Forgot your password?
typodupeerror
Cellphones Security

Android Data Stealing App Downloaded By Millions 335

Posted by CmdrTaco
from the nobody-is-safe dept.
wisebabo writes "A wallpaper utility (that presents purloined copyrighted material) 'quietly collects personal information such as SIM card numbers, text messages, subscriber identification, and voicemail passwords. The data is then sent to www.imnet.us, a site that hails from Shenzen, China.'"
This discussion has been archived. No new comments can be posted.

Android Data Stealing App Downloaded By Millions

Comments Filter:
  • I'm confused... (Score:5, Insightful)

    by mcgrew (92797) * on Thursday July 29, 2010 @12:07PM (#33070376) Homepage Journal

    A wallpaper APP? Why would you need an app? It can't just display a jpg as wallpaper?

  • Unfortunately (Score:4, Insightful)

    by wraithguard01 (1159479) on Thursday July 29, 2010 @12:08PM (#33070394) Homepage
    This is one good reason to have a unified app service, where all the apps are first vetted before they are released. I think mozilla's addon collection is a good model to follow.
  • by jsnipy (913480) on Thursday July 29, 2010 @12:10PM (#33070428) Journal
    this is a job for common sense. Whenever you install an app it shows you what it is requesting accessing to. If you see a 'wallpaper of the day' app wants access every aspect of your phone, you might reconsider installing it.
  • Re:News flash! (Score:2, Insightful)

    by bonch (38532) on Thursday July 29, 2010 @12:13PM (#33070490)

    Well, part of the news here is the comparison to Apple's heavily-controlled store model. Would this have happened on the iPhone? Would the app have even been approved?

  • by Coopjust (872796) on Thursday July 29, 2010 @12:13PM (#33070492)
    Even if they're told exactly what the app will have access to [wordpress.com], people will click through anything.
  • by geminidomino (614729) on Thursday July 29, 2010 @12:13PM (#33070500) Journal

    No, you don't need the name in order to avoid it, but it might be useful, I dunno, to see if one already HAS it.

    Just sayin'.

  • Re:I'm confused... (Score:3, Insightful)

    by Vintermann (400722) on Thursday July 29, 2010 @12:14PM (#33070522) Homepage

    Never mind that, why would you need a wallpaper app that requests permission to make phone calls?

    Really, there's no helping some people.

  • by Anonymous Coward on Thursday July 29, 2010 @12:15PM (#33070538)

    Common sense is the worst possible defense for the average user. If you want Android phones to have a tiny amount of market share among technically skilled users, that's fine. If you want a large number of Android phones available to, used by and recommended by the average user then showing such warnings is near completely useless.

    Dancing bunnies, man. Dancing bunnies.

  • by Xaedalus (1192463) <Xaedalys@[ ]oo.com ['yah' in gap]> on Thursday July 29, 2010 @12:16PM (#33070562)

    When I read TFA, I saw the part where 47% of Droid apps use third party coding, and 23% of Apple apps also use it. Then I realized, there's no safe place to hide. I like my walled garden, but even that has leaks.

  • by mdm-adph (1030332) <mdmadph@gmail . c om> on Thursday July 29, 2010 @12:19PM (#33070598) Homepage

    As we've seen from the "colored flashlight app that's really a tethering app," I don't know why people are still putting their trust in Apple's "approval" process as far as safety is concerned. They obviously don't check the code behind an app -- today it's a tethering app, tomorrow it's one that's sending your data to China (if it doesn't already exist, and I'd be surprised if it didn't).

  • by abigor (540274) on Thursday July 29, 2010 @12:23PM (#33070688)

    You mean they'd have to wait for approval by the App Store? An interesting proposal!

  • by BitZtream (692029) on Thursday July 29, 2010 @12:25PM (#33070728)

    ... The name of the app is the second most important factual peice of information that should have been gathered. Second only after the fact that it does it.

    Yes, it would be useful to know what it is called. Some non-geeks who bought into the whole 'the droid is better than the iphone' bullshit who don't realize its better for geeks, not idiots may download and install the app.

    Some of those people I may know, and if I simply knew the name I could tell them not to do it.

    Instead, I have to say 'the droid is known to have data stealing apps and no I can't tell you which ones suck ass, just get yourself an iPhone so apple can protect you, its far easier on all of us'

    What the fuck is wrong with you?

  • Re:Unfortunately (Score:5, Insightful)

    by AndrewNeo (979708) on Thursday July 29, 2010 @12:40PM (#33070980) Homepage

    Excuse me? I somehow doubt you've ever submitted an addon to Mozilla before. I have, and a real person does indeed check your code.

    From the Editor's Guide [mozilla.org]:

    Every line of add-on code must be reviewed. The code validator can't detect all possible security or code quality issues, so we must always be in the lookout for bad code.

  • Re:I'm not (Score:1, Insightful)

    by Anonymous Coward on Thursday July 29, 2010 @12:45PM (#33071060)

    I'm not convinced that such an app would necessarily be caught by Apple's model. Apple doesn't even really review the source code; there was a tethering app disguised as a flashlight app that made it to the app store and stayed there until the media brought attention to it.

    The iOS App Store approval process might not have caught this; but there is a non-zero probability it might have. Of course, given the problems with the approval process, there is also a non-zero possibility that Apple might have unintentionally blocked it for reasons having nothing to do with security. In any case, it would be interesting for Apple to release statistics on how many malware apps the App Store has blocked.

    The current Android app distribution system, totally lacking any security review, has a zero probability of catching malware. Anyone with a brain knew that this was a significant possibility inherent in the more open model that Google has championed. However, this presents Google with a serious potential long-term problem--if Android phones are perceived as being insecure, it will impact sales. The market reaction will be interesting the first time somebody having a heart attack tries to dial 911 on an Android phone and dies because the phone said "u bin pwned noob!" instead of calling the rescue squad.

    Fans of Android can mock Apple for its antenna woes and screwy app approval process (and rightly so); but if Android ends up being constantly hacked, it will hurt the Android platform far more than Apple's antenna and App Store problems. Nobody wants to have to download and manage anti-virus apps or firewalls onto their cell phone. That would make Apple look prescient for establishing a system that offers at least some promise of blocking malware from the iPhone ecosystem.

  • by mlts (1038732) * on Thursday July 29, 2010 @12:55PM (#33071266)

    There is the problem: People like you, me, and almost all Slashdot readers would click "no" if a generic fart app requires a slew of security privs (power, Net, access to SMS, access to contacts, ability to kill other apps, etc.), or even worse, prompted for root privs via su.

    However, the dancing bunny problem strikes here. Joe Sixpack will click "Install" to install a cool app, only to find all his contacts being spammed with "I need $900 ransom" notices, a sky high SMS bill because the app grabs a list of phone numbers and starts sending out text messages with ads on it, maybe even drained bank accounts if he left his banking info and passwords in the Web browser.

    I think Google made one mistake with Android, and that was assuming all users would be clued Linux types who know basic UNIX sanitation. I worry though, if there are more bad apples in the bunch that Android would be start being known as a hive for malware just because there is nothing stopping Joe Sixpack from installing a "pr0n viewer app" that reams his phone.

    I like the walled garden idea, with a way to hop out, that is foreboding to a nontechnical person, but for someone with half a clue, wouldn't pose a problem. For example, the "oem unlock" command with the N1 phones and the warning staying to say buh-bye to the phone's warranty if the user wants to continue. Something to make Joe Sixpack not want to do it and actually pass on watching the dancing bunnies.

  • Re:I'm confused... (Score:4, Insightful)

    by socz (1057222) <socrates@[ ]ttobsd.org ['ghe' in gap]> on Thursday July 29, 2010 @01:04PM (#33071506) Homepage Journal
    Well, what was interesting *to me* was that when I sent the program to the emulator, i left it blank! So I hadn't even made any changes to the default and it was asking for permission. In my mind, if it does nothing, why does it need access?
  • Re:Unfortunately (Score:5, Insightful)

    by diamondsw (685967) on Thursday July 29, 2010 @01:30PM (#33072066)

    Amazing what a gets a +5 Informative these days. Adding links?

    The first example was due to a developer "hacking" accounts (i.e., guessing passwords).
    The second example is the same story as the first, from a different source.
    The final example is the only one that holds any water. And that allowing crap apps through, not malicious ones.

  • by diamondsw (685967) on Thursday July 29, 2010 @01:37PM (#33072214)

    Such reporting wasn't disallowed until very recently. There was a very good reason for it as well - developers then got that data back so they could tell how many people were still on old OS versions, what the uptake was on a new OS, and could plan their features and releases accordingly.

    The only reason Apple got upset is it revealed prototype OS versions in their lab as a side effect.

  • Re:Unfortunately (Score:1, Insightful)

    by Anonymous Coward on Thursday July 29, 2010 @01:41PM (#33072292)

    That wasn't malware. It was copycat apps and someone hacking some iTunes accounts to purchase non-malware apps that had been approved for the app store. Kind of apples and oranges isn't it? Don't get me wrong, the hacking of people's iTunes accounts in order to make purchases was horrific. (Although I'm still not quite sure how he got their passwords) But the worry with Android is that it'll replace Windows as the next attack vector for malware writers. After all already many people access their bank more on their phones than their desktops.

  • Re:I'm not (Score:3, Insightful)

    by HeronBlademaster (1079477) <heron@xnapid.com> on Thursday July 29, 2010 @02:48PM (#33073708) Homepage

    What malicious apps have gotten through Apple's approval process? I'm open to any links you may have. Don't bother linking to the guy who hacked into iTunes accounts and used them to buy his otherwise legitimate app -- the app itself was not malicious, so there's no reason to blame the approval process for the incident.

    You say "tethering apps" as if that's a bad thing. The app didn't steal any data, or use any APIs that could reveal the user's personal data. Apple checks all submissions against their list of approved APIs... an app that steals personal data would have to use unapproved or custom APIs and would therefore be rejected from the app store.

    I'm not saying Apple's approval process is perfect, but it *is* set up to catch malicious data-stealing apps.

  • Re:Unfortunately (Score:3, Insightful)

    by c0d3g33k (102699) on Thursday July 29, 2010 @02:57PM (#33073890)

    I've come nowhere near Mr. Job's ass. I am no Apple fan by a long shot (I've never purchased an Apple product in my life) and have no interest in going where the (reality distorted) sun does not shine.

    Your evidence is that malicious apps can exist in an environment where vetting takes place. You have not demonstrated that vetting has no effect on the number of malicious apps a person is exposed to. Nor have you demonstrated that the vetting was effective in your example. You might have demonstrated that Apple's vetting could use some improvement - I'll grant you that.

    I am claiming that an *effective* vetting process will *REDUCE* the number of malicious apps a user is exposed to, not that it will necessarily eliminate them entirely. So an effective vetting process is worth pursing, because in its absence, there is NO BARRIER to the presentation of malicious apps to the user, and a user will experience more of them.

    Ok, the volley is in your court. I await your reasoned and logical response.

  • by HeronBlademaster (1079477) <heron@xnapid.com> on Thursday July 29, 2010 @03:00PM (#33073930) Homepage

    The approval process didn't do any good when data was stolen from Apple users a month or two ago. A bunch of people were charged for apps they never bought, and several apps were removed from the app store, but a full explanation from Apple was never offered.

    So I guess you think that it's totally irrelevant that a) the stolen data had nothing to do with the app approval process, and b) the data was not stolen by the approved apps?

    Yeah, let's blame the approval process for something to which it is completely unrelated. *eye roll*

  • Re:Gee, if only... (Score:3, Insightful)

    by DeskLazer (699263) on Thursday July 29, 2010 @04:19PM (#33075290) Homepage
    you apparently missed the comments in the threads above; things have still snuck by the apple store folk. the only real way to catch this stuff is be conscious of what you're installing, and report suspicious items.

    from user -kyz:
    Apple is doing an equally bad job of protecting its ecosystem.

    There have been several customer-data-grabbing iPhone apps, and these have only been yanked after members of the public alerted Apple to them.

    Pinchmedia: http://i-phone-home.blogspot.com/2009/07/pinchmedia-anatomy-of-spyware-vendor.html [blogspot.com]

    Storm8: http://www.sfgate.com/cgi-bin/blogs/ybenjamin/detail??blogid=150&entry_id=51077 [sfgate.com]

    MogoRoad: http://www.theregister.co.uk/2009/09/30/iphone_security/ [theregister.co.uk]

    Smuggling tethering past the censors: http://top10.com/mobilephones/news/2010/07/app_smuggles_tethering_onto_iphone/ [top10.com]


    the moral of the story is, it doesn't matter if it's closed or open-source. the end user is still the difference maker.
  • Re:Unfortunately (Score:2, Insightful)

    by cmorriss (471077) on Thursday July 29, 2010 @05:06PM (#33076094)

    Right. Because that's worked [independent.co.uk] so [thenextweb.com] well [cnn.com]. Keep in mind that these refer to apps that made it through the vetting process.

    Actually, your examples do in fact prove how well the process is working.

    Not one of the apps you describe scammed people out of money or information. They are all examples of developers using other methods to get their apps to the top of the store list to get more people to buy them.

    If that's the best you can come up with, then I think that speaks volumes to how good a job Apple is actually doing.

  • Re:Thats it! (Score:3, Insightful)

    by w0mprat (1317953) on Thursday July 29, 2010 @05:49PM (#33076650)

    and write your own compiler.

    Your compiler can't compile itself!

    Personally I prefer to tap the bits into the hard drive platter with a magnetized sewing needle, that way I know it's safe... oh wait... what about the HDD's firmware?

  • Re:I'm confused... (Score:3, Insightful)

    by CharlyFoxtrot (1607527) on Thursday July 29, 2010 @06:11PM (#33076934)

    This is what Apple figured out : KISS, keep it simple and stupid. The user (even the ones that understand it) shouldn't be bothered with this shit, if you're going to sell apps through a store you might as well do quality control at that point by a third party. Of course that approach comes with its own set of well publicized drawbacks and no approach has a 100% success rate.

In order to dial out, it is necessary to broaden one's dimension.

Working...