Stealthy Google Play Apps Recorded Calls and Stole Emails (arstechnica.com) 55
An anonymous reader quotes Ars Technica:
Google has expelled 20 Android apps from its Play marketplace after finding they contained code for monitoring and extracting users' e-mail, text messages, locations, voice calls, and other sensitive data. The apps, which made their way onto about 100 phones, exploited known vulnerabilities to root devices running older versions of Android.... As a result, the apps were capable of surreptitiously accessing sensitive data stored, sent, or received by at least a dozen other apps, including Gmail, Hangouts, LinkedIn, and Messenger. The now-ejected apps also collected messages sent and received by Whatsapp, Telegram, and Viber, which all encrypt data in an attempt to make it harder for attackers to intercept messages while in transit... To conceal their surveillance capabilities, the apps posed as utilities for cleaning unwanted files or backing up data.
Google reports that the malicious apps also had these functions:
Google reports that the malicious apps also had these functions:
- Call recording
- VOIP recording
- Recording from the device microphone
- Location monitoring
- Taking screenshots
- Taking photos with the device camera(s)
- Fetching device information and files
- Fetching user information (contacts, call logs, SMS, application-specific data)
12 hours later an antivirus provider reported two more Google Play apps could surreptitiously steal text messages by downloading a malicious plugin -- and that the apps had already been downloaded at least 100,000 times.
Re: (Score:1)
No, this story was about, only apps can app you up the app.
Re: (Score:2)
Remember ActiveX? There were a lot of things wrong with the design, but one of the worst things that it did, from a security perspective, was condition users to hit 'okay' to dialog boxes saying 'this bit of untrusted code needs complete access to your computer, allow?' Android has done the same thing: encouraged users to accept that every app needs complete access to your call log, browsing history, text message history, and so on.
iOS is somewhat better in this regard, because apps are expected to start
Re: (Score:2)
iOS is somewhat better in this regard, because apps are expected to start with no permissions and prompt for permissions that they need as they need them.
I'm pretty sure the OS is prompting for permission and not the App.
Re: (Score:2)
Re: (Score:2)
Looks like someone might have in the comments [arstechnica.com].
Why is this possible? (Score:4, Interesting)
Honest question: Why is it possible for application A from company X to access information from application B from company Y? I could understand if they were both from company X and were signed with the same certificate but it's nothing like that! No application should EVER have full system access.
Re: (Score:2)
My phone runs the very latest version of Android which now asks for permissions each time the app is run, rather than once at installation time. Each time I start the MLB app it demands to know my location, which I deny, yet it still runs just fine.
The best defense is to run the minimum assortment of apps to get the job done. And delete apps that you no longer use for whatever reason.
Re: Why is this possible? (Score:2)
That's great if your manufacturer and carrier can be bothered to update your phone to the latest version. Otherwise you're stuck with what was preinstalled. You can install a third party ROM but then you run the risk of bricking your phone and in any case you can't expect non-technical people to do that.
Re: (Score:1)
Because Android's permissions system is complete BS. It's designed to make collecting data about the user as easy as possible while giving them the smallest amount of control over it so they can avoid lawsuits.
"Take it or leave it" is their motto. In official Android versions you can't say I don't want to grant this permission or disable access after installation. Heck some apps will crash if this hap
Re: (Score:2)
Why don't you RTFSummary?
The apps, which made their way onto about 100 phones, exploited known vulnerabilities to root devices running older versions of Android....
Finger nail polish (Score:2)
Just how often does one take a selfi? I don't trust any forward facing camera.
I use Finger nail polish to cover it as it's almost permanent - used to use electrical tape.
Re: (Score:3)
Re: (Score:2)
Me? Never. I had to ask someone for assistance when I had an occasion where I needed to
But for other people, you obviously don't go out very much - they take selfies so often, you wonder why they don't just use video mode. Or why front facing cameras continue to take a back seat to the rear facing one, because people seem to take photos only using the front facing one.
Utility software lol (Score:2)
I mean I guess they could have hid this in a game app, but it would have been more questionable why it wanted all of those permissions.
They should just ban cleanup/AV/nonsense utility scumware as a category from their stores, these things aren't really needed on such locked down mobile OS. They might have had some value in the day of like Windows 95 but now they are just the computer equivalent of a scummy mechanic charging an old lady for 'turn signal fluid'.
Re: (Score:2)
One trick scummy app authors use is to copy a legitimate game's marketing material and art, then create an app that does nothing but "hang" on the loading screen, in the meantime trying to game the ad system to earn some free money.
Unfortunately, this hurts the reputation of the legitimate game and its developers, as often the malware authors simply steal the name along with the art assets.
So many who've never heard of flurry.com (Score:2)
You too can obtain this ability, just sign up and pay the cost.
I can't view the site as it's in my Routers block file, but it used to be google now appears to of been taken over by Yahoo.com
You need to opt out of flurry.com, twice Google flurry.com requires a number only your phone has. Yahoo a opt out google will take you to a selection you can turn off.
Re: (Score:2)
A Yahoo opt out requires you to do this with your phone.
This is why I don't install apps on my phone. (Score:2)
Okay fine, I have two: Rocket Player and one for local highway traffic provided by the city.
That's it, though. All the other apps that are installed came with the phone. I should probably remove those...
Read the TOS's (Score:2)
I do.
The best TOS I've encountered was the one for Angry Birds Rivio.com at the time. It told one everything it was going to do with your data it was the 2% overseas that I never caught or yet to of figured out. It also led me to flurry.com.
Samsung HDTV's - their TOS tells you they will be recording everything you do and keeping it, While it's meant to predict your needs, I know of two /. articles of Samsung having to tell people they can hear everything you say.
Google Needs to ix this (Score:5, Insightful)
Two things wwould fix this:
1. Instead of being "Google Play" or "Everything else" the user should be able to say: I trust Google Play, F-Droid, and APK Pure only.
2. All the handset makers need to provide support for Vanilla Stock Android VIA Lineage OS or Similar. Cough up Driver APKs, and stop allowing handset makers to bake Malicious software like ADUPS in the System area.
Re: (Score:2, Funny)
Thank god you only said it twice, you almost summoned him.
More proprietary malware, more reason to distrust. (Score:5, Interesting)
This means no matter how much skill Android users possess Android users can't usefully investigate and fix the leveraged vulnerabilities themselves should they wish to do so or hire someone to do so on their behalf. The most they could do is write an exploit which demonstrates the bug, report the bug with the exploit program, and hope the proprietor takes corrective action. Upgrading to another version of proprietary software is no real fix as it could (at best) mean trading in fixes for these bugs in for other bugs the users are prevented from usefully investigate and fix. The user being rather helpless to improve their own situation or help their community all along the way. This is how proprietary (read: non-free, user-subjugating) software treats its users.
All complex software has bugs, proprietary OSes and apps are no exception, but as the GNU Project points out [gnu.org], "The difference between free software [gnu.org] and nonfree software is in whether the users have control of the program or vice versa [gnu.org]. It's not directly a question of what the program does when it runs. However, in practice nonfree software is often malware, because the developer's awareness that the users would be powerless to fix any malicious functionalities tempts the developer to impose some.". Since there aren't any free software tracker (none might be possible so long as the phone network insists on proprietary control over the user's device) this is also an opportunity to learn to say no to proprietary control and do without a tracker (and, yes, particularly given the context of this thread it is proper to call them 'trackers' and not 'cell phones' or 'mobile phones', names which help obscure the main reason organizations want users to get these devices and install apps in the first place).
Re: (Score:1)
Google created this mess in the first place. Now I'm seeing tablets and phones where you're not allowed to root and as such I don't even want it anymore. Things that I used to be able to do, I'm not allowed to do anymore and I'm not dictated by Google or Apple how I'm supposed to do things. And now with the years going by, there is a huge mess of applications that are not even supported anymore on both Apple's store and Googles play store, which in itself is creating another security nightmare.
A decade ago,
Sorry to trouble you, but, um ... (Score:5, Insightful)
Re: (Score:1)
Re: (Score:2)
Sorry to trouble you, but, um ... what are the apps? What are they named?
Or better yet, what are the publishers named.
Also, 20 apps out of how many hundreds of thousands?
Can someone please remind me again.... (Score:1)
Re: (Score:2)
These snuck over the wall and into the garden. Apple has no gate, but Google at least let's you open the gate and install from sources other than the Google Play Store. That's not what happened here, though.