New Android Trojan Fakes Device Shut Down, Spies On Users
An anonymous reader writes: A new Android Trojan that tricks users into believing they have shut their device down while it continues working, and is able to silently make calls, send messages, take photos and perform many other tasks, has been discovered and analyzed by AVG researchers. They dubbed it, and AVG's security solutions detect it as PowerOffHijack.
not-a-bug; wont-fix (Score:5, Funny)
Re: (Score:3)
Re: (Score:1)
Re:not-a-bug; wont-fix (Score:4, Insightful)
This sounds much more like something the Chinese government would do
It sounds more like something an anti-virus company like AVG would make up to get publicity and boost sales. If this was something real, they should name the app (they don't) and/or describe a plausible mechanism. An Android app can detect a hard power down (so that it can save data or whatever) but it cannot stop or delay it. So the only way it could work is to trick the user into releasing the power button too early.
Re: (Score:2)
exactly. this little detail ...
That's because the malware, after having previously obtained root access
the app has to have root to work. how did it get root? my guess is that it's an app that masquerades as an app that requires root, and it fools the user into granting root privs to the app. if that's what happened, the users deserve their fate.
Re: (Score:2)
Re: (Score:2)
The Android permissions system is broken. When you see the list of permissions an app claims it needs, you don't know what it's going to do with those permissions. You're expecting people to look over a list and figure out whether everything looks reasonable for any use of the permissions in that app in an unknown context. I can't look at such a list and be confident with it, and I know a lot more about this stuff than most people.
I much prefer the iOS system, which asks permission for specific action
Re: (Score:2)
i'm assuming there is no vulnerability. that'd be the real story. if there's a root vulnerability, you can do almost anything. you don't need to fool the user, you just sit in the background and download all of their pictures and data and scan memory for credit cards and passwords ... and so on.
Re: (Score:2)
I keep a set of cheap amplified speakers on my desk. It's the kind with a tattletale buzz when a cell phone is too close. It's hard to be stealthy in a field full of bushes full of bells.
Re: (Score:1)
Re: (Score:1)
Is it an Ad for AVG?
The other Ad, chances of catching this approaches 0 if you don't screw the security on your device up?
Re: (Score:3)
Re: (Score:2)
or if it's embedded in a stupid game app on the Google Play store.
Re: (Score:3)
Re: (Score:3, Insightful)
yes actually, but the NSA has been caught doing the last few times in a row, it's not ignorant to make that assumption.
With a track history like the NSA's, it's not even an assumption. It's more like a statistical certainty.
Re: (Score:2)
There is no better reason then to stiff up your lip, and write backdoors for no one. The best practice for dealing with the NSA just happens to be best practice for dealing with the GCHQ, Russian FSB, and whatever the Chinese, French, or any other nation state has.
1. blow the whistle on everything. Don't ever spy exclusively for any powerful institution.
2. don't write backdoors for anyone
3. don't weaken crypto for anyon
This is why..... (Score:5, Insightful)
If you really need privacy, you pull the phone battery....and if you might need privacy, you don't buy a phone that can't have its battery pulled.
Not really any solutions, as long as people are walking around with what amount to wireless microphones in their pockets this will always be a potential problem.
Re:This is why..... (Score:5, Insightful)
Re: (Score:2)
Re: (Score:1)
Re: (Score:3)
In theory I agree, in practice, this requirement is imposed by the intersection of the other stated requirement "privacy" and the necessary capabilities of the device known as a "smart phone".
You can't really have a device that does what a smart phone does and isn't a privacy risk without some sort of hard power disconnect.
You could, otoh, leave the phone in another room, or lock it inside a soundproof box. There are many solutions but none of them involve "hit the soft off switch and put it in your pocket
Re:This is why..... (Score:4, Insightful)
I think you hit on the solution: A hard power switch.
And better yet, also add: A hard microphone switch and a physical shutter for the cameras. I wouldn't mind having a hard radio switch and/or GPS switch too.
No software can work around that when you need real privacy.
Re: (Score:1)
The article wasn't very clear, but most phones have a hard shutdown that works almost the same as a battery pull if you hold the power button for 10-20 seconds that would most likely bypass anything like this virus.
Still inconvenient and untrustworthy. I really wish physical buttons that physically disconnect parts of devices would make a comeback. I would love to be able to flip a switch and know for certain that my camera/microphone were off, or to disconnect power rather than opening my phone and pulli
Re: (Score:1)
Components with moving parts cost money. This is why having a touchscreen quickly leads to having only a touchscreen.
Not disagreeing with you, BTW. If you want to form a club for the preservation of actual controls you can feel (along the lines of CAMRA) sign me up as member 2.
Re: (Score:2)
The problem with a Big Red Button on a phone is that it will be pushed by accident. My desktop sits there, with the front panel controls out of easy reach, and the cats don't try to get too friendly with it, so a BRB is just fine. My phone sits in my pocket all day, and I touch various parts of it as I pull it out, use it, drop it and try to catch it, take something else out of that pocket, whatever. I don't want to have my phone turn off when I don't want it to. I don't want to be able to touch someth
Re: (Score:3)
Re: (Score:2)
Re:This is why..... (Score:5, Funny)
They could have an untrustworthy mobile hidden in an orifice. Best don the latex and do a thorough cavity search!
Re: (Score:2)
Re: (Score:2)
I have friends on the other side of the planet. I can be loud if I want to but I doubt I could shout hard enough for them to hear me.
Re: (Score:2)
Androids tend to have removable batteries. iPhones don't.
Androids have this malware. iPhones don't.
Re: (Score:2)
Android devices that have not been rooted do not have this malware. You can't catch it just by turning on "Unknown sources".
Re: (Score:2)
I thought "unknown sources" was enough to allow third party app stores (assuming that it hasn't actually reached Google Play yet), from reading this [digitaltrends.com]. Am I mistaken?
Re: (Score:2)
You are not mistaken.
However, this virus apparently and logically also needs root access. Unknown sources does not grant it that. Rooting your phone does.
It needs both to work.
Re: (Score:2)
This is one of the things that pisses me off about droids as well. I bought the fucking hardware, it's my phone. If I break it, I buy a new one. So why don't I have access to the root account. I don't want to run everything as root, but I shouldn't need an exploit to get it and run apps that need it.
And maybe, if they designed with that access in mind, and didn't make people use exploits to get root access....maybe if they stopped treating it like hardware I was borrowing instead of buying we could have mechan
Re: (Score:2)
I actually agree with some of the sentiment of the manufacturers. Most users can't handle root so you shouldn't give it to them. Manufacturers can't just work with nerds who can handle it. Ordinary users will mess things up and complain to the manufacturer about it.
However it should be a setting like "unknown sources" where those that choose it can activate it. At their own risk of course.
Re: (Score:1)
If you really need privacy, you pull the phone battery....and if you might need privacy, you don't buy a phone that can't have its battery pulled.
Not really any solutions, as long as people are walking around with what amount to wireless microphones in their pockets this will always be a potential problem.
Or at the very least, don't run any apps outside of the designated ecosystem that at least have provisions to theoretically mitigate malware like this. It's really the equivalent of downloading random installers from torrent links on the pirate bay, and then going "oh shit windows is so insecure!" when you get hacked and your banking passwords get stolen.
Re: (Score:2)
It's probably in apps that are either copies of or otherwise masquerading as good ones. Listing them would just serve to hurt the makers of the actual real apps while not accomplishing much as the malware peddlers would just quickly adapt by copying someone else's app. It's better just to inform the marketplaces to pull the offenders and publish articles like this to remind people to be careful of what they install in general.
Re:Don't be silly (Score:5, Insightful)
I think it's fair to say that it takes a user to install it first, linux has pretty much always had trustworthy repositories, Google not so much.
I love some of the things you can add to chrome but there seems to be little to no security checking of what an app or extension does. That does worry me.
Re: (Score:2)
WTF? (Score:4, Funny)
Why is it so damned easy for malware to get root access, and so damned annoying for me to get it?
And, quite honestly, by how annoying and intrusive AVG was becoming when I got away from it ... do we have another source which confirms this?
I'm just not sure I trust them to be quite honest.
Re: (Score:2)
Re: (Score:3)
Look, if I want to build my fucking phone in a kit ... well, actually, I don't want to build my phone in a kit, which is my damned point.
So first I need to find an exploit for my phone, hope it works, hope it has no chance of bricking my phone (which no matter what anybody says is non-zero), then I need to download a ROM, then I need to recreate all the functionality I need, and then I need to hope it works. Then I need to do who knows what to keep it running.
Sorry, but no.
I've looked into rooting both my
Re: (Score:2)
It all comes to your choice in phones and if they have a locked boot loader (or an unlockable one) or not. Phones without one like Nexus devices, Google Play Editions, or my personal favorite the Moto X Developer Edition are simple to root and don't even require ROMing. My Verizon Moto X Dev has even stayed rooted through 3 Over The Air updates without having to do anything special.
Re: (Score:2)
Re: (Score:2)
I've looked into rooting both my phone, and my tablet ... and both of them sound like they're a lot more nuisance than it's worth.
having a custom ROM and rooting are orthogonal. i have a Nexus 10 that's rooted but's running the stock firmware and continues to get OTA updates. that being said, you are mostly right about running a custom ROM. the result is a loss of an hour of your life and a device that's almost always less stable.
Re:WTF? (Score:5, Informative)
There is nothing to see here. The malware doesn't get root. It's just a normal app that simulates shutdown, like those lame joke apps we used to write back in the day that mimic the DOS format command output or Netware login screen. The user has to be simultaneously knowledgeable enough to enable app installation from sources other than Play and extremely dumb to install an app requiring so many permissions and from a dubious source.
The malware doesn't do anything a normal app can't. No exploits, it just makes the screen completely black and starts sending text messages (which the user gave it permission to do), while hoping you don't press the home key and discover the ruse.
Re: (Score:3)
Why is it so damned easy for malware to get root access, and so damned annoying for me to get it?
In this case, the phone must already be rooted, and the user must be willing to grant root permission to the application. In other words, this is essentially a surveillance app for your spouse/girlfriend/boyfriend/children, where you must have physical access to their device for you to be able to install the trojan.
After all, why else would the AVG vendor not give us the name of the app?? And why else does the AVG vendor vaguely say that the app "applies for the root permission" when it goes down to the ab
Re: (Score:2)
I'd say that Avast is best among the free Windows options and that the free version is specifically a better product than the paid one. One of the paid modules is god-awful for system performance. I only install the Virus and Web Shields and the Browser Cleanup and Rescue Disk options. The rest is just fluff and my local mail gateway will check emails anyway.
Microsoft Security Essentials on Windows 7 is more of an antimalware tool than functional antivirus and testing has shown it to be progressively less ef
Re: (Score:2)
I think the MVPS.org hosts file is a good idea for everyone on every device, but anyone using Windows 8+ should know that if the Windows Defender Service is enabled (and I've seen system updates re-enable it), Windows 8 will ignore the content of your hosts file.
My standard protection list is: Adblock+ with Easylist, Malware Domains and Fanboy's Annoyances subs (I also use Warning removal and turn off unobtrusive ads) for every browser on every user account. I actually impregnate the default user account on
Re: (Score:2)
I'm more likely to use Spybot's, on systems that support it. That's mostly out of laziness. It's actually possible to do both. Spybot will append its list to whatever is already present, but functionally they're close enough that I don't bother.
Re: (Score:3)
The only AV products I've found which actually do anything are SpywareBlaster and Malwarebytes, because MB actually blocks by IPs, and SpywareBlaster doesn't actively run, but sets kill bits and blocklists in browsers.
However, with an adblocking browser extension, Web based malware should never hit your system in the first place, and with click to play functionality, should not have a chance of being activated... and with a VM or sandbox, even if the browser does get compromised, it won't get past that.
As f
Re: (Score:2)
MBAM does have an AV module in its paid product, but I think you're not making a distinction between anti-malware and anti-virus applications. The two things are distinct and primarily differentiated by whether or not the software in question tries to spread itself to other files or computers. I agree that anti-malware is much more important because it is much more commonplace, and in my experience there is no single tool that is actually worthwhile for both types of protection, but Windows machines do need
Son don't try Aptoid (Score:2)
You may save a few bucks using pirated software but you'd better stay with the original Play store even if it costs you some dollars to register your app and at least you make a developer happy for his job
Re: (Score:2)
Some Android devices don't have licensed access to the Play Store, including anything that runs FireOS and tits-knows how many generic devices that somehow manage to get random retail distribution. You can tell people "Don't buy those things." but what do you say to the people who already own them?
In some cases (e.g. Firefox), an APK will be available from the developer, but because of the way Android works, there's every possibility that even a random developer's packaging (e.g. Pushbullet) will rely on Go
Re: (Score:2)
F-Droid doesn't have free apps, and a lot of developers of apps on Play Store appear unwilling to put their apps on Amazon.
Re: (Score:2)
You can get about 85% functionality from loading four specific APKs to get some Google apps on a FireOS device. You can also root it and load the full suite at the cost of your warranty. But some apps sourced from the Play store use Google components that won't work without Google licensing even if they themselves are not products of Google.
Many Android devs simply don't publish their apps on Amazon. I'm not a mobile dev, so I don't know why that's a problem, but it is.
You can tell people not to use third p
Not new (Score:3)
Re: (Score:2)
Of course that's been counted by the fact they won't let you pull the friggin battery anymore.
My favorite old-school phone hack (Score:2)
At about the peak of analog phones, most would have a dumb message on the screen, usually the maker's name or the carrier name. You could often change this message but almost nobody did, but the displays were so primitive that informational messages usually appeared in the same place and type, like "NO SERVICE".
The fun thing to do was to change the message from "Airtouch Cellular" to "NO SERVICE" and enjoy the hilarity when people picked up their phone and wondered why it wasn't working.
Yes, most phones sho
HijackOff (Score:2)
Re: (Score:2)
OffJacker or OffJack.
It needs Root to work (Score:1)
As the article states it needs Root to do it.
And it does not say how you get it.
So it's some code that needs root access to mess with your phone.
So you properly just need to root your phone. And install an app that you have downloaded from some suspected webpage.
So is it a Trojan or just a feature from a rogue app/programmer?
Do not root your phone if you do not have any idea what you are doing and installing apps from every that you find.
That will work ... (Score:2)
FUD anyone? (Score:3)
That's because the malware, after having previously obtained root access
how did it get root? either the device was rooted and the user granted the app root privs (duh!), or they've discovered a hack to gain root on non-rooted devices. if it was the latter, we'd be hearing a lot more about it, and faking a phone shutdown is the least of our concerns.
3rd party app markets (Score:2)
These things always happen to people who are using 3rd party app stores, besides f-droid (which only has open source Android apps), what could the possible reason be to use 3rd party app stores? what apps are on there that you can't find on the play store?