Slashdot Mirror


"SMSZombie" Malware Infects 500,000 Android Users In China

wiredmikey writes "Researchers have recently discovered a new sophisticated and resilient mobile threat targeting Android phones that is said to have infected about 500,000 devices, mainly in China. Called 'SMSZombie,' the malware is stubborn and hard to remove, but users outside of China have little to worry about with this latest discovery. The prime function of the mobile malware is to exploit a vulnerability in the mobile payment system used by China Mobile, making it of little value to the fraudsters outside of China. The malware takes advantage of a vulnerability in the China Mobile SMS Payment process to generate unauthorized payments to premium service providers, and can also remotely control the infected device. It has been spread via wallpaper apps that sport provocative titles and nude photos, and can only be removed using a lengthy process beyond the skills of a typical Android user."

116 comments

  1. "Walled garden"? by Anonymous Coward · · Score: 0, Flamebait

    For all the bitching I hear from FSF weenies about Apple, those of us who buy their products don't have to put up with this shit.

    1. Re:"Walled garden"? by fuzzyfuzzyfungus · · Score: 5, Insightful

      Apple is quite lucky that nobody ever weaponized anything back in the good old days of Jailbreakme... In-browser TIFF exploit leading to full root access just by loading a web page.

      Google, of course, is similarly lucky that nobody bothered to do anything wacky during the "yeah, everything you type gets silently dumped to a root shell, why do you ask?" period in early android...

      Punchline is, the state of 'mobile' security (really, security in general) is pretty fucking dire, and the current frenzy to tie as many payment systems as possible to mobile phones is complete insanity, except from the perspective of the bottom lines of the respective payment processors, naturally.

    2. Re:"Walled garden"? by Anonymous Coward · · Score: 0, Troll

      Yeah, just be careful the next time you send a text message on your iShiny, jackass.

    3. Re:"Walled garden"? by 93+Escort+Wagon · · Score: 4, Interesting

      Amazon apparently still needs to learn this, given the recent Kindle Touch remote root exploit.

      --
      #DeleteChrome
    4. Re:"Walled garden"? by Anonymous Coward · · Score: 1

      Wow, Another cowardly anonymous schmuck Apple fanboy hates on Android...and this one got first post.

    5. Re:"Walled garden"? by Shoten · · Score: 5, Insightful

      Sorry guys, but he's got a point. The attack vector here is an app that people voluntarily run, and the walled garden has been effective against that. Are there other vectors? Yeah. But that doesn't mean that his point about this one vector is wrong...it's not wrong at all. It took 5 years for the first malicious app to slip past Apple, and even then, the nature of how it all works meant Apple could remove it from everyone's iPhone with a single update. Android can't boast the same, either on the prevention or the remediation side. I don't hold any hate for either side, but this is just simple truth we're talking here. There have been scores of trojaned Android apps, and many for jailbroken iPhones as well...but only one, ever, for standard iPhones.

      --

      For your security, this post has been encrypted with ROT-13, twice.
    6. Re:"Walled garden"? by Anonymous Coward · · Score: 0

      I still can't understand why it costs me more to make an electronic or mobile payment than to walk in and hand over actual cash. I figure most customer service reps make $30,000 a year and can maybe process 500 payments a day whereas payment processing software could cost $30,000 one time and process exponentially more. So why the fuck do I have to pay more to not deal with a human?

    7. Re:"Walled garden"? by Anonymous Coward · · Score: 0

      Blackberry phones are secure lol

    8. Re:"Walled garden"? by Anonymous Coward · · Score: 1

      "Researchers at Kaspersky have discovered an app called “Find and Call” in Apple’s iOS App Store, Forbes noted on Thursday. The malicious app masquerades as a tool for simplifying contact lists but it instead uploads a user’s full contact list to a remote server and proceeds to send SMS and email spam to every person in the list."

    9. Re:"Walled garden"? by AK+Marc · · Score: 3, Interesting

      Because capitalism is inherently anti-free market. In free market capitalism, we'd have processors coming in at cost + small% to do the same thing. Instead, we have monopoly based economics, with Visa/MC having a vast majority of the business, and network effects that keep out most competitors. So the price for the service is based on profit maximization, not revenue maximization at a minimum profit level.

      I've seen a $200 box with a patent sell for $50,000+ because the "value" was $50,000 plus, but the patent was obvious and not novel (It was essentially signal cancellation for an expensive piece of communications gear, with court cases about it because two companies patented the same thing at the same time, both valid because the patent office isn't technical enough and the filing periods overlapped so neither was granted before the other was filed, so not previous art for the other).

    10. Re:"Walled garden"? by Anonymous Coward · · Score: 1

      "Those who would give up app Liberty, to purchase smartphone Safety, deserve neither Liberty nor Safety"
      - Benjamin Franklin

    11. Re:"Walled garden"? by mjwx · · Score: 0

      It took 5 years for the first malicious app to slip past Apple, and even then, the nature of how it all works meant Apple could remove it from everyone's iPhone with a single update.

      Erm, wrong.

      They've been able to sneak things passed the GateKeeper for at least 2 years now.
      http://www.wired.com/gadgetlab/2010/07/apple-approves-pulls-flashlight-app-with-hidden-tethering-mode/

      This is just the one we know of.

      --
      Calling someone a "hater" only means you can not rationally rebut their argument.
    12. Re:"Walled garden"? by Anonymous Coward · · Score: 2, Insightful

      I'm not sure I agree with you, at least for iOS. Security was dire around v1.0, but now we're at 5.x going on 6.x and a lot has changed.

      iOS is definitely more secure than Mac/Windows/Ubuntu.

      There is always room for improvement, but iOS has sandboxing and code signing and full disk encryption with a hardware only encryption key derivation algorithm, that is deliberately slow, providing a private key that can be erased remotely or after a few failed decryption attempts.

    13. Re:"Walled garden"? by Shoten · · Score: 1

      A tethering app is not malware. It's software that the users wanted, but the cell phone companies didn't want. And it's "past," not "passed."

      --

      For your security, this post has been encrypted with ROT-13, twice.
    14. Re:"Walled garden"? by Shoten · · Score: 2

      Yep. That is the one malicious app.

      --

      For your security, this post has been encrypted with ROT-13, twice.
    15. Re:"Walled garden"? by dudpixel · · Score: 2, Interesting

      From the article:
      "According to TrustGo, the malware is being spread through online forums and has been found in several packages on China’s largest mobile app marketplace, GFan"

      Better revise your "attack vector" description.

      Most Android users only use Google Play Store, which not only is not known to be affected by this malware, it also has the ability to remove it from users' phones after the fact - so you're wrong there too.

      You even admitted there is malware for 'jailbroken' iphones, which would be a more direct comparison here.

      Android likely has more malware potential, but this specific attack isn't a problem for those who stick with Google Play Store. Those who use alternative stores should understand the risks (or in fact, anyone using technology such as the internet should understand the risks).

      --
      This seemed like a reasonable sig at the time.
    16. Re:"Walled garden"? by Anonymous Coward · · Score: 1

      Except you can jailbreak it. This means all bets are off. You can arbitrarily disable one or all of those aforementioned features -- and breaking a 10,000 combination code is a joke for most medium to high end computers.

    17. Re:"Walled garden"? by Anonymous Coward · · Score: 0

      LOL, "cheap crap" that does way the hell more than any shiny overpriced crap, and has an equal if not better user experience (outside of China anyway, LOL)

    18. Re:"Walled garden"? by Anonymous Coward · · Score: 1

      There's only one that you know of. Keep repeating the lie. Maybe it'll come true one day, if you wish upon a star. LOL

      Just because researchers can't bulk-download even free applications and are not permitted to do so on-device, it makes it hard for anyone to say if any application is malicious.

      The ones that you see are just lucky guesses, someone actually bothered looking as to what it did, or come out with it themselves (in the case of Charlie Miller).

      You think their review does jack and shit to people who want your stuff?

    19. Re:"Walled garden"? by Anonymous Coward · · Score: 1

      It's still malware. It said it was a flashlight and it had code to do something completely different. Malware that researchers launch to clean up other malware is still malware.

      Ultimately, it doesn't even matter if it is. It just proves that the so-called "review" can only detect the stupidly obvious attempts at malware. Any malware or spyware with a delayed payload will make it through perfectly fine.

    20. Re:"Walled garden"? by hawkinspeter · · Score: 1

      AFAIK, IOS doesn't have full disk encryption and I don't know what you're on about with the "hardware only encryption key derivation algorithm". I just don't see how a phone OS is going to be more secure than a full OS with proper full disk encryption (e.g. LUKS).

      --
      You're a temporary arrangement of matter sliding towards oblivion in a cold, uncaring universe
    21. Re:"Walled garden"? by Anonymous Coward · · Score: 0

      "And what happens if you get malware on your iPhone, iPad, or iPod touch? You wouldn't necessarily know it. Not all malware has big, flashy alerts like FakeAlert malware. Some is quiet and surreptitious like Flame.

      And what's worse, you wouldn't be able to detect or remove iOS malware easily because Apple doesn't allow full-featured, real-time scanning anti-virus software in the iOS App Store."

    22. Re:"Walled garden"? by BenJury · · Score: 2

      Did you read the article? You download the app from whatever store, then it downloads a second file which it then installs as a 'driver' which does 'bad things'. The user is prompted if they want to install it, but the box just reappears if you hit no. That would be hard to detect from which ever store it was posted to.

      Obviously the fact that a downloaded wallpaper can install this 'driver' is wrong and needs to be looked at.

      --
      Blatant Advert: Android Apps!
    23. Re:"Walled garden"? by Anonymous Coward · · Score: 1

      For all the bitching I hear from FSF weenies about Apple, those of us who buy their products don't have to put up with this shit.

      That's because the "Walled garden" system allows Apple to usually be tight-lipped about any IPhone vulnerabilities whereas Android flaws are found by the developer community and made public. If you are comfortable with not knowing about your phone's vulnerabilities, then fine...Ignorance is bliss. BUT...occasionally, someone outside Apple finds an IOS vulnerability like THIS very recent one involving SMS spoofing:

      http://www.pcworld.com/article/261068/iphone_flaw_allows_sms_spoofing_says_hacker.html

      Oops now I've done it. I killed your euphoria.

    24. Re:"Walled garden"? by Anonymous Coward · · Score: 1

      FYI:

      http://www.apple.com/iphone/business/integration/

      Data Protection

      To protect all data at rest, iPhone features built-in hardware encryption using AES 256-bit encoding. Building on the hardware encryption capabilities of iPhone, email messages and attachments stored on the device can be further secured by using Data Protection. Data Protection uses a user’s device passcode to generate a strong encryption key. This key prevents data from being accessed when the device is locked, ensuring that critical information is secured even if the device is compromised.

    25. Re:"Walled garden"? by dimeglio · · Score: 1

      My understanding is there is in fact full encryption of the contents of the iPhone, i.e. you can't access the data without knowing the key.

      --
      Views expressed do not necessarily reflect those of the author.
    26. Re:"Walled garden"? by hawkinspeter · · Score: 1

      Someone should tell these people: http://www.elcomsoft.com/iphone-forensic-toolkit.html

      --
      You're a temporary arrangement of matter sliding towards oblivion in a cold, uncaring universe
    27. Re:"Walled garden"? by hawkinspeter · · Score: 2

      That doesn't sound like full disk encryption - they're only protecting "data at rest". I'm also concerned that a user's device passcode wouldn't have enough entropy (never mind the ease with which you can shoulder surf an iPhone user).

      --
      You're a temporary arrangement of matter sliding towards oblivion in a cold, uncaring universe
    28. Re:"Walled garden"? by Shoten · · Score: 2

      I don't think you understand what a tethering app really is. It's not something that researchers launch to clean up other malware. It's something that allowed you to use your iPhone as a hotspot, before any of the cellular providers had permitted it (at all). Back in the days when unlimited data plans for iPhones were somewhat common, this was seen as a problem by the cellular providers. People didn't download the flashlight app and say "Ah, surprise! My phone is doing something malicious!" Nothing malicious at all was happening. The "mal" in "malware" doesn't come from virus writers' love of Firefly's lead character...it stands for "malicious," and the people who downloaded the app knew exactly what they were getting, and wanted that functionality. Even the articles that refer to that app do not call it malware.

      --

      For your security, this post has been encrypted with ROT-13, twice.
    29. Re:"Walled garden"? by fuzzyfuzzyfungus · · Score: 3, Insightful

      In the context of this article, it's probably worth noting that (even if the iPhone feature described works exactly as advertised) it is aimed at mitigating a completely different class of attack.

      Disk encryption setups aim to protect a lost or stolen device, in the physical custody of the attacker, from revealing whatever information is on the disk. They have no effect when the device is on and operating under the user's credentials (transparency is considered a feature).

      This attack in China is an attack on a live system, using the credentials of the user (or higher) to perform malicious operations as them. Even if the disk were encrypted in a suitably robust way, it'd be happily handing over whatever this bug asked for.

    30. Re:"Walled garden"? by Anonymous Coward · · Score: 0

      Why is it, without fail, every time there is an Apple security issue, Apple marketing kicks in to come up with an anti-Android story? Apple has serious SMS flaw. Therefore, users INSTALLING malware on Android is equally flawed.

      Soooo tired of Apple marketing and rabid Apple fanboyism.

      This isn't directed specifically at you...just on my soap box.

    31. Re:"Walled garden"? by Anonymous Coward · · Score: 0

      Nothing's stopping you from inventing something kick-ass that neutralizes it all. Oh. Not in your skill set, huh?

      Of course, your "Marxist Economics" model doesn't work in the real world: people aren't just willing to pay "what the market will bear" well beyond a "small%" profit but it's also THE ONLY WAY to fund advanced technology development of any kind. No. The Internet didn't "change everything".

    32. Re:"Walled garden"? by Krojack · · Score: 1

      If you're willing to open your front door and let any stranger in your house or loan them the keys to your car without first doing a background check then sure, you deserve to have your shit stolen.

      I on the other hand prefer having the freedom to do MORE with my Android phone. I used to have an iPhone and will never go back to that POS locked down for a baby device. A phone IS a computer and you treat it the same. You don't just go installing anything and everything on your computer do you?

    33. Re:"Walled garden"? by quacking+duck · · Score: 1

      Someone should tell these people: http://www.elcomsoft.com/iphone-forensic-toolkit.html

      From your linked site:

      "Enhanced Forensic Access to iPhone/iPad/iPod Devices running iOS 4"
      [...]
      Protected file system dumps can be extracted from iPhone devices equipped with on-board hardware encryption and running iOS 4.x. Supported devices include iPhone 3GS and iPhone 4 (both GSM and CDMA models), first-gen iPad, and latest releases of iPod Touch (3rd and 4th generation).

      In other words, they don't support the latest-generation iPhone (4S) or iOS (5), nor the last two generations of iPad. According to Apple, as of June 2012 almost 80% of the 365 million iOS devices sold had been upgraded to iOS5.

      Maybe it works unofficially on these, but iOS5 and the iPhone 4S have been out for almost a year now. I imagine the ability to break into these would be a significant product feature they'd want to promote--if they had it.

    34. Re:"Walled garden"? by AK+Marc · · Score: 1

      Inventing something better? Easy. Taking millions in losses to push it through the closed market to the point of profitability? Not easy.

      Look at Discover card. It was backed by Sears, pushed with millions, then Sears went bankrupt. Coincidence? I think so, but I don't have visibility into their books to see if pushing a new option through was expensive enough to bankrupt one of the country's largest retailers. I just know I don't have the money to push it through.

      Of course, your "Marxist Economics" model doesn't work in the real world: people aren't just willing to pay "what the market will bear" well beyond a "small%" profit but it's also THE ONLY WAY to fund advanced technology development of any kind.

      Wait, "Free Market Capitalism" is Marxist economics? People in the US talk about the Free Market all the time, but I don't think anyone knows what it means anymore, other than economics professors, and obviously the ACs whining about the market don't take economics classes.

    35. Re:"Walled garden"? by NerdmastaX · · Score: 0

      It took 5 years for the first malicious app to slip past Apple, and even then, the nature of how it all works meant Apple could remove it from everyone's iPhone with a single update. Android can't boast the same, either on the prevention or the remediation side.

      android does boast the same, they have had control over market apps from the start. methinks you are biased. also can you list the "scores of apps" that you so casually refer to....?

    36. Re:"Walled garden"? by dudpixel · · Score: 1

      Did you even read my post? I could be accused of being an Android fanboy, but definitely not an Apple one.

      I worded my post so as to be as fair as possible to both sides, while correcting the previous post.

      --
      This seemed like a reasonable sig at the time.
  2. Re:Sorry. Don't fucking live in China. by Anonymous Coward · · Score: 0

    QUED!

    Idfiot!

  3. "Lengthy Process" by Anonymous Coward · · Score: 0

    It looks like you uninstall it like any other app...

    1. Re:"Lengthy Process" by Thantik · · Score: 4, Insightful

      In addition to removing it from device administrators. Which is like 2 actual steps. It's very tame compared to what it _could_ take.

    2. Re:"Lengthy Process" by snowraver1 · · Score: 2

      I was expecting something like an os reinstall or something... Those instructions seem simple and straightforward.

      --
      Copyright 2010. All rights reserved. This comment may not be copied in any way including, but not limited to caching.
    3. Re:"Lengthy Process" by stephanruby · · Score: 2

      In addition to removing it from device administrators. Which is like 2 actual steps. It's very tame compared to what it _could_ take.

      Yes, since they're a "security" company, they're taking the Norton approach and making the instructions as scary and as lengthy as they could make them.

      First of all, if the device is under a device administrators' control, I doubt very much that the phone would have gotten infected in the first place. And second of all, I can understand the normal Chinese grandma not understanding the instructions:

      "Just uninstall the 'naked girls' application, there is nothing more to it than that. "

      But at the very least, this one instruction should be more than enough for a device administrator to know what to do. And it should also be more than enough for the Chinese grandfather who originally installed the 'naked girls' application in the first place and who knew enough about his phone to enable the "allow applications from unknown sources". So making two different sets of instructions, one for the administrator and one for the user, and hiding them between one more level of links on the web site, is only making it seem more difficult than it really is.

      Also, I'd love to know where they got "that is said to have infected 500,000 devices", they don't quote anyone actually saying that. One can only assume this is a figure that the "Security" company itself made entirely up, based on what? they don't actually say.

    4. Re:"Lengthy Process" by fuzzyfuzzyfungus · · Score: 1

      Given how little customization there is during a typical phone's OS install process (during the image build process, yes, the image install process, not so much), "just reflash it" actually counts as fairly noob-friendly, if somewhat tedious, advice.

      Unless the bootloader is shot, or the vendor has a hostile or nonexistent reflash process, it's pretty much just a matter of waiting while a nontrivial chunk of the phone's flash gets overwritten...

  4. SMSJiangshi by Hsien-Ko · · Score: 2

    We're not zombies!

  5. Take better care next time. by MRe_nl · · Score: 0

    Choosing your parents.
    Lackwit.

    --
    "Kill 'em all and let Root sort 'em out"
    1. Re:Take better care next time. by Anonymous Coward · · Score: 0

      Well, you can still blame them for the shortcoming in your pants.

    2. Re:Take better care next time. by Anonymous Coward · · Score: 0

      No, that would be his hand!

  6. Obvious scam by vlm · · Score: 2

    wallpaper apps that sport provocative titles and nude photos

    How can someone see that and not realize it's gotta be a scam?

    Probably just as effective as putting up a "idiots click here please".

    The ability to be scammed is hardly limited to senior citizens.

    --
    "Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
    1. Re:Obvious scam by mlts · · Score: 5, Interesting

      You would be surprised how easy it would be to get stung by this by an average user [1].

      A couple months ago, I was browsing for a couple games. Looked at the game, and it demanded every right under the sun. Of course, it didn't get the second install click.

      However, it was a game with an icon that was the logo for a popular game show, so it looked "legit" enough to a user. Most Android users are not the top tier IT people who know exactly what an app should and should not be doing. They tend to see an app, tap it, and go from there.

      All and all, the Android permissions are working fine. The app couldn't do much to hide in the system, so someone removing the device admin and then the app resulted in a cleanup. Had the app had root, it could insert itself into a lot more places.

      The problem is that whomever is the curator of the app store [2] in question. There really needs to be at least two tiers with some warning about entering into Mordor for the second tier. Android needs to have default stores like Amazon's that apps are vetted to a strict code before they hit the store. Not just checked with a scanner like the Bouncer, but put up to a higher tier of rules than the free-for-all of the present Google Play store. The reason for the higher standard is to minimize the "developer banned at 9:00, app is back in the store at 10:00 under a different name", which was not uncommon.

      Android is great (and it can be argued that the OS is more secure than iOS when compared side to side [3]); it just needs a beefy gatekeeper enforcing a proper dress code. iOS's security would be significantly weakened without an active gatekeeper, and Apple has done a good job at keeping the nasties out of the Apple ecosystem.

      [1]: The Dancing Bunnies "hole" has defeated many security systems.

      [2]: I wasn't sure if it is Google or what, so using "app store" as a generic term. App Store would likely mean Apple's offering.

      [3]: iOS depends on the "jail" system completely. A rooted Android device does not lessen any security, unless the user decides to let an app through via "Superuser" that shouldn't have root.

    2. Re:Obvious scam by stephanruby · · Score: 1, Informative

      You would be surprised how easy it would be to get stung by this by an average user [1].

      A couple months ago, I was browsing for a couple games. Looked at the game, and it demanded every right under the sun. Of course, it didn't get the second install click.

      However, it was a game with an icon that was the logo for a popular game show, so it looked "legit" enough to a user. Most Android users are not the top tier IT people who know exactly what an app should and should not be doing. They tend to see an app, tap it, and go from there.

      Most users actually look at the number of stars and the number of downloads, and sometimes even read the reviews when the thing doesn't have a solid rating. Find me just one example of a WallPaper app, or a shady game, that hasn't been damaged in its star ratings and in its user reviews by having permissions that required access to the SMS functionality.

      In addition to that, the Google Play store also looks at the ratings and the number of installs, when deciding to display search results, thus reducing the discoverability of such apps drastically.

    3. Re:Obvious scam by queazocotal · · Score: 2

      Then there is the side-effect of ads meaning that _EVERY_ app (well, the majority) has all the permissions it needs to start scanning your network at 3AM, and reporting what it finds back to china.
      Fixing this would not be that involved, but it would mean that there is some cost.
      Devs would need to write a one-line explanation for every permission.
      You'd need to have someone slightly clueful to see if all the permissions are in fact required for the features mentioned.
      This is around a 2 minute task for most apps.
      Restricted versions of some permissions would be needed - for example if an app wanted ads, it can get them from the internet, but only from one address (whose reverse DNS must resolve to the same host).
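
The review step proposed in the comment above (a one-line explanation per permission, checked against the features the app advertises) can be sketched as follows. This is an added example, not part of the original post or of any store's tooling; the feature-to-permission policy, the sample manifest, the justifications and the finding codes are all constructed assumptions.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Reviewer policy assumed for this example: the permissions each advertised
# feature can plausibly need. Anything outside it has to be questioned.
FEATURE_PERMISSIONS = {
    "wallpaper": {"android.permission.SET_WALLPAPER"},
    "ads": {"android.permission.INTERNET",
            "android.permission.ACCESS_NETWORK_STATE"},
    "messaging": {"android.permission.SEND_SMS",
                  "android.permission.RECEIVE_SMS",
                  "android.permission.READ_SMS"},
}

# Permissions that allow sending SMS or reading/intercepting incoming SMS.
SMS_PERMISSIONS = {"android.permission.SEND_SMS",
                   "android.permission.RECEIVE_SMS",
                   "android.permission.READ_SMS"}

# Constructed sample: decoded manifest of a hypothetical wallpaper app.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.wallpaper">
  <uses-permission android:name="android.permission.SET_WALLPAPER"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application>
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
""".strip()

# Constructed developer submission: advertised features and the one-line
# explanations supplied for each permission (RECEIVE_SMS has none).
SAMPLE_FEATURES = ["wallpaper", "ads"]
SAMPLE_JUSTIFICATIONS = {
    "android.permission.SET_WALLPAPER": "Applies the chosen image.",
    "android.permission.INTERNET": "Downloads images and ads.",
    "android.permission.SEND_SMS": "Share a wallpaper by text.",
}


def requested_permissions(root):
    """Sorted, de-duplicated names from the <uses-permission> elements."""
    names = (el.get(ANDROID + "name") for el in root.iter("uses-permission"))
    return sorted({n for n in names if n})


def device_admin_receivers(root):
    """Receivers guarded by BIND_DEVICE_ADMIN can be activated as device admins."""
    return [r.get(ANDROID + "name") for r in root.iter("receiver")
            if r.get(ANDROID + "permission")
            == "android.permission.BIND_DEVICE_ADMIN"]


def audit(manifest_xml, features, justifications):
    """Return (code, subject) findings for a human reviewer to follow up on."""
    root = ET.fromstring(manifest_xml)
    expected = set()
    for feature in features:
        expected |= FEATURE_PERMISSIONS.get(feature, set())

    findings = []
    for perm in requested_permissions(root):
        if not justifications.get(perm, "").strip():
            findings.append(("NO_EXPLANATION", perm))
        if perm not in expected:
            findings.append(("NOT_NEEDED_BY_FEATURES", perm))
            if perm in SMS_PERMISSIONS:
                findings.append(("SMS_WITHOUT_MESSAGING_FEATURE", perm))
    # A device-admin component blocks a plain uninstall until it is
    # deactivated, so it is always surfaced for review.
    for receiver in device_admin_receivers(root):
        findings.append(("DEVICE_ADMIN_RECEIVER", receiver))
    return findings


if __name__ == "__main__":
    for code, subject in audit(SAMPLE_MANIFEST, SAMPLE_FEATURES,
                               SAMPLE_JUSTIFICATIONS):
        print(f"{code:32} {subject}")
```
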

    4. Re:Obvious scam by mlts · · Score: 1

      I am leery about reviews. The app I mentioned had five stars, and a ton of positive reviews. However, if you looked at the reviews, they were stuff like "Game play great!" [sic], or other pithy, fake reviews. One had to dig through a ton of the fake positives in order to find the one star "SMS spammer" items.

    5. Re:Obvious scam by AK+Marc · · Score: 1

      Apps can lie to me. Why can't I lie to apps? Tell the App I agreed to all the permissions, but don't give the app those permissions. Let me choose the permissions. If it crashes, then I'll uninstall it. If it still runs neutered, then I'll leave it. I can't believe most of the apps need all the permissions they request. And I find it amusing that the customizable and open Android won't let me tell an app that it has permissions to my contact list, but is presented an empty sandbox contact folder.

    6. Re:Obvious scam by mlts · · Score: 1

      There is an app for Android called LBE Privacy Guard which does exactly that, where the app thinks it has the perms it wants... but doesn't.

      There is a similar app for jailbroken iPhones called PMP (Protect My Privacy). If an unauthorized app wants contacts, PMP will give gibberish, same with music. That way, the app thinks it is having a field day uploading data.

    7. Re:Obvious scam by Anonymous Coward · · Score: 0

      re: Android Dalvik/Linux

      What you point out is inherently one of the problems with just being open source, but not free (as in freedom) software. It's the freedom part where the real power to end users is and hence why companies in the mobile space haven't embraced it.

    8. Re:Obvious scam by quacking+duck · · Score: 1

      I will assume the app and reviews were on an app store or traditional aggregation website. It didn't have the ability to filter or sort by critical ratings first?

    9. Re:Obvious scam by stephanruby · · Score: 1

      I am leery about reviews. The app I mentioned had five stars, and a ton of positive reviews. However, if you looked at the reviews, they were stuff like "Game play great!" [sic], or other pithy, fake reviews. One had to dig through a ton of the fake positives in order to find the one star "SMS spammer" items.

      It sounds like you were on a site like GetJar. If you notice, GetJar has iPhone applications as well. And if you're willing to take the extra steps required to leave the walled garden of your OS, whether it's Android or iOS, it's ultimately your responsibility if you decide to use a badly run online App Store after that.

    10. Re:Obvious scam by Anonymous Coward · · Score: 0

      [3]: iOS depends on the "jail" system completely. A rooted Android device does not lessen any security, unless the user decides to let an app through via "Superuser" that shouldn't have root.

      That is not entirely true. The same vulnerabilities that are used to acquire root can often be used to escalate privileges.

    11. Re:Obvious scam by mlts · · Score: 1

      Very true. However, a lot of root exploits use a procedure where one uses ADB in debug mode, pushes a binary onto the machine, said binary manages to get root, then you subsequently push the Superuser APK and the su binary into place. Few apps tend to have access to anything outside the Dalvik VM, much less the ability to run native ARM code on the Linux kernel.

      Definitely not disagreeing with you, as there are one click roots that are apps downloaded, but generally, for an app to get outside its privs, it has to get outside the VM, then find a root-level exploit.

  7. Length process!? by schitso · · Score: 1

    I'm sorry, but seriously? Two steps is beyond the skill of the typical Android user?
    Besides that, maybe they shouldn't choose "YES" when explicitly prompted for device administrator permissions for the app?

    1. Re:Length process!? by schitso · · Score: 1

      Lengthy process, rather. I don't even know what a length process would be.

    2. Re:Length process!? by the_B0fh · · Score: 1

      yes. you obviously have not worked with end users. most people don't give a shit about how things work, as long as it works.

    3. Re:Length process!? by darkfeline · · Score: 1

      "What was that noise?" "The sound of progress, my friend."

    4. Re:Length process!? by Anonymous Coward · · Score: 0

      yes. you obviously have not worked with end users. most people don't give a shit about how things work, as long as it works.

      that's why I laugh at them when they get 0wned. serves them right for being so goddamned stupid and lazy.

      i will laugh even harder if malware ever comes out that cryptographically wipes all writable drives after spreading itself for a while. this kind of user is the same kind that does not make backups. they didn't want to learn the easy way? ok. welcome to the hard way.

      yeah i know that's not how you think the world should work. but the world didn't ask you (or me) how things should be. things just are. so what we actually have, the variables in the equation, are adult people who are making their decisions. they see news story after story about this and that malware, this and that getting hacked, ID theft, all sorts of shit ... then they decide that a little bit of RTFM is just too hard. ok. they made their bed, let them lay in it. stop feeling sorry for people who should know better. it doesn't help.

      if you are so interested in helping the situation, as in fewer exploits and fewer victims, what they need is some tough love. "yeah you screwed up because you took the lazy anti-intellectual route. here's how you can do better next time". why? because the difference between the criminals and their targets is that you can identify their targets and work to improve them. going after the criminals is a never-ending game of whack-a-mole. the difference between meatspace crimes like robbery and cybercrimes is that we could actually make cybercrimes a thing of the past. but not if we keep telling people who should know better that they can't be expected to know anything. that's just a worship of ignorance that masquerades as phony compassion.

    5. Re:Length process!? by Anonymous Coward · · Score: 0

      A major reason people like doing all their web/mail/facebooky stuff with their cellphones is because of all the wonky "sysadmin" bullshit involved with PCs. Software updaters (but not the fake ones), antivirus programs (but not the fake ones), attachments (but not the fake ones), etc. If they don't feel like the Android is a trusted environment, it's unlikely they will want to learn their lessons, they'll just switch to something else.

    6. Re:Length process!? by noh8rz7 · · Score: 1

      "yeah you screwed up because you took the lazy anti-intellectual route. here's how you can do better next time".

      you'd explain that they should get an iphone next time. if they don't want to invest the time in securing an operating system, then get an operating system that doesn't require any investment.

    7. Re:Length process!? by Anonymous Coward · · Score: 0

      Who needs malware when the parent company will happily factory reset / wipe all your devices in one shot, without any user intervention?

      So ya, you're right. No investment at all! Just remain deaf, blind, and stupid about everything, and you'll be all right!

    8. Re:Length process!? by Rakarra · · Score: 1

      Who needs malware when the parent company will happily factory reset / wipe all your devices in one shot, without any user intervention?

      Do you think the average user has any reason to worry about that at all? Do you think the average user worries about whether Apple will pull some dirty trick? The average user knows better than you: he knows that Apple has no plans to do that on a mass scale; they'd be incredibly stupid to do so and it would serve no purpose.

      You're coming from an ownership point of view: "I own my device, I want to do whatever I want with it, and prevent anyone, including the parent company." That's fine, I feel the same way about my devices, and I've felt stifled enough in the iphone environment to give Android a try. But most users don't care about that. They don't need to. You're making it sound like they're some poor, oppressed masses, but the truth is that they don't care as much about their devices, or specifically, about software freedom as you do. If their iphones do what they want, they don't particularly care about factory resets or whatever scare stories come out that have little chance of ever affecting them. They have different priorities, and they don't want to spend their time on things like malware, device security, and all this other bullshit that is a waste of time. The device works, it's simple, and that's what they want.

      People don't care as much about owning. They care about using. The user experience is king. So the average user can't mod it, but they don't see any point in doing so.

  8. So... by jamstar7 · · Score: 3, Funny

    THIS is the dreaded Zombie Apocalypse we're constantly warned about??

    --
    Understanding the scope of the problem is the first step on the path to true panic.
    1. Re:So... by Yvan256 · · Score: 1

      It's Zombies and Androids! Run!

    2. Re:So... by jamstar7 · · Score: 1

      Android zombies? Zombie androids? Which is worse?

      Still, it doesn't sound too bad. What could possibly go wrong?

      --
      Understanding the scope of the problem is the first step on the path to true panic.
  9. It's the windows jackpot again... by Anonymous Coward · · Score: 0

    Rejoice if you own shares of McAfee or Symantec :-(

  10. Lengthy Process? by rudy_wayne · · Score: 4, Funny

    can only be removed using a lengthy process beyond the skills of a typical android user.

    The "lengthy process" consists of:

    Go to System Settings >> Location and Security >> Select Device Administrators
    Remove "Android System Service"
    Go to System Settings >> Applications >> Manage Applications >> Android System Service
    Choose "Uninstall"

    OMG!!!

    4 steps!!!!!! It's so complicated!!!!!!!!

    1. Re:Lengthy Process? by Anonymous Coward · · Score: 0

      You've listed nine steps. You can't assume everyone knows how to do that so each tap is a step. And because you already know what to do doesn't mean you get to ignore them...

    2. Re:Lengthy Process? by Anonymous Coward · · Score: 1

      If you think in terms of the type of person who would get infected with this to begin with, then unfortunately yes, it is complicated.

    3. Re:Lengthy Process? by Anonymous Coward · · Score: 0

      Why does the number of steps determine its complexity? It's like the guy who bangs the stuck machine and charges $500. It's knowing where to hit that matters.
      I'll bet you think counting the checks on a checklist is the definitive way to compare two products.

    4. Re:Lengthy Process? by minstrelmike · · Score: 1

      Wait wait wait.
      Can you please type slower?
      I'm confused,

  11. Important by Esteanil · · Score: 1

    In addition to removing it from device administrators. Which is like 2 actual steps. It's very tame compared to what it _could_ take.

    Does anyone have a decent remote kit for actually delousing Android phones? I've tried LogMeIn Rescue but the only thing their (premium, $79,- mo) mobile access for Rescue (which is £550 per user or so)...

    The only thing this "cloud" application supports for Android is the ability to change network settings (which might be useful for reconfiguring devices, but hardly for rescuing them), and to set MMS settings.

    Way to fail at that, LogMeIn. Fortunately, they let you trial it first, and I *did* end up buying Rescue itself.

    Everything I've seen that even remotely works seems to demand full physical access to the phone, which seems a horrid oversight for a networked device ending up more and more often in Enterprise.

    Any solutions? Anything at all for a (hypothetical) stressed-out SysAdmin who's suddenly gotten Android support in his lap?
    Please explain in detail, if possible :-)

    --
    I'm a dreamer, the world is my playpen. But hey, I'm a serious person, I can't dream all the time.
    1. Re:Important by Anonymous Coward · · Score: 0

      Root the device. You can install VNC remote software.

      AFAIK, no straight-from-manufacturer device allows what even LogMeIn Rescue does.

  12. I was going to... by VTI9600 · · Score: 2

    ...post a lengthy rant about misconceptions of Android users, and quote the OP too. Unfortunately, I'm posting from an Android device and do not possess such skills.

  13. Our mobile robots hurt us by Anonymous Coward · · Score: 0

    https://www.youtube.com/watch?v=vY43zF_eHu4

    Can anyone doubt that we need to put in First Law of Robotics?

  14. huh? by hbean · · Score: 1

    How is that a lengthy process beyond the skill of most android users? My father could do that easily and he barely knows how to dial his android.

    --
    "Give someone a program, frustrate them for a day... Teach someone to program, frustrate them for a lifetime."
    1. Re:huh? by Anonymous Coward · · Score: 0

      you can dial on an android?

    2. Re:huh? by PNutts · · Score: 1

      It depends on whether you mean follow a script or just do it. My mother-in-law could follow the 10 screenshots but she could not independently come up with those steps. The fact that the person granted the permissions leads me to believe they may not have the technical expertise to undo their choices.

    3. Re:huh? by Anonymous Coward · · Score: 0

      Yes.

  15. Re:But Android is Open !!! by JAlexoi · · Score: 2

    open to trolls, as well.

  16. Re:But Android is Open !!! by PNutts · · Score: 2

    In a story about fraud on the Android platform someone points out that Android is open to fraud. Personally, I think it was a play on words and not a technical comment. Either way, I don't think the word troll means what you think it means. If you thought they were serious you could have explained why they were wrong and help keep this a useful technical forum. And I want a pony.

  17. iOS more secure for most users by SuperKendall · · Score: 0

    Android is great (and it can be argued that the OS is more secure than iOS when compared side to side [3])

    The Android security system itself is strong enough, but the inherent flaw is that a user is asked for permissions for everything all up front. This is terrible as novice users simply cannot really tell what they are being asked to do, and even experienced users may think some particular permission is theoretically needed.

    On iOS, permissions are asked in context, at the time the service needing permission is going to be accessed. This gives especially novice users a much stronger inkling if they should agree.

    This is true regardless of an app running on a jailbroken system or not.

    In the end, the proof lies in action - iOS has zero examples of things like this SMS malware, whereas we have seen a number of stories just like that over the years. How can you possibly lay out the case Android is more secure when in the real world it is obviously not?

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
    1. Re:iOS more secure for most users by Anonymous Coward · · Score: 0

      Two words: Charlie Miller.

      Another two (and a symbol): Command & Control

      His application could do whatever the hell it wanted. It had root access.

    2. Re:iOS more secure for most users by tlhIngan · · Score: 1

      The Android security system itself is strong enough, but the inherent flaw is that a user is asked for permissions for everything all up front. This is terrible as novice users simply cannot really tell what they are being asked to do, and even experienced users may think some particular permission is theoretically needed.

      On iOS, permissions are asked in context, at the time the service needing permission is going to be accessed. This gives especially novice users a much stronger inkling if they should agree.

      This is true regardless of an app running on a jailbroken system or not.

      In the end, the proof lies in action - iOS has zero examples of things like this SMS malware, whereas we have seen a number of stories just like that over the years. How can you possibly lay out the case Android is more secure when in the real world it is obviously not?

      It's like Windows vs. Unix. Windows actually has a great permission system, ACLs and other things that could be used to lock it down tighter than Unix (which until recently only acquired stuff like ACLs and such, usually bolted on and never quite working right). But Unix is considered far safer because its permission system is simpler (easier to understand) and that leads to a lot more effective protection. With ACLs and stuff, there's always a problem of "what do I do to make this work" and you end up asking for ALL permissions just because you're too lazy to figure it out (or your boss wants the fix out NOW).

      The other problem is Dancing Pigs. Users just don't care for popups, and this is a huge problem on iOS as well as Android. That permission list is useless if the user wants the app (and ICS/JB make it easier to skip by putting that nice big "Download and Install" button on top, coupled with the "Additional Permissions" list).

      iOS has the same issue with notifications. The current notification on location isn't the best though since it applies to anything that has location information embedded in it - photos for example (an app wanting access to the photo library will trigger the popup).

      As for SMS and the like - the only reason iOS is "safer" is because Apple realized that and made the SMS APIs locked - if you want to send an SMS you have to go through the SMS app (or Siri), or use your own SMS gateway and write your own interface to it.

      Of course, the other problem with Android permissions is context - WHY do you need the permissions? "Full Internet Access" - why? Is it for ads? Is it because of additional content? Contacts - why? Access to friends for gaming? Profiling for ads? Even iOS can't provide this information...
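
The two things this thread keeps returning to, SMS permissions granted at install time and the device administrator right that has to be deactivated before the app can be uninstalled, are both declared in an app's manifest. The following is an added example, not part of any comment above: a Python check over a decoded AndroidManifest.xml. The sample manifests, package names and the `triage_manifest` function are constructed for illustration, and a real APK stores its manifest as binary XML that must be decoded first.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # android: attribute namespace
SMS_PERMISSIONS = {
    "android.permission.SEND_SMS", "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS", "android.permission.WRITE_SMS",
}
ADMIN_PERMISSION = "android.permission.BIND_DEVICE_ADMIN"
ADMIN_ACTION = "android.app.action.DEVICE_ADMIN_ENABLED"
ADMIN_METADATA = "android.app.device_admin"

# Constructed sample: a "wallpaper" app that also wants SMS and device admin.
SUSPICIOUS_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.wallpaper">
  <uses-permission android:name="android.permission.SET_WALLPAPER"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application android:label="Android System Service">
    <receiver android:name=".AdminReceiver"
        android:permission="android.permission.BIND_DEVICE_ADMIN">
      <meta-data android:name="android.app.device_admin" android:resource="@xml/policies"/>
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

# Constructed sample: a wallpaper app that asks only for what wallpapers need.
BENIGN_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.plainwallpaper">
  <uses-permission android:name="android.permission.SET_WALLPAPER"/>
  <application android:label="Plain Wallpaper"/>
</manifest>
"""

def triage_manifest(xml_text):
    """Report SMS permissions and device-admin receivers declared in a manifest."""
    root = ET.fromstring(xml_text)
    requested = {p.get(A + "name") for p in root.iter("uses-permission")}
    admin_receivers = []
    for receiver in root.iter("receiver"):
        actions = {a.get(A + "name") for a in receiver.iter("action")}
        metadata = {m.get(A + "name") for m in receiver.iter("meta-data")}
        guarded = receiver.get(A + "permission") == ADMIN_PERMISSION
        # A device-admin receiver handles DEVICE_ADMIN_ENABLED and is either
        # guarded by BIND_DEVICE_ADMIN or carries the device_admin meta-data.
        if ADMIN_ACTION in actions and (guarded or ADMIN_METADATA in metadata):
            admin_receivers.append(receiver.get(A + "name"))
    sms = sorted(requested & SMS_PERMISSIONS)
    # Flag only the combination: SMS access plus a right that blocks uninstall.
    return {
        "package": root.get("package"),
        "sms_permissions": sms,
        "admin_receivers": admin_receivers,
        "flag": bool(sms) and bool(admin_receivers),
    }

if __name__ == "__main__":
    for manifest in (SUSPICIOUS_MANIFEST, BENIGN_MANIFEST):
        print(triage_manifest(manifest))
```

Neither signal is malicious on its own; the flag marks the combination a wallpaper app has no reason to ask for.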

  18. Seriously... by dohzer · · Score: 1

    When is SMS just going to vanish already?

    1. Re:Seriously... by deadzaphod · · Score: 1

      I've been wondering that since the 90s... SMS is a crude hack that was past due for replacement before most people ever heard of it.

    2. Re:Seriously... by Anonymous Coward · · Score: 0

      What do you mean, it's a GREAT vector...

      Send alphanumerics to parsers on any platform, standardized!

    3. Re:Seriously... by noh8rz7 · · Score: 1

      all messages sent between iphones go on imessage instead of sms. sms is dead on iphones except for communications with other cell phone types.

    4. Re:Seriously... by dohzer · · Score: 1

      I guess we should all get iPhones then. Personally the only thing stopping me is that it's an iPhone.

    5. Re:Seriously... by Threni · · Score: 1

      When there is an alternative which is free, works on all mobile phones regardless of carrier/manufacturer, and is (almost) instant.

    6. Re:Seriously... by noh8rz7 · · Score: 0

      "what's the solution to X?" "well, you could get Y." "but I don't want Y because I'm a fanboi." "Fine then don't complain about X."

    7. Re:Seriously... by Anonymous Coward · · Score: 0

      Don't be a douche. Are you seriously suggesting that the only thing preventing the entire world from getting iPhones is Fanboyism?

    8. Re:Seriously... by SuspectNumber3 · · Score: 1

      This really does seem to be an issue with some, that iPhones are iPhones, and I can understand the issue to a degree.

      1. Make a case for an iPhone with 'This is not an iPhone' printed on it.
      2. Load phone with 'Not an iPhone' skin.
      3. Sell next to Apple stores with a sign that reads 'Not iPhones'.
      4. Profit !!

    9. Re:Seriously... by noh8rz7 · · Score: 1

      No, but I'm stating that a portion of android users are apple-haters and use android out of spite, even though they would get a better experience with apple.

  19. HA! by Anonymous Coward · · Score: 0

    The Chinese created a piece of malware that infects themselves! Oops. lol

  20. Steps within steps. (Think IKEA.) by tepples · · Score: 1

    There are two steps, where each step itself has steps. The concept of steps within steps should be familiar from assembling flat-pack furniture, where the steps to put the cams and screws into one shelf are often combined as inner steps into one outer step, or from the Bible where each book is made of chapters and each chapter made of verses. This way, the user knows how far along he is.

    Part 1: Deactivate trojan's administrative privilege (6 taps)
    1. Open Settings. 2. Open Location and Security. 3. Open Select Device Administrators. 4. Select Android System Service. 5. Choose Deactivate. 6. OK.

    Part 2: Remove trojan entirely from device (6 taps)
    1. Open Settings. 2. Open Applications. 3. Open Manage Applications. 4. Select Android System Service. 5. Choose Uninstall. 6. OK.

    1. Re:Steps within steps. (Think IKEA.) by Anonymous Coward · · Score: 0

      To open slashdot...

      1. Type S
      2. Type L
      3. Type A.
      4. Type S.
      5. Type H. ...

      OMG. WHEN IT'S ALL SAID AND DONE, THAT'S LIKE 15 STEPS.

  21. Chinese software by Taco+Cowboy · · Score: 0

    I am not surprised at all by the news that it's the bug in the Chinese sms payment system software that provides the vulnerability

    The quality, or rather, the lack of it, of Chinese software is a given

    Almost all software that were written by Chinese, that I've come across, - no matter which platform the software run on, - are very poorly constructed, they are not intuitive, and very very buggy

    --
    Muchas Gracias, Señor Edward Snowden !
  22. Sophisticated? by Anonymous Coward · · Score: 2, Interesting

    The "Wallpaper" trojan has to get administrative privileges from the user. Social engineering trick.

    Then it downloads the malicious code. Not impressed.

    Finally, it monitors keystrokes. Key logger anyone?

    Is it just me, or does the company (TrustGo) that called this malware "Sophisticated" have an ulterior motive? Care to purchase a mobile security product?

    http://www.trustgo.com/en/

  23. zomg by rainmouse · · Score: 1

    People peddling mobile phone security produce frightening figures of what happens when you don't own their product....

  24. How come.. by Anonymous Coward · · Score: 0

    How come this recent news about an IPHONE flaw with sms messaging isn't on Slashdot?

    http://www.pcworld.com/article/261068/iphone_flaw_allows_sms_spoofing_says_hacker.html

    1. Re:How come.. by SuspectNumber3 · · Score: 1

      Ummm....
      My guess is that you did not look for it?

      http://apple.slashdot.org/story/12/08/17/2057207/iphone-bug-allows-sms-spoofing

  25. Installed via 'some guys blog' by sl4shd0rk · · Score: 1

    GFan is probably bad enough, but installing an application from some random-ass website is just asking for it.

    FTFA: "the malware is being spread through online forums and has been found in several packages on China's largest mobile app marketplace, GFan."

    --
    Join the Slashcott! Feb 10 thru Feb 17!
  26. Click the next button by Alari · · Score: 1

    "...beyond the skills of a typical android user."

    It's 5 steps long, and at least one of those steps is essentially CTNB (click the Next button)

    Ohhh...

    I see what you did there.

    --
    I use Windows... like a two dollar wh.. why don't I just go ahead and not finish that sentence.