Forgot your password?
typodupeerror
Android Security

'Fee-Deduction' Malware On Android Spotted In the Wild 169

Posted by Soulskill
from the another-day-another-threat dept.
wiredmikey writes "New malware has been discovered embedded in more than 20 Android applications circulating via various forums on the Internet which auto-dials phone numbers to incur high user fees. Dubbed BaseBridge, the malware can be embedded in legitimate applications, and during the application's installation, the malware prompts the user to upgrade. If the user chooses to upgrade, the malware is installed on the Android device under the name 'com.android.battery'. Then, another prompt would pop up to ask the user to restart the app to run it, and the malware is formally activated upon restart. Once activated, the malware can activate three malicious services — AdSmsService, BridgeProvider and PhoneService, to communicate with a control server, from which it will download a configuration file to read related information and dial calls or send out SMS messages, incurring fees for users."
This discussion has been archived. No new comments can be posted.

'Fee-Deduction' Malware On Android Spotted In the Wild

Comments Filter:
  • by JAlexoi (1085785)
    That is the treat of sideloading. And I wouldn't give it up for anything.
    • Rather selfish (Score:2, Interesting)

      by SuperKendall (25149)

      That is the treat of sideloading. And I wouldn't give it up for anything.

      So you would doom millions to be raked over the coals by exploits like this, all so you can sideload. Awesome.

      Shouldn't the model be more of one where people who cannot manage systems have systems pre-secured for them, and the ones who can handle security can open them?

      It's worked well for iOS from a security standpoint.

      • Re:Rather selfish (Score:5, Informative)

        by nbetcher (973062) <nbetcher@gmai l . c om> on Tuesday May 31, 2011 @01:09PM (#36298916)
        Android is secured by default by disallowing the use of Unknown Sources. If you attempt to enable Unknown Sources for applications it will warn you about risking security. In addition you must know what you're doing to install the Unknown Source APK by either: using 'adb install', or downloading the APK to your SD card and use a file manager application to install it. So yes, Android is just as secure as iOS by default.
        • In addition you must know what you're doing to install the Unknown Source APK by either: using 'adb install', or downloading the APK to your SD card and use a file manager application

          That or enter the URL from which the APK can be downloaded, such as through following a link in an e-mail, following a link in the web browser, or scanning a QR code. After that, the device downloads the package over Wi-Fi or cellular, and then the user can choose to install or cancel on the privilege screen. That's how, for example, Amazon Appstore for Android gets installed.

          • by JAlexoi (1085785)
            Yet even then you have to enable Unknown Sources.
          • by h4rr4r (612664)

            Before that you have to enable unknown sources. You can even enable it only when you are going to install something like that amazon app store and then turn it off again.

            Still better than the amazon app store for iOS model, which is of course that there is not one and never will be.

            • by tepples (727027)

              You can even enable it only when you are going to install something like that amazon app store and then turn it off again.

              But doesn't the user have to turn "Unknown sources" back on whenever installing or updating an application in Amazon Appstore?

              • by h4rr4r (612664)

                Indeed.

                What is needed is a way to enable installation of applications signed by $X. Then you just install their pubkey and let those applications be installed without being "Unknown".

                • by sqlrob (173498)

                  So one of the malicious apps installs the key and you're back to square one.

                  • by h4rr4r (612664)

                    No no.
                    The key needs to be installed in a seperate way from apps. Something done only when you want to add new markets to shop from. Sure morons will still do it for pirated apps, but nothing will stop that.

                    • by sqlrob (173498)

                      It needs to be separate from apps, and more importantly, not possible to do from apps.

                      Possibly a physical switch on the phone to enable it, or something along those lines. With massive warnings making it near impossible to do anything while it's possible to install a key.

        • by tlhIngan (30335)

          Android is secured by default by disallowing the use of Unknown Sources. If you attempt to enable Unknown Sources for applications it will warn you about risking security. In addition you must know what you're doing to install the Unknown Source APK by either: using 'adb install', or downloading the APK to your SD card and use a file manager application to install it. So yes, Android is just as secure as iOS by default.

          If you want those free Amazon apps, you have Unknown Sources allowed, so there's that pro

          • Yeah, it's the same thing that happens now on jailbroken iPhones with hackulo.us. They host a repo for iPhone warez, and you take a pretty huge risk by installing any of it--though if you're just some kid, what do you care?

        • Android is secured by default by disallowing the use of Unknown Sources. If you attempt to enable Unknown Sources for applications it will warn you about risking security. In addition you must know what you're doing to install the Unknown Source APK by either: using 'adb install', or downloading the APK to your SD card and use a file manager application to install it. So yes, Android is just as secure as iOS by default.

          By your logic, Windows is also as secure as iOS by default.

      • Re:Rather selfish (Score:5, Insightful)

        by WhirlwindMonk (1975382) on Tuesday May 31, 2011 @01:14PM (#36298992)
        If only there were a setting to allow sideloading. One that's disabled by default to protect unsavvy users, but is easily enabled by people who know what they're doing/willing to accept the risks. Oh, hey, look! There it is! "Unknown Sources: Allow installation of non-market applications."

        Good to know that the iphone has a similar setting, that was a good move on Apple's part. Oh, wait, it doesn't? You have to exploit security holes to enable sideloading? Huh. How about that.
      • by h4rr4r (612664)

        Shouldn't the model be more of one where people who cannot manage systems have systems pre-secured for them, and the ones who can handle security can open them?

        It's worked well for iOS from a security standpoint.

        Where is this "Open mode, I am not a moron" button for the iOS devices?

        As far as I can tell no one gets open access, everyone is assumed to be a moron.

      • by ArcherB (796902)

        That is the treat of sideloading. And I wouldn't give it up for anything.

        So you would doom millions to be raked over the coals by exploits like this, all so you can sideload. Awesome.

        Shouldn't the model be more of one where people who cannot manage systems have systems pre-secured for them, and the ones who can handle security can open them?

        It's worked well for iOS from a security standpoint.

        I believe the point is to have the option. Sure, if you choose to sideload, you risk malware or other bad things, but freedom comes with risk. As long as you have the choice and you are willing and able to take responsibility for your device, there is no reason to forced to live in a walled garden. However, if you are happy with what the official channel has to offer, good for you. You should stay in the garden. But just because the protected environment is good for most, that doesn't mean we should al

      • by JAlexoi (1085785)
        Doom? Aren't you exaggerating the issue?
        In the context of the article: It's basically like saying installation of unsigned Windows applications that don't use the Trusted Platform Module should be banned because there are infected versions on warez sites, forums and torrents. But since this is Slashdot, you probably didn't even RTFA.
      • So you would doom millions to be raked over the coals by their own mistakes, all so you can have freedom. Awesome.

        There, I generalized that for you.

        Shouldn't the model be more of one where people who cannot manage systems have systems pre-secured for them, and the ones who can handle security can open them?

        You would doom millions who insist they can handle security to be raked over the coals? Awesome.

        Serious point here: mistakes and malware will happen no matter what. People who are competent enough to operate outside a walled garden will still make mistakes or not be informed enough, and will fall victim to malware, and walled gardens will be penetrated by malware too.

      • by Spykk (823586)
        I suppose that you are ready to give up your right to install software on your own PC for the good of the public, then?
      • by rickb928 (945187)

        So the Apple store has never had any rogue apps find their way in?

        And the Android store, likewise, has never, and will never, approve an app that is a risk?

        Security by corporate moderation. I'm not at all comforted by that.

      • In my experience the only people who sideload apps are power users - most people will just get their stuff from "Android Market".

      • by Kitkoan (1719118)
        This problem requires you to allow installing 3rd party programs, something you have to choose to allow. If you choose to remove a security feature and try things that is your choice. Its the same the first smartphone virus [interrupt19.com] being on the iOS. Like this though, it required the user to disable a security feature to be able to effect you. Its not a security fault of the system, its a security fault of the user.
      • by dudpixel (1429789)

        Shouldn't the model be more of one where people who cannot manage systems have systems pre-secured for them, and the ones who can handle security can open them?

        wait, you mean like the "unknown sources" button being unticked by default?

    • Re:Well (Score:5, Insightful)

      by cHiphead (17854) on Tuesday May 31, 2011 @02:48PM (#36300172)

      In my day, we called that "installing" a program. Sideloading? Really? What has the world come to? DRM-ified nonsense.

  • Say what you will about Apple's "walled garden", but I'm kinda happy I'm inside it. That's not to say that iOS is not exploitable because it most certainly is, but it's much less likely something I purchase off the app store will contain malware like this.
  • Um.. so which apps (Score:5, Insightful)

    by bigredradio (631970) on Tuesday May 31, 2011 @01:00PM (#36298770) Homepage Journal
    It would be nice to see a list of the Apps. If there are "over 20" the list is probably not too large to post.
    • by blair1q (305137)

      Or a link in TFA to the original release from "NetQin Mobile".

      Seriously, since I don't have the malware on my phone, this information-free story is the real malware, here.

  • by yuna49 (905461) on Tuesday May 31, 2011 @01:01PM (#36298798)

    Is it just to annoy people? What benefit do the authors receive from getting the phone to make random calls or send SMS?

    Proof of concept, perhaps?

    • by thebra (707939)

      Is it just to annoy people? What benefit do the authors receive from getting the phone to make random calls or send SMS?

      Proof of concept, perhaps?

      Because they can.

    • by stoanhart (876182)

      The author's set up their own pay-by-the-minute number (like with phone sex services). They set the rate to the maximum possible amount, which is something ridiculous like $99 per minute.

      • by TheRaven64 (641858) on Tuesday May 31, 2011 @01:33PM (#36299290) Journal
        Not always. The best ones set up quite a low rate and don't make the malware call it more than once or twice. If someone gets a 50 charge on their telephone bill, then they are unlikely to query it. If they do, then the phone company will probably just give them a refund and eat the cost - they probably charge more than 50 for the call to their support line anyway. 50 doesn't sound like much, but if you get a couple of million infections then that's a huge amount of money. Ideally, they'll register a few hundred premium rate numbers and have the malware dial a random one.
      • Telephone companies allow people to set up their own pay-by-the-minute number and willingly give their customers' money to that? Is there a legitimate use for setting up one's own number like that which I'm not thinking of? I'm assuming the phone company gets a cut of the money regardless of whether it's abusive and illegal, and so things like this aren't blocked on their side of things.
        • by gstoddart (321705)

          Telephone companies allow people to set up their own pay-by-the-minute number and willingly give their customers' money to that? Is there a legitimate use for setting up one's own number like that which I'm not thinking of?

          There's loads of places where you see such numbers ... phone sex is "legitimate" in that it is legal, and people can choose to do it. There's also probably lots of more 'mainstream' applications that I'm not thinking of. Generally, it's called "pay per call".

          I can't even begin to count

        • by w_dragon (1802458)
          Here in NA any number that starts with 1-900 is a pay-by-minute type. While the adult industry is the most well-known for them they can also be used by anyone where you're going to be charged by the minute for talking to them anyway (lawyers spring to mind).
      • That sounds like a ridiculously easy way to get caught. If you wanted to catch the virus author, all you'd need to do way find out who owned the phone number.

    • Probably they get the proceeds from these calls/SMS'. Couple shell companies to an anonymous account, and you're making money well.

    • by OS24Ever (245667) *

      To make money.

      They own the number being dialed, and above what the phone company charges the extra money all goes to them.

    • What benefit do the authors receive from getting the phone to make random calls or send SMS?

      What benefit to the authors recieve from getting your computer to send random e-mails? It seems like this could be the beginning of botNet style SMS spam. So far the networks have kept it pretty clean by putting heavy filtering on the internet/SMS gateways. It doesn't make sense to spam SMS if you're paying 5 cents a message to do it. But if you can compromise devices inside that gateway, and use their 5 cents, it's a whole different story.

  • by bogaboga (793279) on Tuesday May 31, 2011 @01:06PM (#36298874)

    ...though not publicly, about the chaos in Android's ecosystem. Seems that everything he predicted is coming to pass.

    Folks, we need sanity on Android. Currently, it's nowhere to be seen. Who can deny that?

    • by nschubach (922175)

      According to Google, it's "working as intended"

      We've been reporting all kinds of attacks and Google assumes you'll contact the developer or write a blog post to warn others of suspicious activity and that's as far as they'll let you take it. The report is my sig is just one of many.

    • by robmv (855035)

      Right, we need to check mental sanity of people that activate the option to install software from outside the market after the phone showed a big warning and they install anything from any place

      • Where are my mod points when I need them. The article also for some strange reason doesn't mention that if you don't allow installation from unknown sources that this malware won't be able to install. Interesting how they leave that out.
      • Right, we need to check mental sanity of people that activate the option to install software from outside the market

        As they are explicitly told to do by Amazon [amazon.com]?

        It's a design feature of the platform than any mainstream alternate application stores must have you disable this block, and then any random link can install something for you. Do you really not expect a significant number of users will be getting things from Amazon given the marketing clout they have?

        • by robmv (855035)

          No the sanity of people installing from non respectable sources, the warning is very informative, if someone still try to save a few bucks installing applications from unknown sources, that is their problem

        • by AmiMoJo (196126)

          Okay, you enabled installing software from any source so that you could install the Amazon app-store. So what? You still have to go trawling round dodgy forums looking for this shit, it doesn't just magically appear on your phone or bypass the permission warnings. Or are you one of the people who complains that their machine is infected after they downloaded a crack for Photoshop and clicked "yes" to all the warning messages?

          Users are dumb and can be tricked into installing malware. Is anyone surprised? Sho

          • You're right that for BaseBridge to infect your Android phone, you would have to actually dig through some shady parts of the internet.
            But wasn't the DroidDream infections originating from apps on Google's Android Market?

    • by JAlexoi (1085785)
      Are all pirated iOS apps free of malware also? Or are you too lazy to even read the summary?
    • by Abreu (173023)

      There's sanity in Android... There's also insanity, which is installing dubious apps from sketchy sources...

      Choice is yours.

    • by Jonner (189691)

      ...though not publicly, about the chaos in Android's ecosystem. Seems that everything he predicted is coming to pass.

      Folks, we need sanity on Android. Currently, it's nowhere to be seen. Who can deny that?

      Yeah, freedom == chaos. Oh, Steve, preserve us from the chaos of having to exercise judgment!

      • by idontgno (624372)
        Yeah, I can picture the ants floating around in freefall:

        Freedom! Horrible, horrible freedom!

        I think this is the part where we welcome our insectoid walled-garden overlords.

        (Reference, [snpp.com] for the Simpsons-challenged among you.)

        • by idontgno (624372)
          Actually, that was a terrible reference. This [snpp.com] is a more specific and appropriate one. Or maybe another attempt to make you click one of my links. MWAHAHAHA!
  • by 0xdeadbeef (28836) on Tuesday May 31, 2011 @01:10PM (#36298930) Homepage Journal

    Trojans in software downloaded from sketchy websites? GTFO!

    • by jedidiah (1196)

      Chase away the Free Software and this is what you get. The gratis software becomes much less reputable even if it is inside someone's walled garden.

      The entire "ecosystem" becomes remarkably more crass and predatory.

      • by Jonner (189691)

        Chase away the Free Software and this is what you get. The gratis software becomes much less reputable even if it is inside someone's walled garden.

        The entire "ecosystem" becomes remarkably more crass and predatory.

        What are you talking about? It's Apple and Microsoft that chase away Free software, not Google.

  • I love apps on my phone, but along the way, I have to wonder, just how smart is this? My phone is for me, as for many, my primary communications device. I get loading an IM app or an invoicing app or even some Angry Birds. There comes an implicit trust there, I suppose.

    I'm cool with tinkering.. that's how our modern marvels came to be. However, tinkering comes with implicit risk. The problem is people tinker and expect the mission critical stuff (like your phone making calls everytime you want, and only whe

  • Digital Signatures (Score:4, Informative)

    by DaMattster (977781) on Tuesday May 31, 2011 @03:21PM (#36300502)
    I am not sure 100% that this is the answer but I think it is high time that we use digital signatures to verify the authenticity of the code. In the open source community this is done all of the time with utilities like GNUPG. Just simply use the author's public key to verify the authenticity of the code. If there is a discrepancy, then there should be a provision to discard the downloaded app. That should, at least, put a severe curb on wrapping malware in legitimate applications.
    • by Rich0 (548339)

      Uh, I believe all apks are digitally signed - certainly the ones from the market are. All a signature tells you is that whoever owns the key created the software. The signature in itself doesn't tell you own owns the key, and whether they stuck nasty stuff in their software. A certificate backed by a CA can help tell you who owns the key, but not whether they stuck nasty stuff in their software. If the CA does their job well enough it can make it easier to trace down who stole your money after the fact.

  • This is ultimately no different from the days of downloading trojan-laden warez from a BBS or pr0n site and getting infected with an autodialer that calls some random long-distance number through the modem.

    If you're not willing to be careful about what you're installing, or where you're downloading it from, don't be surprised when your phone racks up random charges without your direct input.

    • In fact, today is a more secure era.

      Back in the BBS and early internet days, download shit of random sites was the only way to install software. You had to choose wisely the place you got your software from. If you /.er wanted to get the latest compiler suite, you had to fetch it from somewhere. If grandma wanted a weather app or a smiley pack, she got it from the interwebs too, and caught a nice trojan while doing it.

      Now, systems like Android, WebOS, etc. provide you a nice walled garden of vetted apps. So

  • We could require people to develop on a specific platform to make the software easier to analyze, then have digitally signed software sold on a single walled-garden, only allow authorized software to run on the phone, with the phone provider able to take down and turn off any malware app as needed.

    Oh yeah, that is called an iPhone!

Recursion is the root of computation since it trades description for time.

Working...