Android Data Stealing App Downloaded By Millions
wisebabo writes "A wallpaper utility (that presents purloined copyrighted material) 'quietly collects personal information such as SIM card numbers, text messages, subscriber identification, and voicemail passwords. The data is then sent to www.imnet.us, a site that hails from Shenzhen, China.'"
Why would you need it (Score:1, Interesting)
Do you really need to know the name of the app in order to avoid it? I think that you should know well enough to avoid wallpaper apps! Those (and screensavers) were something like the number 1 way for viruses to spread on computers in the late 90s or so. The same people who fell for those then can now afford expensive phones and fall again for the same scam.
Re:I'm confused... (Score:4, Interesting)
Wallpapers aren't just static images.
The wallpaper I have here changes colour depending on the time of day.
You can even show a view adjusted for the weather where you are.
Re:Developers Bitch (Score:3, Interesting)
The tethering app wasn't discovered because it was extremely difficult to trigger - it required very specific network settings, a multi-step setup process, and tapping different colors in a specific pattern just to enable the tether. Very different from discovering an app is sending your data off wholesale.
The hidden tethering app is only going to be discovered via thorough code decompilation and analysis. Sending chunks of data to a random server for no appreciable purpose can be found easily via tcpdump.
Re:Thats it! (Score:3, Interesting)
There's absolutely no reason that this should be the case. I can't speak for Windows Mobile, but the Symbian kernel has a capability model that makes it relatively easy to protect against this kind of thing. Applications, by default, can only read a few system locations (shared libraries and so forth) and can only write into their own directory. Each shared library and each application has a set of capability bits. A shared library can only be loaded by processes that have all of the capability bits that the library has (so, for example, if your app doesn't have the SMS capability, it can't load shared libraries that require it). If you install a wallpaper app, and it has the capabilities to inspect arbitrary directories, system configuration, and so on, then you'd expect to know something is wrong. Unfortunately, the Symbian UI sucks so badly that it probably doesn't actually tell you this...
Interestingly, OS X also has quite a nice subsystem for running untrusted code. On recent versions, there are predefined sandbox settings for preventing writes, preventing Internet access, and preventing writes outside /tmp. It's not used much on the desktop (not at all for untrusted code, where it would be most useful), but it might be used on the iPwn.
Re:I'm confused... (Score:2, Interesting)
Android allows you to do more, but at the cost of a little extra complexity. I think an average user can handle it, I know a lot of people with average intelligence that have no problem with it. It's the users that aren't so smart that may have a hard time with it. Those users may want to consider an iPhone.
Who is behind it? (Score:1, Interesting)
Administrative Contact Name: Ice Ysl
Administrative Contact Organization: 1sters
Administrative Contact Address1: china
Administrative Contact City: shenzhen
Administrative Contact State/Province: guangdong
Administrative Contact Postal Code: 86
Administrative Contact Country: China
Administrative Contact Country Code: CN
Administrative Contact Phone Number: +7.5526814587
Administrative Contact Email: iceskysl@gmail.com
A google search on iceskysl@gmail.com comes up with a surprising number of hits. No fake email here.
Android Intent is so powerful and great. [google.com]
Our boy has been busy on the Android [csdn.net]
And it goes on...
There is a lot of FUD in these stories (Score:3, Interesting)
Check out the manifest permissions [macrumors.com] on the apps in question. It is the last item that is the problem.
Storage: modify/delete
Your location: coarse (network-based) location
Network communication: full Internet access
Phone calls: read phone state and identity
The permission only allows the app to read the IMEI number of your phone (your hardware's unique identifying number), your phone number, and your currently programmed voice-mail number. If you hard coded your voice-mail password as part of your voice-mail number, then they have that too.
They shouldn't be stealing this info, and Google should separate "read phone state" from "read identity", but the stories on this app stating that your SMS's, contacts and grandmother's girdle are being stolen and sent to China are just plain wrong.
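Added example, not part of the comment above or of the original thread: a manifest audit that turns the four listed permissions into a statement of what the app can read and whether it can send it anywhere, which is the check the comment performs by hand. The manifest is constructed, the package name is hypothetical, and the mapping of the four labels to `android.permission.*` names is the standard Android one rather than something stated on the page.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed sample: a decoded AndroidManifest.xml requesting the four
# permissions listed in the comment. The package name is hypothetical.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.wallpaper">
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
</manifest>"""

# Personal data each read permission exposes to the app.
DATA_SOURCES = {
    "android.permission.READ_PHONE_STATE": "phone state and identity",
    "android.permission.ACCESS_COARSE_LOCATION": "coarse location",
    "android.permission.ACCESS_FINE_LOCATION": "fine location",
    "android.permission.READ_SMS": "text messages",
    "android.permission.READ_CONTACTS": "contacts",
}
NETWORK = "android.permission.INTERNET"


def requested_permissions(manifest_xml):
    """Return the set of permission names declared via <uses-permission>."""
    root = ET.fromstring(manifest_xml.strip())
    names = {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}
    return names - {None}


def audit(manifest_xml):
    """Summarise readable data, network access, and what stays out of reach."""
    perms = requested_permissions(manifest_xml)
    readable = sorted(DATA_SOURCES[p] for p in perms if p in DATA_SOURCES)
    has_network = NETWORK in perms
    return {
        "readable": readable,
        "network": has_network,
        # Sensitive reads paired with network access are the combination to flag.
        "flagged": readable if has_network else [],
        # Data the declared permissions do not cover (the comment's SMS/contacts point).
        "not_requested": sorted(v for k, v in DATA_SOURCES.items() if k not in perms),
    }
```

For the sample, `audit(SAMPLE_MANIFEST)` flags location and phone identity alongside network access, and lists text messages and contacts under `not_requested`.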
Re:I'm confused... (Score:3, Interesting)
Android allows you to do more, but at the cost of a little extra complexity. I think an average user can handle it, I know a lot of people with average intelligence that have no problem with it. It's the users that aren't so smart that may have a hard time with it. Those users may want to consider an iPhone.
It's not about smartness but intuitiveness. Apple doesn't want the user to have to learn a new OS (the different types of permissions, etc.) to be able to use his/her phone. The user should just be able to pick it up and do a task with as little interference as possible. We used to call this KISS and it's actually a lot harder to do correctly than to just offer up a bunch of options and configurations to the user. I picked up an android phone in a store the other day and my first thought was how busy the user interface was.