Slashdot Mirror

← Back to Stories (view on slashdot.org)

Smartphone Malware Planted In Popular Apps Pre-sale

Posted by timothy on from the not-by-the-nsa-this-time dept.

An anonymous reader writes with news from The Stack that makes it a little harder to scoff at malware on phones as being largely the fruit of dodgy sideloaded software, game cracks, et cetera. They report that even phones marketed as brand new, from well-known brands like Lenovo and Xiaomi, have been tampered with and "infected prior to sale with intelligent malware disguised in popular apps such as Facebook." (To U.S. buyers, those makers may be slightly obscure as cellphone vendors; the scheme this article addresses involves handsets sold by vendors in Europe and Asia, involving more than 20 different handset types.)

26 of 42 comments (clear)

  1. Bad trend by Tablizer · · Score: 1

    Are smartphones going to become like PC's such that malware scanners will have to scan them 24/7 and make them slow to crawl and use up all the battery? Some blame this on Windows' design, but it seems the more ubiquitous an OS, the more its targeted by malware makers, often by dangling tainted carrots in front of users.

    --
    Table-ized A.I.
    1. Re:Bad trend by Anonymous Coward · · Score: 1

      It has nothing to do with windows, apple or linux (android), and everything to do with market share, as you indicated. The more popular an OS, the more of a target it becomes. With apple and windows you have, for the most part, 1 os to deal with, the differences being so minor that you can edit 1 text file on your windows 7 install disk to gain access to home,pro and ultimate, regardless of which you thought you bought (your win7 home serial will NOT activate anything other than win7 home, sorry.)

      With linux there are so many flavors and variations it's hard to really call it a target but go ahead and put your unprotected linux box online and see how long it takes before things get weird or broken.

      When it comes to phones we also have to consider the apple walled off garden, as well as microsofts garden. Android is all over the place.

      The real take away here is, don't buy your phone from some shady dude standing on a street corner, lest it be pre-filled with garbage.

    2. Re:Bad trend by ihtoit · · Score: 1

      They're there already. There're onboard AV suites for smartphones and enough processor power to run them in the background. It's ridiculous, there are phones out now that are more powerful than my four year old LAPTOP. What the fuck do you need to make a fucking phone call??

      --
      Political debates have me rolling my eyes so much I think I got optical whiplash. I should sue. - Foamy The Squirrel
    3. Re:Bad trend by BasilBrush · · Score: 1

      This story is about another Android problem. iPhones are not affected. They don't ship with crapware or malware.

    4. Re:Bad trend by Tablizer · · Score: 1

      After 15 years of shit, MS finally learned to make them automatic.

      --
      Table-ized A.I.
  2. Re:Bad trend = No surprise by BoRegardless · · Score: 1

    Hey, even some well known top brands have done this.

  3. Not really ... by gstoddart · · Score: 1

    It's still dodgy side-loaded stuff, it's just been put on by the people who sold it to you.

    Which is why the owner of the phone needs to have the ability to uninstall any damned app instead of having shitware put on my the carrier or vendor be something you can't get rid of ... and why we need the ability to enforce granular permissions on everything an app wants to do.

    Most apps exist to do one of two things: steal your information, or deliver ads. Which is why I have give up on any app which has a corresponding web-page.

    Increasingly I just don't trust the companies who make apps, and assume they're all going to act like assholes. Usually they do.

    --
    Lost at C:>. Found at C.
    1. Re:Not really ... by Calydor · · Score: 1

      Let's take the Facebook app as an example. If you buy a smartphone, and it has the Facebook app pre-installed, and you WANT to use the Facebook app ... what reasonable person would assume the pre-installed app is malware, and they should uninstall it then install the official one straight from Facebook?

      --
      -=This sig has nothing to do with my comment. Move along now=-
    2. Re:Not really ... by gstoddart · · Score: 1

      Well, that's a terrible example. The Facebook app pretty much is malware already.

      Kidding aside, I have more or less come to the conclusion that almost all pre-installed software is malware or crapware. When I bought my last phone there was a bunch of garbage the carrier had put on it which I couldn't uninstall, but could only disable.

      Why the hell can't I, as the owner of the device, uninstall a piece of software? Because some asshole in marketing decided so? That shouldn't even be possible.

      --
      Lost at C:>. Found at C.
    3. Re:Not really ... by ihtoit · · Score: 1

      First time I rooted a phone it was my MotoRAZR V3i, because I hated the red-themed Vodafone softbranding. I got a factory image and flashed it with that, it's been unlocked and absolutely peachy ever since.

      --
      Political debates have me rolling my eyes so much I think I got optical whiplash. I should sue. - Foamy The Squirrel
    4. Re:Not really ... by mlts · · Score: 1

      Problem is that we will see this problem "fixed" by things similar to Samsung's KNOX, where if someone tries to manually install their own ROM or unlock the bootloader, the device blows an e-Fuse, rendering it either incapable of using a factory ROM, or showing it has been tampered with on boot.

    5. Re:Not really ... by Solandri · · Score: 2

      Which is why I have give up on any app which has a corresponding web-page.

      This is a really important point. The reason the web was so successful was because once you made a website, anyone with a computer could access it and anyone else's website using a single program. A common, unified method of interacting with multiple persons or organizations with minimum hassle. Prior to that was the telephone, which allowed you to call anyone using a single device. And prior to that was the invention of postal mail, which allowed you to write to anyone by dropping off your letters at a single location.

      What's happening with every site out there trying to foist their own app onto your phone is a huge step backwards. It takes us back to the day when the only way for you to interact with a person or a organization was to physically travel to their unique location. We've spent centuries arriving at the optimal solution to the problem of contacting others to exchange information with a minimum of hassle. Now marketers want to undo several centuries of progress in the name of advertising and data collection. What's happening with apps right now is equivalent to each person in your contact list insisting that you keep a separate telephone just for calling them, and which can only call them, and oh by the way that phone will listen in on what you're doing and report it back to its master..

      Don't fall for it. Unless the app includes some functionality which requires it to be an app (e.g. my banking app lets me deposit checks by securely taking a picture), insist on using the website. If the experience on your phone's browser sucks, that just means the website needs a better mobile site, or HTML needs to be extended to allow for a better mobile experience (theoretically the browser could be allowed access to your camera to let my bank's website take a picture allowing me to deposit checks). And if a site is so obnoxious as to block mobile browsers and insist you download their app, stop giving them your business and find an alternate.

    6. Re:Not really ... by gstoddart · · Score: 3, Insightful

      If the experience on your phone's browser sucks, that just means the website needs a better mobile site

      I find the vast majority of web sites with a mobile version are complete crap.

      You hit a site due to a search, get redirected to the crap which is their useless mobile site, and can never find what you're looking for because apparently mobile sites are written by morons who write useless sites.

      I can't tell you how many sites I have had to do the "request desktop site" for because they don't seem to realize a useless mobile site is worse and more broken than not having a mobile website in the first place.

      In my experience the mobile version of most websites are pointless, because they don't really work.

      --
      Lost at C:>. Found at C.
    7. Re:Not really ... by mlts · · Score: 2

      The real solution is something like xPrivacy (or on iOS, PMP), where the app thinks it has all the permissions it ever will want, but it gets fed bogus data. Contacts? Gets garbage. Location? Fake. Advertising ID? Sure, pick one. ESN/IMEI? Whatever the RNG says, its all yours.

      It is surprising what apps ask for, permission-wise. If one uses a firewall program (Firewall IP on iOS, others on Android), you will find that a lot of apps communicate with tens to hundreds of sites that are pretty much irrelevant to anything you are doing, but usually are related to ad-based stuff, be it analytics, behavioral tracking, or other stuff that has no benefit to the end user, but a windfall for a snoop.

      I've found the only real solution is to either move to a more user-respecting ROM like CM or whatever the talent in XDA has built, which almost always works better than what came from the factory.

  4. Lenovo by Calydor · · Score: 3, Insightful

    Does Lenovo make ANYTHING anymore that isn't full of malware?

    --
    -=This sig has nothing to do with my comment. Move along now=-
    1. Re:Lenovo by willworkforbeer · · Score: 3, Funny

      Does Lenovo make ANYTHING anymore that isn't full of malware?

      I found one possibility, but I haven't personally checked it for malware: http://shop.lenovo.com/SEUILib...

      --
      Pretending this is my office full of bitter coworkers..
    2. Re:Lenovo by ITRambo · · Score: 1

      They have a new logo that makes all the problems go away. I wish it did. Lenovo is turning into a POS company with their actions of the past year abusing customer trust. The only product left undamaged by Lenovo managements stupid stunts are the ThinkPad line of laptops. How long before some Lenovo bean counter says "hey, we can save more money if we turn ThinkPads into crap!"

    3. Re:Lenovo by Carewolf · · Score: 1

      Does Lenovo make ANYTHING anymore that isn't full of malware?

      The classic ThinkPad lines T and W, but it really does appear to be exceptions.

  5. Re:Alphabet by Travis+Mansbridge · · Score: 2

    It's a numbers game.

  6. There is only one trusted source. by grub · · Score: 2


    There is only one source you can trust for technology. That source is Apple.
    Sent from my Blackberry.

    .

    --
    Trolling is a art,
  7. Dumb phones by JustAnotherOldGuy · · Score: 1

    And this is another reason that I find a "dumb" phone fits my needs. Good luck installing malware on the dinosaur-era flip-phone I use.

    --
    Just cruising through this digital world at 33 1/3 rpm...
  8. Smartphones are barely phones by sjbe · · Score: 2

    there are phones out now that are more powerful than my four year old LAPTOP. What the fuck do you need to make a fucking phone call??

    Smartphones are not really primarily phones. They're small tablet computers that happen to be able to make calls. The phone feature is almost incidental since 90%+ of the time they are used for other purposes. I spend maybe 1-2 hours talking on my smartphone each month and probably 20+ hours doing other stuff with it like reading news, checking email, taking pictures, etc.

  9. Yes Lenovo makes phones. Lots of them. by sjbe · · Score: 2

    They're not even in the list of makers that I know of:

    That's because you probably don't live in China. They're actually a good sized player in the market. Also they are buying (have bought?) Motorola's handset operations from Google.

  10. Re:Lenovo make phones? by Solandri · · Score: 2

    Lenovo bought Motorola. That coupled with their China-only smartphones made them the #4 phone manufacturer in 2014.

  11. intelligent malware apps such as Facebook by penguinoid · · Score: 1

    Malware, sure, but intelligent?

    --
    Don't waste your vote! Vote for whoever you want, unless you live in a swing state it won't matter anyways
  12. Re:Lenovo make phones? by ihtoit · · Score: 1

    oh, ok.

    --
    Political debates have me rolling my eyes so much I think I got optical whiplash. I should sue. - Foamy The Squirrel