Slashdot Mirror


"SMSZombie" Malware Infects 500,000 Android Users In China

wiredmikey writes "Researchers have recently discovered a new sophisticated and resilient mobile threat targeting Android phones that is said to have infected about 500,000 devices, mainly in China. Called 'SMSZombie,' the malware is stubborn and hard to remove, but users outside of China have little to worry about with this latest discovery. The prime function of the mobile malware is to exploit a vulnerability in the mobile payment system used by China Mobile, making it of little value to the fraudsters outside of China. The malware takes advantage of a vulnerability in the China Mobile SMS Payment process to generate unauthorized payments to premium service providers, and can also remotely control the infected device. It has been spread via wallpaper apps that sport provocative titles and nude photos, and can only be removed using a lengthy process beyond the skills of a typical Android user."

24 of 116 comments

  1. Re:"Lengthy Process" by Thantik · · Score: 4, Insightful

    In addition to removing it from device administrators. Which is like 2 actual steps. It's very tame compared to what it _could_ take.

  2. SMSJiangshi by Hsien-Ko · · Score: 2

    We're not zombies!

  3. Obvious scam by vlm · · Score: 2

    wallpaper apps that sport provocative titles and nude photos

    How can someone see that and not realize it's gotta be a scam?

    Probably just as effective as putting up an "idiots click here please".

    The ability to be scammed is hardly limited to senior citizens.

    --
    "Science flies us to the moon. Religion flies us into buildings." - Victor Stenger

    1. Re:Obvious scam by mlts · · Score: 5, Interesting

      You would be surprised how easy it would be to get stung by this by an average user [1].

      A couple months ago, I was browsing for a couple games. Looked at the game, and it demanded every right under the sun. Of course, it didn't get the second install click.

      However, it was a game with an icon that was the logo for a popular game show, so it looked "legit" enough to a user. Most Android users are not the top tier IT people who know exactly what an app should and should not be doing. They tend to see an app, tap it, and go from there.

      All in all, the Android permissions are working fine. The app couldn't do much to hide in the system, so someone removing the device admin and then the app resulted in a cleanup. Had the app had root, it could insert itself into a lot more places.

      The problem is that whoever is the curator of the app store [2] in question. There really needs to be at least two tiers with some warning about entering into Mordor for the second tier. Android needs to have default stores like Amazon's that apps are vetted to a strict code before they hit the store. Not just checked with a scanner like the Bouncer, but put up to a higher tier of rules than the free-for-all of the present Google Play store. The reason for the higher standard is to minimize the "developer banned at 9:00, app is back in the store at 10:00 under a different name", which was not uncommon.

      Android is great (and it can be argued that the OS is more secure than iOS when compared side to side [3]); it just needs a beefy gatekeeper enforcing a proper dress code. iOS's security would be significantly weakened without an active gatekeeper, and Apple has done a good job at keeping the nasties out of the Apple ecosystem.

      [1]: The Dancing Bunnies "hole" has defeated many security systems.

      [2]: I wasn't sure if it is Google or what, so using "app store" as a generic term. App Store would likely mean Apple's offering.

      [3]: iOS depends on the "jail" system completely. A rooted Android device does not lessen any security, unless the user decides to let an app through via "Superuser" that shouldn't have root.

    2. Re:Obvious scam by queazocotal · · Score: 2

      Then there is the side-effect of ads meaning that _EVERY_ app (well, the majority) has all the permissions it needs to start scanning your network at 3AM, and reporting what it finds back to China.
      Fixing this would not be that involved, but it would mean that there is some cost.
      Devs would need to write a one-line explanation for every permission.
      You'd need to have someone slightly clueful to see if all the permissions are in fact required for the features mentioned.
      This is around a 2 minute task for most apps.
      Restricted versions of some permissions would be needed - for example if an app wanted ads, it can get them from the internet, but only from one address (whose reverse DNS must resolve to the same host).

  4. So... by jamstar7 · · Score: 3, Funny

    THIS is the dreaded Zombie Apocalypse we're constantly warned about??

    --
    Understanding the scope of the problem is the first step on the path to true panic.

  5. Re:"Lengthy Process" by snowraver1 · · Score: 2

    I was expecting something like an OS reinstall or something... Those instructions seem simple and straightforward.

    --
    Copyright 2010. All rights reserved. This comment may not be copied in any way including, but not limited to caching.

  6. Lengthy Process? by rudy_wayne · · Score: 4, Funny

    can only be removed using a lengthy process beyond the skills of a typical Android user.

    The "lengthy process" consists of:

    1. Go to System Settings >> Location and Security >> Select Device Administrators
    2. Remove "Android System Service"
    3. Go to System Settings >> Applications >> Manage Applications >> Android System Service
    4. Choose "Uninstall"

    OMG!!!

    4 steps!!!!!! It's so complicated!!!!!!!!

  7. Re:"Lengthy Process" by stephanruby · · Score: 2

    In addition to removing it from device administrators. Which is like 2 actual steps. It's very tame compared to what it _could_ take.

    Yes, since they're a "security" company, they're taking the Norton approach and making the instructions as scary and as lengthy as they could make them.

    First of all, if the device is under a device administrators' control, I doubt very much that the phone would have gotten infected in the first place. And second of all, I can understand the normal Chinese grandma not understanding the instructions:

    "Just uninstall the 'naked girls' application, there is nothing more to it than that. "

    But at the very least, this one instruction should be more than enough for a device administrator to know what to do. And it should also be more than enough for the Chinese grandfather who originally installed the 'naked girls' application in the first place and who knew enough about his phone to enable the "allow applications from unknown sources". So making two different sets of instructions, one for the administrator and one for the user, and hiding them between one more level of links on the web site, is only making it seem more difficult than it really is.

    Also, I'd love to know where they got "that is said to have infected 500,000 devices"; they don't quote anyone actually saying that. One can only assume this is a figure that the "Security" company itself made entirely up. Based on what? They don't actually say.

  8. Re:"Walled garden"? by fuzzyfuzzyfungus · · Score: 5, Insightful

    Apple is quite lucky that nobody ever weaponized anything back in the good old days of Jailbreakme... In-browser TIFF exploit leading to full root access just by loading a web page.

    Google, of course, is similarly lucky that nobody bothered to do anything wacky during the "yeah, everything you type gets silently dumped to a root shell, why do you ask?" period in early android...

    Punchline is, the state of 'mobile' security (really, security in general) is pretty fucking dire, and the current frenzy to tie as many payment systems as possible to mobile phones is complete insanity, except from the perspective of the bottom lines of the respective payment processors, naturally.

  9. I was going to... by VTI9600 · · Score: 2

    ...post a lengthy rant about misconceptions of Android users, and quote the OP too. Unfortunately, I'm posting from an Android device and do not possess such skills.

  10. Re:But Android is Open !!! by JAlexoi · · Score: 2

    open to trolls, as well.

  11. Re:But Android is Open !!! by PNutts · · Score: 2

    In a story about fraud on the Android platform someone points out that Android is open to fraud. Personally, I think it was a play on words and not a technical comment. Either way, I don't think the word troll means what you think it means. If you thought they were serious you could have explained why they were wrong and help keep this a useful technical forum. And I want a pony.

  12. Re:"Walled garden"? by 93+Escort+Wagon · · Score: 4, Interesting

    Amazon apparently still needs to learn this, given the recent Kindle Touch remote root exploit.

    --
    #DeleteChrome

  13. Re:"Walled garden"? by Shoten · · Score: 5, Insightful

    Sorry guys, but he's got a point. The attack vector here is an app that people voluntarily run, and the walled garden has been effective against that. Are there other vectors? Yeah. But that doesn't mean that his point about this one vector is wrong...it's not wrong at all. It took 5 years for the first malicious app to slip past Apple, and even then, the nature of how it all works meant Apple could remove it from everyone's iPhone with a single update. Android can't boast the same, either on the prevention or the remediation side. I don't hold any hate for either side, but this is just simple truth we're talking here. There have been scores of trojaned Android apps, and many for jailbroken iPhones as well...but only one, ever, for standard iPhones.

    --

    For your security, this post has been encrypted with ROT-13, twice.

  14. Re:"Walled garden"? by AK+Marc · · Score: 3, Interesting

    Because capitalism is inherently anti-free market. In free market capitalism, we'd have processors coming in at cost + small% to do the same thing. Instead, we have monopoly based economics, with Visa/MC having a vast majority of the business, and network effects that keep out most competitors. So the price for the service is based on profit maximization, not revenue maximization at a minimum profit level.

    I've seen a $200 box with a patent sell for $50,000+ because the "value" was $50,000 plus, but the patent was obvious and not novel (It was essentially signal cancellation for an expensive piece of communications gear, with court cases about it because two companies patented the same thing at the same time, both valid because the patent office isn't technical enough and the filing periods overlapped so neither was granted before the other was filed, so not previous art for the other).

  15. Re:"Walled garden"? by Anonymous Coward · · Score: 2, Insightful

    I'm not sure I agree with you, at least for iOS. Security was dire around v1.0, but now we're at 5.x going on 6.x and a lot has changed.

    iOS is definitely more secure than Mac/Windows/Ubuntu.

    There is always room for improvement, but iOS has sandboxing and code signing and full disk encryption with a hardware-only encryption key derivation algorithm, that is deliberately slow, providing a private key that can be erased remotely or after a few failed decryption attempts.

  16. Re:"Walled garden"? by Shoten · · Score: 2

    Yep. That is the one malicious app.

    --

    For your security, this post has been encrypted with ROT-13, twice.

  17. Re:"Walled garden"? by dudpixel · · Score: 2, Interesting

    From the article:
    "According to TrustGo, the malware is being spread through online forums and has been found in several packages on China’s largest mobile app marketplace, GFan"

    Better revise your "attack vector" description.

    Most Android users only use Google Play Store, which not only is not known to be affected by this malware, it also has the ability to remove it from users' phones after the fact - so you're wrong there too.

    You even admitted there is malware for 'jailbroken' iphones, which would be a more direct comparison here.

    Android likely has more malware potential, but this specific attack isn't a problem for those who stick with Google Play Store. Those who use alternative stores should understand the risks (or in fact, anyone using technology such as the internet should understand the risks).

    --
    This seemed like a reasonable sig at the time.

  18. Sophisticated? by Anonymous Coward · · Score: 2, Interesting

    The "Wallpaper" trojan has to get administrative privileges from the user. Social engineering trick.

    Then it downloads the malicious code. Not impressed.

    Finally, it monitors keystrokes. Key logger anyone?

    Is it just me, or does the company (TrustGo) that called this malware "Sophisticated" have an ulterior motive? Care to purchase a mobile security product?

    http://www.trustgo.com/en/

  19. Re:"Walled garden"? by BenJury · · Score: 2

    Did you read the article? You download the app from whatever store, then it downloads a second file which it then installs as a 'driver' which does 'bad things'. The user is prompted if they want to install it, but the box just reappears if you hit no. That would be hard to detect from whichever store it was posted to.

    Obviously the fact that a downloaded wallpaper can install this 'driver' is wrong and needs to be looked at.

    --
    Blatant Advert: Android Apps!

  20. Re:"Walled garden"? by hawkinspeter · · Score: 2

    That doesn't sound like full disk encryption - they're only protecting "data at rest". I'm also concerned that a user's device passcode wouldn't have enough entropy (never mind the ease with which you can shoulder surf an iPhone user).

    --
    You're a temporary arrangement of matter sliding towards oblivion in a cold, uncaring universe

  21. Re:"Walled garden"? by Shoten · · Score: 2

    I don't think you understand what a tethering app really is. It's not something that researchers launch to clean up other malware. It's something that allowed you to use your iPhone as a hotspot, before any of the cellular providers had permitted it (at all). Back in the days when unlimited data plans for iPhones were somewhat common, this was seen as a problem by the cellular providers. People didn't download the flashlight app and say "Ah, surprise! My phone is doing something malicious!" Nothing malicious at all was happening. The "mal" in "malware" doesn't come from virus writers' love of Firefly's lead character...it stands for "malicious," and the people who downloaded the app knew exactly what they were getting, and wanted that functionality. Even the articles that refer to that app do not call it malware.

    --

    For your security, this post has been encrypted with ROT-13, twice.

  22. Re:"Walled garden"? by fuzzyfuzzyfungus · · Score: 3, Insightful

    In the context of this article, it's probably worth noting that (even if the iPhone feature described works exactly as advertised) it is aimed at mitigating a completely different class of attack.

    Disk encryption setups aim to protect a lost or stolen device, in the physical custody of the attacker, from revealing whatever information is on the disk. They have no effect when the device is on and operating under the user's credentials (transparency is considered a feature).

    This attack in China is an attack on a live system, using the credentials of the user (or higher) to perform malicious operations as them. Even if the disk were encrypted in a suitably robust way, it'd be happily handing over whatever this bug asked for.