
New SMS Trojan Found In Android Markets

Posted by Soulskill
from the popping-up-like-weeds dept.
Trailrunner7 writes "The Android platform seems to have become the playground of choice for attackers and malware authors looking to make a quick buck. The latest example is a premium-rate SMS Trojan that not only automatically sends costly SMS messages, but also prevents users' carriers from notifying them of the new charges. The new piece of malware, which is known as HippoSMS, has been found in unofficial Android app markets in China. This is just the latest in a series of similar incidents in which attackers and scammers have inserted either outright malicious apps or seemingly benign apps containing malware into app markets. Most of the attacks have targeted Android users, and several times Google has had to remove malicious apps from the official Android market."
This discussion has been archived. No new comments can be posted.

  • Information, please! (Score:5, Informative)

    by Chonnawonga (1025364) on Monday July 11, 2011 @12:38PM (#36722036)

    Why don't these articles ever tell you WHICH markets and apps are affected? Oh, that's right, they're too busy trying to generate page hits through scare-mongering to care about information.

    (I'm not trying to say these aren't legitimate threats: quite the opposite. But, good reporting would help mitigate these threats by publicly shaming and informing.)

    • by Anonymous Coward

      It did?

      The new piece of malware, which is known as HippoSMS, has been found in unofficial Android app markets in China.

      • by Chonnawonga (1025364) on Monday July 11, 2011 @01:00PM (#36722452)

        No, that's the name of the malware, not the apps. FTFA:

        "The malware is embedded in a seemingly legitimate application in the market, and once users download and install that app, the fun begins."

        It goes on to talk about "the host app" which the malware "piggybacks". Which app? They don't tell you. They'd rather tell you that "The Apple iPhone may still be the gold standard when it comes to smartphones".

      • It did?

        The new piece of malware, which is known as HippoSMS, has been found in unofficial Android app markets in China.

        No it didn't dumbass. All it tells you is the name of the malware that has been found in the app, not the name of the app or apps themselves.

    • by molnarcs (675885)

      Why don't these articles ever tell you WHICH markets and apps are affected? Oh, that's right, they're too busy trying to generate page hits through scare-mongering to care about information.

      (I'm not trying to say these aren't legitimate threats: quite the opposite. But, good reporting would help mitigate these threats by publicly shaming and informing.)

      Exactly. Also, chances are, that there are HUNDREDS of malware in unofficial Chinese markets - will we get a new slashdot post for each and every one of them? Editors: wtf?

    • Why don't these articles ever tell you WHICH markets and apps are affected? Oh, that's right, they're too busy trying to generate page hits through scare-mongering to care about information.

      Slashdot generates lots of ad revenue when we argue about walled gardens and malicious apps. We keep falling for it.

  • I'm having trouble worrying about people who install apps onto their phone without knowing that the market creator is paying attention for that sort of thing. Google and Amazon are alert and watching. Random markets in China? I feel less confident in them.

    I feel exactly the same compassion for them that I feel for people who download things from any random website they find.

    • by Night64 (1175319)
      Slashdot should change the headline to "New SMS Trojan Found In Application Stores/Markets". That would call even more readers. Because that IS the point, isn't it?
  • Price you pay.. (Score:5, Insightful)

    by AngryDeuce (2205124) on Monday July 11, 2011 @12:40PM (#36722076)

    If you want the freedom to install whatever you want from wherever you want, you have to accept that some of those things may not be good for you or your devices. To me, it's worth the trade off.

    In the end, the best protection will always be common sense. To those that do not feel they possess enough knowledge to make their own decisions in this regard, there is always Apple who will gladly make the decision for you. To each their own.

    • Yeah, and "from wherever" for me NEVER includes apps from China.

    • by Trufagus (1803250)

      Why?

      First off, let's note that this /. article is about a Trojan that is not in the Android market. Publishing an article about that is just stupid scare-mongering. There could be millions of viruses/trojans outside the market and I wouldn't care. What matters is when they get into the market.

      Now, back to your trade-off.

      Google can and should make the Android market 99.99% free of trojans/viruses. Free enough that I can recommend the Android market to my proverbial mom or uncle and know they will be safe

      • Google already makes the Android market secure. They've yanked malware off the official market many times. Outside of technical issues such as things locking up, your mom or uncle is perfectly safe downloading from the official market, and most issues like that are easily discerned in reading the reviews of an app. Chances are, if it's got less than a 3 star rating, it's probably not worth the download, and even the most non-technical person should be able to read those reviews and make an intelligent de

    • by gmon750 (1216394)

      You are assuming most users of smartphones have common sense to begin with in order to stay away from red-light-district App stores. That is simply not true. Most users (regardless of platform) are simply not savvy enough to know better.

      Sure, you can label them as "ignorant", or "stupid". I've read countless of postings from tech-brats preaching that if a user doesn't know any better, they should not even buy a smartphone. If that were the case, then Android would have had a much more difficult time get

      • Users don't know (and should not have to know)...

        I absolutely disagree, I think that those of us that do know the dangers of the internet should be beating it into the heads of every person we know that doesn't. People need to learn that the internet is not a fantasy land with unicorns and funny images. People get taken advantage of due to their ignorance all day long. It's never going to stop. There are no internet police. For every shady app or program or attachment or virus you eradicate in the wild another one is going to pop up.

        Imagine how many

      • by robsku (1381635)

        Best protection is not common sense. We're beyond that now. People should not have to babysit their phones. It should be treated as an appliance, not a PC. Google needs to address this or it will be their downfall. This is one area where Apple really has their act together.

        Well, some of us want a smartphone that IS more like a PC, not a restricted appliance - and google is giving us that. Too bad if they fail, I'm glad that someone is trying... and I disagree with you on that *everyone* should have some basic understanding of things they use - if they can learn how to install and use software and browse internet they should learn basic safety also, if they don't... well, boo-hoo, no sympathy for them.

  • by Anonymous Coward on Monday July 11, 2011 @12:49PM (#36722252)

    Unofficial Markets. So in other words, Google has nothing to do with this. If you want security on Android, just stick to the standard market. Obviously Third party markets are bad news bears.

  • by 0racle (667029) on Monday July 11, 2011 @12:54PM (#36722350)
    As someone who is about to get their first Android device, is there a good resource for practices for protecting it?

    Reading the summary, it seems this is a 3rd party market that was infected. Obviously the first thing is not to install everything you see, followed by don't use 3rd party markets. However there seem to be several 3rd party markets that do have worthwhile software. Is there a suggested list of marketplaces that are reliable?

    There also appear to be several Android firewall apps. Is there a site where they are reviewed and compared?
    • by tlhIngan (30335)

      Obviously the first thing is not to install everything you see, followed by don't use 3rd party markets.

      Can't help you with Android security, but there are probably a few million people willing to sell you Android AntiVirus 2011 XP Premium Edition and the like as well, plus a few legit antivirus/antispyware and other stuff, and roots to install DroidWall and such.

      The thing is it's a 3rd party market. They exist in China mostly because Android allows quick and easy pirating, and China being China, well, it's

    • by alanebro (1808492)

      A good practice is to find an app in which you are interested, then review the permissions to verify they make sense.

      For instance, if you're downloading a new phonebook and the app asks for permission to your contacts, you can assume that it really needs it.
      If you're downloading a new tic-tac-toe game that asks for full permission to read your ingoing and outgoing calls, you should really question why it needs that.

      This isn't foolproof, but it is a really good place to start.

      • I'm pretty technical but I find the permissions too vague. they are still mostly 'opaque' and I have little actual idea what's going on.

        maybe if they showed some of the data they GET, as an illustration? maybe they cache some of the 'captured' data the app 'takes' and show you that, on demand? that way I can say 'oh, you mean you're grabbing THAT from me! fuck you! delete.'

        if there's no examples of the data they take, conceptual permissions just don't work for users. works for programmers who have the

    • by Is0m0rph (819726)
      Pay attention to what the app wants access to when you install it. You have to OK it before it will install. If it's a live wallpaper there should never be a reason it needs to access anything on your phone for example.
    • roll a few sheets of tin foil on the top part of the device, slowly have it encircle itself near the top.

      Your device is now protected from mind control rays and other nefarious parts of the EM spectrum.

    • Install Lookout security suite, scans every application you install for malware. Don't know if it would have worked in this case but if you stick to Android market then you won't have many issues anyway. Best bet is to stick to apps with good reviews and let those that can tell, flag the crap.
    • by Soft (266615)

      As someone who is about to get their first Android device, is there a good resource for practices for protecting it?

      You may want to read this earlier Slashdot story [slashdot.org], from which the suggestion that made the most sense to me was to install DroidWall and just not let applications access the network. Of course, they might not work then, and it can be difficult to single out a single app among, say, Google Services.

    • by Reapman (740286)

      The biggest thing is check the permissions the app needs (it tells you) and don't install if you question why it needs that. A lot of free apps have ads so they require a network connection. If you're installing some standard game and it asks for SMS sending capabilities - you probably shouldn't install it.

    • Don't tick the "Unknown Sources" box in Settings > Applications.
    • by Inda (580031)
      You have a low user ID; you'll be fine.

      Do what everyone does. Don't install brand new apps for a month. Google the name at a later date and see if any other suckers have fallen for it first.
  • After that, it registers one ContentObserver to monitor incoming SMS messages. Inside the ContentObserver, it will delete any SMS message if it starts with the number "10." Note that the numbers such as 10086/10010 represent legitimate mobile phone service providers in China and are typically used to notify users about the services they are ordering and the information of users' current balance of their mobile phone accounts.

    .. is why is there an API that allows an app to delete incoming SMS messages ???

    • by BitZtream (692029)

      One reason would be to write an app that ignored/deleted known SMS spammers?

      I'd actually love one for my phone that would delete all the obnoxious AT&T spam text messages about new services and crap.

      • by i.r.id10t (595143)

        Having just got my first smart phone and being on AT&T, the *very first* message AT&T sent had "reply with stop to end automatic messages" at the end of it ... as have the other 3 I've gotten since (haven't told them to stop, so I'm good with that part).

    • by imunfair (877689)

      App to block/sort/filter spam or unwanted senders? I'm sure there are more creative uses but that's just the most obvious one

    • Re:The real WTF... (Score:4, Insightful)

      by AndrewNeo (979708) on Monday July 11, 2011 @01:15PM (#36722770) Homepage

      So you can replace the default SMS application?

    • why is there an API that allows an app to delete incoming SMS messages ???

      Anti-spam SMS app. Or an app for managing SMS messages in general.

    • Oh to explain the blocking of incoming SMS. One such use is what GoSMS does. If your device is out of space which is common on budget Android devices that don't have app 2 sd functionality as they can be running old versions of Android, with the stock SMS app, it notifies you that it failed to receive an SMS but has already sent an acknowledgement of receiving it to the network so the message is lost. In GoSMS, it doesn't tell the network it received it until it is saved to disk so if you run out of space
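
The permission review recommended in the replies further up, applied to the two behaviours this thread attributes to HippoSMS (sending SMS, and watching the SMS store to delete carrier notices). This is an added example, not part of any comment and not code from the malware analysis; the app categories and the sample manifests are constructed assumptions.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Behaviours discussed in the thread, keyed by the permissions that enable them.
RULES = [
    ({"android.permission.SEND_SMS"},
     "can send SMS without asking, including to premium-rate numbers"),
    ({"android.permission.READ_SMS", "android.permission.WRITE_SMS"},
     "can watch the SMS store and delete messages, e.g. carrier billing notices"),
]

# Hypothetical reviewer-supplied categories for apps that legitimately handle SMS
# (the spam filters and replacement SMS apps mentioned in the replies).
SMS_CATEGORIES = {"messaging", "sms-filter"}


def requested_permissions(manifest_xml):
    """Return the permission names declared in a decoded (text) AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name")
            for el in root.iter("uses-permission")
            if el.get(ANDROID_NS + "name")}


def audit(manifest_xml, category):
    """List SMS capabilities that the stated app category does not explain."""
    if category in SMS_CATEGORIES:
        return []
    perms = requested_permissions(manifest_xml)
    # A rule fires only when every permission it needs is requested.
    return [why for needed, why in RULES if needed <= perms]


# Constructed sample manifests (not taken from any real app).
WALLPAPER = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.wallpaper">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.WRITE_SMS"/>
</manifest>"""

GAME = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.tictactoe">
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""

if __name__ == "__main__":
    for name, doc, cat in [("wallpaper", WALLPAPER, "wallpaper"),
                           ("game", GAME, "game"),
                           ("sms app", WALLPAPER, "messaging")]:
        print(name, "->", audit(doc, cat) or "no unexplained SMS access")
```

The manifest inside an APK is binary XML and has to be decoded to text before this check can read it. Declared permissions show what an app is able to do, not what it actually does.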
  • by Anonymous Coward

    Non-story. "The new piece of malware, which is known as HippoSMS, has been found in unofficial Android app markets in China." If you load apps from China directly you are asking for this sort of thing. It's nearly the equivalent of going to a "Warez" site for Windows programs.

  • How about if carriers offer a free service which simply blocks "premium" SMS calls altogether?

    Sure, I won't be able to donate $10 to the Red Cross the next time there is an earthquake in a 3rd world country, but at least I'll be legally immune from paying for any that do get through.

    Think of it as 976/900-block for SMS.

    • by Anonymous Coward

      How about if carriers offer a free service which simply blocks "premium" SMS calls altogether?

      Sure, I won't be able to donate $10 to the Red Cross the next time there is an earthquake in a 3rd world country, but at least I'll be legally immune from paying for any that do get through.

      Think of it as 976/900-block for SMS.

      You can opt out for free. Just call customer support, or talk to your local store. When I signed up for Verizon I asked about that and they blocked them right there.

  • This is exactly the kind of innovative feature that the iPhone users of the world will miss out on.

    Yeah, I know, flame bait....

    • by mac84 (971323)
      The only reason no one writes this malware for iPhones is that nobody uses iPhones. Oh wait....
    • by Microlith (54737)

      I know, we should lock down ALL computers. No software from anywhere except the hardware or OS vendor's approved locations!

      This includes other OSes. Those terrible, evil Linux installations... you never know where they've been!

  • and SMS, if abused, could drain my account!

    a year or two ago, I was with t-mobile and their PAYG plan did not have the ability to turn off sms send or receive! my balance went to nothing and I gave up on that carrier. a few years later, I checked back and now, if you call CS, they can turn sms off even if you are monthly and non-contract.

    sms is for kids. I'm a middle aged man. I have no need for this childish bullshit. I do email. if you want me, you call or you email me. email is more in my domain t

    • Texting is for people who don't have smartphones. Email, Pingchat, Y!, FB, Google+, Google Voice and many many others all use DATA, which costs much less per bit than Texting, especially if you're using WIFI (like I do).

      Texting isn't for kids, it is for poor people, which has, as a subset, most kids in it.

      BTW, I have a smartphone plan without text messaging included. It can be done, if you ask for it. They charge separately for it, they can remove the charge.

  • Those who downloaded some malware from china deserved every charge they got billed against them. Those who are crazy enough to trust the Chinese with software deserve to be hacked. Hopefully we can avoid Chinese software but sadly we can't avoid Chinese hardware....

  • in unofficial Android app markets in China.

    Just wow. And people are surprised it's a Trojan? Finding a *non*-Trojan app in a place like that, that'd be the trick!

  • Provider failure (Score:5, Insightful)

    by Anomalyst (742352) on Monday July 11, 2011 @04:05PM (#36725714)
    This is a failure on the part of providers. I don't want a "notification" I don't want it at all. Part of signing up should be the ability to limit
    #SMS/day
    Block "premium" SMS messages with exception list.
    Block calls to foreign countries with an exception list
    Block toll (900) calls.
    IOW give me back control on how and how much they can shaft me.
