Slashdot Mirror


Infected Androids Run Up Big Texting Bills

Hugh Pickens writes "Computerworld reports that a rogue Android app is hijacking smartphones and running up big texting bills to premium rate numbers before the owner knows it. Chinese hackers grabbed a copy of Steamy Windows, a free program, added a backdoor Trojan horse to the app's code, then placed the reworked app on unsanctioned third-party "app stores" where unsuspecting or careless Android smartphones find it, download it and install it."


  1. Holy AI, Batman by Calibax · · Score: 4, Insightful

    "[...] where unsuspecting or careless Android smartphones find it, download it and install it."

    I really dislike careless phones. Perhaps reviewers can test and report which are careful.

    I'd also like to know how to make my phone less naive about unauthorised app stores.

    Perhaps I should take away my phone's download privileges...

  2. Oh noes! by Microlith · · Score: 3, Insightful

    Obviously this means we should abdicate (forcibly, if necessary) all control over our computing devices to large corporations with a vested interest in denying us the ability to use them as we see fit.

    1. Re:Oh noes! by icebike · · Score: 4, Insightful

      Obviously this means we should abdicate (forcibly, if necessary) all control over our computing devices to large corporations with a vested interest in denying us the ability to use them as we see fit.

      You buy stuff from trusted sources. There are a few trusted ones, and none of them have addresses in China.
      The people getting these infected apps knew damn well what they were doing. They had to make at least one nonstandard setting, download in a nonstandard way, and launch the installation in a nonstandard way. Looking for Porn is my guess. I have very little sympathy.

      The point is no one falls into this trap using the Google market or the upcoming Amazon market, or a couple others.

      --
      Sig Battery depleted. Reverting to safe mode.
    2. Re:Oh noes! by mjwx · · Score: 2

      The people getting these infected apps knew damn well what they were doing. They had to make at least one nonstandard setting, download in a nonstandard way, and launch the installation in a nonstandard way

      Worse yet, they actually went out of their way to find pirated software and install it with little regard for actual consequences.

      Not really for or against piracy but... If you do do it and don't know how to check for things like this then you get what you deserve.

      --
      Calling someone a "hater" only means you can not rationally rebut their argument.
    3. Re:Oh noes! by Jane+Q.+Public · · Score: 4, Interesting

      "Most people don't give a shit about "openness" or being able to install software from any third-party."

      Perhaps not, but that is rapidly changing. Even governments are recommending open source and open standards, and those ideas are making it into the mainstream, because their advantages have become too large and obvious to ignore.

    4. Re:Oh noes! by ArcherB · · Score: 3, Interesting

      Giving the average user control, is like giving them a plane and believing that since they have an autopilot they can land safely.

      Apple's walled garden has limited this kind of behavior so far despite having 10's of millions more phones sold.

      Well, if you are an "average user", and I presume you are, then I guess you need someone holding your hand in a walled garden.

      Personally, I'm NOT an average user. To use your airplane analogy, I'm a pilot who wants the auto-pilot turned off! I demand the ability to do whatever I wish to MY phone and I am fully aware that I am responsible for the consequences. Look, I don't mind a walled garden. All the stuff I install comes from the Android Market exclusively. But within my walled garden, I want to choose the plants that are in there. I want to choose the color of the wall and decide what bricks it's made of. I want to decide if my garden is organic or so full of pesticides that the birds die from flying over it. So, with a simple rooting of my phone, I have my walled garden and the ability to remove/disable all the crapware I don't want on my phone. I'm now fully able to put any GUI I wish on MY phone. I chose the one that came with it, but dammit I MADE THAT CHOICE, not some turtleneck wearing, Hollywood social elite who thinks he knows what I want better than I do.

      --
      There is no "I disagree" mod for a reason. Flamebait, Troll, and Overrated are not substitutes.
    5. Re:Oh noes! by compro01 · · Score: 4, Informative

      Where are you getting pirated software out of this? They're referring to non-Google markets, like Amazon's Appstore, Archos' Appslib, and others.

      --
      upon the advice of my lawyer, i have no sig at this time
    6. Re:Oh noes! by Kitkoan · · Score: 4, Informative

      The apps weren't pirated since the original App was free. This is one of the catches of freedom. You have the freedom to choose and make it yours, but that freedom can also be the freedom to screw yourself over by malicious people. This is why Android phones by default don't allow you to install non-market apps. You can of course turn that off and install any and everything under the sun that works on Android and that is your choice and freedom but it warns you when trying to do it that you can be taking a risk and be careful what you install. (my phone lists it as "Your phone and personal data are more vulnerable to attack by applications from unknown sources. You agree that you are solely responsible for any damage to your phone or loss of data that may result from using these applications") This is a very good popup (and you have to click OK for it to let you do this) that gives a nice, clear, non-legalese warning. Now if you ignore this clearly spelled out warning and still get screwed over, then it's your fault and your problem.

      --
      Attention... all grammer nazi"s! Is they're anything; wrong with: my post,
    7. Re:Oh noes! by mabhatter654 · · Score: 2

      Except what's the draw of Open Source for users.... think about it.

      Hint, it's the fact that almost all the stuff you need is on a LiveCD or in a Repository.... so it's right back to a "garden" even if it isn't walled because what normal user has any business editing or compiling their own code... ultimately, they still trust some company, or community, to tell them the code they're running is OK.

    8. Re:Oh noes! by Jane+Q.+Public · · Score: 3, Interesting

      That may be true to some extent, but it's off the subject. GP asked if end users care about open standards. The answer -- increasingly -- is "yes".

    9. Re:Oh noes! by davester666 · · Score: 2

      It's the usual consumer thing.

      I want a phone capable of running any application, no matter where it may originate from, and it must be able to make full use of every hardware feature of my phone, but if it actually does so, I also must be able to reject any charges it may incur.

      I deny being responsible for what my phone may or may not have done or will do.

      And I want a pony.

      --
      Sleep your way to a whiter smile...date a dentist!
    10. Re:Oh noes! by alostpacket · · Score: 2

      Symantec found the cloned Steamy Windows app on a Web site hosted by Chinese servers.

      They don't say what app store they are referring to, you're assuming those app stores. I doubt Amazon or Archos are hosted in China.

      --
      PocketPermissions Android Permission Guide
    11. Re:Oh noes! by marcosdumay · · Score: 2

      "so it's right back to a "garden" even if it isn't walled"

      So? The entire argument is about the existence and usefulness of the wall. Who doesn't want a garden?

  3. Who wrote this virus? by MrEricSir · · Score: 2, Funny

    AT&T, Verizon, or Sprint?

    --
    There's no -1 for "I don't get it."
    1. Re:Who wrote this virus? by olsmeister · · Score: 2

      Apple.

  4. Common Sense by timeOday · · Score: 2, Insightful
    Android apps should operate within a jail that limits anomalous behavior like this - that is, the OS itself should have a form of common sense, and they should make it easy to install useful apps without giving them enough access to overwrite that part of the OS.

    If not within the OS itself, cellphone accounts should come with voluntary (user-adjustable) quotas to mitigate such things. It might be just as useful for parents to control runaway texting teenagers.

    1. Re:Common Sense by Locke2005 · · Score: 3, Insightful

      When you install any Android app, it explicitly asks for permissions to perform various categories of activities. If you granted the app permission to perform activities it doesn't need, e.g. SEND TEXT MESSAGES, then shame on you, not on the OS!

      --
      I've abandoned my search for truth; now I'm just looking for some useful delusions.
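The install-time permission list discussed in this thread can also be checked mechanically. The sketch below is an added example, not part of any comment or of the reported app: it compares the permissions requested by a repackaged copy against the original and flags newly requested ones that can incur charges. Both manifests are constructed samples in decoded text form, and the package name is hypothetical.

```python
import xml.etree.ElementTree as ET

# Attribute names in a decoded AndroidManifest.xml live in this XML namespace.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions that let an app run up charges on the owner's account.
COST_PERMISSIONS = {"android.permission.SEND_SMS", "android.permission.CALL_PHONE"}

# Constructed sample: manifest of a hypothetical original wallpaper app.
ORIGINAL = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.wallpaper">
  <uses-permission android:name="android.permission.SET_WALLPAPER"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Example Wallpaper"/>
</manifest>
"""

# Constructed sample: the same app as found on another site, with SMS access added.
REPACKAGED = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.wallpaper">
  <uses-permission android:name="android.permission.SET_WALLPAPER"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application android:label="Example Wallpaper"/>
</manifest>
"""


def parse_manifest(xml_text):
    """Return (package name, set of requested permission names)."""
    root = ET.fromstring(xml_text.strip())
    perms = set()
    for el in root.iter("uses-permission"):
        name = el.get(ANDROID_NS + "name")
        if name:
            perms.add(name.strip())
    return root.get("package"), perms


def compare_to_original(original_xml, candidate_xml):
    """Report what a candidate copy requests beyond the known-good original."""
    orig_pkg, orig_perms = parse_manifest(original_xml)
    cand_pkg, cand_perms = parse_manifest(candidate_xml)
    added = cand_perms - orig_perms
    cost_added = added & COST_PERMISSIONS
    return {
        "same_package": orig_pkg == cand_pkg,
        "added": sorted(added),
        "cost_added": sorted(cost_added),
        # A copy that newly asks for a way to spend money deserves a closer look.
        "suspicious": bool(cost_added),
    }


if __name__ == "__main__":
    print(compare_to_original(ORIGINAL, REPACKAGED))
```

A real APK stores its manifest as binary XML, so it has to be decoded to text before a comparison like this can run.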
    2. Re:Common Sense by jayveekay · · Score: 4, Insightful

      Who do you trust: The phone company, the phone, or the user?

      If you trust the phone company, then having a cellphone contract option to limit data/text/etc. usage to some cap can mitigate the worst case bill you'll be surprised with.
      If you trust the phone, then OS options to limit what an app can do can mitigate worst case damage done.
      In either case, you have to trust the user to make the right choices with respect to cellphone contract or app permissions.

      I think my problem is that I don't trust any of the above.

    3. Re:Common Sense by h4rr4r · · Score: 2

      Because the VM enforces those rules, not the application.

    4. Re:Common Sense by mabhatter654 · · Score: 2

      This is where the carriers are part of the problem. They get big kickbacks for managing "billing" on all these fraudulent text-to scams.

      When you sign up for a telephone line you sign up for "unlimited" credit. I never, ever understood how I could sign up for a $50 phone bill and get $500+ in charges? That's like 10x the amount of "credit" extended in the first place, no sane business would ever do that... except the phone company's "product" in this case is essentially free, so take what sticks. If that happened with a Credit Card company, courts would laugh at them trying to collect that debt. Why does "on a phone" make any difference. My personal bane are the little IQ tests that want a cell phone number to get the answer. Any pre-teen without a phone is going to punch in the number and not think twice... Happy $9.99 (and $3 pure profit for the telco!). Getting blocks on all the lines, for all the different charges is a pain in the Ass. My wife has spent hours on the phone... but every time you make a change to the plan, all the "unconventional" locks get dropped and 2 months later you find out when something slips through.... it's not like the monthly statement TELLS you what locks you have or anything.

    5. Re:Common Sense by hedwards · · Score: 2

      State laws tend to encourage that sort of bad behavior on the part of corporations. It's presumed that an individual had the opportunity to opt out and have the contract explained to his or her satisfaction. The problem is that for a lot of these things one does not have the money to contact an attorney for advice and so signs with little understanding as to the actual meaning. Which to an extent is understandable, if the contract is for phone service, one doesn't expect that the carrier will extend a larger line of credit than most credit cards without at least asking for permission.

  5. Bad summary by Mark19960 · · Score: 2

    "...where unsuspecting or careless Android smartphones find it, download it and install it."

    You mean ..' unsuspecting or careless USERS find it'
    The phone itself is not reaching out to download it, the user is doing it.

  6. Startling... by PopeRatzo · · Score: 2

    Infected Androids Run Up Big Texting Bills

    I'm old enough to remember when "android" meant something besides a smartphone.

    That's why I found this headline a bit disturbing for a few moments. I imagined Rutger Hauer and Darryl Hannah thumbing their Blackberries. And yes, I'm also old enough to remember when "Blackberry" meant something besides a corporate communicator or a designer fruit sold at Whole Foods for $9 for three ounces.

    --
    You are welcome on my lawn.
  7. permissions by t2t10 · · Score: 4, Insightful

    They had to make at least one nonstandard setting, download in a nonstandard way, and launch the installation in a nonstandard way

    More importantly, they had to give the app permission to send texts. Very few apps need that permission.

    1. Re:permissions by macs4all · · Score: 2, Interesting

      They had to make at least one nonstandard setting, download in a nonstandard way, and launch the installation in a nonstandard way

      More importantly, they had to give the app permission to send texts. Very few apps need that permission.

      But the REAL problem is that Android only asks ONCE, at install time, for whatever permissions it might need. So, instead of them getting an Alert saying "Hey, Hello Kitty Wallpaper Needs Permission To Send Text Messages", when they were just checking their to-do list, they MIGHT be just a LITTLE more suspicious, even if they are a noob.

      I am not advocating something that asks every time an app needs to do something other than display text; but asking a non-computer-savvy person to decide on permissions at the very time that he just wants to get his new Shiny, is just asking for trouble. But anyone but the most completely arrogant (a special brand of stupidity) will probably question why their new "cooking" app suddenly wants access to your GPS, when all you did was download and launch it to find out how to cook something for dinner.

      You should also be able to change your mind after granting access to a feature/service/database. At least from the Android GUI, I don't believe you can change an app's "permissions" after you decide at install time, amiriite?

      Of course, I would be remiss if I failed to mention that iOS offers both of those improvements over Android...

      Just sayin'...

  8. Android security needs to be tweaked. by pecosdave · · Score: 3

    Lots of apps wanting lots of info. Instead of "install or not" there needs to be an option to "deny access to this feature but install anyways".

    --
    The preceding post was not a Slashvertisement.
    1. Re:Android security needs to be tweaked. by Zebedeu · · Score: 2

      You've obviously never done support for software.

      People don't read error messages. Some people don't even turn their brains on long enough to look at their screen before lashing out at the developer.

      I have a published Android app where you could open the menu and select an option to go to a certain activity. After a few months I moved that functionality to a large icon on the top of the app to make the process easier -- no menu, simply tap the large button on top.
      I got at least two emails asking where that functionality went.

      Another guy wrote telling me that I had a bad bug in my date code -- apparently the month of February was only showing 28 days in my app.
      I lost two days off my life right there. (BTW, he was from a country which uses the Gregorian calendar).

      It's true that most people are smarter than that, but the idiots are usually much more vocal.

  9. What makes a source trusted, preempt or react? by perpenso · · Score: 3, Insightful

    You buy stuff from trusted sources.

    What makes a source trusted? Do they screen apps for inappropriate behavior before putting an app on the store (preempt) or do they just remove inappropriately behaving apps after they are discovered in the field (react)? I don't think trust is a binary state, it's a range of levels. A reputable source that preempts may be more trustworthy, a reputable source that merely reacts may be less trustworthy but more convenient.

    1. Re:What makes a source trusted, preempt or react? by icebike · · Score: 2

      What makes a source trusted?

      That little check box in the Android Applications Settings Labeled "unknown sources".

      Once you allow unknown sources all bets are off. You can download an app with the standard web browser, but you can't install it unless you uncheck that box.

      So that is what makes a source trusted or untrusted.

      --
      Sig Battery depleted. Reverting to safe mode.
    2. Re:What makes a source trusted, preempt or react? by perpenso · · Score: 2

      What makes a source trusted?

      That little check box in the Android Applications Settings Labeled "unknown sources".

      Once you allow unknown sources all bets are off. You can download an app with the standard web browser, but you can't install it unless you uncheck that box.

      So that is what makes a source trusted or untrusted.

      A known source is not necessarily a trusted source regardless of what the check box is labeled. You need to read the sentences beyond the first one to understand the question, i.e. how trustworthy is a source that merely reacts? Less so for early adopters of an app, more so for those who get it later?

  10. Yes, you are pathetic by SmallFurryCreature · · Score: 2, Insightful

    So basically you want some magic situation where people have freedom but no responsibility. How typical. This is NOTHING new, everyone can install software from anywhere on the PC and the stupid have always had problems with this.

    We do leave people behind here, if you are too stupid to tell what software is legit and which isn't, then you shouldn't be installing crap.

    Freedom for those who can handle the responsibility, lockin for those who can't.

    Clearly you can't.

    --

    MMO Quests are like orgasms:

    You may solo them, I prefer them in a group.

  11. Then go dry hump your Android and shut up by Brannon · · Score: 3, Insightful

    Seriously--you never hear any iPhone-fan screaming that Android or the Android marketplace shouldn't exist. Never. If that's what you want, then go for it.

    The Android world, though, (by and large) is completely obnoxious towards people who choose an iPhone (I guess CHOICE is only a virtue when someone chooses your way)--to the point of trying to somehow force Apple to do things differently. The Android world looks down on the grandmothers of the world who just want to be able to Facetime easily with their grandchildren. You see, if you aren't l33t enough to run SETI@home on your phone then you don't deserve to have a smartphone, right?

    And, most irksome to me personally, the Android world operates under the delusion that technical people don't use iPhones. I think I probably know more about computers than you do--and I use an iPhone because I appreciate good design and I want something that works. I don't care that I can't compile the Linux kernel on it for the same reason that I don't care that I can compile the Linux kernel on my microwave.

    Get a life.

  12. Re:That's strange by macs4all · · Score: 5, Funny

    I thought open-source was infinitely more secure than "Micro$oft Windoze omglolwut!". Funny I haven't heard about any viruses affecting windows phones.

    That's because there isn't enough marketshare.

    Sorry, couldn't resist!

  13. Re:That's strange by TheRaven64 · · Score: 3, Interesting

    Why does this app have the capability to send text messages? With a Symbian phone, the first time an app tries to send a text message, a dialog will pop up asking if you want to permit it. If you say 'no', then it can't. It also can't do anything else that costs you money, unless you explicitly grant it these permissions. This kind of capability system has been part of Symbian for over a decade. I believe iOS and WP7 have something similar. Doesn't Android?

    --
    I am TheRaven on Soylent News
  14. Comment removed by account_deleted · · Score: 2

    Comment removed based on user account deletion

  15. Re:That's strange by Eraesr · · Score: 3, Informative

    It does, when installing an app you get a list of permissions required for the app which you have to agree to before it is installed. And yes, I must admit that the meaning of this list isn't always as clear and obvious to the less tech-savvy people among us, but it is especially those people that should be careful with what apps they install.

  16. Wallpapers, always by KlaymenDK · · Score: 2

    From the article:
    "The latest Trojan horse for Google’s Android operating system has been seen posing in Chinese third-party app stores as legitimate programs such as Wallpaper apps."

    Is it just me or do these things invariably trace back to wallpaper apps? People* must be real suckers for these things. And here I am, writing *productivity* apps ... *smacks forehead*

  17. This is why iphone is better. by nblender · · Score: 2

    Seriously, bear with me a second... Non-technical in-the-box thinking hippies can have their walled-off iphone and probably not get into a lot of trouble. Techies like me can have our iphone, jailbreak it, and with cydia install some additional stuff to placate us; we can ssh into our phone, etc... If I pick up some malware, that's fine, it probably came from a 3rd-party source via Cydia and I have myself to blame and I'm probably not going to end up being some "Man shoots own foot" media sensation...

    If you let any old weenor with an android install any old random shit on it by just tapping 'accept' on some dialog that he or she doesn't really understand (err, Windows, anyone?), then of course you're going to wind up with stories like this.