Infected Androids Run Up Big Texting Bills 279
Hugh Pickens writes "Computerworld reports that a rogue Android app is hijacking smartphones and running up big texting bills to premium rate numbers before the owner knows it. Chinese hackers grabbed a copy of Steamy Windows, a free program, added a backdoor Trojan horse to the app's code, then placed the reworked app on unsanctioned third-party "app stores" where unsuspecting or careless Android smartphones find it, download it and install it."
Holy AI, Batman (Score:5, Insightful)
"[...] where unsuspecting or careless Android smartphones find it, download it and install it."
I really dislike careless phones. Perhaps reviewers can test and report which are careful.
I'd also like to know how to make my phone less naive about unauthorised app stores.
Perhaps I should take away my phone's download privileges...
Re: (Score:2)
Re:That's strange (Score:5, Funny)
I though open-source was infinitely more secure than "Micro$oft Windoze omglolwut!". Funny I haven't heard about any viruses affecting windows phones.
That's because there isn't enough marketshare.
Sorry, couldn't resist!
Re:That's strange (Score:4, Interesting)
Re: (Score:3)
Re:That's strange (Score:4, Informative)
Wallpapers, always (Score:3)
From the article:
"The latest Trojan horse for Google’s Android operating system has been seen posing in Chinese third-party app stores as legitimate programs such as Wallpaper apps."
Is it just me or do these things invariably trace back to wallpaper apps? People* must be real suckers for these things. And here I am, writing *productivity* apps ... *smacks forehead*
Oh noes! (Score:3, Insightful)
Obviously this means we should abdicate (forcibly, if necessary) all control over our computing devices to large corporations with a vested interest in denying us the ability to use them as we see fit.
Re: (Score:2)
Re: (Score:2)
What are they going to do, call your cell phone number? so if it's being used by someone else they'll call them and that person will say "yeah sure go ahead"?
In this case though it's a bit of caveat emptor. This isn't a remote attack vector that you get just by visiting a website - you have to install the app. Be wary of installing apps from unofficial sources and monitor your own damn bill.
Re: (Score:2)
It's the usual consumer thing.
I want a phone capable of running any application, no matter where it may originate from, and it must be able to make full use of every hardware feature of my phone, but if it actually does so, I also must be able to reject any charges it may incur.
I deny being responsible for what my phone may or may not have done or will do.
And I want a pony.
Re:Oh noes! (Score:5, Insightful)
Obviously this means we should abdicate (forcibly, if necessary) all control over our computing devices to large corporations with a vested interest in denying us the ability to use them as we see fit.
You buy stuff from trusted sources. There are a few trusted ones, and none of them have addresses in China.
The people getting these infected apps knew damn well what they were doing. They had to make at lease one nonstandard setting, download in a nonstandard way, and launch the installation in a nonstandard way. Looking for Porn is my guess. I have very little sympathy.
The point is no one falls into this trap using the Google market or the upcoming Amazon market, or a couple others.
Re: (Score:3)
Worse yet, they actually went out of their way to find pirated software and install it with little regard for actual consequences.
Not really for or against piracy but... If you do do it and dont know how to check for things like this then you get what you deserve.
Re:Oh noes! (Score:5, Informative)
Where are you getting pirated software out of this? They're referring to non-Google markets, like Amazon's Appstore, Archos' Appslib, and others.
Re:Oh noes! (Score:5, Informative)
permissions (Score:5, Insightful)
More importantly, they had to give the app permission to send texts. Very few apps need that permission.
Re: (Score:2)
This is something that Google needs to work on. They really need to add a feature that requires you to authorize things like that when they come up. At least for the first time. It's seemed to me for some time that it's irresponsible not giving users more control over a function which they might only use once in a while. Directory applications shouldn't have to be given permanent permission to place calls just because once in a long while the user might want that.
Ultimately, it makes little sense to require
Re: (Score:2, Interesting)
More importantly, they had to give the app permission to send texts. Very few apps need that permission.
But the REAL problem is that Android only asks ONCE, at install time, for whatever permissions it might need. So, instead of them getting an Alert saying "Hey, Hello Kitty Wallpaper Needs Permission To Send Text Messages", when they were just checking their to-do list, they MIGHT be just a LITTLE more suspicious, even if they are a noob.
I am not advocating something that asks every time an app needs to do something other than display text; but asking a non-computer-savvy person to decide on permissions at
Re: (Score:2)
Re: (Score:2)
Considering the ease with which one can release software in the Android Market I'm not that sure. Of course they have some measures in place to verify identity (the small, one-off registration fee particularly), this is not much to stop malicious software from entering that market.
Reg fees can be paid with stolen credit card numbers, for example. And good chance it takes a month for the owner to realise this has happened (as in next billing cycle), so it may take a while before such fraudulent accounts are
READ (Score:2)
What does Google have to do with unofficial markets? This is NOT the Android Market place that this is happening on. The PC equivelant would be blaiming EA for virusses found in games on thepiratebay.
Re: (Score:2)
The point is no one falls into this trap using the Google market or the upcoming Amazon market, or a couple others.
where he implied that Google's official Android market is guaranteed trusted. And I just wanted to point out that at least Google's market is not to be trusted blindly, and that due diligence remains important. Amazon's market is not up yet, they may vet apps before release so may be better, but nonetheless even Apple's thoroughly vetted app store is not perfectly clean. They will definitely be better and safer than many third-party app stores; it doesn't mean they're perfect.
A
What makes a source trusted, preempt or react? (Score:4, Insightful)
You buy stuff from trusted sources.
What makes a source trusted? Do they screen apps for inappropriate behavior before putting an app on the store (preempt) or do they just remove inappropriately behaving apps after they are discovered in the field (react)? I don't think trust is a binary state, its a range of levels. A reputable source that preempts may be more trustworthy, a reputable source that merely reacts may be less trustworthy but more convenient.
Re: (Score:3)
What makes a source trusted?
That little check box in the Android Applications Settings Labeled "unknown sources".
Once you allow unknown sources all bets are off. You can download an app with the standard
web browser, but you can't install it unless you uncheck that box.
So that is what makes a source trusted or untrusted.
Re: (Score:3)
What makes a source trusted?
That little check box in the Android Applications Settings Labeled "unknown sources".
Once you allow unknown sources all bets are off. You can download an app with the standard web browser, but you can't install it unless you uncheck that box.
So that is what makes a source trusted or untrusted.
A known source is not necessarily a trusted source regardless of what the check box is labeled. You need to read the sentences beyond the first one to understand the question, ie how trustworthy is a source that merely reacts? Less so for early adopters of an app, more so for those who those who get it later?
Re: (Score:2)
I don't think trust is a binary state
No, it's a source state, of course. Unfortunately, these newfangled app-stores only show binary :-(
Long live Maemo/Meego, where you are able to see source!
Re: (Score:2)
The funny part is - this is exactly what many Slashdotters have been howling for ever since, well, forever. That users be able to get apps from whoever they want without being tethered, forced, or locked in. But as soon as that freedom exists, and (quite predictably) something goes wrong - the cry goes
Yes, you are pathetic (Score:3, Insightful)
So basically you want some magic situation where people have freedom but no responsibility. How typical. This is NOTHING new, everyone can install software from anywhere on the PC and the stupid have always had problems with this.
We do leave people behind here, if you are to stupid to tell what software is legit and which isn't, then you shouldn't be installing crap.
Freedom for those who can handle the responsibility, lockin for those who can't.
Clearly you can't.
Re: (Score:2)
The people getting these infected apps knew damn well what they were doing. They had to make at lease one nonstandard setting, download in a nonstandard way, and launch the installation in a nonstandard way.
Not necessarily. Access to Android Market is restricted to official OS builds. A lot of the cheap device manufacturers in China are shipping devices that run unofficial builds and are not able to access the official market. Users of these devices are just doing the only thing they can by using altern
Re:Oh noes! (Score:5, Interesting)
"Most people don't give a shit about "openness" or being able to install software from any third-party."
Perhaps not, but that is rapidly changing. Even governments are recommending open source and open standards, and those ideas are making it into the mainstream, because their advantages have become too large and obvious to ignore.
Re: (Score:3)
Except what's the draw of Open Source for users.... think about it.
Hint, it's the fact that almost all the stuff you need is on a LiveCD or in a Repository.... so it's right back to a "garden" even if it isn't walled because what normal user has any business editing or compiling their own code... ultimately, they still trust some company, or community, to tell them the code they're running is OK.
Re:Oh noes! (Score:4, Interesting)
Re: (Score:3)
So? The entire argument is about the existence and uselfuness of the wall. Who doesn't want a garden?
Re: (Score:2)
I think you're being overly optimistic about open source reaching some sort of inevitable tipping point. Open standards need not be implemented with open source software - you can easily write a closed-source implementation. And frankly, open "standards" - the ability to say "I need to be able to play my songs & videos, open my books, and view & edit my documents on whatever device I buy," is the only part of "open" that most individuals care about (and even that... it's often not viewed as a terr
Re: (Score:2)
No, it means that people should stick to trusted software, and sites. You can have a software repository with a ton of third party applications without having a huge corporation behind it.
Debian, for instance.
Google and iPhone stores are only a half step. The ability to have third party repositories should be added.
--
BMO
Re: (Score:2)
It is the third party repositories and side loading apps that are causing this to happen to being with.
users can't be trusted to do the smart, right thing. they don't understand why their app needs internet access, or text access. so they click on yes all the time. they have been trained to just give the application what it requests because that is the ONLY answer the application will accept. If your new game doesn't run without internet access then it gets it no questions asked. even if it doesn't act
Re:Oh noes! (Score:4, Interesting)
Giving the average user control, is like giving them a plane and believing that since they have an autopilot they can land safely.
Apple's walled garden has limited this kind of behavior so far despite having 10's of million of more phones sold.
Well, if you are an "average user", and I presume you are, then I guess you need someone holding your hand in a walled garden.
Personally, I'm NOT an average user. To use your airplane analogy, I'm a pilot who wants the auto-pilot turned off! I demand the ability to do whatever I wish to MY phone and I am fully aware that I am responsible for the consequences. Look, I don't mind a walled garden. All the stuff I install comes from the Android Market exclusively. But within my walled garden, I want to choose the plants that are in there. I want to choose the color of the wall and decide what bricks it's made of. I want to decide if my garden is organic or so full of pesticides that the birds die from flying over it. So, with a simple rooting of my phone, I have my walled garden and the ability to remove/disable all the crapware I don't want on my phone. I'm now fully able to put any GUI I wish on MY phone. I chose the one that came with it, but dammit I MADE THAT CHOICE, not some turtleneck wearing, Hollywood social elite who thinks he knows what I want better than I do.
Then go dry hump your Android and shut up (Score:3, Insightful)
Seriously--you never hear any iPhone-fan screaming that Android or the Android marketplace shouldn't exist. Never. If that's what you want, then go for it.
The Android world, though, (by and large) is completely obnoxious towards people who choose an iPhone (I guess CHOICE is only a virtue when someone chooses your way)--to the point of trying to somehow force Apple to do things differently. The Android world looks down on the grandmothers of the world who just want to be able to Facetime easily with their g
Re: (Score:2)
Android has third party repositories.
And they are generally safe, since apps need to request permission to text--third party app store or not.
Who wrote this virus? (Score:3, Funny)
AT&T, Verizon, or Sprint?
Re: (Score:3)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
he paid Woz $5 and a tangled ball of yarn to do it.
Google generated news? (Score:2)
Hmm.
The cynic in me would suspect Google of throwing these stories out there, via proxy, so that people would not stray from their app store.
Realistically though, I don't think I've seen a large surge in non-Google app stores.. although, perhaps in countries / areas where providers haven't paid Google for access, there is a growing trend?
Re: (Score:2)
Re: (Score:2)
A friend of mine showed me one he had on his phone. It was basically a warez site. All those apps you have to pay for in Android Market? The pay-versions were available for download for free there.
Re: (Score:2)
One click, duh! Convenience trumps everything for most consumers.
Common Sense (Score:3, Insightful)
If not within the OS itself, cellphone accounts should come with voluntary (user-adjustable) quotas to mitigate such things. It might be just as useful for parents to control runaway texting teenagers.
Re:Common Sense (Score:4, Insightful)
Re: (Score:2)
Re: (Score:2)
At some point, it i
Re: (Score:2)
Re: (Score:3)
this is where the carriers are part of the problem. They get big kickbacks for managing "billing" on all these fraudulent text-to scams.
When you sign up for a telephone line you sign up for "unlimited" credit. I never, ever understood how I could sign up for a $50 phone bill and get $500+ in charges? That's like 10x the amount of "credit" extended in the first place, no sane business would ever do that... except the phone company's "product" in this case is essentially free, so take what sticks. If that hap
Re: (Score:2)
Re: (Score:2)
Perhaps it would help if you could just hit the no button and still install the app.
There is no reason that users shouldn't be able to veto individual permissions.
Re: (Score:2)
I agree with you, but this would mean people could install ad supported versions and never see the ads. This is why Google will not allow that.
Re: (Score:2)
True, but there's ways around that. Google could provide an API specifically for ads and data required for that. Which if done properly would greatly restrict what malware authors could be doing, if say they could only pull ads in through that.
Re: (Score:2)
I am just uncomfortable with any piece of automation that can generate unlimited costs. I wouldn't want a printer with a 10,000 page paper tray, either. Granted in some cases it is unavoidable, but at least minimize the number of trusted parties involved. Carriers naturally tend not to be aggressive enough about he
Re: (Score:2)
The app in question (steamy window) should not be asking for permission to send texts. If you see that, and it doesn't raise flags...
Maybe the user naively assumed that it was just sending usage statistics or somesuch to the developers?
Maybe there should be an intermediate mode between "allow" and "deny": "monitor".
In "monitor" mode, the app could still send SMS, but each SMS would be subject to the user's approval (... who after the 6th SMS would see that there's something fishy...)
Re: (Score:2)
A binary rule is not good enough. There is nothing odd or strange about an app sending an SMS here or there
When you are installing an app whose only purpose is to make it look like your display is fogged up, and it says it needs permission to send SMS messages, that should be a definite clue-by-four that there might be something suspicious going on. And yes, I do ask myself every time I install a free app "why would this app need these privileges?" If it doesn't make sense, I don't install it, period.
Re: (Score:2)
Exactly how does the phone know that it's running up a huge texting bill, which wou
Re: (Score:2)
effectively the phone company claims to "own" the phone, at least the cell firmware.... so why CAN'T your phone know that stuff, in nearly real time? I can understand international charges being difficult, but cell transmission is specifically designed to mimic the circuit-switched networks and have near absolute traceability... heck it wasn't that long ago they charged premium if your call "roamed" to a different tower driving down the highway.
What needs to happen is that regulations need to change to mak
Re: (Score:2)
What makes you so sure a hacker written app would follow those rules?
Re: (Score:3)
Because the VM enforces those rules, not the application.
Re:Common Sense (Score:5, Insightful)
Who do you trust: The phone company, the phone, or the user?
If you trust the phone company, then having a cellphone contract option to limit data/text/etc. usage to some cap can mitigate the worst case bill you'll be surprised with.
If you trust the phone, then OS options to limit what an app can do can mitigate worse case damage done.
In either case, you have to trust the user to make the right choices with respect to cellphone contract or app permissions.
I think my problem is that I don't trust any of the above.
Re: (Score:2)
Re: (Score:2)
Off the top of my head...
Re: (Score:2)
"Bad PR, though let's face it, this doesn't mean much to multi-million customer organisations (at least, until it starts happening to tens of thousands of them)."
It should. Look how much a math mistake on one person's bill cost Verizon in PR, and how much their handling of one guitar cost an airline in PR and business.
Even the multimillion-dollar corporations are waking up. Look at how much Microsoft's well-earned reputation has cost them.
Re: (Score:2)
but the bad PR is on some deadbeat that didn't pay their bill... because their 7 year old signed up for a bunch of texts they saw on KIDS TV. There's no real downside for the telco here. They get a sizable chunk of that $9.99 charge up front, and I doubt they refund to the "content providers" when somebody want's backcharges. There's literally ZERO LOSE for them! Default doesn't matter because if the bill goes over 60 days while you dispute it starts hitting your credit report, so the higher income folks m
Re: (Score:2)
I think we're talking about very different circumstances. TFA doesn't disclose amounts, but I would expect at least a thousand times larger as a starting point for a bill racked up in that way, and being careless with my phone and leaving it unlocked and in reach of a child is a different level of personal responsibility to having malware take over my phone.
If it were my child, and $10, sure, I'd pay it.
Re: (Score:3)
State laws tend to encourage that sort of bad behavior on the part of corporations. It's presumed that an individual had the opportunity to opt out and have the contract explained to his or her satisfaction. The problem is that for a lot of these things one does not have the money to contact an attorney for advice and so signs with little understanding as to the actual meaning. Which to an extent is understandable, if the contract is for phone service, one doesn't expect that the carrier will extend a large
Re: (Score:2)
But that's how it is. When you install an app, it tells you which services the application has access to. Sending text messages, internet communication, making phone calls etc.
The apps don't have access to the underlying OS. The problem stems from people who don't read the permissions, or ignore them.
Re: (Score:2)
Android apps should operate within a jail that limits anomalous behavior like this - that is, the OS itself should have a form of common sense, and they should make it easy to install useful apps without giving them enough access to overwrite that part of the OS.
First off, you have to try pretty hard to overwrite parts of the OS. You need to have "rooted" your phone to do that. The simplest and least destructive way is via the bootloader which requires human intervention.
Secondly, Android already has this kind of security measure in place. The user in question downloaded pirate software and accepted the "services that cost you money" permission. Android is a very security conscious OS but nothing can trump user stupidity.
Now I do agree that Service Providers
Re: (Score:2)
How hard is it really? If I sign up for a $50 plan... why would I ever use $500 or even $200 without needing special arrangements? My $500 credit card doesn't let me charge $500 at 10 different places.. OK it can be done, but it's the BANK'S money so they don't let that happen. Telcos spent like a nickel in costs and get several dollars in fees... there's just no "lose" to allowing this crap.
Re: (Score:2)
This is exactly what Android does. Every app is isolated, and no app has enough access to "overwrite that part of the OS".
Android apps have to declare the permissions they request, users are informed what permissions are requested at install time, a
Re: (Score:2)
Bad summary (Score:3)
"...where unsuspecting or careless Android smartphones find it, download it and install it."
You mean ..' unsuspecting or careless USERS find it'
The phone itself is not reaching out to download it, the user is doing it.
Re: (Score:2)
There, fixed that for you.
.apk from China, what did he expect.
He was downloading a pirated
Startling... (Score:3)
I'm old enough to remember when "android" meant something besides a smartphone.
That's why I found this headline a bit disturbing for a few moments. I imagined Rutger Hauer and Darryl Hannah thumbing their Blackberries. And yes, I'm also old enough to remember when "Blackberry" meant something besides a corporate communicator or a designer fruit sold at Whole Foods for $9 for three ounces.
Re: (Score:2)
So, you're what like over the age of 10?
on most US carriers you don't need to hack text bi (Score:2)
on most US carriers you don't need to hack to run up the texting bill just text spam people and they pay for in coming.
Re: (Score:2)
But they pay the phone company not you, which makes that just a tad pointless.
Re: (Score:2)
The difference is that there is no gain to be made by the sender.
And if receiving texts has a benefit for the sender, then there are usually serious measures in place from the phone company's side to prevent such abuse.
Android security needs to be tweaked. (Score:4)
Lots of apps wanting lots of info. Instead of "install or not" there needs to be an option to "deny access to this feature but install anyways".
Re: (Score:2)
That's my thought, or more likely, require my attention to access that feature, or something less wordy. Some functions can be abused in this fashion, but are actually useful from time to time.
Re: (Score:3)
You've obviously never done support for software.
People don't read error messages. Some people don't even turn their brains on long enough to look at their screen before lashing out at the developer.
I have a published Android app where you could open the menu and select an option to go to a certain activity. After a few months I moved that functionality to a large icon on the top of the app to make the process easier -- no menu, simply tap the large button on top.
I got at least two emails asking where that
Are we really looking for the correct solution? (Score:2)
Which is easier:
A. Make it impossible to install or execute "rogue" apps on a computer system.
B. Make it impossible to do anything on a phone which will cost money unless the phone owner has authorized it ahead of time with the phone's service provider, and set an upper limit of how much you're willing to pay for it per month (like $5 to spend on texts, apps, etc). Anything
Re: (Score:2)
Re: (Score:2)
the trouble is that C is rarely the case. Getting locks on all the various ways you can be charged is difficult at best. Every time you make a plan change the telco tries to take away the locks... you usually find out when your 10 year old couldn't sleep and was texting all the numbers on KIDS TV channels.
I've mostly seen that stop now, but there for a while it was really, really bad. I don't think very many people INTEND to sign up for these services until they see the bill and want them stopped. My favori
Re: (Score:2)
and children from 8-13 are different from "bots" how exactly? When they see it on a kids show or a kids website (at least sites that know they have large kid demographics) they basically are no different than bots... the kid fills the missing link to hit the button on the phone and "accept" the charge... they don't "know" what they're doing is going to rack up for months and months and the telco's rules are set up to make catching every little billing trick harder and harder.
In other news, the in-app purch
Logical actions (Score:2)
Re: (Score:2)
Also, as in most other crime, the easiest way to get a lead to the criminal is by following the money / tracking who benefits from the crime.
Having a fraudulent app spam your premium number isn't proof of your wrongdoing, but it certainly is grounds for investigation, and proper policing should have a decent chance of identifying who/if was getting paid from this money and turn a virtual crime into real jail time.
Re: (Score:2)
Re: (Score:2)
but the REAL flaw is a system where my $50 phone bill can some how rack up $100's in extra charges... no other form of consumer credit is that open-ended. Why I need to make "payments" to other companies with my phone bill is just crazy in the first place.
The simple fact is that the telco has a very, very tiny overhead and benefits from "mistakes" 100x over.
This would never happen with an iPhone (Score:2)
"Steamy Windows" ?!? (Score:2)
This is why iphone is better. (Score:3)
If you let any old weenor with an android install any old random shit on it by just tapping 'accept' on some dialog that he or she doesn't really understand (err, Windows, anyone?), then of course you're going to wind up with stories like this.
Re: (Score:2)
Re: (Score:2)
if you have a NEW platform that NEEDS a virus scanner for any reason other than passing along infected documents, it's a design fail.
My opinion is that a device should run managed code like iPhone or heavily sandboxed scripts like a web browser. At minimum an "unsecured" OS like Android should mandate every app install have some kind of valid third-party certificate to sign it.... similar to how SSL works. To guarantee you got the code from a known vendor and that the code they published was not tampered wi