Protection by Anonymous Coward · · Score: 0

      awesome!

  15. Duh by Anonymous Coward · · Score: 0

    If your phone was in a protective case, like an iPhone 4, you would be infected with such trojans!!! Stupid Android users!!!

  16. Phone companies' response? by Galestar · · Score: 1

    This type of malware was obvious from the beginning. My question is what would be the phone companies' response to this?

    Will they:
    a) just charge the user for the messages saying that they are SOL
    b) void the charges

    --
    AccountKiller
    1. Re:Phone companies' response? by natehoy · · Score: 1

      If it's AT&T, they'd take option (b) until they got sick of issuing credits, followed shortly by a system-wide option (c).

      "In order to avoid surprise charges, any phone you use on the AT&T network that is capable of sending or receiving SMS messages must include at least our $5 a month 100-message plan. For your convenience and peace of mind, this plan has been added to your monthly bill starting last month, and is a required component of your account and may not be canceled."

      Laugh all you want. That's exactly what they did to a lot of smartphones and data plans last year. Why would SMS messages be any different?

      --
      "This post contains words, known to the State of California to cause thought. Wash brain thoroughly after reading."
  17. There is still no substitute for common sense by gweihir · · Score: 1

    Those installing applications from questionable sources get what they deserve.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    1. Re:There is still no substitute for common sense by Sancho · · Score: 1

      Do women who walk down dark alleys at 3 in the morning get what they deserve?

      Stop blaming the victim.

    2. Re:There is still no substitute for common sense by Anonymous Coward · · Score: 0

      If she's that dumb, then yes she probably did get what she deserved.

    3. Re:There is still no substitute for common sense by Anonymous Coward · · Score: 0

      It's not just a problem for the stupid.

      My phone is rooted and I use a firewall. I white-list apps that I know need internet--this has the nice side effect of blocking ads. I don't install any apps that allow "Services that cost you money", unless they come from Google, or from other companies that I trust, or are open source. My concern is that even though I've taken reasonable steps to protect myself, I have no way of stopping my friends from being stupid. Do I deserve to have my contact information sent to thieves because I happen to be on the contact list of somebody who was stupid enough to install such an app?

    4. Re:There is still no substitute for common sense by cdrguru · · Score: 1

      What is clearly needed here is insurance against this type of loss. Then nobody will be a victim anymore ... well, as long as they have insurance.

      The problem is that we started out giving hammers to 6 year-old boys without any instruction. This was the DOS command line in 1982. The result was predictable and painful for some but for the most part it is possible to use a PC now, 25 years later. But we still have huge volumes of phishing and botnet emails because people do fall for this stuff.

      With Android phones we have more like a situation where we have given hydraulicly powered hammers to 6 year-old boys and are suprised when the neighbor's car (and dog) have been "hammered". The actual damage is much worse, the potential damage is virtually unlimited and some technical people are standing around saying how nice these huge hydraulic hammers are and how capable they are of smashing anything. All without any thought as to the consequences of handing these powerful tools to 6 year-old boys without any understanding of the tools they are using.

      Yes, I am equating the general public's familiarity with technology with the common sense of a six year-old boy. Absolutely. And I may be overestimating somewhat.

      "Don't blame the victim" only goes so far. We need to blame the victim's lack of education and common sense and we also should think before handing out powerful tools to people that cannot make use of them without damaging the world.

    5. Re:There is still no substitute for common sense by pandrijeczko · · Score: 1

      I apply precisely the same opinion about those buying from iTunes which I consider a questionable source also.

      --
      Gentoo Linux - another day, another USE flag.
    6. Re:There is still no substitute for common sense by Duradin · · Score: 1

      My apologies to your survivors (or congratulations, their decision) but you neglected to wear body armor capable of withstanding an anti-materiel round. You got what you deserved for being so careless.

    7. Re:There is still no substitute for common sense by gweihir · · Score: 1

      The comparison is grossly unfair. Better one: If having unprotected sex with various partners gives you an STD, then you share a large part of the blame.

      Downloading some software from somewhere and then running it is a high-risk activity. Walking down an alley at 3 in the morning does (at least here) not come with any significant risk of getting raped.

      People that did not bother to find out the risk-level for an activity or knowingly did high-risk things, always share the responsibility for a bad outcome.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  18. hmmm by geekoid · · Score: 1

    A company that makes money selling anti-virus software claims there is a Trojan that their Android release will fix.

    Ok, I'm willing, for the moment, to say that's true and has happened.
    The article doesn't give any information. Was this spread through the market, or did some select the option to install apps from anywhere and then get hit?

    OTOH, this does follow my belief that online and smart phone financial transactions will end. The sheer number and ease of scamming people can't be stopped.

    I hope I am wrong. I would love to make my smart phone my wallet.

    --
    The Dunning-Kruger effect explains most posts on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect
  19. SMS Trojan ... seriously? by BitZtream · · Score: 1

    How the fuck can you get ripped off by an 'SMS Trojan'?

    Okay, so it sends SMS messages to 'premium numbers' ... so it's a safe bet that the guy who wrote it is the guy who owns those 'premium numbers'.

    It should take all of about 8 seconds for someone to turn off the SMS number so the messages no longer get charged to anyone and arrest the fink who started it.

    Could it be someone using a trojan directed at an innocent 3rd party? Sure. Is that what's happening? No, stop being so naive.

    --
    Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
  20. In addition to the usual cross-border problems... by alispguru · · Score: 1

    If someone you don't like makes money off of SMS messages, write a Trojan that sends them stuff, get people to download it, and voila! The SMS guys get raided!

    --
    To a Lisp hacker, XML is S-expressions in drag.
  21. What Signal? by ciroknight · · Score: 1

    This is the iPhone we're talking about, how'd you manage to get a signal in the first place!?

    (Must have one of those Vulcan pinch phone holders...)

    --
    "Victory means exit strategy, and it's important for the President to explain to us what the exit strategy is." G.W.Bush
  22. Bigger picture. by Anonymous Coward · · Score: 0

    Ever notice that most (not all, but most) of the AV firms are from Russian/Baltic regions? From the guys who write the most viruses and hacking?

  23. The question is when to agree... by SuperKendall · · Score: 1

    However we don't need to know any of that because it's clear that the application asks for permission to send SMS, the user accepts and then the app does exactly what it said it was going to do.

    This is where I'm not sure the Android security model is doing you many favors.

    You download a media player, go to install it, and you get a list of things it wants to do - access media library, perhaps access contacts for sharing, and so on... and way down at the end, a little notice about accessing SMS. You might not even think about it much being close to permissions for contacts.

    So you agree.... and then it proceeds.

    That's why I think a model where the system asks for permission as the phone accesses each protected resource is probably somewhat healthier. Then you can see in context just what it plans to do. Then you would be wondering at any point in time using the media player, why is it sending an SMS to this number I do not recognize?

    It doesn't have to ask you every time, just the first few times and then it can be sure you really are OK with it accessing a specific resource.

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
    1. Re:The question is when to agree... by nahdude812 · · Score: 1

      The ability for an app to place phone calls or send SMSes are listed under big bold text reading something to the effect of "Things which may cost you money" on the permissions screen.

      If you look at the screen at all, you can't miss it.

  24. NO NO NO by SuperKendall · · Score: 1

    FAT32 is still the logical choice, despite its security issues

    Bill Gates? Is that you?

    Because at this point we all have seen when you design from the start for convenience OF THE DEVELOPER instead of security. The Windows world has been living with the consequences of that choice for decades now.

    So now at the brink of a whole new wave of OS's, is not the time to repeat the mistakes of our virtual forefathers. Android could move apps into a smaller embedded filesystem in a file, but in no way should it open up users to app modifications like this.

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
    1. Re:NO NO NO by bickerdyke · · Score: 1

      Because at this point we all have seen when you design from the start for convenience OF THE DEVELOPER instead of security.

      It's rather the convenience of the user, but as he is the one who actually has to buy a gadget this might be the right thing to do, even as you're right with the consequences.

      --
      bickerdyke
    2. Re:NO NO NO by element-o.p. · · Score: 1

      Wow, that's really funny. I think this is the first time *I* have ever been called Bill Gates. Did you happen to notice my sig by any chance?

      My point, which I thought was pretty clear and even though it pains me greatly to say so, was that there isn't another file system that is as widely supported out of the box as FAT32. UFS? Nope. Ext2/3/4? Nope. ReiserFS? Nope. NTFS? Nope. ZFS? Nope. There is a *reason* FAT32 is the standard for removable mass storage, even though it really sucks (especially from a security standpoint).

      So, yes, Android *could* move apps into a different file system (or even, as you suggest, into an embedded file system inside a single file), but then you would completely lose the ability to pull your SD card from your phone and access the data on the card from your PC (which, incidentally, I did just the other day on my microSD card in my Android phone).

      --
      MCSE? No, sir...I don't do Windows. Yes, I am an idealist. What's your point?
    3. Re:NO NO NO by unix1 · · Score: 1

      Android could move apps into a smaller embedded filesystem in a file

      This could have been an arguable compromise solution. The other part - where your data on FAT32 is still wide open (pics/video/logs/whatever apps store on it) - would remain. But at least this way you could have some apps (depending on sensitivity of their info) store their data on such encrypted partition-in-a-file.

      Other advantages would be:

      - you could grow/shrink partition and filesystem as needed automatically by OS or manually
      - you could just copy one file from one SD card to another and have it automatically work on your device without compromising any info in it and bunch of other benefits you get from encryption.

  25. Suggestions for Quick audit app? by Brit_in_the_USA · · Score: 1

    Any suggestions for an Android app that can quickly do a security audit (assuming the APIs allow it)?

    I'm thinking that it would list in table form all the installed applications (the rows) with all the security access types (columns) with all the cells checked or unchecked. This would allow an "at a glance" review of all the apps without having to navigate into the management of each one.

    1. Re:Suggestions for Quick audit app? by OutOfMyTree · · Score: 1

      ASpotCat is the one I use. There are possible alternatives listed on the right of that page -- one is called Permission Viewer.
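      The table the parent asks for can be built from each app's manifest without any on-device app at all. The following is an added example, not code from this thread or from ASpotCat or Permission Viewer: it parses the `<uses-permission>` entries of AndroidManifest.xml files (which is where an installed app's requested permissions are declared), prints an apps-by-permissions grid, and flags the two permissions Android lists under "Services that cost you money" (`SEND_SMS`, `CALL_PHONE`) plus the `INTERNET` + `READ_CONTACTS` combination that the earlier "my friends' contact lists" worry is about. The three manifests and app labels are constructed samples, not real apps.

```python
"""Install-time permission audit matrix for a set of Android apps.

Added example (not from the thread or any named app). The manifests
below are constructed samples; the permission names are real Android
permission strings.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS

# Grouping mirrors the install screen's "Services that cost you money" category.
COSTS_MONEY = {"android.permission.SEND_SMS", "android.permission.CALL_PHONE"}
# Network access plus contact access: the combination that lets an app ship
# an address book off the device.
EXFIL_PAIR = {"android.permission.INTERNET", "android.permission.READ_CONTACTS"}

# Constructed sample manifests (app labels and package names are made up).
SAMPLE_MANIFESTS = {
    "MediaPlayerX": """<?xml version="1.0"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="example.mediaplayerx">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
</manifest>""",
    "FlashlightLite": """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="example.flashlight">
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>""",
    "NotesPad": """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="example.notes">
</manifest>""",
}


def parse_permissions(manifest_xml):
    """Return the set of permission names a manifest requests."""
    root = ET.fromstring(manifest_xml)
    return {el.get(NAME_ATTR) for el in root.iter("uses-permission")} - {None}


def audit(manifests):
    """Map app label -> permissions plus the two risk flags."""
    report = {}
    for label, xml in manifests.items():
        perms = parse_permissions(xml)
        report[label] = {
            "perms": perms,
            "costs_money": bool(perms & COSTS_MONEY),
            "contacts_and_net": EXFIL_PAIR <= perms,
        }
    return report


def render_matrix(report):
    """Render the apps-by-permissions grid as a list of text rows."""
    columns = sorted({p for r in report.values() for p in r["perms"]})
    short = [c.rsplit(".", 1)[-1] for c in columns]
    rows = ["%-16s %s  flags" % ("app", " ".join("%-14s" % s for s in short))]
    for label, r in sorted(report.items()):
        cells = " ".join("%-14s" % ("X" if c in r["perms"] else "-") for c in columns)
        flags = []
        if r["costs_money"]:
            flags.append("COSTS-MONEY")
        if r["contacts_and_net"]:
            flags.append("CONTACTS+NET")
        rows.append("%-16s %s  %s" % (label, cells, ",".join(flags) or "-"))
    return rows


if __name__ == "__main__":
    for line in render_matrix(audit(SAMPLE_MANIFESTS)):
        print(line)
```

      On a real device the manifests come out of the installed APKs (an APK is a zip; the manifest inside is binary XML and needs a decoder such as the SDK's `aapt` before this parser can read it), so the script is the review step, not the collection step.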

  26. To the user it's the same by SuperKendall · · Score: 1

    It's rather the convenience of the user

    That's not so.

    Because I already described how you would have the same exact functionality with an embedded file system in one large file on the DOS partition, where apps would go. That would be mounted and have proper security.

    To the user everything works as it does now, it's just that underneath you can't have apps stored on an external partition infected by another app nearly as easily.

    If you wanted to let users drag apps onto the removable storage you could still let them do that and add them to the safe partition on attachment of the card, not letting anything in the system write to the card until the app extraction was complete.

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
  27. Read my post again, there is a solution by SuperKendall · · Score: 1

    Yes, I read your sig. Which is why being willing to repeat the same mistakes really made me do a double-take.

    There is a *reason* FAT32 is the standard for removable mass storage

    Yes, I totally agree with that. It's utterly unreasonable at this point (probably forever sadly) for removable media to be anything but FAT32.

    I am saying apps don't have to sit naked upon that.

    Perhaps I was not clear enough but I was envisioning a binary blob in the FAT32 system, that was an Ext4 (or whatever) disk image. The system would mount that and read apps from it; apps that were moved by the user to removable media would go in there. So you'd have a mounted file system with full security and no way for anything to access an application on the weaker FAT32 partition (the blob could be encrypted to prevent direct tampering).

    So, yes, Android *could* move apps into a different file system (or even, as you suggest, into an embedded file system inside a single file), but then you would completely lose the ability to pull your SD card from your phone and access the data on the card from your PC

    Not if you think carefully about the problem.

    And that's my point. There's always a technical way that will work, if you think long enough about it. But in this case they rushed into a solution that was easier to the developers and left the user totally exposed. This is what I am saying "NO NO NO" to. This is what we cannot continue to allow, especially not as we transition to a whole new set of mobile OS's.

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
    1. Re:Read my post again, there is a solution by MichaelSmith · · Score: 1

      Perhaps I was not clear enough but I was envisioning a binary blob in the FAT32 system, that was an Ext4 (or whatever) disk image.

      Steve Jobs, is that you ;)

      Seriously, that sounds like the reason why I can't just drag MP3s to an iPod from any OS without Apple software. It's all about security, right? Personally I would take the risk and retain the hack-ability.

  28. CNET ( I know) has this report... external app. by rickb928 · · Score: 1

    CNET reports here that this is an app external to the Android Market, and you had to get it from a malicious (I assume) website.

    I saw one report from a phone user claiming they saw it as a 13kb download that they didn't think they asked for, and deleted it. No idea if that is credible.

    So it does appear, at least for now, that this is not a Market app.

    --
    deleting the extra space after periods so i can stay relevant, yeah.
  29. Sure, but who cares (or knows to care) THEN? by SuperKendall · · Score: 1

    If you look at the screen at all, you can't miss it.

    Even though saying a user "can't miss" something in a list of other things seems wrong to me from direct experience, I'm willing to concede that point.

    Because it does not matter.

    That screen is telling the user that at some theoretical point in the future, the app may want to SMS someone. Well who cares then? The user doesn't know what the app really does yet, perhaps (in the movie player case) it lets them SMS URL's of cool movies. The user has no way at that point to know which features are reasonable for an application; they have not used it yet. So generally they would accept just about anything because they could see they MIGHT want to do something.

    Now consider instead what happens when the user is simply watching a movie or video clip, and all of a sudden they get an alert asking to SMS a number they have never seen. Now the user is thinking "what the hell" and not very likely to agree - they didn't ask to SMS anyone and they just want to get back to the movie. Permission denied.

    I think it's great that Android has these list of abilities and you can turn them off individually (well as a user I think it's great but then developer opinions should not matter). But I do not think the presentation of them is great, no matter how you adorn the more perilous choices.

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
    1. Re:Sure, but who cares (or knows to care) THEN? by nahdude812 · · Score: 1

      Even though saying a user "can't miss" something in a list of other things seems wrong to me from direct experience, I'm willing to concede that point.

      If you read the screen you can't miss it. If you missed it, then you haven't read the screen.

      Your only other choice is to prohibit software from doing things which might not be desirable to the user, including the legitimate uses of software in areas where there is also room for illegitimate uses.

      Personally I prefer to have a choice in what my software can do, and I think Android provides an excellent middle ground. Software is limited to what it advertises that it does. I wouldn't install a music player which has an SMS function. Of course just because this app is poorly disguised doesn't mean another trojan wouldn't be. But still, I'll take software freedom over lack of choice.

    2. Re:Sure, but who cares (or knows to care) THEN? by SuperKendall · · Score: 1

      If you read the screen you can't miss it. If you missed it, then you haven't read the screen.

      Already stated I conceded the point they saw it, and did not care (or could not evaluate).

      Your only other choice is to prohibit software from doing things which might not be desirable to the user

      Wrong. Your OTHER choice is to ask the user at the time the app is trying to do the thing in question the app would like to get permission for - so it would ask when the app tried to send an SMS.

      You wouldn't have to keep asking (Vista) after the first few times it would get a pass. But that would mean a media player you didn't expect to be SMS'ing anyone would not be able to do so.

      Personally I prefer to have a choice in what my software can do

      Me too, that's why I'd like to be able to make an informed choice and not a blind one around what systems an application should be able to access.

      --
      "There is more worth loving than we have strength to love." - Brian Jay Stanley
    3. Re:Sure, but who cares (or knows to care) THEN? by nahdude812 · · Score: 1

      Wrong. your OTHER choice is to ask the user at the time the app is trying to do the thing in question the app would like to get permission for - so it would ask when the app tried to send an SMS.

      This just changes the nature of the trojan, it doesn't protect the user against anything. Particularly since it's impossible to tell from the number whether a text will cost you money.

      As I observed, a media player sending SMS's is a poorly disguised trojan, but what if instead it's an app for which it seems to make sense to send SMS messages? Perhaps it advertises itself as an American Idol Voter app, or perhaps it advertises itself as a Charity SMS Donation app, and so forth. The point being that there are legitimate uses for SMS in applications, and if the app disguises itself as an app which has legitimate uses, the app developer can still screw you over.

      Either the phone will ask every time (frustrating if you're trying to develop a replacement app for the built-in one), in which case it just has to trick the user into agreeing (this is just a different aspect of the same social engineering which the malicious developer already had to engage in), or as you suggest, if it only prompts n times, then the app just has to generate n legitimate seeming SMS's before it sends a flood of malicious ones.

  30. Android needs an application for that? by MatanZ · · Score: 1

    The Nokia N900 has this feature in official firmware.

    1. Re:Android needs an application for that? by SETIGuy · · Score: 1

      Nearly every feature on Android is an app (including the phone dialer), even if it's located in the firmware. I would guess most phones come with the "Music" app in firmware. But that doesn't mean people can't download other music players, install them, and use them. Other players may offer features not found in the standard app (visualizations, equalization, special effects, library management).

  31. Read my post AGAIN by SuperKendall · · Score: 1

    Seriously, that sounds like the reason why I can't just drag MP3s to an iPod from any OS without Apple software. It's all about security, right? Personally I would take the risk and retain the hack-ability.

    I'm not saying you place all files in there, just application binaries.

    Even application writable directories could be on FAT; music would certainly stay there.

    There's no reason you can't leave the SD card generally writable and useful, but still prevent applications from being hacked from within.

    And the reason you can't randomly drag files into an iPod by default is because most users get lost when you start talking about files and where they are. That part is not as much about security as user experience. It's not like you can't buy a music player that does let you drag things into it, Apple simply has no interest in producing a device that you access in that way.

    The inclusion of the iPod is irrelevant though, since we are talking about how to close an Android application security hole.

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
  32. Seems like a lot of fun by Skuld-Chan · · Score: 1

    No trojan would spread all that rapidly unless it was spread via the marketplace, and anyone submitting anything to the marketplace (even free stuff) has to go through a credit background check. Not to mention Google has the ability (and has used it) to remotely wipe programs installed from the marketplace.

    The mark of a good virus is its ability to spread ;).

  33. What freaking app are we talking about?! by MadJo · · Score: 1

    There is something that I miss in all of the reports I've read about this "trojan", they fail to actually name the app that's supposedly causing all this. Seriously, was the application called "fakeplayer" or something?
    It's useful information to know what app is malicious, don't you think? So that you can avoid installing it, or to remove it from your phone before it causes more damage.

  34. Yes, thank you by SuperKendall · · Score: 1

    Finally someone that understands what I am proposing. The only tricky part would be mounting that virtual partition, that would probably require some serious coding somewhere in the Android filesystem to make that work...

    Another cool thing is then you could use this support elsewhere - like a small encrypted data bundle for an application that only it could decode. So it would provide fringe benefits.

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
    1. Re:Yes, thank you by unix1 · · Score: 1

      Finally someone that understands what I am proposing. The only tricky part would be mounting that virtual partition, that would probably require some serious coding somewhere in the Android filesystem to make that work...

      Not as hard as you think. All the tools are already there or readily available.

      You could easily do this yourself on your rooted Android phone.

  35. Revoke permissions by Tekoneiric · · Score: 1

    I've read on some sites that say Android has no way to revoke permissions after an app is installed. Has anyone come up with a way to revoke permissions?

    --
    *It's not what you can do for the Dark Side but what the Dark Side can do for you!*
    1. Re:Revoke permissions by farble1670 · · Score: 1

      I've read on some sites that say Android has no way to revoke permissions after an app is installed. Has anyone come up with a way to revoke permissions?

      it's all or nothing. if you want to install the app, you have to grant it the permissions it asks for. if you don't, it doesn't get installed. to "revoke" the permissions, you uninstall the app.

      pretty hairy job for the developer otherwise ... trying to figure out which combinations of permissions that it wants have been granted and how to gracefully degrade functionality in the face of that.

    2. Re:Revoke permissions by OutOfMyTree · · Score: 1

      Is it possible for a security app to check the sending of SMS and outgoing phone calls and ask for confirmation?
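      The question above and the SuperKendall/nahdude812 exchange in thread 29 (prompt at install vs. prompt at the moment of sending, and the objection that an app which sends n harmless texts first sails through a "first n times" rule) can be checked by simulating the two confirmation policies. The following is an added example and not code from the thread or from any Android component: it is a pure model of the decision logic, since Android gives a third-party app no hook to intercept another app's outgoing SMS, so any real gatekeeper would have to sit in the platform or in a rooted phone's framework. The app name, phone numbers and the "short codes are 4-6 digits" heuristic for premium-rate candidates are constructed assumptions, not facts from the thread.

```python
"""Simulated outbound-SMS gatekeeper comparing two confirmation policies.

Added example, not from the thread. Everything here is a model: the
trace, the numbers and the short-code heuristic are constructed.
"""

SHORT_CODE_MAX = 6  # assumption: premium-rate short codes are 4-6 digits


def is_short_code(dest):
    """Heuristic: an all-digit destination of at most SHORT_CODE_MAX digits."""
    digits = dest.lstrip("+")
    return digits.isdigit() and len(digits) <= SHORT_CODE_MAX


class FirstNPolicy:
    """Prompt for an app's first n sends, then allow everything silently.

    This is the 'ask the first few times, then give it a pass' proposal."""

    def __init__(self, n):
        self.n = n
        self.count = {}

    def decide(self, app, dest):
        seen = self.count.get(app, 0)
        self.count[app] = seen + 1
        return "PROMPT" if seen < self.n else "ALLOW"

    def approve(self, app, dest):
        pass  # approval state is the send count alone; nothing to record


class PerDestinationPolicy:
    """Prompt whenever an app texts a destination the user has not yet
    approved for that app, and always prompt for short codes."""

    def __init__(self):
        self.approved = set()

    def decide(self, app, dest):
        if is_short_code(dest):
            return "PROMPT"
        return "ALLOW" if (app, dest) in self.approved else "PROMPT"

    def approve(self, app, dest):
        self.approved.add((app, dest))


def user_answer(dest):
    """Constructed user model: approves texts to ordinary numbers (a friend's
    number looks legitimate in context) and refuses unknown short codes."""
    return not is_short_code(dest)


# Constructed trace of the behaviour nahdude812 describes: a few plausible
# sends to an ordinary number, then a burst to a short code.
TROJAN_TRACE = [("MediaPlayerX", "+15555550123")] * 3 + [("MediaPlayerX", "7122")] * 5


def simulate(policy, trace, user=user_answer):
    """Run a send trace through a policy.

    Returns counts of prompts shown, sends to short codes that went out with
    no prompt at all, and prompted sends the user refused."""
    prompted = silent_premium = blocked = 0
    for app, dest in trace:
        if policy.decide(app, dest) == "ALLOW":
            if is_short_code(dest):
                silent_premium += 1
            continue
        prompted += 1
        if user(dest):
            policy.approve(app, dest)
        else:
            blocked += 1
    return {"prompted": prompted, "silent_premium": silent_premium, "blocked": blocked}


if __name__ == "__main__":
    print("first-3-then-allow :", simulate(FirstNPolicy(3), TROJAN_TRACE))
    print("per-destination    :", simulate(PerDestinationPolicy(), TROJAN_TRACE))
```

      With the constructed trace the "first three" policy shows three prompts and then lets all five short-code texts out unseen, while the per-destination policy prompts on the first text to the friend's number and on every short code, so nothing reaches the premium number without the user saying yes. That still leaves the social-engineering point standing: the second policy only moves the decision to where the user has context; it does not decide for them.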

  36. Advertisements open a hole by OutOfMyTree · · Score: 1

    Yes, we should all read the permissions that an app requires. But, recently, a lot of free apps are advertisement supported. And those ask for full Internet access to fetch the ads. This seems a hole that is hard to block.

  37. meh.. by gleffler · · Score: 1

    The thing that annoys me the most about Android's permissions model is that it's all-or-nothing -- you either grant every single permission in the manifest or you grant none of them and then don't get to install the app.

    I'd much much much prefer being able to say "no, this dumb widget does not need to access my location (ads) or know my phone number (ads)" or "no, this 'trojan' does not need to be able to send SMS". But, you can't - you either grant access to everything, or you can't install the app. I was very disappointed by that.