The first text message-based Trojan to infect smartphones running Google's Android operating system has been detected in the wild. Trojan-SMS.AndroidOS.FakePlayer-A poses as a harmless media player application and has already infected a number of mobile devices, Russian security firm Kaspersky Lab warns. Prospective marks are …
What I dont understand....
..... is how this can be possible?
Presumably the scammers have to have a legitimate account with my network provider to enable them to bill. How do they get this? Why are the networks giving money to these people. Do I just have to ask for some money?
Shouldnt this be the easiest scam in the world to stop?
Or am I missing something?
Nope, they don't need an account with your network provider. They likely get service from some dodgy little telco (there are many hundreds), which in turn has a relationship with an aggregator like Mblox, which in turn has a link to your network.
The money follows that chain in the reverse direction, and everyone in the chain gets a slice, so they have little incentive to prevent or detect scamming quickly.
It *should* be easy to stop, since the numbers are easily associated to telcos. But the regulator is not swift to act. Variants of this scam have been going on for years; when people used modems to connect to the Internet, malware would change your dial-up number to a premium-rate one.
At least with a landline, you can ask for all premium-rate numbers to be blocked.
Scammer's "Hello World"
10 Set up premium dial/SMS account using spoofed credentials
20 Release trojan
30 Withdraw funds as often as you can until account is shut down
40 When Feds go looking, the trail goes dead when they find the fake ID/cloned card you used to open the account
50 Goto 10
Have yourself a good few of these running at any one time and be able to move fast enough and it is a reliable business model for the technically adept light-of-finger, which seem like half of China/Russia nowadays.
It's possible because
a) Users are not examining the security info when they install an app
b) Android's security model is great except it doesn't account for a) and offers no second chances
Android really needs to implement something like UAC so that even if someone inadvertantly installs a malicious app, the phone will ask for permission before performing certain actions like dialling a number, sending a message etc. This could be tweaked per app and the default policy should be strict.
I also think Google are not policing marketplace as much as they could. There is too much review spam there to suggest that anyone cares. This is not acceptable. I also believe that google could also be performing security audits on apps which ask for suspicious kinds of permissions (e.g. to send texts) based on their intended purpose.
mobile carriers need to stop profiting from malware
I currently have premium SMS blocked on my giffgaff account but the block has to be on SMS+International calls. Not one or the other, it has to be both. Even where carriers allow premium SMS blocking it's obvious they really don't want you doing it.
The whole mobile industry is corrupt to the core, they've not seen a scam they don't like, there's a slice of the action for them whatever happens. Or seen any need to protect customers.
Second and third chance
"b) Android's security model is great except it doesn't account for a) and offers no second chances"
On a standard Android headset installing APKs directly is disabled and the user will be prompted when they try. That will take them into the Settings application where they must tick a box, followed by another prompt warning of the dangers.
After all that, you'd then have to start the install again, where you will get the permissions that the application is requesting.
If all of that doesn't trigger the question "why does a media player need to send SMSs?" then they need and are about to get a swift lesson in security.
The user installs an app that sends SMS messages to premium rate numbers - that's all. As far as the network provider can see, there's no difference between an App sent SMS and one you've manually sent yourself.
The only person to blame is the end user. What the story doesn't make clear is that this trojan is only available from dodgy means - e.g. people downloading from "Paid apps for free!" websites or torrents, then ignoring the "This app needs permissions to send SMS messages, that could cost you money" warning that pops up when they install it.
RE: It's possible because
You seem to have missed that this app is not downloadable on the Market. It has been downloaded from some nefarious site.
Also, Android already has the UAC type window. When you install an app you are briefed on exaclty what it can do.
When you take that a step further and then require permission everytime an app is launched/does something, you just break the app. Who the hell wants to download an alternative SMS/Dialer app when it's going to prompt you for permissions everytime it does something. If you don't like what it's going to do, don't install it!
I haven't missed the point
1. It would be trivial to upload a malicious app to Google marketplace. Its as simple as signing an APK and uploading it. The fact that one trojan wasn't is completely irrelevant.
2. A single dialog prompt is not an adequate defence and it doesn't account for apps misusing or abusing permissions. A user has no way of distinguishing between an app that genuinely needs to be dial numbers (e.g. an address book) from one which also dial a premium number in Cameroon in the middle of the night.
By default Android should put a dialog in between an application and an action that could cost a user money. But by default the security should be enough to protect users until they know better. If the user wishes to trust the app, then they could do so from the dialog itself (e.g. there is a button or setting accessible from the prompt which the user can loosen the policy or they can do it from the regular app settngs).
At the moment the security is inadequate and more of these stories will keep coming until it is addressed in a meaningful way. That's not to say Android should go anywhere close to the Apple route of vetting apps, but it needs more safeguards.
Had this a few years ago - when a lost phone managed to rack up enormous bills to a very well known "hot country".
The providers response ? Tough .... even though the most fundamental fraud protection measures would have prevented it.
Ultimately though. Don't get so drunk you lose your phone and don't notice for several hours.
and don't buy a phone from orange !
As in the old story of crying "Wolf"! Windows popped (pops?) up so many warnings that really were/are not necessary and many others with wording so convoluted that OK meant cancel and Cancel meant OK, that folks got numb trying to understand what was being presented to them They simply clicked on whatever they got that looked like it would take them to where they wanted to be. Now, much to their dismay, even when presented with a clearly worded and genuine warning they ignore it.
Implementing something like UAC where it prompts the user every single time the app wants to do something considered "above and beyond" like dialing, SMS, or using data will prove just as ineffective as UAC on Windows.
If you repeatedly throw up dialogs asking a user if they *really* want to do this, the user is just going to become trained to spam the OK button to get that distraction out of the way. Yes, they *should* be thinking to themselves about, "Why does this application require admin privileges?" or, more relevant to this story, "Why does this media player need to send SMS?" but humans are creatures of habit. They'll just keep hitting that OK button because until they get to what they wanted.
Tangentially related, how often have you ever read an entire EULA? Even the ones that force you to "read" them, don't you just scroll right to the bottom and hit Accept? What if that EULA gave away the rights to your first born child (obvious legal restrictions preventing this notwithstanding)?
"1. It would be trivial to upload a malicious app to Google marketplace. Its as simple as signing an APK and uploading it. The fact that one trojan wasn't is completely irrelevant."
And paying the $25 Market registration fee after each account gets banned by Google. That is going to get expensive, and quickly.
"And paying the $25 Market registration fee after each account gets banned by Google. That is going to get expensive, and quickly."
As if a criminal will care about that. They'll pay the $25 on a prepaid card, or a stolen credit card. They'll make 100x that from suckers running their app before it gets taken down.
"or using data will prove just as ineffective as UAC on Windows."
Except it is effective on Windows. Vista took a lot of heat for UAC but there is no denying that it forced applications to become good citizens by not requesting permissions (e.g. read/write access to parts of the registry) unless they strictly needed them. It served its purpose which is why prompts are relatively rare these days.
Secondly a UAC like mechanism forces user intervention. If an app decides to send SMS messages then you will get a prompt up. If you didn't initiate this SMS sending, it should serve as a massive clue to the user that something is up. At the moment the app could send 10 messages to a £3 premium service overnight while someone was asleep and they would be none the wiser.
Thirdly, I have already said how people could disable the prompts. Each app could be governed by a security policy - trusted, untrusted etc. If they get fed up of the prompts or wish to trust the app, the UI could make it simple to flip the security policy.
The point being that a secure by default policy, plus the prompts when apps do naughty things will serve to make apps better citizens and provide a measure of defence which is sorely lacking at present.
Or Google could leave it the way things are and receive a constant flow of stories about malicious apps on Android.
Don't you need to set your preferences to allow install from non-trusted sources or something like that? I'm pretty sure that's quite a few menu levels down so won't be something most users tick,.
I would have thought without that it wouldn't install. Might be wrong though.
no you are not wrong
as per title, you have to enable it in a system menu
Wondering that also....
Link at Kapersky Labs seems to be down.....
Has someone actually figured out a way to bypass the installer permissions?
What's the SMS angle - from the description it just sounds like a link is included in the message - or is it using some sort of SMS exploit or attachment to bypass permissions and force the installation?
Is the entire story bollocks?
The Android has multiple levels of protection to stop this from happening. You have to enable third party sources to allow this app to install and also the screen when installing shows what actions the app will do. Such as accessing the internet. So if a meadiaplayer shows as having the ability to send SMS, you would have to be stupid to allow it to install.
The stupid people will always find ways of being stupid
Step 1 - Find a suitable app for what you want
Step 2 - read reviews
Step 3 - Look at permissions requested
Step 4 - Accept or Reject
Step 5 - install or flag it for someone to look into
It's not exactly rocket science
Obviously social networking apps need access to lots of permissions, but some apps are asking for everything available just to offer a calculator or some other crap
You can't fix stupid. This isn't a vulnerability of Android as much as it is social hack on the end users to get them to install the program. Now if the trojan installed ALL BY ITSELF just by clicking on a link and didn't let the user know that it was installing, THEN I would say Android has a problem, but until that happens this is not so much news as it is a press-release by Kaspersky to tell the world that they are working on a security product for Android and to scare up some interest in it.
Nothing to see here... move along.... move along.
Stupid people ignoring the warning
The problem is, the people getting infected are stupid because they ignore the protection in place just to install anyway.
These people will then have money stolen from them if the rogue app sends messages out.
So all in all, this is hitting stupid people in their stupid pocket, hardly news at all.
I wonder how common?
I nearly downloaded a Tetris clone the other week before wondering why it needed permission to send text messages.
Trouble is, the warnings after you click 'Install' are not the sort of thing people will often read.
Its not that subtle
The way android tells you what security features each app will use before you install it means that, frankly, this is a user stupidity problem. Subtly recording info and posting it over the network is hard to notice from a rogue app, but a media player that sends out premium rate sms? The warnings are on the install screen and are in red writing.
Police Warning for Householders
The police are warning that if you let a strangers into your house (who may or may not be wearing masks, striped jumpers and carry bags marked 'swag'), they may well steal your stuff.
Google won't tolerate spyware on Android
After all, spyware is *their* job.
"Google won't tolerate spyware on Android After all, spyware is *their* job."
It's ok, this isn't the App Store, competing products are allowed.
The First of Firsts
Not only the first time a Android virus was publicized, the agency making the report, Kaspersky, OFFERS NO mobile client to scan viruses for Android.
Yeaaah. Fat load of good that your anti-virus program can detect the signature if you can't access anything more than the phone's SD Card (when the SMS is in protected internal memory.) Sure, it gets rid of the SMS messages from non-Android devices, but c'mon.
"Not only the first time a Android virus was publicized, the agency making the report, Kaspersky, OFFERS NO mobile client to scan viruses for Android."
Unless a "virus" comes out that actually takes advantage of an exploit, i.e. not one that works through user stupidity, the only "AV" you need is a list of package names of dodgy apps (Android apps use the Java package name to uniquely identify.)
Look at the installed app list once a day, prompt/uninstall any that match. Simples.
Everything by it's name.
So, you're basically saying you don't believe this to be a virus. The rest of the reply was unnecessary condescension. (There, there child. Linux is safe.)
It's not about belief
It's not a virus, it's a social networking trojan and that's that.
"So, you're basically saying you don't believe this to be a virus."
Exactly, it qualifies as a trojan, in that it pretends to be something that it is not, but ultimately, it's just an application that functions like any other application and requests permissions like any other application.
"The rest of the reply was unnecessary condescension. (There, there child. Linux is safe.)"
Actually, that was unnecessary condescension. At no point did I say Linux is safe. If this had taken advantage of a bug in Android that allowed it to gain root privileges, self-replicate, or send SMSs without first asking the user for permission then it would qualify as a virus. It does non of these.
when will techies learn that tech savvy users are not the same as general consumers.
Android is a great product, but you have to have a walled garden like the iphone for average joe/josephine
surely the desktop OS history has taught us that? although, come to think of it, the only thing techies learn is how to repeat "My view is the correct one, everyone should do as I say"
and yes, i do appreciate the irony of giving my view here that knocks others views... ;-)
That's why Mac computers, on which you can install software from any source, are always filled with viruses, trojans, spyware and the like
that's just because it's not worth the time and effort to infect both of them
When you're a Jet, you're a Jet all the way...
Of course. Techies use words like high school jocks use fists. Amassing people who agree with you when you're right online, that there is the modern-day West Side Story.
"Android is a great product, but you have to have a walled garden"
Absolutely agree. That's why Android, by default, does not allow you to install apps from unknown sources.
ok, i'll agree with you on that one, but what if Google put one tenth of the effort that Apple put into vetting all the apps.
They dont need to be as paranoid as apple , stopping browsers or such, but just preliminary checks that items dont contain malicious code.
then normal norman on the street will feel a bit more confident and these stories will be few
You obviously know nothing about Macs. Name me one virus for OS X. You can't. The only trojans reported are from pirated software, which infects thieves, and there are only a couple of those. As far as malware, what sort of malware are you talking about?
Trojans need to be manually installed
Having developed for Android I know that non-app-store .APK files can only be installed by first tapping the "Unknown Sources" checkbox in "Application Settings" and then agreeing to the following prompt:
"Your phone and personal data are more vulnerable to attack by applications from unknown sources. You agree that you are solely responsible for any damage to your phone or loss of data that may result from using these applications."
If you really really dumb....
.... You'll be infected. Bascially, click here for a virus or a bit of software you don't want, plus untick the trusted sources button - you deserve to be infected if you do all of that.
I agree with @It wasnt me if the networks are aware of the scam, and lots of customers start going to the premium - simply block that number.
doesn't matter how stupid the users are...
... if the platform designers are stupid enough not to take account of it.
God almightly, we've been down the "are you sure you want to do this? It's unsafe...." route a million times, and still nobody has learned. Android'll end up riddled with malware unless they close app access to code vetted apps from the app store only.
The ability to install APKs from untrusted sources is the reason this malware exists. Ergo, get rid of that feature NOW.
"The ability to install APKs from untrusted sources is the reason this malware exists. Ergo, get rid of that feature NOW."
The ability to drive a motor vehicle in excess of 30 MPH is the reason for countless numbers of deaths every year. Ergo, we should remove that feature from motor vehicles NOW.
The problem with designing systems to protect people from their own stupidity is that nature is smarter than we are. She'll simply create more and bigger idiots, until the systems themselves are designed by the stupid, to protect the stupid from the stupid.
There is another school of thought which holds that this has already happened.
Put on your crash helmets, kids, we're about to reach a speed of 3!
The only way they'll do that is if phone manufacturers get enough litigation to carry it out. The the "open phone" platform won't be so open anymore.
If the system has to ask if you're sure you want to dial a phone number in your phone book that was manually entered by you (an untrusted source) and not confirmed by a secure update from Google's Address file that matches SMS transmitted messages or Latitude shared data, maybe we're going too far.
More informative than the snippet I caught on the radio this morning,
where the BBC journo claimed to have built his mobile malware with no knowledge of mobile programming. That he was assisted by an "application security firm" leads me to believe that writing a virus for mobiles is not quite as simple as he would make out.
Maybe he was using AppInventor
No programming required:
I don't know if it lets you hook a button to send an SMS but I suppose its possible.
Shame it has not launched yet !
It's in beta
I.e. you request an invite, and they let people in, in dribs and drabs.
Hey Android dudes! I've got the fix right here
Refine the Android security model a wee bit more and this problem would go away.
All they need to is add another layer of user permission to application security, so that the user could explicitly block all third-party apps from certain phone functions, e.g. SMS sending.
Even after allowing installations from non-trusted sources, if the phone is setup to block one of the required functions then the program will not install and daddy Android would let the user know why.
If you then later wanted to install an app that you did want to send SMS then you would need to add it to a app whitelist *before* it would even install.
Networks could even ship phones with the most risky functions blocked as default, much as they currently do with international roaming or adult web content at the SIM level.
Surely this would keep the even the hardest of thinking, who let's face it are usually the ones bitten by such junk, a lot safer?
Simpsons did it!
Block Non-Market Applications already covers that method. Just turn it on.
And on Android, service providers can explicitly lock out features on their devices before shipping them. Like Sprint in the US, if they disallow tethering, the Dial Up Networking button will be greyed out like it is on my Hero (they want you to buy a separate data card since that's capped at 5GB and your phone is unlimited phone-based data.)
- Product round-up Ten excellent FREE PC apps to brighten your Windows
- Analysis Pity the poor Windows developer: The tools for desktop development are in disarray
- Chromecast video on UK, Euro TVs hertz so badly it makes us judder – but Google 'won't fix'
- Analysis BlackBerry's turnaround relies on a secret weapon: Its own network
- Hire and hold IT staff in 2015: The Reg's how-to guide