Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
×
Android Google Privacy Security Software

Stealthy Google Play Apps Recorded Calls and Stole Emails (arstechnica.com) 55

An anonymous reader quotes Ars Technica: Google has expelled 20 Android apps from its Play marketplace after finding they contained code for monitoring and extracting users' e-mail, text messages, locations, voice calls, and other sensitive data. The apps, which made their way onto about 100 phones, exploited known vulnerabilities to root devices running older versions of Android.... As a result, the apps were capable of surreptitiously accessing sensitive data stored, sent, or received by at least a dozen other apps, including Gmail, Hangouts, LinkedIn, and Messenger. The now-ejected apps also collected messages sent and received by Whatsapp, Telegram, and Viber, which all encrypt data in an attempt to make it harder for attackers to intercept messages while in transit... To conceal their surveillance capabilities, the apps posed as utilities for cleaning unwanted files or backing up data.
Google reports that the malicious apps also had these functions:
  • Call recording
  • VOIP recording
  • Recording from the device microphone
  • Location monitoring
  • Taking screenshots
  • Taking photos with the device camera(s)
  • Fetching device information and files
  • Fetching user information (contacts, call logs, SMS, application-specific data)

12 hours later an antivirus provider reported two more Google Play apps could surreptitiously steal text messages by downloading a malicious plugin -- and that the apps had already been downloaded at least 100,000 times.


This discussion has been archived. No new comments can be posted.

Stealthy Google Play Apps Recorded Calls and Stole Emails

Comments Filter:
  • by Gravis Zero ( 934156 ) on Saturday July 29, 2017 @03:32PM (#54905495)

    Honest question: Why is it possible for application A from company X to access information from application B from company Y? I could understand if they were both from company X and were signed with the same certificate but it's nothing like that! No application should EVER have full system access.

    • by Anonymous Coward

      Why is it possible for application A from company X to access information from application B from company Y?

      Because Android's permissions system is complete BS. It's designed to make collecting data about the user as easy as possible while giving them the smallest amount of control over it so they can avoid lawsuits.

      "Take it or leave it" is their motto. In official Android versions you can't say I don't want to grant this permission or disable access after installation. Heck some apps will crash if this hap

    • by Kjella ( 173770 )

      Why don't you RTFSummary?

      The apps, which made their way onto about 100 phones, exploited known vulnerabilities to root devices running older versions of Android....

  • Just how often does one take a selfi? I don't trust any forward facing camera.

    I use Finger nail polish to cover it as it's almost permanent - used to use electrical tape.

    • by Ogive17 ( 691899 )
      I'm not really into the selfie movement but I do use my front facing camera at least once a month. When my wife or I is traveling, we use it to video chat. And if our travels have one of us somewhere the time zone difference doesn't allow the evening video call, sending a quick "selfie" with our 4 year old is a good way to send a note of affection.
    • by tlhIngan ( 30335 )

      Just how often does one take a selfi?

      Me? Never. I had to ask someone for assistance when I had an occasion where I needed to

      But for other people, you obviously don't go out very much - they take selfies so often, you wonder why they don't just use video mode. Or why front facing cameras continue to take a back seat to the rear facing one, because people seem to take photos only using the front facing one.

  • I mean I guess they could have hid this in a game app, but it would have been more questionable why it wanted all of those permissions.

    They should just ban cleanup/AV/nonsense utility scumware as a category from their stores, these things aren't really needed on such locked down mobile OS. They might have had some value in the day of like Windows 95 but now they are just the computer equivalent of a scummy mechanic charging an old lady for 'turn signal fluid'.

    • One trick scummy app authors use is to copy a legitimate game's marketing material and art, then create an app that does nothing but "hang" on the loading screen, in the meantime trying to game the ad system to earn some free money.

      Unfortunately, this hurts the reputation of the legitimate game and its developers, as often the malware authors simply steal the name along with the art assets.

  • You too can obtain this ability, just sign up and pay the cost.

    I can't view the site as it's in my Routers block file, but it used to be google now appears to of been taken over by Yahoo.com

    You need to opt out of flurry.com, twice Google flurry.com requires a number only your phone has. Yahoo a opt out google will take you to a selection you can turn off.

  • Okay fine, I have two: Rocket Player and one for local highway traffic provided by the city.

    That's it, though. All the other apps that are installed came with the phone. I should probably remove those...

  • I do.

    The best TOS I've encountered was the one for Angry Birds Rivio.com at the time. It told one everything it was going to do with your data it was the 2% overseas that I never caught or yet to of figured out. It also led me to flurry.com.

    Samsung HDTV's - their TOS tells you they will be recording everything you do and keeping it, While it's meant to predict your needs, I know of two /. articles of Samsung having to tell people they can hear everything you say.

  • by Zombie Ryushu ( 803103 ) on Saturday July 29, 2017 @04:11PM (#54905681)

    Two things wwould fix this:

    1. Instead of being "Google Play" or "Everything else" the user should be able to say: I trust Google Play, F-Droid, and APK Pure only.

    2. All the handset makers need to provide support for Vanilla Stock Android VIA Lineage OS or Similar. Cough up Driver APKs, and stop allowing handset makers to bake Malicious software like ADUPS in the System area.

    • Re: (Score:2, Funny)

      by Anonymous Coward

      Thank god you only said it twice, you almost summoned him.

  • This means no matter how much skill Android users possess Android users can't usefully investigate and fix the leveraged vulnerabilities themselves should they wish to do so or hire someone to do so on their behalf. The most they could do is write an exploit which demonstrates the bug, report the bug with the exploit program, and hope the proprietor takes corrective action. Upgrading to another version of proprietary software is no real fix as it could (at best) mean trading in fixes for these bugs in for other bugs the users are prevented from usefully investigate and fix. The user being rather helpless to improve their own situation or help their community all along the way. This is how proprietary (read: non-free, user-subjugating) software treats its users.

    All complex software has bugs, proprietary OSes and apps are no exception, but as the GNU Project points out [gnu.org], "The difference between free software [gnu.org] and nonfree software is in whether the users have control of the program or vice versa [gnu.org]. It's not directly a question of what the program does when it runs. However, in practice nonfree software is often malware, because the developer's awareness that the users would be powerless to fix any malicious functionalities tempts the developer to impose some.". Since there aren't any free software tracker (none might be possible so long as the phone network insists on proprietary control over the user's device) this is also an opportunity to learn to say no to proprietary control and do without a tracker (and, yes, particularly given the context of this thread it is proper to call them 'trackers' and not 'cell phones' or 'mobile phones', names which help obscure the main reason organizations want users to get these devices and install apps in the first place).

    • by Anonymous Coward

      Google created this mess in the first place. Now I'm seeing tablets and phones where you're not allowed to root and as such I don't even want it anymore. Things that I used to be able to do, I'm not allowed to do anymore and I'm not dictated by Google or Apple how I'm supposed to do things. And now with the years going by, there is a huge mess of applications that are not even supported anymore on both Apple's store and Googles play store, which in itself is creating another security nightmare.

      A decade ago,

  • by cascadingstylesheet ( 140919 ) on Saturday July 29, 2017 @08:06PM (#54906585) Journal
    Sorry to trouble you, but, um ... what are the apps? What are they named?
    • BINGO! 20 aps, 12 more aps, I would like to see if I have any installed. {Would it be a good idea if Google could cause their removal automatically? I would guess that most /. would say no}
    • by mjwx ( 966435 )

      Sorry to trouble you, but, um ... what are the apps? What are they named?

      Or better yet, what are the publishers named.

      Also, 20 apps out of how many hundreds of thousands?

  • ... why Apple's walled garden is such a bad thing?
    • These snuck over the wall and into the garden. Apple has no gate, but Google at least let's you open the gate and install from sources other than the Google Play Store. That's not what happened here, though.

God made the integers; all else is the work of Man. -- Kronecker

Working...