Slashdot Mirror

← Back to Stories (view on slashdot.org)

Mobile Spyware Conferences Into Your Calls

Posted by CmdrTaco on from the i-hear-that dept.

wiredmikey writes "Reports of Multiple Variants of Android Virus 'Hong Tou Tou' are showing up, which has mainly been working its way onto smartphones via alternative app marketplaces. Today, we saw reports of a new variant of spyware "Spy.Felxispy" targeting Symbian devices, identified by the National Computer Virus Emergency Response Centre of China. More than a dozen variants of the spyware have emerged since the first was spotted, and the latest has affected 150,000+ devices. Once installed, the spyware will turn on the Conference Call feature of the device without users' awareness. When users are making phone calls, the spyware automatically adds itself to the call to monitor the conversation."

12 of 105 comments (clear)

  1. Well... by grub · · Score: 2


    Say what you will about Apple's "walled garden" but I don't hear of such things on their AppStore.

    --
    Trolling is a art,
    1. Re:Well... by slashgrim · · Score: 4, Insightful

      Say what you will about Apple's "walled garden" but I don't hear of such things on their AppStore.

      It happens just by businesses rather than "cybercriminals" http://www.readwriteweb.com/archives/dear_iphone_users_your_apps_are_spying_on_you.php And of course all platforms have had some sort of remote exploit http://news.cnet.com/8301-27080_3-10299378-245.html Conclusion: "walled gardens" for apps just provide a feeling of security, while giving up the user-freedom of installing any app. Personally I prefer the freedom and am (so far) very happy with the homebrew community support offered by Palm (and now HP) http://www.precentral.net/hp-donates-server-homebrew-webos-internals-group

  2. Re:Virus? by v1 · · Score: 2

    There was an article recently about malware being highly prevalent in wallpaper packs. Malware authors would download the packs, jimmy their spyware payload into the installer, and repost it somewhere else, sometimes under the same name.

    One of the disadvantages for an unlocked system, you are now placing the user primarily in charge of the security of the system. That's very hard to get right.

    --
    I work for the Department of Redundancy Department.
  3. I hate to say it by drhamad · · Score: 3, Interesting

    Was Steve Jobs right? Is a single, restrictive & tested, marketplace the way to go?

    --
    -Daniel
    1. Re:I hate to say it by Haedrian · · Score: 3, Insightful

      Nope.

      Non-techy users can still use Android marketplace. If you believe yourself to be a tech user and want to try something else, you can feel free to do so. But its your risk.

      Also there are tons of other reasons why a closed up marketplace sucks. If you don't want to pay the 30% to apple and sell the product from your own website - tough luck! Amazon is planning their own app store - they can't do it with apple.

    2. Re:I hate to say it by JamesP · · Score: 2

      If you really want to sell, the 30% is going to be payed by the user, not you...

      Besides, ok, suppose you want to deal with everything: set up servers, CC processing, billing, etc, etc you'll start to think the 30% is a good deal

      Been there, done that, etc

      --
      how long until /. fixes commenting on Chrome?
    3. Re:I hate to say it by tlhIngan · · Score: 3, Insightful

      Non-techy users can still use Android marketplace. If you believe yourself to be a tech user and want to try something else, you can feel free to do so. But its your risk.

      Actually, non-techies can use alternative marketplaces as well, just as non-techies can jailbreak their iPhones and even use ssh.

      Technology skill level is not a factor - if all you have to do is follow a bunch of steps to get what you want (free apps, free pr0n, whatever), you'll find the number of people who do it suddenly rise.

      Why do you think a lot of jailbroken iPhones have default passwords set? The people jailbreaking them just followed instructions of "Download program X, run this, click that, click that, then wait 10 minutes. When you're done, reboot your phone, tap this icon, tap this thing, type this, tap that, blah blah blah". And before you know it, they've installed openssh, ssh'd into their phone and done a bunch of things, to get whatever they needed, but also left their phone vulnerable.

      Androids are no different. They may tell their friends that they got some new cool Android phone, and their friend tells them "hey, follow this link, it'll tell you how ot get some great apps for free", and they'll just blindly follow the instructions.

      It's even why all those people dismissing those trojans and botnets infecting chinese alternative marketplaces as irrelevant are wrong. If those chinese marketplaces are offering stuff people want (free apps - why pay for them?), you'll find people will do it. Even if you warn them "Don't ever use this app" or "that site contains nothing but viruses", you'll find them accessing it if some web page tells them to.

      Anyone's who had to clean up their parent's PC or their kid's PC for the Nth time already know this, and it seems if you put a block up, they'd find a way around it. (Not unlike the behavior of tech savvy people when they encounter a block). Sure they won't ask you why they can't access their favorite virus-installing pr0n site anymore, they'll ask their friends who'll give them a bunch of proxy servers and crap.

      There is no solution, either - it's fundamentally a social problem. People jailbreak because they seem some cool app not in the App Store. People install alternative marketplaces to get that 99 cent app for free.

      No technological hurdle is too high if you have someone wanting something, and someone providing that thing they want. As long as someone somewhere has written a set of steps on how to do it, it will happen.

      Even more annoying is these people will follow those steps to the letter while your steps and instructions are ignored.

  4. So, for most users, yes. by name_already_taken · · Score: 2

    For users not advanced enough to be trusted to admin their own net-connected device, of course.

    So, in general the answer is "yes".

    Anyone who has had to support "normal" users has an anecdote about someone with a malware problem. Say what you will about having a single company that has to vet all apps for a particular type of device - but it does help make things easier for those of us who have to support these devices in our organizations.

    --
    Putting moderation advice in your .sig lowers your karma!
  5. But... why? by EasyTarget · · Score: 4, Insightful

    When users are making phone calls, the spyware automatically adds itself to the call to monitor the conversation.

    To what end? Does it record the call and then transfer the audio somewhere? or is there a whole army of hackers waiting to 'listen in' on the calls as they get conferenced to some central numbers. Oh, and what are these numbers and has anybody tried calling them?

    Or does it just add costs to your call by turning it into a conference call? If so does one particular Telco benefit?

    --
    "Oops, I always forget the purpose of competition is to divide people into winners and losers." - Hobbes
  6. Re:Virus? by ErroneousBee · · Score: 5, Insightful

    I know most /.ers don't RTFA

    I was just leading readers along a path that ends with questioning the alarmist nature of the SecurityWeek article.

    Its not a Virus, it doesn't propagate itself. You only get this Trojan by going to a unsecured website (A Chinese one at that) website and downloading it from there.

    In other news, iPhones are dangerous when eaten.

    --
    **TODO** Steal someone elses sig.
  7. Manufacturer by future+assassin · · Score: 2

    Can someone explain to me why manufacturers of software are not liable for leaving gaping security holes in software they release and its always turned towards the user. Oh the user shouldn't have done this, that and the other (yes people are stupid for downloading from unofficial sources) but the system shouldn't be so exploitable from the beginning.

      No one learned from Windows all these years? What, too hard to create secure system? I guess its more important to give the consumer a new shiny every 6 months then actually create a secure system that runs on the shiny new thing.

    --
    by TheSpoom (715771) Uncaring Linux user here. I have nothing to add to this but please continue. *munches popcorn*
  8. Re:Virus? by ErroneousBee · · Score: 2

    You only get the virus through your own actions.

    Haemophiliacs, rape victims, children of HIV positive mothers.

    The defining characteristic of a virus is that it makes copies of itself and broadcasts them around to hopefully contact and infect the next host.

    The defining characteristic of a Trojan Horse is that is presents itself as a benign object and waits for an unwary administrator to install it within a defensive perimeter.

    An EXE is not a virus if it does not attempt to broadcast itself to the next host.

    --
    **TODO** Steal someone elses sig.