'Fee-Deduction' Malware On Android Spotted In the Wild
wiredmikey writes "New malware has been discovered embedded in more than 20 Android applications circulating via various forums on the Internet which auto-dials phone numbers to incur high user fees. Dubbed BaseBridge, the malware can be embedded in legitimate applications, and during the application's installation, the malware prompts the user to upgrade. If the user chooses to upgrade, the malware is installed on the Android device under the name 'com.android.battery'. Then, another prompt would pop up to ask the user to restart the app to run it, and the malware is formally activated upon restart. Once activated, the malware can activate three malicious services — AdSmsService, BridgeProvider and PhoneService, to communicate with a control server, from which it will download a configuration file to read related information and dial calls or send out SMS messages, incurring fees for users."
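As an added defender-side illustration (not part of the submission, and not taken from any analysis of BaseBridge), here is a static manifest triage that flags the traits the summary describes: a third-party package squatting on the `com.android.` namespace, and SMS/call permissions combined with network access. The manifest below is constructed for the example; only the package and service names come from the summary, everything else is assumed.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"strings"
)

// Manifest holds the parts of AndroidManifest.xml needed for toll-fraud triage.
// Attribute tags match on local name, so android:name is picked up as well.
type Manifest struct {
	Package     string `xml:"package,attr"`
	Permissions []struct {
		Name string `xml:"name,attr"`
	} `xml:"uses-permission"`
	Services []struct {
		Name string `xml:"name,attr"`
	} `xml:"application>service"`
}

// SampleManifest is a constructed manifest modelled on the summary above (the
// package and service names it reports); it is not the real malware's file.
const SampleManifest = `<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.android.battery">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.CALL_PHONE"/>
    <application android:label="Battery">
        <service android:name=".AdSmsService"/>
        <service android:name=".PhoneService"/>
    </application>
</manifest>`

// Triage parses a manifest and returns findings; an empty slice means nothing
// was flagged. It is a static pre-install check, not a malware verdict.
func Triage(manifestXML string) ([]string, error) {
	var m Manifest
	if err := xml.Unmarshal([]byte(manifestXML), &m); err != nil {
		return nil, err
	}
	perms := map[string]bool{}
	for _, p := range m.Permissions {
		perms[strings.TrimPrefix(p.Name, "android.permission.")] = true
	}
	var findings []string
	// Third-party packages have no business in the platform's own namespace.
	if strings.HasPrefix(m.Package, "com.android.") {
		findings = append(findings, "package name impersonates the Android system namespace: "+m.Package)
	}
	// Fee deduction needs both a way to call/text and a way to fetch the numbers.
	if (perms["SEND_SMS"] || perms["CALL_PHONE"]) && perms["INTERNET"] {
		findings = append(findings, fmt.Sprintf("can send SMS or place calls and reach the network (%d services declared)", len(m.Services)))
	}
	return findings, nil
}

func main() {
	findings, err := Triage(SampleManifest)
	fmt.Println(findings, err)
}
```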
That is the treat of sideloading. And I wouldn't give it up for anything.
Say what you will about Apple's "walled garden", but I'm kinda happy I'm inside it. That's not to say that iOS is not exploitable because it most certainly is, but it's much less likely something I purchase off the app store will contain malware like this.
It would be nice to see a list of the Apps. If there are "over 20" the list is probably not too large to post.
Plain and simple.
Is it just to annoy people? What benefit do the authors receive from getting the phone to make random calls or send SMS?
Proof of concept, perhaps?
That is the treat of sideloading. And I wouldn't give it up for anything.
So you would doom millions to be raked over the coals by exploits like this, all so you can sideload. Awesome.
Shouldn't the model be more of one where people who cannot manage systems have systems pre-secured for them, and the ones who can handle security can open them?
It's worked well for iOS from a security standpoint.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
I know you're being facetious, but ironically in this case you're probably indirectly right. Windows Phone 7 has such a small market share that it's not worth bothering with from a malware author's perspective, while iOS and Linux (Android) are huge targets. Funny how the tables have turned.
Better known as 318230.
...though not publicly, about the chaos in Android's ecosystem. Seems that everything he predicted is coming to pass.
Folks, we need sanity on Android. Currently, it's nowhere to be seen. Who can deny that?
I kept hearing that Linux was immune to malware all these years here, and yet I am seeing a Linux variant in ANDROID showing holes and malware attacks left and right the past few years now.
(Has slashdot's Penguin crowd been lying to us all for all these years now? Seems so.)
Go back to your bridge.
Trojans in software downloaded from sketchy websites? GTFO!
A user with root explicitly installing a program IS NOT A HOLE.
Good-bye
The iPhone has similar issues. JB the iPhone, grab pirated apps from unknown/untrusted repos, shovel them via Installous, and there have been some really nasty things reported.
The average user is not going to be sideloading apps, and if told to by a website, he or she should be VERY wary, and be checking search engines about the app mentioned.
In addition, you must know what you're doing to install the Unknown Source APK, by either using 'adb install' or downloading the APK to your SD card and using a file manager application.
That or enter the URL from which the APK can be downloaded, such as through following a link in an e-mail, following a link in the web browser, or scanning a QR code. After that, the device downloads the package over Wi-Fi or cellular, and then the user can choose to install or cancel on the privilege screen. That's how, for example, Amazon Appstore for Android gets installed.
No operating system can protect stupid users from installing dubious applications.
Regardless of how many security walls you put in place, if the user says yes to everything there is no way he will be protected.
The stupid thing is that this then lands in the stupid non-technical press as "platform X has malware" articles.
Feeding time...
I take it you use a perfect OS then? Do tell us what it is...
I love apps on my phone, but along the way, I have to wonder, just how smart is this? My phone is for me, as for many, my primary communications device. I get loading an IM app or an invoicing app or even some Angry Birds. There comes an implicit trust there, I suppose.
I'm cool with tinkering... that's how our modern marvels came to be. However, tinkering comes with implicit risk. The problem is people tinker and expect the mission critical stuff (like your phone making calls every time you want, and only when you want) to still remain iron-clad.
It's like jacking with beta software. Yeah, do it on your local machine. However, if you do it on your production server, and you lose data or have run-away costs, that's just too bad.
The best thing about a boolean is even if you are wrong, you are only off by a bit.
At risk of feeding the troll, here goes:
No one who's had any clue about network and OS security has ever said "Linux is immune to malware." In fact, what we Penguins have said is that it's impossible to stop a truly dedicated admin-level user from shooting himself in the foot if he's determined to do so. However, Linux's security model does a really good job of limiting the scope of the damage done by a user installing malware. Unless you are root (or equivalent) on a Linux box, *your* account will be all that's compromised. You won't hose the entire box because you stupidly installed malware. You won't even turn up a service on a port < 1024 because only root can do that.
The Android malware that's cropped up lately does NOT disprove any of the assertions above, because they are all essentially affecting a single user account. Granted, on Android, there IS only a single user account (which is one of my gripes about the OS, since on my tablet for example, I'd like to be able to set up different user accounts for me, my wife and my daughter, so we could all use the device without screwing up each other's settings, apps, etc.). Such a poor implementation of user accounts, IMHO, goes a long ways towards negating some of the advantages of Linux. <shrug>
MCSE? No, sir...I don't do Windows. Yes, I am an idealist. What's your point?
there have been some really nasty things reported.
References? While there's certainly the potential for such abuses, I haven't heard of anything in the wild to date.
https://www.eff.org/https-everywhere
At least Android has "Unknown sources" and "adb install" in the first place. Amazon appears to have convinced AT&T to push a firmware update that restores the checkbox, and "adb install" sideloading support is a requirement for Market access. In addition, devices without the Android Market application, such as all Archos products, ship with "Unknown sources" turned on so that the bundled AppsLib can work.
It may or may not be worthwhile. If you know someone(s) who has something you want, and uses Windows Phone 7, you might write such a piece of malware. Remember, Siemens' Industrial Control Systems for Centrifuges have an even smaller number of manufactured units than Windows Phones. But I've heard there's been quite the nifty malware written for them. The criterion for writing malware is the value of what you achieve, not just the number of devices you can attack.
If one visits sites like MacRumors, and looks under the iPhone hacks section, you will find a good amount of people posting about installing apps with Installous from dodgy repos. They have all kinds of problems, from having to DFU restore, to corruption of other apps' data, and so on.
The evidence is anecdotal (someone whining about a spotty JB iPhone that has been heavily modified could be a lot of issues), but slapping on pirated apps from repos that have not been vetted is just asking for an additional payload to come with the .apk file.
Friend, I work as a Linux/UNIX security consultant and if I thought you had enough knowledge about Linux/UNIX to understand an explanation I could give you about how a UNIX-like OS differs from, say, Windows in terms of threat attack vectors, then I would do so. But because I doubt your IQ barely reaches three digits in length, such an explanation would be wasted on you.
Suffice it to say, I do not recall anyone on here ever saying that Linux is immune to malware because, the fact is, any program you run on any OS anywhere that you cannot guarantee is malware-free could be malware - so clearly anyone making such a statement would be a bigger fool than yourself.
But you can satisfy yourself in the knowledge that, by virtue of the well-paid job that I do, that there are security considerations you must take into account when deploying any Linux or UNIX server - beyond that, you need not worry yourself as clearly your lack of knowledge shows you don't use Linux in any shape or form. Therefore how secure or insecure it is would be irrelevant within your small and blinkered view of reality.
Gentoo Linux - another day, another USE flag.
I am not sure 100% that this is the answer but I think it is high time that we use digital signatures to verify the authenticity of the code. In the open source community this is done all of the time with utilities like GNUPG. Just simply use the author's public key to verify the authenticity of the code. If there is a discrepancy, then there should be a provision to discard the downloaded app. That should, at least, put a severe curb on wrapping malware in legitimate applications.
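A worked version of the signature check proposed above, added here as an illustration and not code from the post or from Android itself. It assumes ed25519 in place of GnuPG, a hypothetical package format, and pins the publisher key so that a later "upgrade" (the lure described in the summary) signed by anyone else is discarded, as is any repackaged copy whose bytes no longer match the signature.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// SignedPackage is a constructed stand-in for a downloaded app archive plus the
// publisher's public key and a detached signature over the archive bytes
// (a hypothetical format for illustration, not Android's real APK signing).
type SignedPackage struct {
	Name      string
	Archive   []byte
	Publisher ed25519.PublicKey
	Signature []byte
}

// Installed pins each installed app name to the publisher key it was first
// installed with, so a later "upgrade" from a different signer is rejected.
type Installed map[string]ed25519.PublicKey

var ErrBadSignature = errors.New("signature does not verify: discard package")
var ErrKeyMismatch = errors.New("upgrade signed by a different publisher: discard package")

// Sign produces the package a publisher would distribute.
func Sign(priv ed25519.PrivateKey, name string, archive []byte) SignedPackage {
	pub := priv.Public().(ed25519.PublicKey)
	return SignedPackage{name, archive, pub, ed25519.Sign(priv, archive)}
}

// Verify accepts a package only if its signature is valid over the archive and,
// when the app is already installed, the signer matches the pinned publisher key.
func (inst Installed) Verify(pkg SignedPackage) error {
	if !ed25519.Verify(pkg.Publisher, pkg.Archive, pkg.Signature) {
		return ErrBadSignature
	}
	if pinned, ok := inst[pkg.Name]; ok && !bytes.Equal(pinned, pkg.Publisher) {
		return ErrKeyMismatch
	}
	inst[pkg.Name] = pkg.Publisher
	return nil
}

// Scenario runs three cases on a fresh device: a genuine install, the same
// package repackaged with extra bytes, and an upgrade signed by a foreign key.
func Scenario() (genuine, repacked, foreignUpgrade error) {
	_, authorPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	device := Installed{}
	archive := []byte("constructed archive bytes of a legitimate app")
	pkg := Sign(authorPriv, "com.example.app", archive)
	genuine = device.Verify(pkg)
	tampered := pkg // original signature kept, archive modified
	tampered.Archive = append(append([]byte{}, archive...), "+injected"...)
	repacked = device.Verify(tampered)
	foreignUpgrade = device.Verify(Sign(otherPriv, "com.example.app", []byte("v2")))
	return
}

func main() {
	g, r, f := Scenario()
	fmt.Println("genuine:", g, "| repacked:", r, "| foreign upgrade:", f)
}
```

Android's installer already enforces the same-signer rule for updates of an installed package; what a sideloaded first install lacks is any basis for trusting the publisher key itself, which is the gap the GnuPG suggestion above is aimed at.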
which may void your warranty (on the hardware, not just the OS)
You simply restore to factory OS before taking it in for hardware support.
Because if you jailbreak you have a clue. Remember?
"There is more worth loving than we have strength to love." - Brian Jay Stanley
Linux is just the kernel, the small but complex piece of software that sits between the user's operating system and the system hardware. Its function is to ready the hardware for use by the operating system, so it is responsible for loading drivers and setting up parameters specific to the CPU it is running on.
Anything else beyond that is the operating system that gets loaded once the kernel is in place. For convenience, the whole thing is referred to as "Linux" but, in reality, it is just a myriad of programs doing various tasks on that piece of hardware.
Bearing in mind that the OS tools running on top of the kernel are Open Source, there are no "rules" as to how you design that system to run once the kernel has loaded. Therefore, if you want to design an OS schema whereby everything runs at the highest root permissions, there is nothing stopping you doing that.
Having explained the above to you, I have permitted you to divest yourself of your clear ignorance when it comes to how Linux and free operating systems work.
With the above in mind, Android does indeed use a Linux kernel to initialise the hardware in a smartphone, touchpad, netbook, etc. etc. However, beyond that there are numerous reasons why an Android system would boot into the OS very differently to, say, an Ubuntu or Fedora Linux desktop - one of the major differences would be because storage space and memory are far more limited on a smartphone or tablet than on an average desktop PC.
Consequently, your comparison between Android and Linux is invalid - if anything, a piece of malware running on an Android system probably wouldn't run on an Ubuntu system if it was transferred across, or indeed vice versa.
Any computer system needs to be hardened against security threats but your comments clearly show that you possess little knowledge of the subject - therefore you would be better employed spending your free time becoming better-informed on the subject first, and then coming on here to make what could be some very valid points about Linux security.
This would be a constructive alternative to just spewing out random comments and appearing like a complete and utter plonker.
Gentoo Linux - another day, another USE flag.
Or, we could treat the real problem, personal idiocy, and educate people.
Bullshit. It's not idiocy, it's lack of understanding. And the truth is that you cannot educate people on something they have no interest in. Nor should there be a need for education; I don't have to be a structural engineer to drive over a bridge, because I know the people who made it are competent. The same should be true of the OSes we use: the makers should have secured them for us as much as possible, to the point where normal users do not need any understanding or education to keep the device safe for use.
Your response is every bit as absurd as "you're holding it wrong".
"There is more worth loving than we have strength to love." - Brian Jay Stanley
Excellent.
You are improving. You have mastered "Cut & Paste" keys, well done! :-)
Now go read a few security manuals, get a few years experience in OSes and security, then you can set your sights on one day being able to speak to me at the same intellectual level. Hell, I may even reach down and help pull you up those last few steps of your very tiring climb.
Gentoo Linux - another day, another USE flag.
This is ultimately no different from the days of downloading trojan-laden warez from a BBS or pr0n site and getting infected with an autodialer that calls some random long-distance number through the modem.
If you're not willing to be careful about what you're installing, or where you're downloading it from, don't be surprised when your phone racks up random charges without your direct input.
Someday, you're going to die. Get over it.
Friend,
Your mastery of CTRL-C and CTRL-V is impressive indeed but cutting and pasting links to security advisories is wasted on me as I already subscribe to updates from Secunia, Bugtraq, Cert, Red Hat, Oracle and probably a few others you haven't heard about - do you not remember me saying that I am in a well-paid security job?
You seem to be doing your best to rile me on the somewhat mistaken assumption that I treat operating systems like a religion and that therefore anything said against Linux in particular would have me foaming at the mouth and crying to the heavens demanding that a plague of demons be brought down upon your head.
Unfortunately, the reality is that whilst Linux is my favourite OS platform to use, it has got there because I've used it and UNIX for so long, so I know it well and find it perfect for most of the computing and entertainment tasks that I need a computer to do. However, it does not preclude me from using other OSes; I actually like using Windows XP for certain tasks and for gaming, and neither do I give two hoots whether or not Linux wins some fictitious war over Microsoft.
The fact is, I like using it, have a well-paid job as a result of its very existence and would therefore consider myself a "happy chappie" all-in-all, content with occasionally casting out a verbal challenge on here in order to see what thrashing dervish of a fish is willing to take a bite.
So please, it's a quiet evening, indulge me more...
Gentoo Linux - another day, another USE flag.
Oh, you're back. And SO quickly!
Sorry, were we discussing Windows at any point in this conversation? I thought we were talking purely about Linux & Android from the perspective of you clearly having little understanding of UNIX topology and what might or might not constitute a threat attack vector on those.
At this stage, my advice to you is to restrict the topic of conversation rather than trying to broaden it; you will find the assimilation and learning process much easier.
And PLEASE stop with the endless Secunia links. I am relaxing after a nice home-cooked meal this evening and you're making this whole thing feel a bit too much like work.
You have a real opportunity to learn something really useful from an OS & security professional with three decades of experience in the field - so make the most of it.
Gentoo Linux - another day, another USE flag.
With all respect, I have nothing to prove to you as I have no idea who you are and actually care little of your opinion as to my skills.
I've got three decades experience in telecoms, OSes and security, I've written a few technical whitepapers in my time, developed training courses on TCP/IP, Linux, Shell Scripting and Security but beyond that I am not prepared to go into more detail - it's an illustration for you as to the depths of my skills, but I've no interest in boasting to you more specifically as to what I've done - suffice it to say, I had just started my telecoms career in 1982.
And, if I'm honest, you do sound a bit too much like a petulant child to have the maturity and experience that you claim to, so I'll take that with a pinch of salt.
That's enough about me anyway. If you want to continue discussing the core topic then please continue, otherwise I've no interest in getting into a pissing contest with you or anyone else.
Gentoo Linux - another day, another USE flag.
Right, we need to check the mental sanity of people that activate the option to install software from outside the market.
As they are explicitly told to do by Amazon?
It's a design feature of the platform that any mainstream alternate application stores must have you disable this block, and then any random link can install something for you. Do you really not expect a significant number of users will be getting things from Amazon given the marketing clout they have?
"There is more worth loving than we have strength to love." - Brian Jay Stanley
We could require people to develop on a specific platform to make the software easier to analyze, then have digitally signed software sold on a single walled-garden, only allow authorized software to run on the phone, with the phone provider able to take down and turn off any malware app as needed.
Oh yeah, that is called an iPhone!
If we walked past each other in the street, we would not know it.
I have no interest in the opinions of anyone I do not know and have nothing to prove to such a person. I have stated all I have to say, you are entirely within your rights to accept them or disbelieve them, to me it is of no consequence.
For the same reasons, trying to goad me into revealing more will achieve nothing, I am far too old and wise to fall for that trick.
You are also getting repetitive. By all means continue this with another repeated posting if you feel the need for the last word on me, I will not respond any more.
Gentoo Linux - another day, another USE flag.
Despite all your "big talk" & trying to put me down, you haven't been even a FRACTION as well noted in the art & sciences of computing as I have...
On some level, this is true. Anonymous Coward has done a LOT of stuff over the years.
--"insert clever quote here"
It's one thing to feed a troll, but to feed a troll and get thoroughly called out and owned?
That's shameful.
Of course it's Android, so everyone here is defending it. However, if the same case was with iOS or RIM you all would be downing them to the max.
A user with root explicitly installing a program IS NOT A HOLE.
Yes, but a user with root explicitly installing malware is most definitely an A HOLE.
I moderate "-1, Fool"
In fact, today is a more secure era.
Back in the BBS and early internet days, downloading shit off random sites was the only way to install software. You had to choose wisely the place you got your software from. If you /.er wanted to get the latest compiler suite, you had to fetch it from somewhere. If grandma wanted a weather app or a smiley pack, she got it from the interwebs too, and caught a nice trojan while doing it.
Now, systems like Android, WebOS, etc. provide you a nice walled garden of vetted apps. So most users can be sure they won't get malware. Advanced users, who are more knowledgeable and probably better at telling which sources are trusted, can enable other repositories ("sideloading", "dev mode", etc.). Thus if you /.er want to install some crazy experimental piece of software, you're still allowed to fetch it from somewhere. If grandma wants a nice "kitten" theme for her homescreen, she simply gets it from the official repository and is spared from trojans.
Well, except for iPhone users. They are stuck in walled garden mode. Unless they go against Apple's effort, and have to use hacks and exploits on the phone that they actually own. Weird...
BTW: It's "Plus ça change, plus c'est la même chose"
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]