'Fee-Deduction' Malware On Android Spotted In the Wild
wiredmikey writes "New malware has been discovered embedded in more than 20 Android applications circulating via various forums on the Internet which auto-dials phone numbers to incur high user fees. Dubbed BaseBridge, the malware can be embedded in legitimate applications, and during the application's installation, the malware prompts the user to upgrade. If the user chooses to upgrade, the malware is installed on the Android device under the name 'com.android.battery'. Then, another prompt would pop up to ask the user to restart the app to run it, and the malware is formally activated upon restart. Once activated, the malware can activate three malicious services — AdSmsService, BridgeProvider and PhoneService, to communicate with a control server, from which it will download a configuration file to read related information and dial calls or send out SMS messages, incurring fees for users."
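A defensive check built on the package name given in the summary, as an added example that is not part of the original story or thread: it parses `adb shell pm list packages -f` output and flags `com.android.battery`, plus any package that claims the `com.android.` namespace while installed in user storage. The sample listing and the `/data/app/` path convention are assumptions constructed for illustration.

```python
"""Triage `adb shell pm list packages -f` output for the BaseBridge package name."""

# Indicator taken from the story summary: the name the malware installs under.
BASEBRIDGE_PACKAGE = "com.android.battery"
# Assumption for this example: user-installed (including sideloaded) APKs live
# under /data/app/, while factory platform components live under /system/.
USER_APP_PREFIX = "/data/app/"
PLATFORM_NAMESPACE = "com.android."

# Constructed sample of `pm list packages -f` output (not captured from a device).
SAMPLE_LISTING = """\
package:/system/app/Settings.apk=com.android.settings
package:/data/app/com.example.game-1.apk=com.example.game
package:/data/app/com.android.battery-1.apk=com.android.battery
package:/data/app/~~Zm9vYmFy==/com.android.chrome-YWJj==/base.apk=com.android.chrome
WARNING: linker: unrelated noise line
"""


def parse_pm_line(line):
    """Parse one 'package:<apk path>=<package name>' line, or return None."""
    line = line.strip()
    if not line.startswith("package:"):
        return None
    # Split on the LAST '=': newer Android builds use directory names in the
    # APK path that can themselves end in '=' characters.
    path, sep, name = line[len("package:"):].rpartition("=")
    if not sep or not path or not name:
        return None
    return path, name


def triage(pm_output):
    """Return (package, apk_path, reason) tuples that deserve a closer look."""
    findings = []
    for line in pm_output.splitlines():
        parsed = parse_pm_line(line)
        if parsed is None:
            continue  # skip noise such as linker warnings
        path, name = parsed
        if name == BASEBRIDGE_PACKAGE:
            # Exact match on the name reported for BaseBridge.
            findings.append((name, path, "named-indicator"))
        elif name.startswith(PLATFORM_NAMESPACE) and path.startswith(USER_APP_PREFIX):
            # Review item, not a verdict: legitimately updated platform apps
            # also end up in user storage, so confirm the signer before acting.
            findings.append((name, path, "platform-name-in-user-storage"))
    return findings


if __name__ == "__main__":
    for name, path, reason in triage(SAMPLE_LISTING):
        print(f"{reason}: {name} ({path})")
```

On a real device the input would come from `adb shell pm list packages -f`; a package name alone is weak evidence, so a hit should be followed by checking the APK's signing certificate.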
Well (Score:2)
Rather selfish (Score:2, Interesting)
That is the treat of sideloading. And I wouldn't give it up for anything.
So you would doom millions to be raked over the coals by exploits like this, all so you can sideload. Awesome.
Shouldn't the model be more of one where people who cannot manage systems have systems pre-secured for them, and the ones who can handle security can open them?
It's worked well for iOS from a security standpoint.
Re:Rather selfish (Score:5, Informative)
URL of APK (Score:3)
In addition you must know what you're doing to install the Unknown Source APK by either: using 'adb install', or downloading the APK to your SD card and use a file manager application
That or enter the URL from which the APK can be downloaded, such as through following a link in an e-mail, following a link in the web browser, or scanning a QR code. After that, the device downloads the package over Wi-Fi or cellular, and then the user can choose to install or cancel on the privilege screen. That's how, for example, Amazon Appstore for Android gets installed.
Re: (Score:2)
At least Android has "Unknown sources" (Score:3)
Re: (Score:3)
Before that you have to enable unknown sources. You can even enable it only when you are going to install something like that amazon app store and then turn it off again.
Still better than the amazon app store for iOS model, which is of course that there is not one and never will be.
Re: (Score:2)
You can even enable it only when you are going to install something like that amazon app store and then turn it off again.
But doesn't the user have to turn "Unknown sources" back on whenever installing or updating an application in Amazon Appstore?
Re: (Score:2)
Indeed.
What is needed is a way to enable installation of applications signed by $X. Then you just install their pubkey and let those applications be installed without being "Unknown".
Re: (Score:2)
So one of the malicious apps installs the key and you're back to square one.
Re: (Score:2)
No no.
The key needs to be installed in a separate way from apps. Something done only when you want to add new markets to shop from. Sure morons will still do it for pirated apps, but nothing will stop that.
Re: (Score:2)
It needs to be separate from apps, and more importantly, not possible to do from apps.
Possibly a physical switch on the phone to enable it, or something along those lines. With massive warnings making it near impossible to do anything while it's possible to install a key.
Re: (Score:2)
If you want those free Amazon apps, you have Unknown Sources allowed, so there's that pro
Re: (Score:2)
Yeah, it's the same thing that happens now on jailbroken iPhones with hackulo.us. They host a repo for iPhone warez, and you take a pretty huge risk by installing any of it--though if you're just some kid, what do you care?
Re: (Score:2)
Let me guess - you didn't buy your phone from AT&T, did you?
Re: (Score:2)
Android is secured by default by disallowing the use of Unknown Sources. If you attempt to enable Unknown Sources for applications it will warn you about risking security. In addition you must know what you're doing to install the Unknown Source APK by either: using 'adb install', or downloading the APK to your SD card and use a file manager application to install it. So yes, Android is just as secure as iOS by default.
By your logic, Windows is also as secure as iOS by default.
Re:Rather selfish (Score:5, Insightful)
Good to know that the iphone has a similar setting, that was a good move on Apple's part. Oh, wait, it doesn't? You have to exploit security holes to enable sideloading? Huh. How about that.
Re: (Score:2)
Shouldn't the model be more of one where people who cannot manage systems have systems pre-secured for them, and the ones who can handle security can open them?
It's worked well for iOS from a security standpoint.
Where is this "Open mode, I am not a moron" button for the iOS devices?
As far as I can tell no one gets open access, everyone is assumed to be a moron.
Re: (Score:3)
Some of us don't believe we should have to fight our device manufacturer to be able to use it. It is for primarily this reason I will never buy or recommend an iPhone or iPad.
Re: (Score:2)
Re: (Score:3)
Yes, some features on Android do require rooting, but it is possible to run non-elevated applications that are not distributed through Google's market. Rooting is also left more up to the carrier and device manufacturer. Carriers like to have devices locked, but some devices are rooted by default. Android as a whole doesn't put a lot of effort into protecting or trying to break root and can actually always be rooted (as far as I know) through ODIN or similar flashing. The culture of carriers makes this
Re: (Score:2)
It is also worth pointing out that most rooting methods on Android seem to stay in until they are exploited by malware and then are rapidly removed. A perfect example is the rageagainstthecage vulnerability with elevation of a debugging connection that was only fixed after the Market malware issue.
Re: (Score:2)
Re: (Score:2)
The law reads that Apple can't do anything to people for jailbreaking their phones and they don't want to open themselves up to lawsuits, but their entire business model depends on iTunes sales. It is like licensing fees for video games. Their business model is to charge both the content creators and the consumers for access to the same hardware which they want to control. They make it as difficult as possible to do and it is a philosophy I hate. I also generally buy video games for PC whenever possible
Re: (Score:2)
Oh, you mean software exploits.
See, that is exactly not what was being talked about at all. Security exploits are not put in by Apple just so you can own your own devices, they are mistakes. They are a defect, not a part of the model Apple chooses to use.
Re: (Score:2)
Re: (Score:2)
Where is this "Open mode, I am not a moron" button for the iOS devices?
It's called jailbreaking.
... which may void your warranty (on the hardware, not just the OS) apparently: http://www.bbc.co.uk/news/technology-10836692 [bbc.co.uk]
I doubt they would have an easy way to enforce this given that if you've performed a factory reset on the device they probably can't tell it has been jailbroken (but then again if you are sending it out for repair/replacement under warranty you might not be in a position to perform such a reset).
That said, I still wouldn't compare a built-in feature with warnings about possible
Wrong (Score:2)
which may void your warranty (on the hardware, not just the OS)
You simply restore to factory OS before taking it in for hardware support.
Because if you jailbreak you have a clue. Remember?
Re: (Score:2)
which may void your warranty (on the hardware, not just the OS)
You simply restore to factory OS before taking it in for hardware support.
Because if you jailbreak you have a clue. Remember?
Could you please explain, for I am obviously clueless on this matter, how one would go about restoring the factory default OS on hardware that isn't currently working and hence needs to be sent in for warranty repair/replacement?
OK so if they just replace the device they'll not notice. But you can't guarantee that will be the case.
Re: (Score:2)
That is the treat of sideloading. And I wouldn't give it up for anything.
So you would doom millions to be raked over the coals by exploits like this, all so you can sideload. Awesome.
Shouldn't the model be more of one where people who cannot manage systems have systems pre-secured for them, and the ones who can handle security can open them?
It's worked well for iOS from a security standpoint.
I believe the point is to have the option. Sure, if you choose to sideload, you risk malware or other bad things, but freedom comes with risk. As long as you have the choice and you are willing and able to take responsibility for your device, there is no reason to be forced to live in a walled garden. However, if you are happy with what the official channel has to offer, good for you. You should stay in the garden. But just because the protected environment is good for most, that doesn't mean we should al
Re: (Score:2)
In the context of the article: It's basically like saying installation of unsigned Windows applications that don't use the Trusted Platform Module should be banned because there are infected versions on warez sites, forums and torrents. But since this is Slashdot, you probably didn't even RTFA.
Re: (Score:2)
So you would doom millions to be raked over the coals by their own mistakes, all so you can have freedom. Awesome.
There, I generalized that for you.
Shouldn't the model be more of one where people who cannot manage systems have systems pre-secured for them, and the ones who can handle security can open them?
You would doom millions who insist they can handle security to be raked over the coals? Awesome.
Serious point here: mistakes and malware will happen no matter what. People who are competent enough to operate outside a walled garden will still make mistakes or not be informed enough, and will fall victim to malware, and walled gardens will be penetrated by malware too.
Re: (Score:2)
Re: (Score:2)
So the Apple store has never had any rogue apps find their way in?
And the Android store, likewise, has never, and will never, approve an app that is a risk?
Security by corporate moderation. I'm not at all comforted by that.
Re: (Score:2)
In my experience the only people who sideload apps are power users - most people will just get their stuff from "Android Market".
Re: (Score:2)
Re: (Score:2)
Shouldn't the model be more of one where people who cannot manage systems have systems pre-secured for them, and the ones who can handle security can open them?
wait, you mean like the "unknown sources" button being unticked by default?
Re: (Score:2)
Or they will just use something else.
Re: (Score:2)
Not idiocy (Score:2)
Or, we could treat the real problem, personal idiocy, and educate people.
Bullshit. It's not idiocy, it's lack of understanding. And the truth is that you cannot educate people on something they have no interest in. Nor should there be a need for education, I don't have to be a structural engineer to drive over a bridge, because I know the people who made it are competent. The same should be true of OS's we use, the makers should have secured that for us as much as possible to the point where normal use
Re: (Score:2)
The same should be true of OS's we use, the makers should have secured that for us as much as possible to the point where normal users do not need any understanding or education to keep the device safe for use.
I would like to add a caveat... If I have an engineer build me a bridge, I expect it to be safe for me to drive over but if I want to poke giant holes in it to let rain through or place a roof over it I should be aware that I may be messing with its structure and accept responsibility for the bridge failing because of my mods.
That's pretty much the way Android works now. My only issue with it is that I have little control over what type of vehicles my gardener drives over it if he shows up in a pickup and
Re:Well (Score:5, Insightful)
In my day, we called that "installing" a program. Sideloading? Really? What has the world come to? DRM-ified nonsense.
Re: (Score:2)
I like my walled garden (Score:1)
Re: (Score:2)
Re: (Score:2)
I see the truth angers the fanbois.
Have fun modding me down, been here long enough my karma won't even notice it.
Um.. so which apps (Score:5, Insightful)
Re: (Score:2)
Or a link in TFA to the original release from "NetQin Mobile".
Seriously, since I don't have the malware on my phone, this information-free story is the real malware, here.
What's the purpose of this? (Score:3)
Is it just to annoy people? What benefit do the authors receive from getting the phone to make random calls or send SMS?
Proof of concept, perhaps?
Re: (Score:2)
Is it just to annoy people? What benefit do the authors receive from getting the phone to make random calls or send SMS?
Proof of concept, perhaps?
Because they can.
Re: (Score:3)
The authors set up their own pay-by-the-minute number (like with phone sex services). They set the rate to the maximum possible amount, which is something ridiculous like $99 per minute.
Re:What's the purpose of this? (Score:5, Insightful)
Re: (Score:2)
Re: (Score:2)
There's loads of places where you see such numbers ... phone sex is "legitimate" in that it is legal, and people can choose to do it. There's also probably lots of more 'mainstream' applications that I'm not thinking of. Generally, it's called "pay per call".
I can't even begin to count
Re: (Score:2)
Re: (Score:2)
That sounds like a ridiculously easy way to get caught. If you wanted to catch the virus author, all you'd need to do is find out who owned the phone number.
Re: (Score:3)
Probably they get the proceeds from these calls/SMS'. Couple shell companies to an anonymous account, and you're making money well.
Re: (Score:2)
To make money.
They own the number being dialed, and above what the phone company charges the extra money all goes to them.
Re: (Score:2)
What benefit do the authors receive from getting the phone to make random calls or send SMS?
What benefit do the authors receive from getting your computer to send random e-mails? It seems like this could be the beginning of botnet-style SMS spam. So far the networks have kept it pretty clean by putting heavy filtering on the internet/SMS gateways. It doesn't make sense to spam SMS if you're paying 5 cents a message to do it. But if you can compromise devices inside that gateway, and use their 5 cents, it's a whole different story.
Apple's Steve Jobs must be smiling... (Score:3)
...though not publicly, about the chaos in Android's ecosystem. Seems that everything he predicted is coming to pass.
Folks, we need sanity on Android. Currently, it's nowhere to be seen. Who can deny that?
Re: (Score:2)
According to Google, it's "working as intended"
We've been reporting all kinds of attacks and Google assumes you'll contact the developer or write a blog post to warn others of suspicious activity and that's as far as they'll let you take it. The report in my sig is just one of many.
Re: (Score:2)
Right, we need to check mental sanity of people that activate the option to install software from outside the market after the phone showed a big warning and they install anything from any place
Re: (Score:2)
The sanity of people using Amazon? (Score:3)
Right, we need to check mental sanity of people that activate the option to install software from outside the market
As they are explicitly told to do by Amazon [amazon.com]?
It's a design feature of the platform that any mainstream alternate application stores must have you disable this block, and then any random link can install something for you. Do you really not expect a significant number of users will be getting things from Amazon given the marketing clout they have?
Re: (Score:2)
No, the sanity of people installing from non-respectable sources. The warning is very informative; if someone still tries to save a few bucks installing applications from unknown sources, that is their problem.
Re: (Score:2)
Okay, you enabled installing software from any source so that you could install the Amazon app-store. So what? You still have to go trawling round dodgy forums looking for this shit, it doesn't just magically appear on your phone or bypass the permission warnings. Or are you one of the people who complains that their machine is infected after they downloaded a crack for Photoshop and clicked "yes" to all the warning messages?
Users are dumb and can be tricked into installing malware. Is anyone surprised? Sho
Re: (Score:2)
You're right that for BaseBridge to infect your Android phone, you would have to actually dig through some shady parts of the internet.
But weren't the DroidDream infections originating from apps on Google's Android Market?
Re: (Score:2)
Re: (Score:2)
There's sanity in Android... There's also insanity, which is installing dubious apps from sketchy sources...
Choice is yours.
Re: (Score:2)
...though not publicly, about the chaos in Android's ecosystem. Seems that everything he predicted is coming to pass.
Folks, we need sanity on Android. Currently, it's nowhere to be seen. Who can deny that?
Yeah, freedom == chaos. Oh, Steve, preserve us from the chaos of having to exercise judgment!
Re: (Score:2)
I think this is the part where we welcome our insectoid walled-garden overlords.
(Reference, [snpp.com] for the Simpsons-challenged among you.)
Re: (Score:2)
I am shocked and appalled (Score:4)
Trojans in software downloaded from sketchy websites? GTFO!
Re: (Score:2)
Chase away the Free Software and this is what you get. The gratis software becomes much less reputable even if it is inside someone's walled garden.
The entire "ecosystem" becomes remarkably more crass and predatory.
Re: (Score:2)
Chase away the Free Software and this is what you get. The gratis software becomes much less reputable even if it is inside someone's walled garden.
The entire "ecosystem" becomes remarkably more crass and predatory.
What are you talking about? It's Apple and Microsoft that chase away Free software, not Google.
Don't experiment if it's mission critical (Score:2)
I love apps on my phone, but along the way, I have to wonder, just how smart is this? My phone is for me, as for many, my primary communications device. I get loading an IM app or an invoicing app or even some Angry Birds. There comes an implicit trust there, I suppose.
I'm cool with tinkering.. that's how our modern marvels came to be. However, tinkering comes with implicit risk. The problem is people tinker and expect the mission critical stuff (like your phone making calls every time you want, and only whe
Digital Signatures (Score:4, Informative)
Re: (Score:2)
Uh, I believe all apks are digitally signed - certainly the ones from the market are. All a signature tells you is that whoever owns the key created the software. The signature in itself doesn't tell you who owns the key, and whether they stuck nasty stuff in their software. A certificate backed by a CA can help tell you who owns the key, but not whether they stuck nasty stuff in their software. If the CA does their job well enough it can make it easier to trace down who stole your money after the fact.
Re: (Score:2)
Yup, and sites running SSL with valid certificates can host malware just fine. You just know who actually infected you with the malware (if the CA did their job well).
Plus ca change, plus ca meme chose (Score:2)
This is ultimately no different from the days of downloading trojan-laden warez from a BBS or pr0n site and getting infected with an autodialer that calls some random long-distance number through the modem.
If you're not willing to be careful about what you're installing, or where you're downloading it from, don't be surprised when your phone racks up random charges without your direct input.
In fact, today is more secure (Score:2)
In fact, today is a more secure era.
Back in the BBS and early internet days, downloading shit off random sites was the only way to install software. You had to choose wisely the place you got your software from. If you /.er wanted to get the latest compiler suite, you had to fetch it from somewhere. If grandma wanted a weather app or a smiley pack, she got it from the interwebs too, and caught a nice trojan while doing it.
Now, systems like Android, WebOS, etc. provide you a nice walled garden of vetted apps. So
Another scheme... (Score:2)
We could require people to develop on a specific platform to make the software easier to analyze, then have digitally signed software sold on a single walled-garden, only allow authorized software to run on the phone, with the phone provider able to take down and turn off any malware app as needed.
Oh yeah, that is called an iPhone!
Re:Glad I stuck with Windows Phone 7 (Score:4)
I know you're being facetious, but ironically in this case you're probably indirectly right. Windows Phone 7 has such a small market share that it's not worth bothering with from a malware author's perspective, while iOS and Linux (Android) are huge targets. Funny how the table's turned.
Re: (Score:2)
Re: (Score:2)
I kept hearing that Linux was immune to malware all these years here, and yet I am seeing a Linux variant in ANDROID showing holes and malware attacks left and right the past few years now.
(Has slashdot's Penguin crowd been lying to us all for all these years now? Seems so.)
Go back to your bridge.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Re:Linux = "Immune to malware" (another /. LIE?) (Score:5, Informative)
Re: (Score:2)
A user with root explicitly installing a program IS NOT A HOLE.
Yes, but a user with root explicitly installing malware is most definitely an A HOLE.
Re: (Score:2, Insightful)
Feeding time...
I take it you use a perfect OS then? Do tell us what it is...
Re: (Score:3)
No one who's had any clue about network and OS security has ever said "Linux is immune to malware." In fact, what us Penguins have said is that it's impossible to stop a truly dedicated admin-level user from shooting himself in the foot if he's determined to do so. However, Linux's security model does a really good job of limiting the scope of the damage done by a user installing malware. Unless you are root (or equivalent) on a Linux box, *your* accou
Re: (Score:3)
The iPhone has similar issues. JB the iPhone, grab pirated apps from unknown/untrusted repos, shovel them via Installous, and there have been some really nasty things reported.
The average user is not going to be sideloading apps, and if told to by a website, he or she should be VERY wary, and be checking search engines about the app mentioned.
Re: (Score:2)
there have been some really nasty things reported.
References? While there's certainly the potential for such abuses, I haven't heard of anything in the wild to date.
Re: (Score:2)
If one visits sites like MacRumors, and looks under the iPhone hacks section, you will find a good amount of people posting about installing apps with Installous from dodgy repos. They have all kinds of problems, from having to DFU restore, to corruption of other apps' data, and so on.
The evidence is anecdotal (someone whining about a spotty JB iPhone that has been heavily modified could be a lot of issues), but slapping on pirated apps from repos that have not been vetted is just asking for an additional paylo
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Re: (Score:3)
well, what's a dubious application?
a 'Make $$$ Fast' app.. probably
but how about something like 'Bubble Boinger'... would you be confident that *didn't* contain malware.. 'cos if you can't be sure, that's pretty much half the apps in the Market off limits to you.
Sure, if you put lots of security walls in place, the user can still be tricked into saying yes. ("restart app to apply update" says one, you say 'yes', oops. Not all malware asks 'install malware' in their popups).
So you still need to fall back on