Slashdot Mirror


Mobile Spyware Conferences Into Your Calls

wiredmikey writes "Reports of Multiple Variants of Android Virus 'Hong Tou Tou' are showing up, which has mainly been working its way onto smartphones via alternative app marketplaces. Today, we saw reports of a new variant of spyware "Spy.Felxispy" targeting Symbian devices, identified by the National Computer Virus Emergency Response Centre of China. More than a dozen variants of the spyware have emerged since the first was spotted, and the latest has affected 150,000+ devices. Once installed, the spyware will turn on the Conference Call feature of the device without users' awareness. When users are making phone calls, the spyware automatically adds itself to the call to monitor the conversation."

105 comments

  1. Virus? by ErroneousBee · · Score: 1

    Pray tell. How does this virus propagate?

    --
    **TODO** Steal someone else's sig.
    1. Re:Virus? by v1 · · Score: 2

      There was an article recently about malware being highly prevalent in wallpaper packs. Malware authors would download the packs, jimmy their spyware payload into the installer, and repost it somewhere else, sometimes under the same name.

      One of the disadvantages for an unlocked system, you are now placing the user primarily in charge of the security of the system. That's very hard to get right.

      --
      I work for the Department of Redundancy Department.
    2. Re:Virus? by slashgrim · · Score: 1

      Pray tell. How does this virus propagate?

      Spyware not virus. From article, "the cybercriminals usually install the spyware on the phone or send MMS containing the spyware to users to lure them to click."

    3. Re:Virus? by joeytmann · · Score: 0

      I know most /.ers don't RTFA, but not even reading the OP.....wow. Sorry, that's probably uncalled for. Anyways, it is being "spread" by people downloading it from alternative app marketplaces.

      --
      Insert funny smart-ass comment here.
    4. Re:Virus? by Anonymous Coward · · Score: 0

      GP is being Informative-Sarcastic to show the OP is wrong about calling it a Virus.

    5. Re:Virus? by Galestar · · Score: 1
      Nice to see you RTFA, but apparently you missed the title:

      Multiple Variants of Android Virus 'Hong Tou Tou' Surface in China

      --
      AccountKiller
    6. Re:Virus? by ErroneousBee · · Score: 5, Insightful

      I know most /.ers don't RTFA

      I was just leading readers along a path that ends with questioning the alarmist nature of the SecurityWeek article.

      It's not a Virus, it doesn't propagate itself. You only get this Trojan by going to an unsecured website (A Chinese one at that) and downloading it from there.

      In other news, iPhones are dangerous when eaten.

      --
      **TODO** Steal someone else's sig.
    7. Re:Virus? by Anonymous Coward · · Score: 0

      I was looking for something for lunch, guess it won't be my phone now... You may have just saved my life!

    8. Re:Virus? by Bill_the_Engineer · · Score: 1

      I agree that this sounds more like a trojan.

      Maybe "BD.HongTouTou.A" and "BD.HongTouTou.B" propagate within a server hosting the app market place by infecting the android packages being distributed. A mother virus called "BD.HongTouTou" that injects its payload of "BD.HongTouTou.A" or "BD.HongTouTou.B" into android packages. I find this unlikely.

      This should serve as an example of why you should be wary of what app marketplace you use.

      --
      These comments are my own and do not necessarily reflect the views or opinions of my employer or colleagues...
    9. Re:Virus? by CatBandit · · Score: 1

      But I ask the same I asked in the last Android trojan discussion here:

      - On Android the app was installed from a bogus marketplace, so if I do not change this default android restriction (you are not able to install apps out of official marketplace without explicitly changing configuration with a beautiful warning), how is this a problem to a "normal" (maybe security conscious) user ? When you give a certain degree of freedom in a device, incautious users are able to make these things even after several warnings against this.

      - Is the issue Similar in the symbian OS ?

    10. Re:Virus? by CastrTroy · · Score: 0

      Same could be said about HIV. You only get the virus through your own actions. Such is the meaning of the A in AIDS. Acquired means that you have to do something active to get it. It doesn't just get passed around in the air. Does the fact that something doesn't replicate without human intervention make it not a virus? The wallpaper file itself is not a virus, but the whole infrastructure set up around the file enticing people to download and install the file, could indeed be characterized as a virus. Is an EXE not a virus if you have to click on the EXE in the first place to infect your computer? Unless we are talking about worms, which actually infiltrate the system without any user action at all, most viruses require user interaction of some sort.

      --

      Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
    11. Re:Virus? by Anonymous Coward · · Score: 1

      Nice to see you RTFA, but apparently you missed the title:

      Multiple Variants of Android Virus 'Hong Tou Tou' Surface in China

      Viruses technically need to be capable of self replication according to the dictionary definition. Although the term 'virus' is now being used more generically to refer to any kind of nasty computer program but I do see the parent's point.

    12. Re:Virus? by JamesP · · Score: 1

      Yes

      And if you allow a 'wallpaper pack' permission to access the network, really?!

      Ok, scratch that, if you download a 'wallpaper pack' instead of picking photos on flickr you deserve it

      --
      how long until /. fixes commenting on Chrome?
    13. Re:Virus? by drinkypoo · · Score: 1

      We're talking about computer viruses, which are distinct from worms or trojans; all of them fall under the collective umbrella of the term "malicious software". Wikipedia probably has more info.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    14. Re:Virus? by ErroneousBee · · Score: 2

      You only get the virus through your own actions.

      Haemophiliacs, rape victims, children of HIV positive mothers.

      The defining characteristic of a virus is that it makes copies of itself and broadcasts them around to hopefully contact and infect the next host.

      The defining characteristic of a Trojan Horse is that it presents itself as a benign object and waits for an unwary administrator to install it within a defensive perimeter.

      An EXE is not a virus if it does not attempt to broadcast itself to the next host.

      --
      **TODO** Steal someone else's sig.
    15. Re:Virus? by Anonymous Coward · · Score: 0

      +1 to the enormous pile of evidence that IQ is drastically inverse-proportional to the amount of time invested in "themes" and "wallpaper".

    16. Re:Virus? by Anonymous Coward · · Score: 0

      Same could be said about HIV. You only get the virus through your own actions. Such is the meaning of the A in AIDS.

      Explain that to HIV-positive children in Africa born to HIV-positive mothers.

      You might as well just go back to calling it GRID with that attitude (Gay-Related ImmunoDeficiency for anyone who doesn't remember).

    17. Re:Virus? by Anonymous Coward · · Score: 0

      How would you recommend implementing a wallpaper gallery application with hundreds or thousands of pictures in a reasonable size without using network access?

    18. Re:Virus? by WrongSizeGlass · · Score: 1

      I'm getting an Android! Finally, I can get a 3-way going during phone sex :-)

    19. Re:Virus? by Reece400 · · Score: 1

      It's a problem because your call is being listened in on by spyware on the phone of the non-security conscious user you just called?

    20. Re:Virus? by Kosi · · Score: 1

      Same could be said about HIV. You only get the virus through your own actions.

      Do you consider getting stabbed by a junkie with an infected needle, or receiving an infected blood conserve (like it happened to a friend of my father) really "your own" actions? Or getting born with it (400,000 kids just in Africa in 2009, source: Wikipedia article about BornHIVFree)?

    21. Re:Virus? by gl4ss · · Score: 1

      you install it. that's how mobile malware has worked for the past 10 years. it's just that some android marketplaces have no upload checks of any kind.

      i'm baffled by the summary a bit though, as there is no mention of the obvious problems with conferencing the calls of 150 000+ people and the problem of being tracked down.

      --
      world was created 5 seconds before this post as it is.
    22. Re:Virus? by CatBandit · · Score: 1

      You are correct.

      Then it's the same it happens with email. Only one email fellow with a trojan makes you receive a lot of Spam.

      It's time to educate people you talk to the same way you try when you are talking with email fellows.

      I understand what you say, but installing an app out of official Marketplace cannot be seen as an accidental trojan infection (at least in my personal experience), you have to disable a couple of settings to be able to do so in a stock phone, so when someone does this it really wants that bogus app, then we have arrived at a social issue.

    23. Re:Virus? by Gizzmonic · · Score: 1

      How would you recommend implementing a wallpaper gallery application with hundreds or thousands of pictures in a reasonable size without using network access?

      Psst. Your phone has this thing called "flash memory." It may even have something called an "SD slot." Google around and maybe you'll figure something out.

      --
      (-1, Raw and Uncut is the only way to read)
  2. Well... by grub · · Score: 2


    Say what you will about Apple's "walled garden" but I don't hear of such things on their AppStore.

    --
    Trolling is a art,
    1. Re:Well... by tepples · · Score: 1

      Say what you will about Apple's "walled garden" but I don't hear of such things on their AppStore.

      Which doesn't mean it isn't happening. At least with Android, when you install an application from Market, AppsLib, or APK, it tells you what privileges the application wants.

    2. Re:Well... by vladmihaisima · · Score: 0

      For sure you will not hear of alternative app markets either, will you ?

    3. Re:Well... by countertrolling · · Score: 1

      Hee hee... They're just better at covering their tracks :-)... or... Apple does the spying for them. One thing is certain, smart phone, dumb phone, your call isn't private.

      --
      For justice, we must go to Don Corleone
    4. Re:Well... by grub · · Score: 1

      Sure I have. I have Firewall-IP from Cydia and block oodles of "call home" connection attempts.

      --
      Trolling is a art,
    5. Re:Well... by slashgrim · · Score: 4, Insightful

      Say what you will about Apple's "walled garden" but I don't hear of such things on their AppStore.

      It happens just by businesses rather than "cybercriminals" http://www.readwriteweb.com/archives/dear_iphone_users_your_apps_are_spying_on_you.php And of course all platforms have had some sort of remote exploit http://news.cnet.com/8301-27080_3-10299378-245.html Conclusion: "walled gardens" for apps just provide a feeling of security, while giving up the user-freedom of installing any app. Personally I prefer the freedom and am (so far) very happy with the homebrew community support offered by Palm (and now HP) http://www.precentral.net/hp-donates-server-homebrew-webos-internals-group

    6. Re:Well... by netsharc · · Score: 1

      Unfortunately Android still doesn't have BlackBerry's feature: allow or deny individual privileges (or prompt on each request).

      So if you have an online game that wants network access and for some reason, access to your contact list, on Blackberries you can say "Ok for network, deny for contact list", and the application gets a AcccesDeniedException when it tries to open the contact list.

      And all that from "outdated" technology!

      --
      What time is it/will be over there? Check with my iPhone app!
    7. Re:Well... by sockman · · Score: 1

      I would love to see that on Android, but they would have a problem with people denying for full internet access, when the app is ad-supported. So they would need to separate the channel for ads and other internet access.

    8. Re:Well... by Zelgadiss · · Score: 1

      It isn't happening on Google controlled Android market either. /shrug

      Let's just be thankful it's a virus that spreads due to user carelessness and not one that spreads via a weakness in Android's security.

      The latter one is going to be a bitch to patch with Android's "unreliable" updating on various phones.

    9. Re:Well... by jdgeorge · · Score: 1

      Agreed. The solution should be "if access to ad network is denied by client, exit app gracefully."

    10. Re:Well... by peragrin · · Score: 1

      what happens when you have no network access?

      There are thousands of square miles of NY State(home of 22 million people) that at best can get voice cellular service. Regions with Million dollar homes and property values of 100k an acre and the best cell coverage they get is phone calls if you're lucky. It doesn't matter verizon, AT&T they all suck the same in those areas.

      If the app when there is no ad network then huge sections of the USA won't be able to run the app.

      --
      i thought once I was found, but it was only a dream.
    11. Re:Well... by node+3 · · Score: 1

      Say what you will about Apple's "walled garden" but I don't hear of such things on their AppStore.

      Which doesn't mean it isn't happening. At least with Android, when you install an application from Market, AppsLib, or APK, it tells you what privileges the application wants.

      Actually, it does mean exactly this, that it isn't happening. iOS apps *can't* secretly force you into conference calls. Also, are you saying this app asked for "permission to secretly initiate conference calls"?

      The fact is, we *know* about these things happening on Android. They seem to crop up more than once a month. It's technically *possible* there's something similar happening on iOS, but it's irrational to assume this, because there is absolutely no evidence whatsoever of anything like this happening at all. You're trying to equate something that actually exists with something that might be possible, but is entirely non-indicated.

    12. Re:Well... by node+3 · · Score: 1

      I'm totally fascinated by this logic:

      1. Yay, Android has alternative markets, iOS doesn't!
      2. [virus on alternative markets]
      3. iOS doesn't have alternative markets, yay for Android!

      ???

      That's like saying Firefox sucks because it doesn't have ActiveX.

    13. Re:Well... by Anonymous Coward · · Score: 0

      We know it is happening on the android because people with half a brain who download the app see the prompt saying "this wallpaper pack would like access to your network and phone-calls", and it is being announced and blown out of proportion. Yes they exist, just like linux viruses exist. I'd say most likely however there is a very small percentage of users who both.

      1. Lack the knowledge to notice when an app is asking for outrageous privileges.

      2. Possess the knowledge and desire to look for apps outside of Android's official marketplace.

      You hear about the viruses because it is newsworthy that they exist, both by propagandists, and security experts who want people to know phones are not invincible, yet you know one thing that isn't pointed out by either, a report of more than 10 victims for any virus

    14. Re:Well... by jschmitz · · Score: 1

      Wait...someone bought a Palm?!?!?!?!?

    15. Re:Well... by thegarbz · · Score: 1

      Don't hear such things from the Android Market either. But root your iPhone and start trolling bittorrent for a pack of 3000 pirate apps and you'll likely pick up the same viral crap there.

      What I say about the walled garden is that the stupidly tight controls do not provide sufficient benefits. Simple quality control such as *this is virus* or *this is not virus* of the Android Market provide exactly the same benefits without having to turn over your soul to the will of Evil Genius Jobs. That and the bouncing boobies app is available on the Android Market too, as are any number of countless inert and harmless / legitimate apps that don't make it through Jobs' magic checklist.

    16. Re:Well... by Amouth · · Score: 1

      i have a co worker who is on his 4th palm pre.. he got it because they were offering free tethering if you got one.. but the damn thing keeps dying on him.

      it isn't that bad of a device.. but by god is it lacking in some of the more basic user interface bits.

      --
      '...if only "Jumping to a Conclusion" was an event in the Olympics.'
    17. Re:Well... by node+3 · · Score: 1

      That's quite a roundabout way of saying "there is serious malware for Android, and not for iOS, and this is directly related to the closed App Store model compared with the open Android model."

      That's the dishonesty of most Android fans. They play up the openness (which is valid) without being honest about the downsides. Sure, a vigilant geek can traverse these dangers while simultaneously taking advantage of Android's openness, but the average person can't. Why should they take risks they can avoid for benefits they can't really utilize?

      So, why not be honest? Why not own up to Android's strengths *and* its weaknesses? iOS's strengths are primarily consumer-centric, and its weaknesses primarily geek-centric, and with Android it's the other way round. Why is it so difficult for some people to accept this?

    18. Re:Well... by Anonymous Coward · · Score: 0

      It runs rampant in the many jailbroken appstores.
      Strange unsafe android marketplace sources=strange unsafe cydia sources

    19. Re:Well... by pandrijeczko · · Score: 1

      That's because you need a working antenna to be able to make the calls that can be conferenced into in the first place.

      --
      Gentoo Linux - another day, another USE flag.
    20. Re:Well... by Kompressor · · Score: 1

      I suspect that with the above system, there would be a different exception thrown for "no TCP/IP network access available" vs. "app is denied access to TCP/IP stack".

      --
      kmem russian roulette: Aquillar> dd if=/dev/urandom of=/dev/kmem bs=1 count=1 seek=$RANDOM
    21. Re:Well... by Ol+Olsoc · · Score: 1

      Coming Next, Symantec for Android! Soon in addition to IT departments, we'll be hiring people to keep people's phones running - removing viruses, unbricking phones after updates kill them. The mind boggles at this new growth industry.

      --
      The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
    22. Re:Well... by Gizzmonic · · Score: 1

      The Pre has the best user interface and it's the most hacker-friendly phone as well. But why would anyone on Slashdot be interested in that?

      --
      (-1, Raw and Uncut is the only way to read)
  3. Listening to by NEDHead · · Score: 1

    My conversations is so boring that I sometimes don't even pay attention myself

  4. I hate to say it by drhamad · · Score: 3, Interesting

    Was Steve Jobs right? Is a single, restrictive & tested, marketplace the way to go?

    --
    -Daniel
    1. Re:I hate to say it by DRMShill · · Score: 1

      No

    2. Re:I hate to say it by Anonymous Coward · · Score: 0

      For users not advanced enough to be trusted to admin their own net-connected device, of course.

    3. Re:I hate to say it by Haedrian · · Score: 3, Insightful

      Nope.

      Non-techy users can still use Android marketplace. If you believe yourself to be a tech user and want to try something else, you can feel free to do so. But it's your risk.

      Also there are tons of other reasons why a closed up marketplace sucks. If you don't want to pay the 30% to apple and sell the product from your own website - tough luck! Amazon is planning their own app store - they can't do it with apple.

    4. Re:I hate to say it by Anonymous Coward · · Score: 0

      >If you believe yourself to be a tech user
      Perhaps you should look up the Dunning-Kruger effect. People think they're more competent than they really are.

    5. Re:I hate to say it by slashgrim · · Score: 1

      Was Steve Jobs right? Is a single, restrictive & tested, marketplace the way to go?

      No. Malware can get into a single market just by businesses rather than "cybercriminals" http://www.readwriteweb.com/archives/dear_iphone_users_your_apps_are_spying_on_you.php [readwriteweb.com] And of course all platforms have had some sort of remote exploit http://news.cnet.com/8301-27080_3-10299378-245.html [cnet.com] Conclusion: a "single, restrictive & tested, marketplace" just provides a feeling of security, while giving up the user-freedom of installing any app. I prefer the freedom and am (so far) very happy with the homebrew community support offered by Palm (and now HP) http://www.precentral.net/hp-donates-server-homebrew-webos-internals-group [precentral.net] Techy users should be able to install whatever homebrew app they want...just understanding "no lifeguard on duty."

    6. Re:I hate to say it by Dunbal · · Score: 1

      These are also the kind of people who also need training wheels on their inappropriately named bicycles and warning labels on their plastic bags and even then manage to get into trouble.

      --
      Seven puppies were harmed during the making of this post.
    7. Re:I hate to say it by Reapman · · Score: 1

      As others have already said.. No. This involves using a 3rd party (non official) market, which requires you to set your phone to enable 3rd party downloads. You have to go through hoops to make this happen. It's possible that phones out there in China come like this, however it's quite possible your HiPhone4 isn't really an iPhone too...

      I'm not aware of this happening on the official Android market, and in fact would be rather difficult. These guys are taking Market apps and repackaging them with the spyware crap, then loading them on 3rd party markets where that app doesn't already exist.

      The iPhone approach prevents various markets from even existing (you can install any web browser on the iPhone as long as it's their web browser), and are at the mercy of their sometimes psychotic approval process.

      I want Apple telling me what I can install on my phone as much as I want Microsoft doing this.

    8. Re:I hate to say it by JamesP · · Score: 2

      If you really want to sell, the 30% is going to be paid by the user, not you...

      Besides, ok, suppose you want to deal with everything: set up servers, CC processing, billing, etc, etc you'll start to think the 30% is a good deal

      Been there, done that, etc

      --
      how long until /. fixes commenting on Chrome?
    9. Re:I hate to say it by Archangel+Michael · · Score: 1

      How, exactly, do you tell if what you're downloading is infected with a trojan such as this? Permissions list is nice, but doesn't tell the whole story. Who inspects the packages being uploaded to the unsavory store you're about to download from? I'm certain you don't inspect the contents of every app you're downloading.

      I know plenty of people who download crap because "it is free", from all sorts of places who get infected by all the crap that is out there. I usually tell them "it's not free", that it costs them in infections and stolen identity or empty bank accounts. They just don't care, all they see is "free" and clickety click ..

      There is no real good answer, because on the one hand, we don't want the walled iApp garden approach, but on the other hand we don't want a bunch of rooted Androids screwing life for the rest of us.

      --
      Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
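
Added example (not part of the original thread or of any project mentioned in it): the repackaging described in the comments above usually shows up in the app's manifest, so one check a reviewer can run is to diff the decoded `AndroidManifest.xml` of a download against the original release. Both manifests and the `com.example.wallpapers` package are constructed samples, and the `SENSITIVE` list is this example's own selection.

```python
"""Diff a candidate APK's decoded manifest against the known-good original."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")

# Permissions relevant to call monitoring and SMS abuse. This is the
# example's own selection, not an official risk ranking.
SENSITIVE = {
    "android.permission.CALL_PHONE": "places calls without the dialer UI",
    "android.permission.PROCESS_OUTGOING_CALLS": "observes or redirects outgoing calls",
    "android.permission.READ_PHONE_STATE": "reads call state and device identifiers",
    "android.permission.RECORD_AUDIO": "records from the microphone",
    "android.permission.SEND_SMS": "sends text messages",
    "android.permission.RECEIVE_SMS": "reads incoming text messages",
    "android.permission.READ_CONTACTS": "reads the address book",
}

# Constructed sample: manifest of the original wallpaper app.
ORIGINAL_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.wallpapers">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SET_WALLPAPER"/>
  <application>
    <activity android:name=".GalleryActivity"/>
  </application>
</manifest>
"""

# Constructed sample: the same package as found on a third-party market.
REPACKAGED_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.wallpapers">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SET_WALLPAPER"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.PROCESS_OUTGOING_CALLS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application>
    <activity android:name=".GalleryActivity"/>
    <receiver android:name=".BootReceiver"/>
    <service android:name=".SyncService"/>
  </application>
</manifest>
"""


def parse_manifest(xml_text):
    """Return package name, requested permissions and declared components."""
    root = ET.fromstring(xml_text.strip())
    permissions = set()
    for element in root.iter("uses-permission"):
        name = element.get(ANDROID_NS + "name")
        if name:
            permissions.add(name)
    components = set()
    for tag in COMPONENT_TAGS:
        for element in root.iter(tag):
            name = element.get(ANDROID_NS + "name")
            if name:
                components.add((tag, name))
    return {
        "package": root.get("package"),
        "permissions": permissions,
        "components": components,
    }


def diff_manifests(original_xml, candidate_xml):
    """Report what the candidate requests or declares beyond the original."""
    original = parse_manifest(original_xml)
    candidate = parse_manifest(candidate_xml)
    added_permissions = candidate["permissions"] - original["permissions"]
    added_components = candidate["components"] - original["components"]
    sensitive_added = sorted(p for p in added_permissions if p in SENSITIVE)
    return {
        "same_package": original["package"] == candidate["package"],
        "added_permissions": sorted(added_permissions),
        "sensitive_added": sensitive_added,
        "added_components": sorted(added_components),
        # Any new sensitive permission or new component warrants a closer look.
        "suspicious": bool(sensitive_added or added_components),
    }


if __name__ == "__main__":
    report = diff_manifests(ORIGINAL_MANIFEST, REPACKAGED_MANIFEST)
    print("same package name:", report["same_package"])
    for permission in report["added_permissions"]:
        reason = SENSITIVE.get(permission, "not in the sensitive list")
        print("added permission:", permission, "-", reason)
    for tag, name in report["added_components"]:
        print("added component:", tag, name)
    print("suspicious:", report["suspicious"])
```

A clean diff is not proof of a clean package: code can be added without touching the manifest, so the signing certificate should be compared against the original's as well.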
    10. Re:I hate to say it by tlhIngan · · Score: 3, Insightful

      Non-techy users can still use Android marketplace. If you believe yourself to be a tech user and want to try something else, you can feel free to do so. But it's your risk.

      Actually, non-techies can use alternative marketplaces as well, just as non-techies can jailbreak their iPhones and even use ssh.

      Technology skill level is not a factor - if all you have to do is follow a bunch of steps to get what you want (free apps, free pr0n, whatever), you'll find the number of people who do it suddenly rise.

      Why do you think a lot of jailbroken iPhones have default passwords set? The people jailbreaking them just followed instructions of "Download program X, run this, click that, click that, then wait 10 minutes. When you're done, reboot your phone, tap this icon, tap this thing, type this, tap that, blah blah blah". And before you know it, they've installed openssh, ssh'd into their phone and done a bunch of things, to get whatever they needed, but also left their phone vulnerable.

      Androids are no different. They may tell their friends that they got some new cool Android phone, and their friend tells them "hey, follow this link, it'll tell you how to get some great apps for free", and they'll just blindly follow the instructions.

      It's even why all those people dismissing those trojans and botnets infecting Chinese alternative marketplaces as irrelevant are wrong. If those Chinese marketplaces are offering stuff people want (free apps - why pay for them?), you'll find people will do it. Even if you warn them "Don't ever use this app" or "that site contains nothing but viruses", you'll find them accessing it if some web page tells them to.

      Anyone who's had to clean up their parent's PC or their kid's PC for the Nth time already know this, and it seems if you put a block up, they'd find a way around it. (Not unlike the behavior of tech savvy people when they encounter a block). Sure they won't ask you why they can't access their favorite virus-installing pr0n site anymore, they'll ask their friends who'll give them a bunch of proxy servers and crap.

      There is no solution, either - it's fundamentally a social problem. People jailbreak because they see some cool app not in the App Store. People install alternative marketplaces to get that 99 cent app for free.

      No technological hurdle is too high if you have someone wanting something, and someone providing that thing they want. As long as someone somewhere has written a set of steps on how to do it, it will happen.

      Even more annoying is these people will follow those steps to the letter while your steps and instructions are ignored.

    11. Re:I hate to say it by Anonymous Coward · · Score: 0

      Yeah, now we have a signed version of flexispy...

    12. Re:I hate to say it by Anonymous Coward · · Score: 0

      I don't see what's wrong with claiming no liability for software-caused issues on androids after you explicitly enable installing apps from untrusted sources. As long as it's clearly labeled...

      I can tell you there's a lot wrong with forbidding you to install anything you want on a machine you own.

    13. Re:I hate to say it by Anonymous Coward · · Score: 0

      I'm sorry, but if my kid brought his smart-phone home infected for the second time, he'd either have to pay for the repair himself, or he wouldn't be getting that phone back - Nokia 3210 will do. Everyone can make a mistake once, but if they won't learn, I'm not going to be the one putting up with it.

      As for my parents and girlfriend, that's a different matter, and I guess eventually I'd have to put up with it. As neither of them use smartphones, that's not an issue, and on the PC - while being Linux resistant - they haven't done much harm (above simple reinstall from time to time) yet.

      I've got a customer though who kept bringing his laptop back with spyware, almost every month. First time he brought it back, I did it as a warranty service (while clearly stating it's normally NOT covered by warranty). Second time he brought it back, I have charged him the minimum fee, while stating it's the last time - and that considering he uses the laptop for both "fun" and work, I'd recommend to install Linux on it, so he would be able to work when he buggers up his Windows install. He didn't seem to be impressed. Now I'm charging him full charge every time he comes around (2 or 3 times), and he seems to be happy about it - I guess some people just are like that.

      Posting as AC since I moderated.

    14. Re:I hate to say it by Anonymous Coward · · Score: 0

      But that's the problem as I've said all along. ithe igarden approach doesn't work EITHER.

      Consider how much extra coding and special API calls are needed to get a wifi tethering subsystem. Now consider a flashlight app that got through the review process which basically does a quick check that the app doesn't crash (and, of course, doesn't obsolete existing or future plans the company may have).

      Now consider the aforementioned wallpaper application. *EVEN IF* they did an API scan, it needs access to the Internet to download new wallpaper. It has access to your contacts to "refer a friend and get a free bonus wallpaper!". It has access to your mic, say, so you can speak-recognition to search its database. All legit uses. There's absolutely no way to tell without an in-depth code review (good luck getting the code), a decompilation/API scan (harder than it sounds, as again, most of the API calls are legit), network traffic packet inspection (problems occur if it's encrypted or time-delayed after the review process, and can be quite tedious if obfuscated), etc. This applies for ALL applications on ANY platform and with any application: who knows what those companies are doing with your information (ad companies would LOVE access to who you know and where you are).

      If people want to download free crap, then they *NEED* to take responsibility for protecting themselves. Tell them to remove your contact information from their phone, and de-friend them from Facebook as you do not want to be affected (spammed, phished, etc.) by their stupidity.

      Also, why do you need to root Androids to copyright-infringe applications? I just tick a checkbox for off-market installs. For that matter, I'd trust Android more for pirating software because you do not need to compromise system security for it (unless you're on AT&T). Once you root / jb, processes can install hidden software at boot-time without anyone knowing. At worst case, a non-rooted Android phone can simply uninstall the application causing the problem rather than a factory reset (assuming that the malware hasn't affected the recovery image).

    15. Re:I hate to say it by thegarbz · · Score: 1

      Quality control != psycho restrictive walled garden.

      The Android Market isn't anywhere remotely near the perfect walled garden of happiness and friendship as the App Store, yet I don't hear of viruses or trojans propagating through it either. In fact the review / moderation system quickly weeds the chalk from the cheese, and all without some magical checklist that may or may not allow an app to pass on any given day.

    16. Re:I hate to say it by Anonymous Coward · · Score: 0

      All True. For the past few infections or PC setups I've been "removing" IE via the XP SP2 system defaults option. I then label Safari and Firefox as "Internet" or "[Safari/FF] Internet" and sometimes mess with icons to ensure familiarity isn't a problem.

      Sometimes I don't "remove" IE, and just leave an emergency shortcut buried for "that ONE site" everyone needs to use IE. I haven't had a problem with CC's or banks coming as IE-only since 2003 and Hotmail et al. since ~2007. Swallowing the admin password and lowering their rights while setting up logmein remote control helps a bunch. It also makes them think twice about installing trojaned icon packs, facebook smileys and those fake antiviruses that come via spam links [yeah, the FEW remaining ones that don't just buffer-overflow their way into your PC]. The latter is my #1 cause for emergency calls these past 5 years.

    17. Re:I hate to say it by pandrijeczko · · Score: 1

      9 out of 10 of Steve Jobs' suppliers of gold-leaf edged toilet paper said "Yes"... allegedly.

      --
      Gentoo Linux - another day, another USE flag.
    18. Re:I hate to say it by pandrijeczko · · Score: 1

      It could therefore be argued that Messrs. Dunning & Kruger deemed themselves to be competent enough to make such a statement when in reality they were not.

      --
      Gentoo Linux - another day, another USE flag.
  5. No, really? by Daetrin · · Score: 1

    And this would be reason number 7329 to _not_ use alternative app markets, especially if they're hosted in China. The ability to install unauthorized apps is great, but that ability should only be used if you can download the apk file directly from someone you have reason to trust. I've done that a couple times and not had any problem.

    This may change slightly once Amazon and others start putting up their own app stores with their own authorization process, but that's entirely different from installing some random market run by nobody you've ever heard of before.

    --
    This Space Intentionally Left Blank
  6. PRC government? by Nidi62 · · Score: 1

    Could the PRC government be complicit in this? I mean, this only exists in Chinese third party app markets, right? It seems to me that, one, dissidents in China would be more likely to use app markets like that and, two, what state security apparatus like that in the PRC wouldn't drool and fall all over itself with an easy way to monitor cell calls within the state? Especially considering the PLA and government security/intelligence services actually employ uniformed hackers, and have many more in universities and business that are essentially "on-call".

    I mean, what is the virus monitoring conversations for? Is it looking for financial information? Identifying information? Or keywords like "Tibet", "Falun Gong", "Christianity", "protests"?

    --
    The only thing necessary for evil to triumph is for it to be pitted against a slightly greater evil
    1. Re:PRC government? by swb · · Score: 1

      I'd just delete PRC and call it "government complicity".

      That something like this shows up in the PRC makes it easy to assume that CPC/PLA were involved, but how do we know some other country isn't doing what you might call "target area testing" with their own software that's designed to be deployed in the PRC or even elsewhere?

      My sense is that PRC economy, especially the digital side of it, is probably "open" enough to allow other intelligence communities to operate with relative freedom. And if something like this gets noticed, it's really easy to brush it off as a CPC/PLA/Intelligence operation.

      And given the need-to-know/secrecy generally associated with totalitarian societies, even those agencies that are *pegged* to be involved may believe "the other home team" is the one doing it, not them, or other internal arms they don't know about of their own organizations. When you live in a hall of mirrors, it's hard to know what's your reflection and what's someone else's...

  7. Only a matter of time. by Anonymous Coward · · Score: 0

    Not if but when it would happen was the question.

    With the popularity of smartphones, apps and mobile broadband it comes as no surprise that everyone ... yes everyone has found new opportunities.

    Who wins? The antivirus and anti-malware software companies of course. :-)

  8. So, for most users, yes. by name_already_taken · · Score: 2

    For users not advanced enough to be trusted to admin their own net-connected device, of course.

    So, in general the answer is "yes".

    Anyone who has had to support "normal" users has an anecdote about someone with a malware problem. Say what you will about having a single company that has to vet all apps for a particular type of device - but it does help make things easier for those of us who have to support these devices in our organizations.

    --
    Putting moderation advice in your .sig lowers your karma!
  9. Obligatory by clyde_cadiddlehopper · · Score: 1

    Build teleconference virus to call 1-900 number that charges $$$ per minute

    Deploy to 150,000 devices

    ...

    PROFIT!!

    In communist China, expensive phone number calls you.

    --
    Obi-Wan: "I felt a great disturbance in the Force, as if millions of voices suddenly cried out in terror and were sudden
  10. Gee, I wonder who is behind this... by MikeRT · · Score: 1

    1. Convert phone call wave data to moderately high bitrate mp3 for transfer.
    2. Send back a message with the phone numbers and mp3 attachment to the state security agency.
    3. Add it to a batch operation to process for words and phrases of interest.
    4. Build profiles along the way with tallies on each phone number.
    5. Once a threshold has been reached, pass it onto a human to see if it's worthwhile to strap on the jackboots.
    6. Arrest at your convenience.

    This virus is probably a simple proof of concept for that scenario to test Android.

    1. Re:Gee, I wonder who is behind this... by drinkypoo · · Score: 1

      That or someone is looking for some particular piece of information, the target has a Symbian phone, and they have the resources to burn through the mass of target data (or the software on the compromised host does it for them.)

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    2. Re:Gee, I wonder who is behind this... by Anonymous Coward · · Score: 0

      ECHELON???!!!
      It's Joshua! He's still playing the game!

  11. But... why? by EasyTarget · · Score: 4, Insightful

    When users are making phone calls, the spyware automatically adds itself to the call to monitor the conversation.

    To what end? Does it record the call and then transfer the audio somewhere? Or is there a whole army of hackers waiting to 'listen in' on the calls as they get conferenced to some central numbers? Oh, and what are these numbers and has anybody tried calling them?

    Or does it just add costs to your call by turning it into a conference call? If so does one particular Telco benefit?

    --
    "Oops, I always forget the purpose of competition is to divide people into winners and losers." - Hobbes
    1. Re:But... why? by Anonymous Coward · · Score: 0

      You dial your bank. You key in your account number. You key in your PIN. PROFIT!

    2. Re:But... why? by Dunbal · · Score: 1

      Or perhaps speech recognition software has advanced to the point where files can be scanned for words like "my credit card number is"...

      --
      Seven puppies were harmed during the making of this post.
    3. Re:But... why? by Zelgadiss · · Score: 1

      Or they can just watch what number you are calling ...

    4. Re:But... why? by EasyTarget · · Score: 1

      All that takes is a keylogger, I was wondering about the apparent desire to capture audio data.

      --
      "Oops, I always forget the purpose of competition is to divide people into winners and losers." - Hobbes
    5. Re:But... why? by EasyTarget · · Score: 1

      That's true; only capture calls made to known bank customer service lines etc.. then just listen to them manually..

      --
      "Oops, I always forget the purpose of competition is to divide people into winners and losers." - Hobbes
  12. I for one... by kiehlster · · Score: 1

    welcome our new everything-is-my-business virus overlords.

  13. This story definitely not sponsored by Apple by PFactor · · Score: 1

    ...or its walled-garden app store that protects your snowflakes from the evil world.

    --
    Don't believe anything I say. I crash test crack pipes for a living.
  14. Manufacturer by future+assassin · · Score: 2

    Can someone explain to me why manufacturers of software are not liable for leaving gaping security holes in software they release and it's always turned towards the user. Oh the user shouldn't have done this, that and the other (yes people are stupid for downloading from unofficial sources) but the system shouldn't be so exploitable from the beginning.

    No one learned from Windows all these years? What, too hard to create secure system? I guess it's more important to give the consumer a new shiny every 6 months than actually create a secure system that runs on the shiny new thing.

    --
    by TheSpoom (715771) Uncaring Linux user here. I have nothing to add to this but please continue. *munches popcorn*
    1. Re:Manufacturer by stjobe · · Score: 1

      We tried making the systems idiot-proof, but people kept coming up with better idiots...

      --
      "Total destruction the only solution" - Bob Marley
    2. Re:Manufacturer by screwzloos · · Score: 1

      What people have learned from Windows after all these years is that in general, US consumers would rather replace their electronics than reflash or reformat when they become compromised or otherwise less functional. Building a system with bulletproof security is actually counterproductive in the consumer market, since it would reduce how often a user purchases (or repurchases) the next big thing.

      On the other hand, the secure system mindset works fine for corporate software development. They just have to charge in excess of an order of magnitude more for the product to pull in the same kinds of returns.

      It sucks, but I don't see it changing.

    3. Re:Manufacturer by __aaxtnf2500 · · Score: 1

      They are not liable because you waive the right to hold them responsible for damages when you agree to the EULA or TOS.
      Security hasn't significantly improved during the history of personal computing because the average user wants features, not security. Did you choose your operating system based solely on security, compatibility with applications, or compatibility with the hardware you desired to purchase?

    4. Re:Manufacturer by gl4ss · · Score: 1

      buy a symbian phone with symbian signed problems.

      it's not hard to create a secure system, it's just hard to create a secure system and allow it to do things too.

      --
      world was created 5 seconds before this post as it is.
  15. The execution channel... by dargaud · · Score: 1

    In The Execution Channel, Ken MacLeod imagines a camera firmware that can recognize when 'pain or suffering' is being filmed and automatically transmits it to a pirate TV. It's not that far off when your average virus now listens to your calls...

    --
    Non-Linux Penguins ?
  16. Re:Android will go down without Signed Apps by NotAGoodNickname · · Score: 1

    What do you mean? Android has signed apps. All apps in the Market are signed.

  17. Wrong way to look at it by Anonymous Coward · · Score: 0

    The 30% may not come out of the developer's pocket, but it WILL be reflected in lost sales for the developer. 30% could quite possibly be the difference between a sale or not.

  18. IOW, Echelon for Android? by macraig · · Score: 1

    Homeland Security is at it again, eh? Now they wanna conference in on every mobile call as it happens, so they can listen in real-time for those Seven Words (or something)?

  19. Re:Android will go down without Signed Apps by Anonymous Coward · · Score: 0

    Android does it right:

    Signed, 'safe', apps, and the option to forge off into the wild frontier if that is your thing.

  20. Apple vs Franklin by lazn · · Score: 1

    It's better that you give up a few freedoms in the name of security so that you can get what you deserve..

  21. AV like AVG protect against this? by sys_mast · · Score: 1

    How have people discovered this on their device? How have they removed it? Does any current AV on the main android market protect against or even detect these? I'm thinking of AVG, or is that no longer a reliable AV, I've personally not used AVG for a year or two.

    Most comments here are worried about what exactly this one virus does. I'd think as IT types the focus should be what can be done about it. (Let's assume that we will be exposed to it.) How do we prevent negative results from that exposure?

    --
    Those who can, do.
  22. Re:There is no solution by DocSavage64109 · · Score: 1

    I'll agree with your assessment with my experiences with repairing people's malware infested PCs. Some 90% of the time I'll find limewire on these computers and can trace the viruses' origin to some song the user tried to download for free. It's astounding how many people ruin their computers - that cost a few hundred dollars - trying to save a few dollars by downloading a few songs for free.

  23. Sync ads when syncing other data by tepples · · Score: 1

    what happens when you have no network access?

    The same thing apps do when running on an iPod touch or Archos 43: show cached advertisements downloaded when the app last synchronized data to "the cloud". This makes them not clickable, but TV ads aren't clickable either.

  24. Show me the iPhone SMS/Call monitoring app by Anonymous Coward · · Score: 0

    There's not one iPhone SMS/Phone spyware app available for a non-jailbroken iphone.

    The walled garden is more than just a feeling of security. To say otherwise is absurd.

  25. outliers by r00t · · Score: 1

    In modernized countries, these problems are completely insignificant for spreading HIV. I'll grant that it's more likely than death by meteorite.

    1. Re:outliers by Kosi · · Score: 1

      Yeah, I know, most common is willingly unprotected sex and sharing of drug tools.

      Oh, and just like a computer virus may use OS routines to propagate itself, HIV uses our ejaculation routine. Propagating itself is not meant as doing that entirely on its own. One more example is airborne infection, which usually requires the host to be breathing.

  26. Re:There is no solution by clonehappy · · Score: 1

    I've yet to see any computing device--mobile, laptop, etc. "ruined" by downloading a song. The OS trashed, yes. But never seen one actually permanently disabled.

    I've found that most of the people who download malware/virii on a regular basis are now quite adept at popping a Windows disk in the optical drive and "Pressing any key to boot from CD/DVD...", probably because they saw me do it so many times to the tune of $40 and some beer that they actually learned something.

    Besides, reinstalling your OS (provided you can follow instructions that any monkey can figure out) isn't that hard and costs zero, and actually paying for media costs you something.

  27. Re:There is no solution by DocSavage64109 · · Score: 1

    Of course it isn't ruined for one with sufficient technical skills, but for the average user, it is unless they want to pay someone else to fix it. And some techs are better at removing all of the viruses than others. Also, there is the matter of the user's personal data and apps.

  28. Nothing to see here.. by Rexdude · · Score: 1

    According to NetQin, the cybercriminals usually install the spyware on the phone by sending an MMS containing the spyware to users to lure them to click.

    In other words, moronic end users who click on anything are susceptible to exploits. News at 11. I'll start worrying the day they are actually able to produce zero user intervention Symbian malware, right now, in 2011.

    --
    "..One hosts to look them up, one DNS to find them, and in the darkness BIND them."