Slashdot Mirror


Exploits Propagated Via Social Media Increase

Orome1 writes "Infection via email, traditionally the most popular vector for spreading malware, has declined in favor of greater use of social media. These include clickjacking attacks using the Facebook 'Like' button, fake Web pages positioned on search engines (BlackHat SEO), and zero-day vulnerability exploits. The rise in popularity of smart phones powered by Google's Android operating system for smart phones has been accompanied by an increase in attacks targeting these devices. A number of different threats have appeared, primarily aimed at racking up phone bills or using the geolocalization function to transmit a user's position to a third party."

28 comments

  1. Google Android Exploits by savanik · · Score: 2, Interesting

    And here I am with an android phone that's running 1.5 because the vendor refuses to release any more updates for this 1-year old model of phone.

    Oh, wait, that's right, I already rooted and upgraded to 2.2. Never mind.

    1. Re:Google Android Exploits by Anonymous Coward · · Score: 0

      And here I am with an android phone that's running 1.5 because the vendor refuses to release any more updates for this 1-year old model of phone.

      I have t-mobile too.

    2. Re:Google Android Exploits by dieth · · Score: 1

      Gogo Telus HERO... Fucking Telus, even MEXICO has Android 2.1 on their Hero

  2. Android default permissions by Anonymous Coward · · Score: 0, Troll

    As I said in the last Android article, all apps have access to your sdcard, and to your identity (esn/imei/meid/phone number). Once you give an app permission to access the internet, your identity and sdcard contents are public. Go in to the Market and search for pub:"Adao Team" and look at the permissions on their app called "File Manager". It only asks for internet access, install shortcuts, and kill background processes. I bet it can access the sdcard even though it doesn't ask for it. It would be useless if it couldn't access the sd card.

    1. Re:Android default permissions by morgan_greywolf · · Score: 1

      As I said in the last Android article, all apps have access to your sdcard, and to your identity (esn/imei/meid/phone number)

      The Android Developer reference says otherwise:

      A basic Android application has no permissions associated with it, meaning it can not do anything that would adversely impact the user experience or any data on the device. To make use of protected features of the device, you must include in your AndroidManifest.xml one or more tags declaring the permissions that your application needs.

    2. Re:Android default permissions by AnonymousClown · · Score: 1

      The reference may say otherwise, but what about in practice? Meaning, maybe there's a bug that allows the access.

      --
      RIP America

      July 4, 1776 - September 11, 2001

    3. Re:Android default permissions by Anonymous Coward · · Score: 3, Insightful

      And actually using an Android phone says otherwise. Just install a simple app like "Text Edit" by Paul Mach - easy to find on the market. Before installing, hit the menu softkey, then the security icon that pops up. It will say "No permissions required."

      Use it, save a file. Where does the file end up? On your SD card. How did it do that?

      Now go to the homescreen, hit menu, applications, manage applications, text edit. Scroll down and what do we see under permissions? "modify/delete SD card contents" and "read phone state and identity". Permissions you were NOT warned about during the install.

      This isn't Paul Mach's fault. I just used his app as an example. This is Google's fault and they need to fix Android security!

    4. Re:Android default permissions by _Sprocket_ · · Score: 1

      Now go to the homescreen, hit menu, applications, manage applications, text edit. Scroll down and what do we see under permissions? "modify/delete SD card contents" and "read phone state and identity". Permissions you were NOT warned about during the install.

      Is this more of an issue with the Market (which is, of course, Google's to fix)?

    5. Re:Android default permissions by morgan_greywolf · · Score: 2, Interesting

      Yet, the application must have requested WRITE_EXTERNAL_STORAGE in its Manifest.xml. If Market didn't tell you about it, that's a Market issue.

      All applications can READ from the external storage, which is considered public. Private data, OTOH, is required to be stored on the internal storage. This is specifically mentioned in the Developer Guide. If an app is storing private data on the external storage, then you need to tell the author that he or she is stupid. You can, of course, always remove files from the public storage by mounting the SD card on a PC.

    6. Re:Android default permissions by Anonymous Coward · · Score: 3, Interesting

      Market and Android are one and the same. You can argue all day about how the documentation says this, and the AOSP code doesn't contain that, but at the end of the day, any Android device worth using has the Market app on it. People install apps through the market and have no idea that (#1) apps like "Text Edit" that didn't even ask for SD card permissions might save their documents on the SD card, and (#2) that any app that requests internet access will be able to upload those documents along with your phone number and ESN out to some sleazy server on the internet.

      The expected behavior would be that an app that doesn't request SD card writing can't save to the SD card, and that an app that doesn't request permission to read your phone's identity won't know it.

      Google has failed us. I love my Android phone, and I hope Google fixes this problem.
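
The sub-thread above describes permissions that appear under "Manage applications" although the app declared none at install time. The following added example (not code from any poster or from Android itself) shows one documented Android compatibility rule that produces this pattern: apps whose targetSdkVersion is 3 or lower are implicitly granted WRITE_EXTERNAL_STORAGE and READ_PHONE_STATE. It assumes the manifest has already been decoded to plain-text XML; both sample manifests and their package names are constructed, and whether the rule applies to the apps named in the comments is not established on this page.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Both permissions were introduced in API level 4 (Android 1.6). Android's
# documented compatibility rule grants them implicitly to apps whose
# targetSdkVersion is 3 or lower, without any <uses-permission> element.
LEGACY_IMPLICIT = {
    "android.permission.WRITE_EXTERNAL_STORAGE": 4,
    "android.permission.READ_PHONE_STATE": 4,
}

def effective_permissions(manifest_xml):
    """Return (declared, implicit) permission sets for a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    declared = {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}
    declared.discard(None)
    min_sdk, target_sdk = 1, None          # platform default: minSdkVersion 1
    uses_sdk = root.find("uses-sdk")
    if uses_sdk is not None:
        min_sdk = int(uses_sdk.get(ANDROID_NS + "minSdkVersion", "1"))
        raw = uses_sdk.get(ANDROID_NS + "targetSdkVersion")
        target_sdk = int(raw) if raw is not None else None
    if target_sdk is None:
        target_sdk = min_sdk               # targetSdkVersion defaults to minSdkVersion
    implicit = {p for p, api in LEGACY_IMPLICIT.items()
                if target_sdk < api and p not in declared}
    return declared, implicit

# Constructed manifests (hypothetical packages, not taken from any real app).
LEGACY_EDITOR = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.legacyeditor">
  <application android:label="Legacy Editor"/>
</manifest>"""

MODERN_EDITOR = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.moderneditor">
  <uses-sdk android:minSdkVersion="4" android:targetSdkVersion="8"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Modern Editor"/>
</manifest>"""

if __name__ == "__main__":
    for name, xml in (("legacy", LEGACY_EDITOR), ("modern", MODERN_EDITOR)):
        declared, implicit = effective_permissions(xml)
        print(name, "declared:", sorted(declared), "implicit:", sorted(implicit))
```

A reviewer comparing an install-time prompt with the installed app's permission list can use the `implicit` set to tell a compatibility grant apart from a permission the developer actually requested.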

  3. Kind of humorous, actually by WillAffleckUW · · Score: 1

    Today the guys trying to force Seattle to give away public park land to a Chihulhy museum hacked the social media SLOG site poll to "fix" a poll that was going heavily against them.

    Link as follows: Chihulhy.com hacks SLOG poll as they lose to Tiger Breeding option

    Very sad.

    But the Android OS holes and exploits are more likely due to its popularity amongst tech geeks.

    In my personal experience, most people prefer the iPhone, but I always say if you're a tech geek, you should opt for the Android instead, cause it's what YOU want.

    --
    -- Tigger warning: This post may contain tiggers! --
  4. Why does Facebook allow the fake "Like" apps? by swb · · Score: 1

    They're really deceiving.

  5. AVG 2011 by Anonymous Coward · · Score: 0

    AVG antivirus 2011 is supposed to offer some kind of new protection thing for social networking sites. Presumably its previous surf shield and link scanner stuff weren't good enough.

    1. Re:AVG 2011 by hairyfeet · · Score: 1

      Or you can use Comodo which is also free and sandboxes everything by default. As for TFA? Social media is gonna be THE way to infect systems, mark my words. As a PC repairman I can tell you that people seem to lose their damned minds when using that crap. I'm talking about clicking on ANY link, opening ANY file, man, just when I had most of them trained not to do stupid shit like open emails from people they didn't know, here comes all this FB IM and junk and suddenly all those lessons seemed to be gone out the window. They act like because it is "social" all those lessons don't mean jack anymore, like FB and these other sites are gonna "protect" them or something. Sheesh. I swear for the next couple of years social anything is gonna be a scammer's paradise, as at least the folks I deal with act like all those "no nos" they learned about the web in general don't apply to things like FB and twitter.

      It is even worse with their cell phones, as they assume ANYTHING you find in an "app store" must be safe. They don't ever read the EULA, just blindly click through everything without a thought, man it is a mess. As much as I hate the Apple "walled garden" approach I think that is the only way to keep the cell networks from ending up zombie heaven, as folks just don't seem to be able to accept that a phone can be every bit as powerful and as vulnerable as a PC, even though the average smart phone today is more powerful than my first 4 Windows PCs put together. But you even try to tell them their phone has an OS and their eyes just kind of gloss over. To them it is a "screen with buttons" and trying to explain to them the importance of good practices with their phones is like talking to a wall. Ugh.

      Not trying to be mean here, but if you'd had to deal with as many "security tool" infections as I have which always seems to start with "but (insert friend) sent me a link on (insert FB/Twitter/other social site) so I thought it HAD to be safe!" you'd be a little cranky too. Maybe someone should do a study on why using the word "social" makes everyone forget even the most basic security and act like they have never touched a PC before.

      --
      ACs don't waste your time replying, your posts are never seen by me.
  6. Bounce around much? by Galestar · · Score: 4, Interesting
    The title of TFA is "E-mail infections decline as exploits propagated via social media increase"

    yet it likes to bounce around to

    "The rise in popularity of smart phones powered by Google's Android operating system for smart phones has been accompanied by an increase in attacks targeting these devices."

    Then to

    There has also been a great deal of commotion around two serious zero-day flaws in Microsoft OS code, one of which was exploited to attack SCADA systems (specifically in, nuclear power stations).

    This article really has nothing to say about the rise of use of social media as a vector, other than mentioning the recent twitter exploits--in the last paragraph. Why did this article make it to the front page again?

    --
    AccountKiller
    1. Re:Bounce around much? by BJ_Covert_Action · · Score: 1

      Why did this article make it to the front page again?

      Because it falls right in line with the, "We're all screwed. The world is going to end. Tomorrow is worse than yesterday. The fall of civilization is on the horizon. DOD has adopted perl as its primary nuclear arsenal launch control language..." theme that is so prevalent in news these days.

    2. Re:Bounce around much? by apoc.famine · · Score: 1

      Yet another example of how the editing of this website is solely focused on adviews, and nothing else. I'm looking for a new website, as are quite a few others. Any ideas?

      --
      Velociraptor = Distiraptor / Timeraptor
  7. Zero Day Exploits by Swanktastic · · Score: 1

    Zero Day Exploits don't seem to have anything to do with Social Media, even though thrown in as a subcategory.

  8. Duh by Spad · · Score: 3, Insightful

    People with nefarious goals target massively popular services with shitty security and largely uninformed users. Film at 11.

  9. Statestheobviousman by Idiomatick · · Score: 3, Insightful

    "The rise in popularity of smart phones powered by Google's Android operating system for smart phones has been accompanied by an increase in attacks targeting these devices."

    In other news, the rise in people having unprotected sex resulted in a rise in pregnancies.

    And a rise in the number of boaters has increased the number of boating accidents.

  10. Social Media? Gr8 by ls+-la · · Score: 3, Funny

    In true slashdot fashion, I haven't RTFA. However, I see a number of people saying the article mentions attacks targeted at social media, android phones, and microsoft. As I don't use any of these, I would like to tell the hackers: Great! Keep up the good work.

  11. No way! by RocketRabbit · · Score: 2, Insightful

    I say no way! Nobody could be pirating my clicks. /drools and goes back to raising virtual pigs and sending virtual gifts to virtually unknown "friends."

  12. Comment Count by cosm · · Score: 2, Insightful

    As of posting I see 21 comments for this story, ~5 hours after its initial posting. Conclusion: Nobody cares and/or nobody empathizes with those affected by said malicious exploits propagated via social media.

    Hell, if anything, I call it digital natural selection. Taking out the weak and ignorant one Like at a time.

    --
    'We are trying to prove ourselves wrong as quickly as possible, because only in that way can we find progress.' RPF
    1. Re:Comment Count by Anonymous Coward · · Score: 0

      No, it's because they are all busy wiping viruses out of their computer.

    2. Re:Comment Count by thijsh · · Score: 1

      Hell, if anything, I call it diggital natural selection. Taking out the weak and ignorant one Like at a time.

      FTFY

    3. Re:Comment Count by Anonymous Coward · · Score: 0

      It will be interesting to see how social networking mixed with data gathering will pinpoint the social weaknesses out there...

      The worry for me is that if data can flow between 'friends' on these social networking sites, what happens when someone makes a bug that can propagate across all the friends... and friends of friends? It means a lot more people become infected much more quickly? How many users are there on Facebook again?

      Viagra!!Grow your penis, Suzy wants to speak to you, Hi (SOUND FAMILURE, or is that just what data that's been gathered about me assumes?).

  13. Twatter, Facebook - are for wankers anyway. by dogzdik · · Score: 0
    Malware and hoaxes and scams via social media?

    .

    Who cares.... IF you really need to have an actual, real world, face to face relationship with another person, and you have a legitimate basis for that relationship..... PERHAPS Facebook may be OK, but try writing a real letter to them with some photos in it. Email them. Phone them.

    --

    .

    Voting up, Voting down - If I really gave a fuck about your approval or not, I'd come and ask you.