Slashdot Mirror

← Back to Stories (view on slashdot.org)

New SMS Trojan Found In Android Markets

Posted by Soulskill on from the popping-up-like-weeds dept.

Trailrunner7 writes "The Android platform seems to have become the playground of choice for attackers and malware authors looking to make a quick buck. The latest example is a premium-rate SMS Trojan that not only automatically sends costly SMS messages, but also prevents users' carriers from notifying them of the new charges. The new piece of malware, which is known as HippoSMS, has been found in unofficial Android app markets in China. This is just the latest in a series of similar incidents in which attackers and scammers have inserted either outright malicious apps or seemingly benign apps containing malware into app markets. Most of the attacks have targeted Android users, and several times Google has had to remove malicious apps from the official Android market."

22 of 114 comments (clear)

  1. Information, please! by Chonnawonga · · Score: 5, Informative

    Why don't these articles ever tell you WHICH markets and apps are affected? Oh, that's right, they're too busy trying to generate page hits through scare-mongering to care about information.

    (I'm not trying to say these aren't legitimate threats: quite the opposite. But, good reporting would help mitigate these threats by publicly shaming and informing.)

    1. Re:Information, please! by Chonnawonga · · Score: 4, Informative

      No, that's the name of the malware, not the apps. FTFA:

      "The malware is embedded in a seemingly legitimate application in the market, and once users download and install that app, the fun begins."

      It goes on to talk about "the host app" which the malware "piggybacks". Which app? They don't tell you. They'd rather tell you that "The Apple iPhone may still be the gold standard when it comes to smartphones".

  2. Price you pay.. by AngryDeuce · · Score: 4, Insightful

    If you want the freedom to install whatever you want from wherever you want, you have to accept that some of those things may not be good for you or your devices. To me, it's worth the trade off.

    In the end, the best protection will always be common sense. To those that do not feel they possess enough knowledge to make their own decisions in this regard, there is always Apple who will gladly make the decision for you. To each their own.

  3. Re:Well on the bright side by djdanlib · · Score: 4, Insightful

    WHAT? You mean freedom also provides the opportunity to freely injure one's self?!?! You don't say!

  4. This only affects chinese 3rd party markets... by Anonymous Coward · · Score: 5, Insightful

    Unofficial Markets. So in other words, Google has nothing to do with this. If you want security on Android, just stick to the standard market. Obviously Third party markets are bad news bears.

  5. For a new Android user by 0racle · · Score: 3, Insightful

    As someone who is about to get their first Android device, is there a good resource for practices for protecting it?

    Reading the summary, it seems this is a 3rd party market that was infeted. Obviously the first thing is not to install everything you see, followed by don't use 3rd party markets. However there seem to be several 3rd party markets that do have worthwhile software. Is there a suggested list of marketplaces that are reliable?

    There also appear to be several Android firewall apps. Is there a site where they are reviewed and compared?

    --
    "I use a Mac because I'm just better than you are."
    1. Re:For a new Android user by alanebro · · Score: 2

      A good practice is to find an app in which you are interested, then review the permissions to verify they make sense.

      For instance, if you're downloading a new phonebook and the app asks for permission to your contacts, you can assume that it really needs it.
      If you're downloading a new tic-tac-toe game that asks for full permission to read your ingoing and outgoing calls, you should really question why it needs that.

      This isn't foolproof, but it is a really good place to start.

    2. Re:For a new Android user by TheGratefulNet · · Score: 2

      I'm pretty technical but I find the permissions too vague. they are still mostly 'opaque' and I have little actual idea what's going on.

      maybe if they showed some of the data they GET, as an illustration? maybe they cache some of the 'captured' data the app 'takes' and show you that, on demand? that way I can say 'oh, you mean you're grabbing THAT from me! fuck you! delete.'

      if there's no examples of the data they take, conceptual permissions just don't work for users. works for programmers who have the code. this is NOT the users, though! not even tech ones. no one has time to audit every program in your phone.

      --

      --
      "It is now safe to switch off your computer."
    3. Re:For a new Android user by Soft · · Score: 2

      As someone who is about to get their first Android device, is there a good resource for practices for protecting it?

      You may want to read this earlier Slashdot story, from which the suggestion that made the most sense to me was to install DroidWall and just not let applications access the network. Of course, they might not work then, and it can be difficult to single out a single app among, say, Google Services.

    4. Re:For a new Android user by WankersRevenge · · Score: 2

      Uggh ... terrible moderation here. This is flamebait, not insightful. As an ios developer, I recommend that you buy the device that best caters to your needs and if you do get off the beaten path with that device -- educate yourself on possible dangers. If you install 3rd apps on your android device, check its requested permissions. If you root your ios device, change the freakin' root password. The issue isn't the device, but the person using it.

      Seriously ... I'm tired of this android / ios pissing match on Slashdot -- and that includes mods. I know it generate hits but it's make for terrible conversations. Believe it or not, they can co-exist.

  6. Re:The real WTF... by imunfair · · Score: 2

    App to block/sort/filter spam or unwanted senders? I'm sure there are more creative uses but that's just the most obvious one

  7. Re:The real WTF... by AndrewNeo · · Score: 3, Insightful

    So you can replace the default SMS application?

  8. Re:Well on the bright side by djdanlib · · Score: 3, Insightful

    I can agree that appliances should be restricted in their functionality. My current phone doesn't have "apps", it just handles calls and SMS, and I like it that way.

    My deliciously ironic gripe is that people complain no matter what they have. Apparently an app store policing submissions = evil gestapo, while an app store failing to police submissions well enough = why didn't you protect meeee *whine*

  9. Re:Well on the bright side by rwven · · Score: 2, Insightful

    Meh. This isn't news. The app is available on some third party app markets (read: not google's market) which are used on the other side of the planet. There was a time when a malicious text message could damage or brick an iphone.

  10. Re:Well on the bright side by bberens · · Score: 4, Insightful

    Not that malware hasn't slipped into the Google store before, but the summary seems to indicate that this particular malware is circulating in 3rd party app stores. Something I would wager 99% of users don't even know exist.

    --
    Check out my lame java blog at www.javachopshop.com
  11. Re:Well on the bright side by djdanlib · · Score: 2

    Well, that brings us neatly around to my original point: If you have the freedom to install apps from anywhere, you have the freedom to install malware. This freedom does not come with what should be the prerequisite dependencies of common sense nor investigative abilities. So in essence, you now have the freedom to hurt yourself, alongside the freedom to do anything you want. You can't have one without the other.

  12. Re:Well on the bright side by kelemvor4 · · Score: 2

    I'm pretty technically competent; but I'll be the first to admit I've not reverse engineered a single android app that I've installed to verify it doesn't contain malware like this.


    I wonder if there's any scan on demand anti malware apps out there. If not, there soon will be I'm sure. There's definitely a market for it.

  13. Re:Damn Apple's Walled Garden by mac84 · · Score: 2

    The only reason no one writes this malware for iPhones is that nobody uses iPhones. Oh wait....

  14. Re:The real WTF... by brim4brim · · Score: 2

    Yes I use GoSMS. Has way more features than Stock. Great app.

  15. Re:Well on the bright side by Riceballsan · · Score: 2

    There's certainly legitimate uses for the 3rd party app stores still, such as google has to remove emulators and such to avoid getting their asses sued into oblivion. I do have to say though I am not even slightly concerned about the infected apps from obscure chinese marketplaces, but I do think there is legitimate concern about the ones that have slipped into the marketplace. I do think google needs to step up and add a few layers of QC to the official marketplace. The best of both worlds scenario would be a fairly well audited for quality of apps official market place, or even maybe a certain sticker of "Google approved" applications, something simply to confirm that things are absolutely safe, for the average non-techie user, just as long as there are no warantee voiding/risking hurdles added for fairly competent users to get the unverified apps that they may want.

  16. Re:Well on the bright side by CharlyFoxtrot · · Score: 2

    Meh. This isn't news. The app is available on some third party app markets (read: not google's market) which are used on the other side of the planet. There was a time when a malicious text message could damage or brick an iphone.

    There was a proof of concept that could execute arbitrary code on iphone by sending about 500 SMS and which worked about 20% of the time, as explained by the hacker here. Of course serious bugs aren't really news on either platform. There was a time when Android would execute all text typed into the phone as root, then there was the Android bug that sent your messages to random contacts or the one where an SMS corrupts Androids SQLite database. People in glass houses should throw stones you know.

    --
    If all else fails, immortality can always be assured by spectacular error.
  17. Provider failure by Anomalyst · · Score: 4, Insightful

    This a failure on the part of providers. I dont want a "notification" I dont want it at all. Part of signing up should be the ability to limit
    #SMS/day
    Block "premium" SMS messages with exception list.
    Block calls to foreign countries with an exception list
    Block toll (900) calls.
    IOW give me back control on how and how much they can shaft me.

    --
    There is no right to feel safe thru security vaudeville at the expense of everyone's freedom, privacy and tax money.