New SMS Trojan Found In Android Markets
Trailrunner7 writes "The Android platform seems to have become the playground of choice for attackers and malware authors looking to make a quick buck. The latest example is a premium-rate SMS Trojan that not only automatically sends costly SMS messages, but also prevents users' carriers from notifying them of the new charges. The new piece of malware, which is known as HippoSMS, has been found in unofficial Android app markets in China. This is just the latest in a series of similar incidents in which attackers and scammers have inserted either outright malicious apps or seemingly benign apps containing malware into app markets. Most of the attacks have targeted Android users, and several times Google has had to remove malicious apps from the official Android market."
Why don't these articles ever tell you WHICH markets and apps are affected? Oh, that's right, they're too busy trying to generate page hits through scare-mongering to care about information.
(I'm not trying to say these aren't legitimate threats: quite the opposite. But, good reporting would help mitigate these threats by publicly shaming and informing.)
I'm having trouble worrying about people who install apps onto their phone without knowing that the market creator is paying attention for that sort of thing. Google and Amazon are alert and watching. Random markets in China? I feel less confident in them.
I feel exactly the same compassion for them that I feel for people who download things from any random website they find.
"If you make people think they're thinking, they'll love you; But if you really make them think, they'll hate you." - DM
If you want the freedom to install whatever you want from wherever you want, you have to accept that some of those things may not be good for you or your devices. To me, it's worth the trade off.
In the end, the best protection will always be common sense. To those that do not feel they possess enough knowledge to make their own decisions in this regard, there is always Apple who will gladly make the decision for you. To each their own.
WHAT? You mean freedom also provides the opportunity to freely injure one's self?!?! You don't say!
Unofficial Markets. So in other words, Google has nothing to do with this. If you want security on Android, just stick to the standard market. Obviously Third party markets are bad news bears.
Not goatse but damn close, don't click the link.
As someone who is about to get their first Android device, is there a good resource for practices for protecting it?
Reading the summary, it seems this is a 3rd party market that was infected. Obviously the first thing is not to install everything you see, followed by don't use 3rd party markets. However there seem to be several 3rd party markets that do have worthwhile software. Is there a suggested list of marketplaces that are reliable?
There also appear to be several Android firewall apps. Is there a site where they are reviewed and compared?
"I use a Mac because I'm just better than you are."
No, but the ones that do have a lot of developers making a lot of money...
Trolling is a art,
Non-story. "The new piece of malware, which is known as HippoSMS, has been found in unofficial Android app markets in China." If you load apps from China directly you are asking for this sort of thing. It's nearly the equivalent of going to a "Warez" site for Windows programs.
One reason would be to write an app that ignored/deleted known SMS spammers?
I'd actually love one for my phone that would delete all the obnoxious AT&T spam text messages about new services and crap.
Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
App to block/sort/filter spam or unwanted senders? I'm sure there are more creative uses but that's just the most obvious one
There is a fairly large developer community that can't tell good software from bad so they just rely on the originating vendor to make their determination. MS - Bad, Apple - Good, OS - Excellent.
How about if carriers offer a free service which simply blocks "premium" SMS calls altogether?
Sure, I won't be able to donate $10 to the Red Cross the next time there is an earthquake in a 3rd world country, but at least I'll be legally immune from paying for any that do get through.
Think of it as 976/900-block for SMS.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
So you can replace the default SMS application?
... don't click the link.
pretty sure that bit is the M.O. when browsing /. ;)
I can agree that appliances should be restricted in their functionality. My current phone doesn't have "apps", it just handles calls and SMS, and I like it that way.
My deliciously ironic gripe is that people complain no matter what they have. Apparently an app store policing submissions = evil gestapo, while an app store failing to police submissions well enough = why didn't you protect meeee *whine*
Like any troll, the first thing he mentions is about the other guy. Just like any political "argument". If you're a Republican and you hear about something your party does wrong, the first thing you hear is "well the Democrats do this other thing that's bad, don't forget about that".
Yes, Apple has a "walled garden". I'm surprised you didn't mention the "Reality Distortion Field" too. Oh and in case you didn't hear, there was a major Trojan found in the Android Marketplace.
Meh. This isn't news. The app is available on some third party app markets (read: not google's market) which are used on the other side of the planet. There was a time when a malicious text message could damage or brick an iphone.
Not that malware hasn't slipped into the Google store before, but the summary seems to indicate that this particular malware is circulating in 3rd party app stores. Something I would wager 99% of users don't even know exist.
Check out my lame java blog at www.javachopshop.com
I don't know. Are they giving me candy or a trip to Disneyland?
Except for ending slavery, the Nazis, communism, & securing American independence, war has never solved anything.
Well, that brings us neatly around to my original point: If you have the freedom to install apps from anywhere, you have the freedom to install malware. This freedom does not come with what should be the prerequisite dependencies of common sense nor investigative abilities. So in essence, you now have the freedom to hurt yourself, alongside the freedom to do anything you want. You can't have one without the other.
I'm pretty technically competent; but I'll be the first to admit I've not reverse engineered a single android app that I've installed to verify it doesn't contain malware like this.
I wonder if there's any scan on demand anti malware apps out there. If not, there soon will be I'm sure. There's definitely a market for it.
and SMS, if abused, could drain my account!
a year or two ago, I was with t-mobile and their PAYG plan did not have the ability to turn off sms send or receive! my balance went to nothing and I gave up on that carrier. a few years later, I checked back and now, if you call CS, they can turn sms off even if you are monthly and non-contract.
sms is for kids. I'm a middle aged man. I have no need for this childish bullshit. I do email. if you want me, you call or you email me. email is more in my domain that I can control. sms is purely a carrier thing and I want no part of that. (at least until they remove the fee on RECEIVING texts!)
--
"It is now safe to switch off your computer."
No there wasn't.
The only reason no one writes this malware for iPhones is that nobody uses iPhones. Oh wait....
same here. I'm a good coder, but who has TIME to audit every damned thing?
we do need auditing services. it should be non-profit and community/trust based. ie, like most opensource things.
I don't like a VENDOR being in control. I want it to be 'we the people' so to speak. that way it's not political and not under some profit (or even government) directive, one way or another.
--
"It is now safe to switch off your computer."
Those who downloaded some malware from china deserved every charge they got billed against them. Those who are crazy enough to trust the Chinese with software deserve to be hacked. Hopefully we can avoid Chinese software but sadly we can't avoid Chinese hardware....
Jehovah be praised, Oracle was not selected
I know, we should lock down ALL computers. No software from anywhere except the hardware or OS vendor's approved locations!
This includes other OSes. Those terrible, evil Linux installations... you never know where they've been!
Yes I use GoSMS. Has way more features than Stock. Great app.
Having just got my first smart phone and being on AT&T, the *very first* message AT&T sent had "reply with stop to end automatic messages" at the end of it ... as have the other 3 I've gotten since (haven't told them to stop, so I'm good with that part).
Don't blame me, I voted for Kodos
Heh.
"Malicious code on the Android platform is proof of how great it is!!"
"I like to lick butts!" by MobileTatsu-NJG (#32700246) (Score:5, Informative)
I write code and I can't tell the difference between good software and bad software (in terms of whether or not it contains code that would be considered malicious from the user's viewpoint), without an extensive and thorough code analysis. I know you are talking about "punch the monkey and win a free app" type software, but the really serious malware is not going to be that obvious.
eh... sort of... not permanent, anyway. I think there have been a few instances like this but this is the most recent I found http://www.theregister.co.uk/2010/12/30/rogue_sms_danger/
Wow, really? The single vulnerability known at the moment, hum... we should run for the hills or install an antivirus!
-dZ.
Carol vs. Ghost
There's certainly legitimate uses for the 3rd party app stores still, such as google has to remove emulators and such to avoid getting their asses sued into oblivion. I do have to say though I am not even slightly concerned about the infected apps from obscure chinese marketplaces, but I do think there is legitimate concern about the ones that have slipped into the marketplace. I do think google needs to step up and add a few layers of QC to the official marketplace. The best of both worlds scenario would be a fairly well audited for quality of apps official market place, or even maybe a certain sticker of "Google approved" applications, something simply to confirm that things are absolutely safe, for the average non-techie user, just as long as there are no warranty voiding/risking hurdles added for fairly competent users to get the unverified apps that they may want.
This developer community would be... the open source developer community?
Just wow. And people are surprised it's a Trojan? Finding a *non*-Trojan app in a place like that, that'd be the trick!
Meh. This isn't news. The app is available on some third party app markets (read: not google's market) which are used on the other side of the planet. There was a time when a malicious text message could damage or brick an iphone.
There was a proof of concept that could execute arbitrary code on iphone by sending about 500 SMS and which worked about 20% of the time, as explained by the hacker here. Of course serious bugs aren't really news on either platform. There was a time when Android would execute all text typed into the phone as root, then there was the Android bug that sent your messages to random contacts or the one where an SMS corrupts Android's SQLite database. People in glass houses should throw stones you know.
If all else fails, immortality can always be assured by spectacular error.
Anti-spam SMS app. Or an app for managing SMS messages in general.
This is a failure on the part of providers. I don't want a "notification" I don't want it at all. Part of signing up should be the ability to limit
#SMS/day
Block "premium" SMS messages with exception list.
Block calls to foreign countries with an exception list
Block toll (900) calls.
IOW give me back control on how and how much they can shaft me.
There is no right to feel safe thru security vaudeville at the expense of everyone's freedom, privacy and tax money.
You ARE in control. If you look at an app and see it requests permissions that you don't like, or don't want them to have, you simply don't install it. Yes, that might mean you don't get to play strip poker or whatever.
For example, the only android developer that I trust with my personal information is Google... and that's only because they already have it all anyway.
The other option is the new CM7 roms have the ability to remove permissions from apps. It has opened up a whole new world for me, as I'm now able to use apps I never wanted to install before because of their permission requirements.
http://www.forbes.com/2009/07/28/hackers-iphone-apple-technology-security-hackers.html
My point remains however. This isn't news. This is a non-google sanctioned market and they're responsible for what they post. Not google. Not android.
I'd much rather carefully pick my apps....and actually be able to carefully pick my apps, instead of being limited to only doing a small subset of the features my device would otherwise be capable of.
As you said, people in glass houses....
Who are these "fairly competent users" and how are they distinguished? I think Apple thought about this and decided that there was no manageable way to deal with such a concept. As a result they have just two groups, ordinary users and developers.
Oh to explain the blocking of incoming SMS. One such use is what GoSMS does. If your device is out of space which is common on budget Android devices that don't have app 2 sd functionality as they can be running old versions of Android, with the stock SMS app, it notifies you that it failed to receive an SMS but has already sent an acknowledgement of receiving it to the network so the message is lost. In GoSMS, it doesn't tell the network it received it until it is saved to disk so if you run out of space you can free up more and the message is saved when the network attempts to resend it to your phone. At least that is what I think is going on in the background. All I know is stock loses text message when out of space and GoSMS doesn't. The rest is assumptions on my part :)
I think that would be people who:
1) Want to use an unverified app or app store
and
2) Know how to do it.
That's one of the problems with Apple. They treat all their customers like idiots when it's possible that some of their customers may not be.
You're missing the point. The only way to qualify that a person "Knows how to do it" and to only allow signed code is to require that you be a developer and have access to certs for signing the code. It's not acceptable under any conditions to have unsigned code on a device.
I guess we'll have to agree to disagree. Code signing in its current form is merely a revenue vehicle for the signing authority and does not mean the slightest thing in relation to quality. In the end it may have the opposite effect since it lulls users into a false sense of security.