Slashdot Mirror
Massive Android Mobile Botnet Hijacking SMS Data
wiredmikey writes "A mobile botnet called MisoSMS is wreaking havoc on the Android platform, stealing personal SMS messages and exfiltrating them to attackers in China. Researchers at FireEye lifted the curtain off the threat on Monday, describing MisoSMS as 'one of the largest advanced mobile botnets to date' and warning that it is being used in more than 60 spyware campaigns. FireEye tracked the infections to Android devices in Korea and noted that the attackers are logging into command-and-controls in from Korea and mainland China, among other locations, to periodically read the stolen SMS messages. FireEye's research team discovered a total of 64 mobile botnet campaigns in the MisoSMS malware family and a command-and-control that comprises more than 450 unique malicious e-mail accounts."
Put it on some dodgy mobile cracked app site and have it perform some trivial functionsfunctions, post about it in a conspiratorial tone in some forums and watch the cheap bastards come rolling in. There are a million cheapskates for every real customer of android apps.
Sig Battery depleted. Reverting to safe mode.
The bigger problem is the really poor security options available on Android apps with somewhat ridiculously broad security rights. Most apps will ask to read phone identity simply because the need to be able to identify the device on which the app is installed, but the security grant for phone identity gives a whole crapload more than that. Manage accounts is another good one where in order for an app to actually store its own accounts it needs access to all the accounts.
Add to that the fact that Google themselves have been constantly trying to take over your SMS with bloody Hangouts and it's not really that surprising that folks don't really understand the permissions they are granting.
A million times this. Android's permission model is deeply flawed. You have to either accept or deny *all* that an app requests in its manifest, or you can't install.
So as a developer, sure you could add a setting to your app's config pages to, say, turn of location services -- but the app still has that privilege. nothing for it but uninstalling.
Gosh, thanks. That must be why the other ships call me Meatfucker -- GCU Grey Area (Eccentric)
Well, First there's Linux. Which is fine, except it's out of date, and thus can be compromised trivially. Then there's the device drivers which frequently have exploits due to the rapid progression of mobile platforms, being built by the lowest bidder, and the lack of consumer desire to pay a premium for security.
At this point we interact with the other small separate OS for the cellular radio -- It doesn't really validate inputs well and can be compromised trivially.
Moving on, we have an excellent application of user / group privileges which constrict application. Really would love actually a bit more than the level of control this has on desktops; Eg: Firefox runs as its own user on my desktop system and the Firefox user has access to its settings folder and is in the "Internet" group, so it can access the web. "sudo" is nice, but we need such a thing for granting user-level access to user-agents such as Firefox; It's one reason I'm developing an Agent Oriented OS and programming language... Anyhow, since the granularity is utterly shite it's basically pointless on mobile systems.
Then we have the Application. Note, this is not plural. We have the Davlik VM aka Java, but register based (faster, more memory use) instead of stack based (slower, less RAM use). There's some great stuff in the install process here whereby linkage occurs and the byte orders of values in the images are translated to machine order. Prior to running on Android the complied Java bytecode is translated into Davlik bytecode -- Unfortunately, there is no copy of this bytecode kept around in case you want to copy it to another device. I'm a firm believer of link on install, but they've done it horribly wrong: My OS links programs on install into MACHINE CODE... ugh. This is mobile so, yeah, let's use what little CPU we got to run a VM -- er, a just in time compiler for a VM.
Now, on desktop systems such as 80486, you'll have up to 4 different execution permission rings to leverage, but on the ARM and other systems you get 2: Kernel or Not. This really messes up the fact that you are running a VM atop a kernel. Well, Linux moronically doesn't reserve a ring level for applications to use against their plugins the same way the kernel isolates itself from user-land applications, so the hardware makers have adopted the monolithic kernel approach. Hey, guess what? We're running a monolithic VM atop a monolithic kernel! Yay! It's like Exploit HEAVEN! Remember how in 16 bit DOSs your program could access any other "TSR" program's memory, or even the OS / BIOS itself and wreak havok? Oh, man. It was great! Mobile has brought this back!
Then we have the app ecosystem, which is actually the strong point IMO. It at least gives you a chance to let other suckers become victims of an exploit and hope it gets pulled / blacklisted from the markets before you try it out. Also, 64GB micro SD's exist now... but a lot of new devices don't have SD card slots, so fuck 'em.
Finally we have the Carriers. They dig down deep into the nether regions of shit that shain't be shat around with, and do just that to create the UI's and app launchers high atop the software stack. Noticeably, desktop OSs have less overhead for doing things than the mobile methodology, but that's the sacrifice you make to have idiots develop you tech on the cheap.
For all the exaggerated scary words used like "one of the largest", "more than 60 campaigns" etc, there was not a single solid data point about the actual devices infected. Not even a ball park number - like whether it is tens, thousands or millions of devices.
Makes me suspect the claims.
I'm much more funny, interesting and insightful than the moderators think
No kidding. I had to look through dozens of "flashlight" apps to find one that didn't want my calendar, SMS, internet access, and GPS.
Download your apps from a reputable store and exercise some common sense. I wouldn't be surprised if this infection was because idiots were downloading warez from some dubious app store.
> No kidding. I had to look through dozens of "flashlight" apps
> to find one that didn't want my calendar, SMS, internet access,
> and GPS.
F-Droid is your friend.
As always, FOSS means you don't have to put up with the bullshit.
F-Droid build all apps they ship from source, including some sort
of grep filter on permissions to catch (and then remove) any code
which is not in the user's best interest, or at minimum flag and
explain the issue in detail to let you decide for yourself.
Otherwise-good apps with flagrant ad-ware or cripple-ware in it
simply gets patched.
~.~
I'm a peripheral visionary.
The Android permission system blows goats. It's not just the "all or nothing" approach to app acceptance. It runs deeper. It's also the app store itself, where I can't restrict (or prioritize) search results based on permissions demanded.
Using aSpotCat, under android.permission-group.PERSONAL_INFO I've got AdService, Chrome, Firefox, Gmail, Google Play, Pebble, and RunKeeper. I've had to bail on the installation of close to fifty apps to keep this list this short.
Basically the Android security model deters me from actually installing software, to the point where I no longer regard it as a platform.
This xmas between an Android tablet and an eReader, I'm likely to get an eReader (Kobo here in Canada), which is not a platform either, and doesn't play one on TV.
I was reading reviews that commented that a Kobo Aura is about the price of a servicable, entry level tablet from Walmart. Several of the reviewers commented "you might as well get the full Android platform for the price". What platform? Android is mainly a platform for sharing far more about myself than I wish to divulge with strangers I don't even know. Whatever information is gleaned will never be under my control ever again: it will almost certainly be amalgamated from one low-life to another ad nausium.
I'd be quite happy if not a single vendor knew my location ever, who wasn't providing me with a map for my own purposes (such as RunKeeper). If they need to know, I'll tell them. Yet 90% of Android applications demand to hoover this up and the Google play store provides no mechanism to put these applications on a personal shit list, so that better-behaved applications float to the top of the candidate list.
Android: Death by a thousand peeping toms. Where's well-behaved Waldo? Crushed by the throng. Eventually Diogenes tires of visiting the Turkish baazar and begins to subsist on juniper berries.
You can't download other app stores from Google Play because of the "non-compete" provision of the developer agreement. If you don't trust the F-Droid app, you can always download Eclipse and recompile it yourself. But a problem with F-Droid is an inherent limit in funding development of Free games. Even if a game's engine is free, it'll get blocked with "anti-features" if it recommends installing non-free mission packs.