Infected Androids Run Up Big Texting Bills

Hugh Pickens writes "Computerworld reports that a rogue Android app is hijacking smartphones and running up big texting bills to premium rate numbers before the owner knows it. Chinese hackers grabbed a copy of Steamy Windows, a free program, added a backdoor Trojan horse to the app's code, then placed the reworked app on unsanctioned third-party "app stores" where unsuspecting or careless Android smartphones find it, download it and install it."

Holy AI, Batman

[Calibax]

"[...] where unsuspecting or careless Android smartphones find it, download it and install it."

I really dislike careless phones. Perhaps reviewers can test and report which are careful.

I'd also like to know how to make my phone less naive about unauthorised app stores.

Perhaps I should take away my phone's download privileges...

Oh noes!

[Microlith]

Obviously this means we should abdicate (forcibly, if necessary) all control over our computing devices to large corporations with a vested interest in denying us the ability to use them as we see fit.

Re:Oh noes!

[icebike]

Obviously this means we should abdicate (forcibly, if necessary) all control over our computing devices to large corporations with a vested interest in denying us the ability to use them as we see fit.

You buy stuff from trusted sources. There are a few trusted ones, and none of them have addresses in China.
The people getting these infected apps knew damn well what they were doing. They had to make at lease one nonstandard setting, download in a nonstandard way, and launch the installation in a nonstandard way. Looking for Porn is my guess. I have very little sympathy.

The point is no one falls into this trap using the Google market or the upcoming Amazon market, or a couple others.

Re:Oh noes!

[Jane+Q.+Public]

"Most people don't give a shit about "openness" or being able to install software from any third-party."

Perhaps not, but that is rapidly changing. Even governments are recommending open source and open standards, and those ideas are making it into the mainstream, because their advantages have become too large and obvious to ignore.

Re:Oh noes!

[ArcherB]

Giving the average user control, is like giving them a plane and believing that since they have an autopilot they can land safely.

Apple's walled garden has limited this kind of behavior so far despite having 10's of million of more phones sold.

Well, if you are an "average user", and I presume you are, then I guess you need someone holding your hand in a walled garden.

Personally, I'm NOT an average user. To use your airplane analogy, I'm a pilot who wants the auto-pilot turned off! I demand the ability to do whatever I wish to MY phone and I am fully aware that I am responsible for the consequences. Look, I don't mind a walled garden. All the stuff I install comes from the Android Market exclusively. But within my walled garden, I want to choose the plants that are in there. I want to choose the color of the wall and decide what bricks it's made of. I want to decide if my garden is organic or so full of pesticides that the birds die from flying over it. So, with a simple rooting of my phone, I have my walled garden and the ability to remove/disable all the crapware I don't want on my phone. I'm now fully able to put any GUI I wish on MY phone. I chose the one that came with it, but dammit I MADE THAT CHOICE, not some turtleneck wearing, Hollywood social elite who thinks he knows what I want better than I do.

Re:Oh noes!

[compro01]

Where are you getting pirated software out of this? They're referring to non-Google markets, like Amazon's Appstore, Archos' Appslib, and others.

Re:Oh noes!

[Kitkoan]

The apps weren't pirated since the original App was free. This is one of the catches of freedom. You have the freedom to choose and make it yours, but that freedom can also be the freedom to screw yourself over by malicious people. This is why Android phones by default don't allow you to install non-market apps. You can of course turn that off and install any and everything under the sun that works on Android and that it your choice and freedom but it warns you when trying to do it that you can be taking a risk and be careful what you install. (my phone lists it as "Your phone and personal data are more vulnerable to attack by applications from unknown sources. You agree that you are solely responsible for any damage to your phone or loss of data that may result from using these applications") This is a very good popup (and you have to click OK for it to let you do this) that gives a nice, clear, non-legalese warning. Now if your ignore this clearly spelled out warning and still get screwed over, then its your fault and your problem.

Re:Oh noes!

[Jane+Q.+Public]

That may be true to some extent, but it's off the subject. GP asked if end users care about open standards. The answer -- increasingly -- is "yes".

Re:Common Sense

[Locke2005]

When you install any Android app, it explicitly asks for permissions to perform various categories of activities. If you granted the app permission to perform activities it doesn't need, e.g. SEND TEXT MESSAGES, then shame on you, not on the OS!

Re:Common Sense

[jayveekay]

Who do you trust: The phone company, the phone, or the user?

If you trust the phone company, then having a cellphone contract option to limit data/text/etc. usage to some cap can mitigate the worst case bill you'll be surprised with.
If you trust the phone, then OS options to limit what an app can do can mitigate worse case damage done.
In either case, you have to trust the user to make the right choices with respect to cellphone contract or app permissions.

I think my problem is that I don't trust any of the above.

permissions

[t2t10]

They had to make at lease one nonstandard setting, download in a nonstandard way, and launch the installation in a nonstandard way

More importantly, they had to give the app permission to send texts. Very few apps need that permission.

Android security needs to be tweaked.

[pecosdave]

Lots of apps wanting lots of info. Instead of "install or not" there needs to be an option to "deny access to this feature but install anyways".

What makes a source trusted, preempt or react?

[perpenso]

You buy stuff from trusted sources.

What makes a source trusted? Do they screen apps for inappropriate behavior before putting an app on the store (preempt) or do they just remove inappropriately behaving apps after they are discovered in the field (react)? I don't think trust is a binary state, its a range of levels. A reputable source that preempts may be more trustworthy, a reputable source that merely reacts may be less trustworthy but more convenient.

Then go dry hump your Android and shut up

[Brannon]

Seriously--you never hear any iPhone-fan screaming that Android or the Android marketplace shouldn't exist. Never. If that's what you want, then go for it.

The Android world, though, (by and large) is completely obnoxious towards people who choose an iPhone (I guess CHOICE is only a virtue when someone chooses your way)--to the point of trying to somehow force Apple to do things differently. The Android world looks down on the grandmothers of the world who just want to be able to Facetime easily with their grandchildren. You see, if you aren't l33t enough to run SETI@home on your phone then you don't deserve to have a smartphone, right?

And, most irksome to me personally, the Android world operates under the delusion that technical people don't use iPhones. I think I probably know more about computers than you do--and I use an iPhone because I appreciate good design and I want something that works. I don't care that I can't compile the Linux kernel on it for the same reason that I don't care that I can compile the Linux kernel on my microwave.

Get a life.

Re:That's strange

[macs4all]

I though open-source was infinitely more secure than "Micro$oft Windoze omglolwut!". Funny I haven't heard about any viruses affecting windows phones.

That's because there isn't enough marketshare.

Sorry, couldn't resist!

Re:That's strange

[TheRaven64]

Why does this app have the capability to send text messages? With a Symbian phone, the first time an app tries to send a text message, a dialog will pop up asking if you want to permit it. If you say 'no', then it can't. It also can't do anything else that costs you money, unless you explicitly grant it these permissions. This kind of capability system has been part of Symbian for over a decade. I believe iOS and WP7 have something similar. Doesn't Android?

Re:That's strange

[Eraesr]

It does, when installing an app you get a list of permissions required for the app which you have to agree to before it is installed. And yes, I must admit that the meaning of this list isn't always as clear and obvious to the less tech-savvy people among us, but it is especially those people that should be careful with what apps they install.