New Android Trojan Fakes Device Shut Down, Spies On Users

An anonymous reader writes: A new Android Trojan that tricks users into believing they have shut their device down while it continues working, and is able to silently make calls, send messages, take photos and perform many other tasks, has been discovered and analyzed by AVG researchers. They dubbed it PowerOffHijack, and AVG's security solutions detect it under that name.


  1. not-a-bug; wont-fix by sbrown7792 · · Score: 4, Funny

    Issue closed by NSA

    1. Re:not-a-bug; wont-fix by slashmydots · · Score: 2

      This sounds much more like something the Chinese government would do, although they would simply force the manufacturer to do it, not trick people with fake apps.

    2. Re:not-a-bug; wont-fix by ShanghaiBill · · Score: 3, Insightful

      This sounds much more like something the Chinese government would do

      It sounds more like something an anti-virus company like AVG would make up to get publicity and boost sales. If this was something real, they should name the app (they don't) and/or describe a plausible mechanism. An Android app can detect a hard power down (so that it can save data or whatever) but it cannot stop or delay it. So the only way it could work is to trick the user into releasing the power button too early.

    3. Re:not-a-bug; wont-fix by slashmydots · · Score: 2

      Or just follow the golden rule of Android since its invention: stay off the third party app stores!

  2. This is why..... by TheCarp · · Score: 5, Insightful

    If you really need privacy, you pull the phone battery....and if you might need privacy, you don't buy a phone that can't have its battery pulled.

    Not really any solutions; as long as people are walking around with what amount to wireless microphones in their pockets, this will always be a potential problem.

    --
    "I opened my eyes, and everything went dark again"

    1. Re:This is why..... by Iamthecheese · · Score: 5, Insightful

      Requiring an action as inconvenient as partially dismantling the device in order to not experience undesired operation is a piss-poor design.

      --
      If video games influenced behavior the Pac Man generation would be eating pills and running away from their problems.

    2. Re:This is why..... by thieh · · Score: 2

      If you need privacy, you don't buy a phone. Do all your talking in person. Actually, do everything in person.

    3. Re:This is why..... by TheCarp · · Score: 2

      In theory I agree, in practice, this requirement is imposed by the intersection of the other stated requirement "privacy" and the necessary capabilities of the device known as a "smart phone".

      You can't really have a device that does what a smart phone does and isn't a privacy risk without some sort of hard power disconnect.

      You could, otoh, leave the phone in another room, or lock it inside a soundproof box. There are many solutions, but none of them involve "hit the soft off switch and put it in your pocket".

      --
      "I opened my eyes, and everything went dark again"

    4. Re:This is why..... by GrumpySteen · · Score: 4, Funny

      They could have an untrustworthy mobile hidden in an orifice. Best don the latex and do a thorough cavity search!

    5. Re:This is why..... by markdavis · · Score: 3, Insightful

      I think you hit on the solution: A hard power switch.

      And better yet, also add: A hard microphone switch and a physical shutter for the cameras. I wouldn't mind having a hard radio switch and/or GPS switch too.

      No software can work around that when you need real privacy.

  3. WTF? by gstoddart · · Score: 3, Funny

    Why is it so damned easy for malware to get root access, and so damned annoying for me to get it?

    And, quite honestly, by how annoying and intrusive AVG was becoming when I got away from it ... do we have another source which confirms this?

    I'm just not sure I trust them to be quite honest.

    --
    Lost at C:>. Found at C.

    1. Re:WTF? by gstoddart · · Score: 2

      Look, if I want to build my fucking phone in a kit ... well, actually, I don't want to build my phone in a kit, which is my damned point.

      So first I need to find an exploit for my phone, hope it works, hope it has no chance of bricking my phone (which no matter what anybody says is non-zero), then I need to download a ROM, then I need to recreate all the functionality I need, and then I need to hope it works. Then I need to do who knows what to keep it running.

      Sorry, but no.

      I've looked into rooting both my phone, and my tablet ... and both of them sound like they're a lot more nuisance than it's worth.

      If you're a hobbyist who craves nothing more than endlessly fiddling with your device, maybe it sounds worthwhile. But from what I've been able to tell, it's a lot more than I'm willing to do.

      All I want is the damned app which lets me say "no, you can't do that" to remove perms from apps. I don't want to build a phone from scratch.

      --
      Lost at C:>. Found at C.

    2. Re:WTF? by AmiMoJo · · Score: 4, Informative

      There is nothing to see here. The malware doesn't get root. It's just a normal app that simulates shutdown, like those lame joke apps we used to write back in the day that mimic the DOS format command output or Netware login screen. The user has to be simultaneously knowledgeable enough to enable app installation from sources other than Play and extremely dumb to install an app requiring so many permissions and from a dubious source.

      The malware doesn't do anything a normal app can't. No exploits, it just makes the screen completely black and starts sending text messages (which the user gave it permission to do), while hoping you don't press the home key and discover the ruse.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC

    3. Re:WTF? by stephanruby · · Score: 2

      Why is it so damned easy for malware to get root access, and so damned annoying for me to get it?

      In this case, the phone must already be rooted, and the user must be willing to grant root permission to the application. In other words, this is essentially a surveillance app for your spouse/girlfriend/boyfriend/children, where you must have physical access to their device for you to be able to install the trojan.

      After all, why else would the AVG vendor not give us the name of the app?? And why else does the AVG vendor vaguely say that the app "applies for the root permission" when it goes down to the absolute nitty-gritty details for everything else?

      In that context, it makes sense that 10,000 people downloaded/installed this app from some Chinese app store. Finding jealous people that want to spy on their significant other is easy enough (especially around Valentine's Day, which was only four days before this article was written). And rooting a phone in China is easy also, even for people that wouldn't know how to do it themselves; there is an entire corner-shop service industry that's dedicated to helping Chinese consumers get rid of regional locks, copyright restrictions, software locks on pirated software, etc.

  4. Re:Fuck off. by davydagger · · Score: 2

    yes actually, but the NSA has been caught doing it the last few times in a row, it's not ignorant to make that assumption.

  5. Not new by JeffOwl · · Score: 2

    This capability predates Android and was used against feature phones quite a number of years ago. The countermeasure then, as it is now: leave your phone elsewhere or pull the battery if you really need to be sure you aren't being monitored.

  6. Re:Don't be silly by blackest_k · · Score: 4, Insightful

    I think it's fair to say that it takes a user to install it first. Linux has pretty much always had trustworthy repositories; Google, not so much.

    I love some of the things you can add to chrome but there seems to be little to no security checking of what an app or extension does. That does worry me.

  7. Re:AVG: People still use it? by mlts · · Score: 2

    The only AV products I've found which actually do anything are SpywareBlaster and Malwarebytes, because MB actually blocks by IPs, and SpywareBlaster doesn't actively run, but sets kill bits and blocklists in browsers.

    However, with an adblocking browser extension, Web based malware should never hit your system in the first place, and with click to play functionality, should not have a chance of being activated... and with a VM or sandbox, even if the browser does get compromised, it won't get past that.

    As for Android, the weakness is that a lot of Chinese stores have little to no curation or filtering out bad stuff. Google does a decent job in stomping out the bad stuff, but I still think they need to go with two tiers, one tier as things are currently, and one tier where developers have to agree to more stringent rules, and the software has to pass more tests... that way, if a user sticks to the more curated tier, there is less chance of an infection happening.

    One note -- the exploits we read about with Android almost always are related to either pirate repositories or "app stores" with little to no moderation. Even something like Cydia's ecosystem would be highly unlikely to have malware like this ever hit it in the first place, and if it did, the devs would have it pulled in minutes to hours.

    As for AV software, I use it on machines to make legal eagles happy. I've yet to see it actually actively stop a compromise of a machine. At best, it is good for scanning for 1+ day stuff. The real defenses are the IP blacklists, hosts files, kill bits (SpywareBlaster is quite useful), Web browser extensions and click-to-play. The best mitigations if an infection happens are sandboxes (SandboxIE), virtual machines, and jails. AV was useful back when one scanned a floppy with the latest copy of Doom on it, but these days, it is more for the checkbox in paperwork than actual protection.

  8. Re:Fuck off. by Anonymous Coward · · Score: 3, Insightful

    yes actually, but the NSA has been caught doing it the last few times in a row, it's not ignorant to make that assumption.

    With a track record like the NSA's, it's not even an assumption. It's more like a statistical certainty.

  9. FUD anyone? by farble1670 · · Score: 2

    That's because the malware, after having previously obtained root access

    how did it get root? either the device was rooted and the user granted the app root privs (duh!), or they've discovered a hack to gain root on non-rooted devices. if it was the latter, we'd be hearing a lot more about it, and faking a phone shutdown would be the least of our concerns.