Slashdot Mirror


'Fee-Deduction' Malware On Android Spotted In the Wild

wiredmikey writes "New malware has been discovered embedded in more than 20 Android applications circulating via various forums on the Internet which auto-dials phone numbers to incur high user fees. Dubbed BaseBridge, the malware can be embedded in legitimate applications, and during the application's installation, the malware prompts the user to upgrade. If the user chooses to upgrade, the malware is installed on the Android device under the name 'com.android.battery'. Then, another prompt would pop up to ask the user to restart the app to run it, and the malware is formally activated upon restart. Once activated, the malware can activate three malicious services — AdSmsService, BridgeProvider and PhoneService, to communicate with a control server, from which it will download a configuration file to read related information and dial calls or send out SMS messages, incurring fees for users."

23 of 169 comments

  1. Um.. so which apps by bigredradio · · Score: 4, Insightful

    It would be nice to see a list of the Apps. If there are "over 20" the list is probably not too large to post.

  2. What's the purpose of this? by yuna49 · · Score: 2

    Is it just to annoy people? What benefit do the authors receive from getting the phone to make random calls or send SMS?

    Proof of concept, perhaps?

    1. Re:What's the purpose of this? by stoanhart · · Score: 2

      The authors set up their own pay-by-the-minute number (like with phone sex services). They set the rate to the maximum possible amount, which is something ridiculous like $99 per minute.

    2. Re:What's the purpose of this? by twidarkling · · Score: 2

      Probably they get the proceeds from these calls/SMS'. Couple shell companies to an anonymous account, and you're making money well.

      --
      Canada: The US's more awesome sibling.
    3. Re:What's the purpose of this? by TheRaven64 · · Score: 4, Insightful

      Not always. The best ones set up quite a low rate and don't make the malware call it more than once or twice. If someone gets a 50 charge on their telephone bill, then they are unlikely to query it. If they do, then the phone company will probably just give them a refund and eat the cost - they probably charge more than 50 for the call to their support line anyway. 50 doesn't sound like much, but if you get a couple of million infections then that's a huge amount of money. Ideally, they'll register a few hundred premium rate numbers and have the malware dial a random one.

      --
      I am TheRaven on Soylent News
  3. Re:Glad I stuck with Windows Phone 7 by Dan+East · · Score: 3

    I know you're being facetious, but ironically in this case you're probably indirectly right. Windows Phone 7 has such a small market share that it's not worth bothering with from a malware author's perspective, while iOS and Linux (Android) are huge targets. Funny how the table's turned.

    --
    Better known as 318230.
  4. Apple's Steve Jobs must be smiling... by bogaboga · · Score: 2

    ...though not publicly, about the chaos in Android's ecosystem. Seems that everything he predicted is coming to pass.

    Folks, we need sanity on Android. Currently, it's nowhere to be seen. Who can deny that?

  5. Re:Rather selfish by nbetcher · · Score: 5, Informative

    Android is secured by default by disallowing the use of Unknown Sources. If you attempt to enable Unknown Sources for applications it will warn you about risking security. In addition you must know what you're doing to install the Unknown Source APK by either: using 'adb install', or downloading the APK to your SD card and use a file manager application to install it. So yes, Android is just as secure as iOS by default.

  6. I am shocked and appalled by 0xdeadbeef · · Score: 3

    Trojans in software downloaded from sketchy websites? GTFO!

  7. Re:Linux = "Immune to malware" (another /. LIE?) by spire3661 · · Score: 5, Informative

    A user with root explicitly installing a program IS NOT A HOLE.

    --
    Good-bye
  8. Re:Rather selfish by WhirlwindMonk · · Score: 5, Insightful

    If only there were a setting to allow sideloading. One that's disabled by default to protect unsavvy users, but is easily enabled by people who know what they're doing/willing to accept the risks. Oh, hey, look! There it is! "Unknown Sources: Allow installation of non-market applications."

    Good to know that the iphone has a similar setting, that was a good move on Apple's part. Oh, wait, it doesn't? You have to exploit security holes to enable sideloading? Huh. How about that.

  9. Re:Linux = "Immune to malware" (another /. LIE?) by mlts · · Score: 2

    The iPhone has similar issues. JB the iPhone, grab pirated apps from unknown/untrusted repos, shovel them via Installous, and there have been some really nasty things reported.

    The average user is not going to be sideloading apps, and if told to by a website, he or she should be VERY wary, and be checking search engines about the app mentioned.

  10. URL of APK by tepples · · Score: 2

    In addition you must know what you're doing to install the Unknown Source APK by either: using 'adb install', or downloading the APK to your SD card and use a file manager application

    That or enter the URL from which the APK can be downloaded, such as through following a link in an e-mail, following a link in the web browser, or scanning a QR code. After that, the device downloads the package over Wi-Fi or cellular, and then the user can choose to install or cancel on the privilege screen. That's how, for example, Amazon Appstore for Android gets installed.

    1. Re:URL of APK by h4rr4r · · Score: 2

      Before that you have to enable unknown sources. You can even enable it only when you are going to install something like that amazon app store and then turn it off again.

      Still better than the amazon app store for iOS model, which is of course that there is not one and never will be.

  11. Re:Rather selfish by AJH16 · · Score: 2

    Some of us don't believe we should have to fight our device manufacturer to be able to use it. It is for primarily this reason I will never buy or recommend an iPhone or iPad.

    --
    AJ Henderson
  12. Re:Linux doesn't appear to be immune to malware by Goose+In+Orbit · · Score: 2, Insightful

    Feeding time...

    I take it you use a perfect OS then? Do tell us what it is...

  13. Re:Linux doesn't appear to be immune to malware by element-o.p. · · Score: 2

    At risk of feeding the troll, here goes:

    No one who's had any clue about network and OS security has ever said "Linux is immune to malware." In fact, what us Penguins have said is that it's impossible to stop a truly dedicated admin-level user from shooting himself in the foot if he's determined to do so. However, Linux's security model does a really good job of limiting the scope of the damage done by a user installing malware. Unless you are root (or equivalent) on a Linux box, *your* account will be all that's compromised. You won't hose the entire box because you stupidly installed malware. You won't even turn up a service on a port < 1024 because only root can do that.

    The Android malware that's cropped up lately does NOT disprove any of the assertions above, because they are all essentially affecting a single user account. Granted, on Android, there IS only a single user account (which is one of my gripes about the OS, since on my tablet for example, I'd like to be able to set up different user accounts for me, my wife and my daughter, so we could all use the device without screwing up each other's settings, apps, etc.). Such a poor implementation of user accounts, IMHO, goes a long ways towards negating some of the advantages of Linux. <shrug>

    --
    MCSE? No, sir...I don't do Windows. Yes, I am an idealist. What's your point?
  14. Re:Stupid users by gbjbaanb · · Score: 2

    well, what's a dubious application?

    a 'Make $$$ Fast' app.. probably
    but how about something like 'Bubble Boinger'... would you be confident that *didn't* contain malware.. 'cos if you can't be sure, that's pretty much half the apps in the Market off limits to you.

    Sure, if you put lots of security walls in place, the user can still be tricked into saying yes. ("restart app to apply update" says one, you say 'yes', oops. Not all malware asks 'install malware' in their popups).

    So you still need to fall back on security measures like AV scanners and system monitors. I think it would also be useful to decline certain parts of app requests - Bubble Boinger doesn't need to make calls or send texts, but sometimes they ask for such. If you could prevent those parts from being available to an app, it might make things more secure.
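An added example (not part of the original thread or of any vendor's tooling): a manifest audit that checks for the package and component names given in the story summary and for the call/SMS permissions the comment above suggests a game should not need. It assumes the APK's `AndroidManifest.xml` has already been decoded to text XML; both sample manifests are constructed.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Indicators named in the story summary.
BASEBRIDGE_PACKAGE = "com.android.battery"
BASEBRIDGE_SERVICES = {"AdSmsService", "BridgeProvider", "PhoneService"}
# Permissions that let an app spend the user's money.
FEE_PERMISSIONS = {"android.permission.CALL_PHONE", "android.permission.SEND_SMS"}

def audit_manifest(manifest_xml):
    """Return a list of findings for one decoded AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    findings = []
    package = root.get("package", "")
    if package == BASEBRIDGE_PACKAGE:
        findings.append("package name matches " + BASEBRIDGE_PACKAGE)
    # Component names may be written as ".Name", "Name" or fully qualified.
    declared = set()
    for tag in ("service", "provider", "receiver", "activity"):
        for node in root.iter(tag):
            declared.add(node.get(ANDROID_NS + "name", "").rsplit(".", 1)[-1])
    for name in sorted(declared & BASEBRIDGE_SERVICES):
        findings.append("component named " + name)
    requested = {n.get(ANDROID_NS + "name") for n in root.iter("uses-permission")}
    for perm in sorted(requested & FEE_PERMISSIONS):
        findings.append("requests " + perm)
    return findings

# Constructed sample manifests (not taken from any real APK).
SAMPLE_SUSPECT = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.android.battery">
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <application>
    <service android:name=".AdSmsService"/>
    <service android:name=".PhoneService"/>
    <provider android:name=".BridgeProvider" android:authorities="example"/>
  </application>
</manifest>"""

SAMPLE_GAME = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.bubbleboinger">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application><activity android:name=".Main"/></application>
</manifest>"""

if __name__ == "__main__":
    for label, xml in (("suspect", SAMPLE_SUSPECT), ("game", SAMPLE_GAME)):
        print(label, audit_manifest(xml))
```

Name matches are only hints, since a repackaged variant can rename its components; the permission findings are the part that applies to any app that has no reason to dial or text.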

  15. At least Android has "Unknown sources" by tepples · · Score: 2

    At least Android has "Unknown sources" and "adb install" in the first place. Amazon appears to have convinced AT&T to push a firmware update that restores the checkbox, and "adb install" sideloading support is a requirement for Market access. In addition, devices without the Android Market application, such as all Archos products, ship with "Unknown sources" turned on so that the bundled AppsLib can work.

  16. Re:Well by cHiphead · · Score: 4, Insightful

    In my day, we called that "installing" a program. Sideloading? Really? What has the world come to? DRM-ified nonsense.

    --

    This is my sig. There are many like it, but this one is mine.
  17. Digital Signatures by DaMattster · · Score: 3, Informative

    I am not sure 100% that this is the answer but I think it is high time that we use digital signatures to verify the authenticity of the code. In the open source community this is done all of the time with utilities like GNUPG. Just simply use the author's public key to verify the authenticity of the code. If there is a discrepancy, then there should be a provision to discard the downloaded app. That should, at least, put a severe curb on wrapping malware in legitimate applications.

  18. Re:Rather selfish by AJH16 · · Score: 2

    Yes, some features on Android do require rooting, but it is possible to run non-elevated applications that are not distributed through Google's market. Rooting is also left more up to the carrier and device manufacturer. Carriers like to have devices locked, but some devices are rooted by default. Android as a whole doesn't put a lot of effort into protecting or trying to break root and can actually always be rooted (as far as I know) through ODIN or similar flashing. The culture of carriers makes this something that you don't see clearly unless you get into the nitty gritty details, but in general, it is far easier, with fewer barriers or attempts to break rooting on Android vs jail breaking on an iPhone. Also, the level of customization you can do to an Android device after rooting is completely different from the level of changes you can make to an iPhone. Jailbreaking may let you run other apps and have more device permissions for those apps, but as far as I know you can't then put other versions of the OS or other builds on (particularly seeing as iOS itself isn't open for there to be other builds of it.)

    My perception of Apple has always been "you will do things our way whether you like it or not, because really, why would you want to do things any other way, cause we're Apple, savvy." Whereas Android's philosophy just feels like it is much more about trying to make a device for consumers and giving them control over their device to whatever level is appropriate for them.

    --
    AJ Henderson
  19. The sanity of people using Amazon? by SuperKendall · · Score: 2

    Right, we need to check mental sanity of people that activate the option to install software from outside the market

    As they are explicitly told to do by Amazon?

    It's a design feature of the platform that any mainstream alternate application stores must have you disable this block, and then any random link can install something for you. Do you really not expect a significant number of users will be getting things from Amazon given the marketing clout they have?

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley