Security

SMS Trojan Steals From Android Owners

Posted by CmdrTaco
from the no-way-i-wanted-hott-sexx dept.
siliconbits writes "A Trojan posing as a media player for Android smartphones automatically sends text messages to premium rate numbers, according to Kaspersky Lab. Company officials say the Trojan, dubbed Trojan-SMS.AndroidOS.FakePlayer.a, is the first of its kind for the Android platform, even though SMS Trojans are currently the most widespread type of malware on mobile phones."

  • by schon (31600) on Tuesday August 10, 2010 @01:19PM (#33206196)

    Or does it tell you what it's gonna do beforehand?

    If you install something that says "THIS WILL COST YOU MONEY", and it sends SMS that costs you money, how exactly is that a "trojan"?

    • by MozeeToby (1163751) on Tuesday August 10, 2010 @01:22PM (#33206254)

      Yes, the user must approve giving the 'Trojan' access to sending text messages, which is included under a big banner that says "Things that can cost you money". Of course, after the 40th or 50th app installed, no one reads them anymore and just clicks the OK button, but Android does notify you of what it's capable of, and even that requires you to check the install apps from other sources button.

      • by ThinkWeak (958195)
        I'm interested to know if anyone's deployed a trojan on an app you actually purchase.

        I'm sure this CAN be done, but has it been? I like a free app as much as the next person, but if you're not going to take the time to read what the program is capable of and paid apps are safer - then why not just purchase the full version of something similar?
        • Re: (Score:3, Insightful)

          by MozeeToby (1163751)

          Why not just take the literally 20 seconds to read what parts of the phone an app wants access to? Or at least the 5 seconds to make sure that there's nothing under the 'will cost you money' heading, unless it's an app where that makes sense (I think the only apps I have with entries under those headings are Google maps and Google voice, and both because they're allowed to initiate phone calls).

          • Re: (Score:3, Informative)

            by SCPaPaJoe (767952)
            I agree. When I first got my Droid, I was going to install a free game until I saw it wanted access to my contacts list. The notification screen during app install is quite clear and easy to understand. There is no excuse for not reading it.
            • by geekoid (135745)

              What if you want to install a music tool that sends SMS?

              It would tell you it's going to send SMS, not that they will cost you money. So while it's sending SMS info of the songs you're listening to share playlists, it also sends SMS to places that charge?

              I have never used SMS to do anything financial. I had it turned off after I got a bogus charge for ringtones. For the record, I create and put all my personalized ringtones directly on the phone. So for me, I was able to easily detect that charge.

              In fact, that's a

              • Re: (Score:3, Insightful)

                by Sancho (17056) *

                It would tell you it's going to send SMS, not that they will cost you money. So while it's sending SMS info of the songs you're listening to share playlists, it also sends SMS to places that charge?

                On my phone, the category in the manifest is "Services that cost you money" (in big bold letters) and then under that, as an explanation, it says "directly call phone numbers, send SMS messages."

                An application which has the ability to send SMS has the ability to cost you money because it could send SMS to premium-rate numbers or out of the country. Many people wouldn't think about this, and there's probably no easy way for Android to differentiate between regular SMS and premium-rate SMS.

                • there's probably no easy way for Android to differentiate between regular SMS and premium-rate SMS.

                  How about an option to only send SMS messages to numbers in your address book? Or an option to require approval for each new number that the app is allowed to send messages to? Or even just a restriction based on area codes? I'm not sure how it works in the USA, but in the UK you can easily tell from a phone number whether it's a premium rate number or an overseas number...

                  • by Sancho (17056) *

                    Sounds a lot like UAC, though. Good in theory, but might turn into people just approving messages to get on with whatever they were doing.

                  • by camperslo (704715)

                    Or even just a restriction based on area codes?

                    In this era of number portability, an area code can no longer be trusted to tell you where you are calling.

                    • by Cillian (1003268)
                      In this place of the UK, the area code tells you very much where/what you're calling, be it a normal landline, mobile, premium or free number. Even the cost of the number is often specified just in the area code. And if that's not enough there's a website which does premium rate phone number lookups. (Hint: 08 and 09, apart from 0800, are generally costly)
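
The per-destination controls proposed in this sub-thread (address-book allow-list, approval for each new number, prefix restriction), sketched as an added example that is not part of any poster's comment and is not Android code. The `SmsGate` class, the prefix rule (taken from the hint in the comment above) and all sample numbers are constructed assumptions; the point it shows is that numbers must be normalised first, or a `+44` spelling slips past an `09` rule.

```python
import re


def to_national(number):
    """Normalise UK spellings (+44, 0044, spaces, "(0)") to one national form."""
    s = re.sub(r"[^\d+]", "", number)
    for intl in ("+44", "0044"):
        if s.startswith(intl):
            # "+44 (0)909..." and "+44 909..." must both become "0909..."
            return "0" + s[len(intl):].lstrip("0")
    return s


def classify(number):
    """Classify a destination using the thread's rule of thumb (an assumption)."""
    n = to_national(number)
    if not n.lstrip("+").isdigit():
        return "invalid"
    if n.startswith("+") or n.startswith("00"):
        return "overseas"
    if not n.startswith("0"):
        return "shortcode"      # cannot be priced from its digits: always ask
    if n.startswith("0800"):
        return "free"
    if n.startswith(("08", "09")):
        return "costly"
    return "standard"


class SmsGate:
    """Hypothetical OS-side gate consulted before an app's SMS leaves the phone."""

    def __init__(self, address_book):
        self.contacts = {to_national(n) for n in address_book}
        self.approved = {}      # app id -> destinations the user approved

    def decide(self, app, number):
        n = to_national(number)
        if classify(n) in ("costly", "invalid"):
            return "deny"       # prefix restriction wins over everything else
        if n in self.contacts or n in self.approved.get(app, set()):
            return "allow"
        return "prompt"         # new destination: ask the user once

    def approve(self, app, number):
        """Record the user's approval; approvals are per app, not global."""
        if self.decide(app, number) != "prompt":
            return False
        self.approved.setdefault(app, set()).add(to_national(number))
        return True


if __name__ == "__main__":
    gate = SmsGate(address_book=["07700 900123"])   # constructed contact
    for dest in ("+44 7700 900123", "+44 (0)909 879 0123",
                 "0044 909 8790123", "020 7946 0123", "80123"):
        print(f"{dest:22} {classify(dest):10} {gate.decide('player', dest)}")
```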
              • by shmlco (594907)

                Exactly. The permissions system isn't some sort of panacea.

                I mean, you could download an app that legitimately purports to send SMS or email messages as one of its functions. Like, say, a "social" RSS newsreader that exists to notify family and friends of interesting articles or stories.

                You then approve it, give it access to your contacts and email and SMS, only to find out later on that it sends special "paid" messages like the one in the article.

                Or spammed your entire contact list.

                By approving the legitim

                • by DJRumpy (1345787) on Tuesday August 10, 2010 @03:52PM (#33208184)

                  It's amazing how far folks are falling over themselves to defend this type of activity on the Android platform ("well it's their own fault" and "they should have read the warning"). I hate to break it to everyone, but most Android users are not geeks, nerds, or techies. They will do just as Windows users have been doing for decades and click 'OK' when prompted. Such behavior should be expected and accounted for, or provisions made to protect end users in spite of themselves.

                  The difference here? There is no virus scan or malware blocker to save them.

          • Is it possible for an app to request access to the filesystem, then modify another existing app with a payload that makes it do all the dirty work? For example, take a legitimate and popular alternate phone/SMS app and modify it to call/SMS rogue numbers.

            • by metamatic (202216) on Tuesday August 10, 2010 @01:52PM (#33206650) Homepage Journal

              Is it possible for an app to request access to the filesystem, then modify another existing app with a payload that makes it do all the dirty work?

              No. Each Android app runs as a separate Linux userid [android.com]. Even if you give the app filesystem access, it can't write to files that belong to other apps, let alone rewrite the apps themselves.

              • by unix1 (1667411)

                No. Each Android app runs as a separate Linux userid [android.com]. Even if you give the app filesystem access, it can't write to files that belong to other apps, let alone rewrite the apps themselves.

                That would all be fine and dandy if there were no SD cards formatted with FAT32 with no filesystem security, and things like "move apps to SD card" features on top of that. These are simply bad choices for security.

                • As a Linux user, I would prefer to see the SD cards on Android phones using something like ext3 rather than FAT32. However, as someone firmly in touch with the real world, I understand why they chose FAT32. Since most desktops still run Windows, most of those that don't run Windows run OS-X, and it's still (unfortunately) a relative minority like me that runs a Linux OS on their (lap|desk)tops, FAT32 is still the logical choice, despite its security issues. I do agree that the "move apps to SD card
                  • FAT32 is still the logical choice, despite its security issues

                    Bill Gates? Is that you?

                    Because at this point we all have seen when you design from the start for convenience OF THE DEVELOPER instead of security. The Windows world has been living with the consequences of that choice for decades now.

                    So now at the brink of a whole new wave of OS's, is not the time to repeat the mistakes of our virtual forefathers. Android could move apps into a smaller embedded filesystem in a file, but in no way should it o

                    • Because at this point we all have seen when you design from the start for convenience OF THE DEVELOPER instead of security.

                      It's rather the convenience of the user, but as he is the one who actually has to buy a gadget this might be the right thing to do, even as you're right with the consequences.

                    • Wow, that's really funny. I think this is the first time *I* have ever been called Bill Gates. Did you happen to notice my sig by any chance?

                      My point, which I thought was pretty clear and even though it pains me greatly to say so, was that there isn't another file system that is as widely supported out of the box as FAT32. UFS? Nope. Ext2/3/4? Nope. ReiserFS? Nope. NTFS? Nope. ZFS? Nope. There is a *reason* FAT32 is the standard for removable mass storage, even though it really sucks (especi
                    • by unix1 (1667411)

                      Android could move apps into a smaller embedded filesystem in a file

                      This could have been an arguable compromise solution. The other part - where your data on FAT32 is still wide open (pics/video/logs/whatever apps store on it) - would remain. But at least this way you could have some apps (depending on sensitivity of their info) store their data on such encrypted partition-in-a-file.

                      Other advantages would be:

                      - you could grow/shrink partition and filesystem as needed automatically by OS or manually
                      - you could just copy one file from one SD card to another and have it automat

                    • It's rather the convenience of the user

                      That's not so.

                      Because I already described how you would have the same exact functionality with an embedded file system in one large file on the DOS partition, where apps would go. That would be mounted and have proper security.

                      To the user everything works as it does now, it's just that underneath you can't have apps stored on an external partition infected by another app nearly as easily.

                      If you wanted to let users drag apps onto the removable storage you could still l

                    • Yes, I read your sig. Which is why being willing to repeat the same mistakes really made me do a double-take.

                      There is a *reason* FAT32 is the standard for removable mass storage

                      Yes, I totally agree with that. It's utterly unreasonable at this point (probably forever sadly) for removable media to be anything but FAT 32.

                      I am saying apps don't have to sit naked upon that.

                      Perhaps I was not clear enough but I was envisioning a binary blob in the FAT 32 system, that was an EXt4 (or whatever) disk image. The sy

                    • Perhaps I was not clear enough but I was envisioning a binary blob in the FAT 32 system, that was an EXt4 (or whatever) disk image.

                      Steve Jobs, is that you ;)

                      Seriously, that sounds like the reason why I can't just drag MP3s to an iPod from any OS without Apple software. It's all about security, right? Personally I would take the risk and retain the hack-ability.

                    • Seriously, that sounds like the reason why I can't just drag MP3s to an iPod from any OS without Apple software. It's all about security, right? Personally I would take the risk and retain the hack-ability.

                      I'm not saying you place all files in there, just application binaries.

                      Even application writable directories could be on FAT; music would certainly stay there.

                      There's no reason you can't leave the SD card generally writable and useful, but still prevent applications from being hacked from within.

                      And the re

                    • Finally someone that understands what I am proposing. The only tricky part would be mounting that virtual partition, that would probably require some serious coding somewhere in the Android filesystem to make that work...

                      Another cool thing is then you could use this support elsewhere - like a small encrypted data bundle for an application that only it could decode. So it would provide fringe benefits.

                  • by Teun (17872)
                    I noticed TomTom (of the navigators and the MS FAT legal challenge) has added the ext2fs 'plug-in' to their Windows application.

                    So I assume their navigators will in future use ext2/3 instead of FAT.

                    This option is open to any developer.

                    • True, and if the Android were to move to a better file system than FAT32, that's probably the best way to do it. But it does introduce the complexity of requiring software to access the device's file system from a Windows PC. While that may not be a big deal for TomTom (since they are the manufacturer for all TomTom devices), it becomes a somewhat bigger challenge for manufacturers of Android devices, since Motorola, HTC, etc., etc. would *all* have to include a Windows driver for the SD card. While I, f
                    • by adolf (21054)

                      The drivers for the EXT3 partition could simply be on the SD card itself, in a FAT32 partition. Easy enough.

                      But there's other reasons to keep FAT32 around: It's supported by bloody almost every hardware device with a USB port. I keep some videos and MP3s on my Droid, and it's dead simple to plug it into the car stereo or the PS3 and play whatever it is that's on there, or straight into a modern TV to do the same sort of thing. These devices don't support EXT2/3.

                      And my friends don't want me fucking aroun

                    • Re: (Score:3, Informative)

                      by mjwx (966435)

                      Out of curiosity, how does a Windows user gain access to the iPhone's file system? Is there even a removable storage card on an iPhone, or is the entire phone a USB mass storage device?

                      They don't. No MSC functionality whatsoever. All communication with an iPhone is done through iTunes.

                      True, and if the Android were to move to a better file system than FAT32, that's probably the best way to do it

                      Android already uses a newer file system. The / is YAFFS2. Only /SDCARD is VFAT and this can be reformatted to

          • by geekoid (135745)

            Do apps say that? I think an installed app would tell you what it accesses: Bluetooth, Wi-Fi, GPS, music, SMS. I don't think it tells you it will secretly send SMSs to places that cost you money.

            • Re: (Score:3, Informative)

              by Sancho (17056) *

              The manifest says, in big bold letters, that the app may cost you money by placing phone calls and sending SMS.

          • Because sometimes it's not that easy. I'm paranoid about what I've installed on mine, but say I make a GPS app that will show WIFI hotspot overlays on maps (cause I always wanted something like that). I now have an app that when downloaded, shows up as needing:

            * GPS Location (fine)
            * Network access

            I also want to make it switch off during phone calls, and maybe keep the phone from sleeping:

            * System tools
            * Phone state and identity


            Finally, wouldn't it be neato if it could save the overlays to the f
          • by Drew M. (5831)

            Speaking of which, on Android why does the very popular app "The Weather Channel" need "Services that cost you money: directly call phone numbers" because I sure don't see that functionality anywhere.

            • Ask the developers? I have done this with other apps a few times and often the answer is as lame as "oops, we forgot to take it out after experimentation". The culture of minimizing permissions hasn't really taken hold yet, but with enough nagging it can. Android usually offers ways of achieving what you want without a permission, e.g., the weather channel can initiate a call by triggering the dialer with a number pre-populated. Then the user can make the call with a single tap. After the call ends the user is
              • The culture of minimizing permissions hasn't really taken hold yet

                I think this is the real answer ... how to foster a culture of scepticism and caution among users that will make apps declaring unnecessary permissions get shunned in the market place. I would start, if I was Google, by putting an incentive into the market itself: "safer" apps should receive a special marking. Perhaps even appear first in search results. It should be possible to lock the phone to only access "safe" apps (sort of parental control type feature). Not big things, but enough to persuade

      • by flibuste (523578) on Tuesday August 10, 2010 @01:46PM (#33206576)

        In all honesty, the way Android reports what an application uses is way too weak and not granular enough. Basically, you require access to 1 URL, your application needs "Full Internet Access". Want to access the GPS data? Your application needs "Location access", "Services that may cost money", etc.

        The way an application declares its "needs" is through an element in the Android Manifest file. However, the choices are really limited to the existing Android services, and most of them have a 1 to 1 relation with the services they relate to, and nothing more granular such as "Requires GPS access using only satellites (costs nothing)", "Requires GPS access using cell towers", "Requires GPS access through paying services".

        In the end, the user downloading an app sees warnings that are mostly meaningless, and which appear in many other applications. It's close to impossible to spot a possibly-offensive application such as this Trojan.
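
The manifest check discussed in this thread, as an added example that is not part of the comment above and is not Kaspersky's or Google's code: it reads the `uses-permission` elements of an already-decoded `AndroidManifest.xml` and flags the two permissions behind the "Services that cost you money" heading when the app's stated category gives no reason for them. The category baselines and both sample manifests are constructed assumptions.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions the install screen groups under "Services that cost you money".
COST_PERMISSIONS = {
    "android.permission.SEND_SMS": "send SMS messages",
    "android.permission.CALL_PHONE": "directly call phone numbers",
}

# Assumption: what a reviewer considers unsurprising for each app category.
BASELINES = {
    "media_player": {"android.permission.INTERNET",
                     "android.permission.WAKE_LOCK",
                     "android.permission.WRITE_EXTERNAL_STORAGE"},
    "sms_client": {"android.permission.SEND_SMS",
                   "android.permission.RECEIVE_SMS",
                   "android.permission.READ_CONTACTS"},
    "weather": {"android.permission.INTERNET",
                "android.permission.ACCESS_COARSE_LOCATION"},
}

# Constructed sample: a "media player" that asks to send SMS.
MEDIA_PLAYER_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.mediaplayer">
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Media Player"/>
</manifest>"""

# Constructed sample: a weather app that asks to place calls.
WEATHER_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.weather">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission/>
</manifest>"""


def requested_permissions(manifest_xml):
    """Return declared permission names in manifest order, without duplicates."""
    root = ET.fromstring(manifest_xml)
    if root.tag != "manifest":
        raise ValueError("not an Android manifest")
    names = []
    for element in root.iter("uses-permission"):
        name = element.get(ANDROID_NS + "name")
        if name and name not in names:   # skip entries with no android:name
            names.append(name)
    return names


def audit(manifest_xml, category):
    """List (severity, permission, reason) for permissions outside the baseline."""
    if category not in BASELINES:
        raise ValueError("unknown category: " + category)
    findings = []
    for name in requested_permissions(manifest_xml):
        if name in BASELINES[category]:
            continue
        if name in COST_PERMISSIONS:
            reason = "can cost money (%s), unexplained for a %s" % (
                COST_PERMISSIONS[name], category)
            findings.append(("HIGH", name, reason))
        else:
            findings.append(("REVIEW", name, "outside the category baseline"))
    return findings


if __name__ == "__main__":
    for label, xml_text, category in (
            ("media player", MEDIA_PLAYER_MANIFEST, "media_player"),
            ("weather app", WEATHER_MANIFEST, "weather")):
        for severity, name, reason in audit(xml_text, category):
            print(f"{label}: [{severity}] {name}: {reason}")
```

The manifest inside an APK is stored as binary XML, so it has to be decoded to text before a check like this can read it.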

        • Re: (Score:2, Informative)

          by Anonymous Coward

          In all honesty, the way Android reports what an application uses is way too weak and not granular enough. Basically, you require access to 1 URL, your application needs "Full Internet Access". Want to access the GPS data? Your application needs "Location access", "Services that may cost money", etc.

          Do you use Android? It is more granular than that. Location access can specify coarse (cell location) and fine (GPS). "Services that may cost money" can specify SMS or phone calls. Many apps use a "Phone" permission that's called "Read phone state" so that it can know when you're receiving a call. Apps like Google Voice that use the "Phone" permissions also include things like "Make outgoing calls" and "Intercept calls".

          Your fine-grained permissions are right there.

          • It still needs to be finer, in my opinion. One thing I would really value is a sandboxed internet access that includes restrictions on the domains it can access and the amount of data it can send. I'm quite happy for an app to talk to its own server for a cloud based service. I see no reason that the same permission should let it blindly send unlimited amounts of my phone SD card data (possibly at great expense) to a mysterious web site in China. Unfortunately the same permission covers both.

            • by bnenning (58349)

              Agreed. Also, access to the SD card should be limited to an app-specific directory by default.

              I'm quite happy for an app to talk to its own server for a cloud based service. I see no reason that the same permission should let it blindly send unlimited amounts of my phone SD card data (possibly at great expense) to a mysterious web site in China.

              Well, once you let an app talk to the developer's servers they can do whatever they want with the data from there. The advantage of whitelisting specific URLs is wh

        • Re: (Score:3, Funny)

          by nschubach (922175)

          Personally, I'd like to see an OS driven prompt to have access to things like contacts, messaging and phone access.

          If your app needs a contact to send a message, it would have to pass that message to the OS and the OS would prompt the user for the contact to send it to. This way, no apps need access to contacts to send messages for some reason. The same applies to phone numbers, etc.

          • by BcNexus (826974)
            ^This. The Java VM on my previous Sprint Samsung and LG feature phones (I mention the brands and provider because I don't know who pushed for such granular permissions) gave me more granular controls, meaning I could grant various permissions to an app once, never, or forever.

            When I tried the Droid Incredible for a month, I was appalled to see A) how vague Android was about the type of permissions apps asked for, and B) how Android didn't offer the same once, never or forever options as my feature phone
      • Yes, the user must approve giving the 'Trojan' access to sending text messages, which is included under a big banner that says "Things that can cost you money". Of course, after the 40th or 50th app installed, no one reads them anymore and just clicks the OK button, but Android does notify you of what it's capable of, and even that requires you to check the install apps from other sources button.

        Fortunately, owning a G1, with limited memory storage available, I have yet to reach my 40th or 50th app install, and thus still read that stuff before I install. I figure I have about 20 more apps to go before I start skipping that section and just install without reading...

        ;-)

    • "Kaspersky officials suggest that Android users pay close attention to the services requested by an application at the time of installation"

      So yeah. But it hardly makes it not a trojan; by definition trojans masquerade as legitimate apps and this one seems to be no exception. But it doesn't spread or install automatically or give itself privileges the user doesn't grant it, so it's not a big concern. Just another example of users installing that app they MUST have no matter how loudly their anti-virus sc

      • The user is the trojan
      • by schon (31600)

        So yeah. But it hardly makes it not a trojan;

        Of course it makes it not a trojan!

        by definition trojans masquerade as legitimate apps

        By that definition, all malware are trojans.

        A trojan is something that has hidden and malicious functionality. You know, like the Trojan Horse.

        As this is not hidden, it's not a trojan.

    • by camperslo (704715)

      As an end user, I'd like to see an app store where liability insurance is mandatory to cover damages that users may experience from misleading or malicious closed-source apps. The insurance companies should still require source. For totally open source apps, the store should indicate if/what independent volunteer group (or one funded by a small per-app fee) has reviewed the app.

      I think that OS / software vendors that take the entire burden of security debugging on themselves by failing to provide source c

      • As an end user, I'd like to see an app store where liability insurance is mandatory to cover damages that users may experience from misleading or malicious closed-source apps. The insurance companies should still require source. For totally open source apps, the store should indicate if/what independent volunteer group (or one funded by a small per-app fee) has reviewed the app.

        All you'd really get out of that is a false sense of security and a scapegoat to shake your finger at.

      • by nahdude812 (88157) *

        This is an app which is not installed via the Android Market. You have to first enable the installation of apps from outside the Market (an option in system settings). Once you've made that change, neither Google nor any other entity controls what you install on your phone any longer.

        Also, you still have to go through a screen which warns that this application requires special permissions; the ability to send SMS's is listed under a big bold heading along the lines of "Things which may cost you money."

    • by GooberToo (74388)

      If you install something that says "THIS WILL COST YOU MONEY", and it sends SMS that costs you money, how exactly is that a "trojan"?

      Because it says it does one thing and actually does another. That's what a trojan is.

      The fact that the installation tells you it can cost you money and people still install it means people are idiots. This is like anti-virus popping up and saying, application has been detected to do something which doesn't correspond to the type of application you are installing. Wish to continue? The fact this is newsworthy implies headline, "User willingly and knowingly accepts virus - anti-virus and Windows is to blame

  • Hahaha (Score:5, Funny)

    by Anonymous Coward on Tuesday August 10, 2010 @01:21PM (#33206240)

    Hahaha! Good thing I have an iPhon.....*signal lost*

    • This is the iPhone we're talking about, how'd you manage to get a signal in the first place!?

      (Must have one of those Vulcan pinch phone holders...)
  • Read the TFA? (Score:5, Insightful)

    by NiteShaed (315799) on Tuesday August 10, 2010 @01:25PM (#33206284)

    Why bother? I read it, and I still don't know silly details like what the name of this app is, or whether it's been pulled from the Android Market. Actually, now that I think about it, I don't even know *if* it was in the Android Market, or if it's a side-load app. For all I know, Kaspersky "discovered" a proof-of-concept app that they developed themselves. Yeah, that last bit is pretty unlikely, but reading TFA is no help at all in ruling it out.....

    Content fail for TFA.

    • Re: (Score:3, Informative)

      by unix1 (1667411)

      Found the original announcement [kaspersky.com]. No name of an app there either.

      While there could definitely be such an app, the article definitely sounds like an advertisement for their product rather than a security notification.

      • While there could definitely be such an app, the article definitely sounds like an advertisement for their product rather than a security notification.

        It seems like it's gotten to the point that anything that comes out of Kaspersky, Sophos, Symantec, et al, is just a bunch of far-fetched hype for some product or service they are hawking. These guys have become so transparent that I have concluded that they are just a higher grade of spammers.

    • This was the same problem with the screen saver app that also did something malicious. Couldn't find the name of the app; it just said that it was out there. This is starting to bother me; tell me what the app is, where it was installed from and who the developer is.

    • by machxor (1226486)
      However, we don't need to know any of that because it's clear that the application asks for permission to send SMS, the user accepts and then the app does exactly what it said it was going to do. This is no trojan; this is a case of users not wanting to be responsible for the security of their devices.
      • by NiteShaed (315799)

        I really can't agree there. I'd still be inclined to categorize it as a trojan since it's disguised as a music player (even a flawed disguise is still a disguise). In any case, I don't think there's any argument to be made that it isn't malware, and I'd still like to know what name it's being distributed under and who it's coming from....

        Also, since we don't really know anything about the app, it's entirely possible that its description explains the SMS access away as having the ability to text your frien

      • However we don't need to know any of that because it's clear that the application asks for permission to send SMS, the user accepts and then the app does exactly what it said it was going to do.

        This is where I'm not sure the Android security model is doing you many favors.

        You download a media player, go to install it, and you get a list of things it wants to do - access media library, perhaps access contacts for sharing, and so on... and way down at the end, a little notice about accessing SMS. You might n

        • by nahdude812 (88157) *

          The ability for an app to place phone calls or send SMSes are listed under big bold text reading something to the effect of "Things which may cost you money" on the permissions screen.

          If you look at the screen at all, you can't miss it.

          • If you look at the screen at all, you can't miss it.

            Even though saying a user "can't miss" something in a list of other things seems wrong to me from direct experience, I'm willing to concede that point.

            Because it does not matter.

            That screen is telling the user that at some theoretical point in the future, the app may want to SMS someone. Well who cares then? The user doesn't know what the app really does yet, perhaps (in the movie player case) it lets them SMS URL's of cool movies. The user has no way a

            • by nahdude812 (88157) *

              Even though saying a user "can't miss" something in a list of other things seems wrong to me from direct experience, I'm willing to concede that point.

              If you read the screen you can't miss it. If you missed it, then you haven't read the screen.

              Your only other choice is to prohibit software from doing things which might not be desirable to the user, including the legitimate uses of software in areas where there is also room for illegitimate uses.

              Personally I prefer to have a choice in what my software can d

              • If you read the screen you can't miss it. If you missed it, then you haven't read the screen.

                Already stated I conceded the point they saw it, and did not care (or could not evaluate).

                Your only other choice is to prohibit software from doing things which might not be desirable to the user

                Wrong. Your OTHER choice is to ask the user at the time the app is trying to do the thing in question the app would like to get permission for - so it would ask when the app tried to send an SMS.

                You wouldn't have to keep as

  • Prosecution? (Score:4, Insightful)

    by AdamThor (995520) on Tuesday August 10, 2010 @01:28PM (#33206316)

    So this should lead to police activity quickly enough, right? One can't (at this time) prove where the trojan came from, but it's easy enough to see who benefits and what accounts the money gets paid into. That should all get frozen, cops should kick down some doors, machines should get confiscated?

    Will this happen?

    • Re: (Score:3, Insightful)

      by John Hasler (414242)

      > Will this happen?

      It could. It is quite possible that some mules will find themselves in serious trouble.

    • by geekoid (135745)

      " but it's easy enough to see who benefits and what accounts the money gets paid into. "
      Maybe not.
      The person who owns the account might be a legitimate business and just claim he doesn't know why the writer chose him. Or the writer just picked something at random to cause random confusion and to make a point.

      Let's say you sold personalized adult SMS messages for 5 bucks a pop. Your business really starts to rise. How are you to know that someone chose you at random for a PoC of malware? Or a rival isn't se

    • If someone you don't like makes money off of SMS messages, write a Trojan that sends them stuff, get people to download it, and voilà! The SMS guys get raided!

    • by ErikZ (55491) *

      Absolutely. The Nigerian police are ever vigilant.

  • Bad summary (Score:5, Informative)

    by esocid (946821) on Tuesday August 10, 2010 @01:33PM (#33206392) Journal
    After trudging through several articles, not one mentions the application's name. It does however mention that the trojan can be packed into basically anything. It also doesn't mention that only users in Russia are affected by the SMS charges.

    According to Denis Maslennikov, Senior Malware Researcher at Kaspersky Lab, there's not an exact number of infected devices available at present, but the outbreak is currently regional. For now, only Russian Android users can actually lose money after installing the Trojan, but anyone can be infected.

    http://www.readwriteweb.com/archives/first_trojan_for_android_phones_goes_wild.php [readwriteweb.com]

    • Re:Bad summary (Score:4, Informative)

      by esocid (946821) on Tuesday August 10, 2010 @01:34PM (#33206410) Journal
      Also forgot to mention, it isn't in the market. It has to be manually installed, with that little box checked to allow non-market apps to be installed.
      • by tlhIngan (30335)

        Also forgot to mention, it isn't in the market. It has to be manually installed, with that little box checked to allow non-market apps to be installed.

        Given the number of jailbroken iPhones with OpenSSH installed, that's not a limitation at all. Turns out people are sheep, and if you give them instructions on how to install your SuperNewCoolAndroidApp.apk file, they'll do it. They'll blithely check that box, click OK on the permissions dialog, etc. Make it into a YouTube video and they'll just do it like a

    • by unix1 (1667411)

      Here's some more info [securelist.com]. Still no link/name/source of the app. They could have paid someone to write a proof of concept/hypothetical app that did that, so they could do a press release and plug in their upcoming product.

    • by MadJo (674225)

      Bad summary? I'd say bogus story perhaps even FUD. Given that they haven't told us the name of the app, and that it has to be installed from a source other than the market (which surprise, surprise, wasn't in ANY of the stories I read about this today)... I'd say this story is bullcrap.

  • Protection (Score:3, Funny)

    by Ukab the Great (87152) on Tuesday August 10, 2010 @01:33PM (#33206394)

    With Trojan-SMS.AndroidOS.FakePlayer.a, you can now have two different trojans in your pocket to offer the ladies.

  • This type of malware was obvious from the beginning. My question is what would be the phone companies' response to this?

    Will they;
    a) just charge the user for the messages saying that they are SOL
    b) void the charges
  • Those installing applications from questionable sources get what they deserve.

    • by Sancho (17056) *

      Do women who walk down dark alleys at 3 in the morning get what they deserve?

      Stop blaming the victim.

      • by cdrguru (88047)

        What is clearly needed here is insurance against this type of loss. Then nobody will be a victim anymore ... well, as long as they have insurance.

        The problem is that we started out giving hammers to 6 year-old boys without any instruction. This was the DOS command line in 1982. The result was predictable and painful for some but for the most part it is possible to use a PC now, 25 years later. But we still have huge volumes of phishing and botnet emails because people do fall for this stuff.

        With Android

      • by gweihir (88907)

        The comparison is grossly unfair. Better one: If having unprotected sex with various partners gives you an STD, then you share a large part of the blame.

        Downloading some software from somewhere and then running it is a high-risk activity. Walking down an alley at 3 in the morning does (at least here) not come with any significant risk of getting raped.

        People that did not bother to find out the risk-level for an activity or knowingly did high-risk things, always share the responsibility for a bad outcome.

    • I apply precisely the same opinion about those buying from iTunes which I consider a questionable source also.

  • by geekoid (135745)

    A company that makes money selling anti-virus software claims there is a Trojan that their Android release will fix.

    Ok, I'm willing, for the moment, to say that's true and has happened.
    The article doesn't give any information. Was this spread through the market, or did some select the option to install apps from anywhere and then get hit?

    OTOH, this does follow my belief that online and smart phone financial transactions will end. The sheer number and ease of scamming people can't be stopped.

    I hope I am wrong

  • Any suggestions for an Android app that can quickly do a security audit (assuming the APIs allow it)?

    I'm thinking that it would list in table form all the installed applications (the rows) with all the security access types (columns) with all the cells checked or unchecked. This would allow an "at a glance" review of all the apps without having to navigate into the management of each one.
  • CNET reports here [cnet.com] that this is an app external to the Android Market, and you had to get it from a malicious (I assume) website.

    I saw one report from a phone user claiming they saw it as a 13kb download that they didn't think they asked for, and deleted it. No idea if that is credible.

    So it does appear, at least for now, that this is not a Market app.

  • No trojan would spread all that rapidly unless it was spread via the marketplace, and anyone submitting anything to the marketplace (even free stuff) has to go through a credit background check. Not to mention Google has the ability (and has used it) to remotely wipe programs installed from the marketplace.

    Mark of a good virus is its ability to spread ;).

  • There is something that I miss in all of the reports I've read about this "trojan", they fail to actually name the app that's supposedly causing all this. Seriously, was the application called "fakeplayer" or something?
    It's useful information to know what app is malicious, don't you think? So that you can avoid installing it, or to remove it from your phone before it causes more damage.
