Slashdot Mirror


Smartphone Malware Planted In Popular Apps Pre-sale

An anonymous reader writes with news from The Stack that makes it a little harder to scoff at malware on phones as being largely the fruit of dodgy sideloaded software, game cracks, et cetera. They report that even phones marketed as brand new, from well-known brands like Lenovo and Xiaomi, have been tampered with and "infected prior to sale with intelligent malware disguised in popular apps such as Facebook." (To U.S. buyers, those makers may be slightly obscure as cellphone vendors; the scheme this article addresses involves handsets sold by vendors in Europe and Asia, involving more than 20 different handset types.)

42 comments

  1. Alphabet by Anonymous Coward · · Score: 0

    How can Alphabet let that happen? Why aren't they protecting their customers better?

    1. Re:Alphabet by Travis+Mansbridge · · Score: 2

      It's a numbers game.

    2. Re:Alphabet by Anonymous Coward · · Score: 0

      That's like blaming Linus for any spyware packaged with Red Star OS.

    3. Re:Alphabet by Anonymous Coward · · Score: 0

      That's like blaming Linus for any spyware packaged with Red Star OS.

      Why hasn't Linus done anything about the spyware packaged with Red Star OS?

    4. Re:Alphabet by Anonymous Coward · · Score: 0

      Just yesterday people here were blaming Apple for not protecting against malware on jail broken iOS devices. Isn't this the same thing? I mean, except in the android world, the hardware vendor does the jail breaking for you before you even buy the phone.

    5. Re: Alphabet by Anonymous Coward · · Score: 0

      Wow, the people who were bitching about the "misleading" title in the comments section of the article you mention seem to be hiding here.

      I had to read the article AND summary very carefully before realising that these are FAKE phones sold through unauthorised channels.

      This is like someone using/jbing an i device and selling it on ebay as "new and unopened".

      Holy shit the slant is real...

    6. Re: Alphabet by Anonymous Coward · · Score: 0

      Other than their fine ethics, what would keep a major vendor from doing the same - installing their own little special malware?

  2. Bad trend by Tablizer · · Score: 1

    Are smartphones going to become like PCs such that malware scanners will have to scan them 24/7 and make them slow to a crawl and use up all the battery? Some blame this on Windows' design, but it seems the more ubiquitous an OS, the more it's targeted by malware makers, often by dangling tainted carrots in front of users.

    1. Re:Bad trend by Anonymous Coward · · Score: 1

      It has nothing to do with windows, apple or linux (android), and everything to do with market share, as you indicated. The more popular an OS, the more of a target it becomes. With apple and windows you have, for the most part, 1 os to deal with, the differences being so minor that you can edit 1 text file on your windows 7 install disk to gain access to home, pro and ultimate, regardless of which you thought you bought (your win7 home serial will NOT activate anything other than win7 home, sorry.)

      With linux there are so many flavors and variations it's hard to really call it a target but go ahead and put your unprotected linux box online and see how long it takes before things get weird or broken.

      When it comes to phones we also have to consider the apple walled off garden, as well as microsoft's garden. Android is all over the place.

      The real take away here is, don't buy your phone from some shady dude standing on a street corner, lest it be pre-filled with garbage.

    2. Re:Bad trend by Anonymous Coward · · Score: 0

      What's the difference between what this "malware" does and what standard Android apps do?
      Collecting personal information? Showing ads?
      Yes, back in the days of Windows, all of this stuff was unacceptable and we used all kinds of programs to remove and block it, but it's the norm on mobile.

    3. Re:Bad trend by ihtoit · · Score: 1

      They're there already. There're onboard AV suites for smartphones and enough processor power to run them in the background. It's ridiculous, there are phones out now that are more powerful than my four year old LAPTOP. What the fuck do you need to make a fucking phone call??

      --
      Political debates have me rolling my eyes so much I think I got optical whiplash. I should sue. - Foamy The Squirrel

    4. Re:Bad trend by Anonymous Coward · · Score: 0

      They were like PCs in the 90s from the beginning. Tons of stupid binary apps that do their best to grab as much information from your device.
      I consider the Gmail app to be malware too. So, yes, there you go.

    5. Re:Bad trend by Anonymous Coward · · Score: 0

      No. Just buy an iPhone, and don't root it.

    6. Re:Bad trend by BasilBrush · · Score: 1

      This story is about another Android problem. iPhones are not affected. They don't ship with crapware or malware.

    7. Re:Bad trend by Anonymous Coward · · Score: 0

      Yes. Have you looked at the number of Android security exploits over the last year? The number of remote exploits alone is staggering and most Android phones will remain vulnerable forever since most people never get updates.

    8. Re:Bad trend by Anonymous Coward · · Score: 0

      Yeah, because Apple can spy on you just as easily with its locked down bootloader and walled-garden of pre-approved (by your favorite three-letter-agency) apps. Hell, they have the master pass-codes to unlock most of the devices out there so they don't NEED to resort to bugged third party shovelware.

      TL;DR Regardless of manufacturer, you are not the device owner and you WILL be spied on if the big boys demand it. Who and How are irrelevant.

    9. Re:Bad trend by Tablizer · · Score: 1

      After 15 years of shit, MS finally learned to make them automatic.

  3. Re:Bad trend = No surprise by BoRegardless · · Score: 1

    Hey, even some well known top brands have done this.

  4. Not really ... by gstoddart · · Score: 1

    It's still dodgy side-loaded stuff, it's just been put on by the people who sold it to you.

    Which is why the owner of the phone needs to have the ability to uninstall any damned app instead of having shitware put on by the carrier or vendor be something you can't get rid of ... and why we need the ability to enforce granular permissions on everything an app wants to do.

    Most apps exist to do one of two things: steal your information, or deliver ads. Which is why I have given up on any app which has a corresponding web-page.

    Increasingly I just don't trust the companies who make apps, and assume they're all going to act like assholes. Usually they do.

    --
    Lost at C:>. Found at C.

    1. Re:Not really ... by Calydor · · Score: 1

      Let's take the Facebook app as an example. If you buy a smartphone, and it has the Facebook app pre-installed, and you WANT to use the Facebook app ... what reasonable person would assume the pre-installed app is malware, and they should uninstall it then install the official one straight from Facebook?

      --
      -=This sig has nothing to do with my comment. Move along now=-

    2. Re:Not really ... by gstoddart · · Score: 1

      Well, that's a terrible example. The Facebook app pretty much is malware already.

      Kidding aside, I have more or less come to the conclusion that almost all pre-installed software is malware or crapware. When I bought my last phone there was a bunch of garbage the carrier had put on it which I couldn't uninstall, but could only disable.

      Why the hell can't I, as the owner of the device, uninstall a piece of software? Because some asshole in marketing decided so? That shouldn't even be possible.

      --
      Lost at C:>. Found at C.

    3. Re:Not really ... by ihtoit · · Score: 1

      First time I rooted a phone it was my MotoRAZR V3i, because I hated the red-themed Vodafone softbranding. I got a factory image and flashed it with that, it's been unlocked and absolutely peachy ever since.

      --
      Political debates have me rolling my eyes so much I think I got optical whiplash. I should sue. - Foamy The Squirrel

    4. Re:Not really ... by mlts · · Score: 1

      Problem is that we will see this problem "fixed" by things similar to Samsung's KNOX, where if someone tries to manually install their own ROM or unlock the bootloader, the device blows an e-Fuse, rendering it either incapable of using a factory ROM, or showing it has been tampered with on boot.

    5. Re: Not really ... by Anonymous Coward · · Score: 0

      Just ask the car mfgr companies... you don't own anything, merely the right to use it.

    6. Re:Not really ... by Solandri · · Score: 2

      Which is why I have given up on any app which has a corresponding web-page.

      This is a really important point. The reason the web was so successful was because once you made a website, anyone with a computer could access it and anyone else's website using a single program. A common, unified method of interacting with multiple persons or organizations with minimum hassle. Prior to that was the telephone, which allowed you to call anyone using a single device. And prior to that was the invention of postal mail, which allowed you to write to anyone by dropping off your letters at a single location.

      What's happening with every site out there trying to foist their own app onto your phone is a huge step backwards. It takes us back to the day when the only way for you to interact with a person or an organization was to physically travel to their unique location. We've spent centuries arriving at the optimal solution to the problem of contacting others to exchange information with a minimum of hassle. Now marketers want to undo several centuries of progress in the name of advertising and data collection. What's happening with apps right now is equivalent to each person in your contact list insisting that you keep a separate telephone just for calling them, and which can only call them, and oh by the way that phone will listen in on what you're doing and report it back to its master.

      Don't fall for it. Unless the app includes some functionality which requires it to be an app (e.g. my banking app lets me deposit checks by securely taking a picture), insist on using the website. If the experience on your phone's browser sucks, that just means the website needs a better mobile site, or HTML needs to be extended to allow for a better mobile experience (theoretically the browser could be allowed access to your camera to let my bank's website take a picture allowing me to deposit checks). And if a site is so obnoxious as to block mobile browsers and insist you download their app, stop giving them your business and find an alternate.

    7. Re:Not really ... by gstoddart · · Score: 3, Insightful

      If the experience on your phone's browser sucks, that just means the website needs a better mobile site

      I find the vast majority of web sites with a mobile version are complete crap.

      You hit a site due to a search, get redirected to the crap which is their useless mobile site, and can never find what you're looking for because apparently mobile sites are written by morons who write useless sites.

      I can't tell you how many sites I have had to do the "request desktop site" for because they don't seem to realize a useless mobile site is worse and more broken than not having a mobile website in the first place.

      In my experience the mobile versions of most websites are pointless, because they don't really work.

      --
      Lost at C:>. Found at C.

    8. Re:Not really ... by mlts · · Score: 2

      The real solution is something like xPrivacy (or on iOS, PMP), where the app thinks it has all the permissions it ever will want, but it gets fed bogus data. Contacts? Gets garbage. Location? Fake. Advertising ID? Sure, pick one. ESN/IMEI? Whatever the RNG says, it's all yours.

      It is surprising what apps ask for, permission-wise. If one uses a firewall program (Firewall IP on iOS, others on Android), you will find that a lot of apps communicate with tens to hundreds of sites that are pretty much irrelevant to anything you are doing, but usually are related to ad-based stuff, be it analytics, behavioral tracking, or other stuff that has no benefit to the end user, but a windfall for a snoop.

      I've found the only real solution is to either move to a more user-respecting ROM like CM or whatever the talent in XDA has built, which almost always works better than what came from the factory.

    9. Re:Not really ... by Anonymous Coward · · Score: 0

      "side-loaded"

      I do not think you know what this means.

  5. Lenovo by Calydor · · Score: 3, Insightful

    Does Lenovo make ANYTHING anymore that isn't full of malware?

    --
    -=This sig has nothing to do with my comment. Move along now=-

    1. Re:Lenovo by willworkforbeer · · Score: 3, Funny

      Does Lenovo make ANYTHING anymore that isn't full of malware?

      I found one possibility, but I haven't personally checked it for malware: http://shop.lenovo.com/SEUILib...

      --
      Pretending this is my office full of bitter coworkers..

    2. Re:Lenovo by ITRambo · · Score: 1

      They have a new logo that makes all the problems go away. I wish it did. Lenovo is turning into a POS company with their actions of the past year abusing customer trust. The only product left undamaged by Lenovo management's stupid stunts is the ThinkPad line of laptops. How long before some Lenovo bean counter says "hey, we can save more money if we turn ThinkPads into crap!"

    3. Re:Lenovo by Carewolf · · Score: 1

      Does Lenovo make ANYTHING anymore that isn't full of malware?

      The classic ThinkPad lines T and W, but they really do appear to be exceptions.

  6. There is only one trusted source. by grub · · Score: 2


    There is only one source you can trust for technology. That source is Apple.
    Sent from my Blackberry.

    --
    Trolling is a art,

  7. slacky by Anonymous Coward · · Score: 0

    and now SLACKWARE? :PPPP

  8. Lenovo make phones? by ihtoit · · Score: 0

    They're not even in the list of makers that I know of:

    Samsung
    Apple (Samsung again)
    Motorola
    Nokia (Microsoft)
    LG
    Sony
    Sagem
    Siemens
    ZTE
    Blackberry

    (not exhaustive but my brain's a bit fucked right now).

    --
    Political debates have me rolling my eyes so much I think I got optical whiplash. I should sue. - Foamy The Squirrel

    1. Re:Lenovo make phones? by Solandri · · Score: 2

      Lenovo bought Motorola. That coupled with their China-only smartphones made them the #4 phone manufacturer in 2014.

    2. Re:Lenovo make phones? by ihtoit · · Score: 1

      oh, ok.

      --
      Political debates have me rolling my eyes so much I think I got optical whiplash. I should sue. - Foamy The Squirrel

  9. Dumb phones by JustAnotherOldGuy · · Score: 1

    And this is another reason that I find a "dumb" phone fits my needs. Good luck installing malware on the dinosaur-era flip-phone I use.

    --
    Just cruising through this digital world at 33 1/3 rpm...

  10. Smartphones are barely phones by sjbe · · Score: 2

    there are phones out now that are more powerful than my four year old LAPTOP. What the fuck do you need to make a fucking phone call??

    Smartphones are not really primarily phones. They're small tablet computers that happen to be able to make calls. The phone feature is almost incidental since 90%+ of the time they are used for other purposes. I spend maybe 1-2 hours talking on my smartphone each month and probably 20+ hours doing other stuff with it like reading news, checking email, taking pictures, etc.

  11. Yes Lenovo makes phones. Lots of them. by sjbe · · Score: 2

    They're not even in the list of makers that I know of:

    That's because you probably don't live in China. They're actually a good sized player in the market. Also they are buying (have bought?) Motorola's handset operations from Google.

  12. Copycats by Anonymous Coward · · Score: 0

    "The researchers suspect that the illegal software was used to collect private metadata, among other personal information stored on the device. According to the research report, in some cases the malware was reading and sending messages, installing other apps, collecting and modifying call data, gathering location details, and recording phone conversations."

    Hey! That sounds like what the google does!

  13. intelligent malware apps such as Facebook by penguinoid · · Score: 1

    Malware, sure, but intelligent?

    --
    Don't waste your vote! Vote for whoever you want, unless you live in a swing state it won't matter anyways