Feeds

back to article Android glitch allows hackers to bug phone calls

Computer scientists have discovered a weakness in smartphones running Google's Android operating system that allows attackers to secretly record phone conversations, monitor geographic location data, and access other sensitive resources without permission. Handsets sold by HTC, Samsung, Motorola, and Google contain code that …

COMMENTS

This topic is closed for new posts.

how do they record it on android?

I'd like to know how do they record phone conversations on Android, I tried and could't find a way to code it. A lot of architects, lawyers... have to record phone conversations because they can be contractual but as far as I know an android app can't tap an actual conversation.

If someone knows how to do this please tell me.

0
0

@ IkerDeEchaniz

... which is the main reason why I use a Nokia Symbian phone. There's numerous software to automatically record calls (even when talking with a bluetooh headset). The manual even explains how to do it using the inbuild recorder app (which involves way too much user interaction to be usefull but it does work too).

Funny thing is that many dumbphones from Sony-Ericsson and Nokia can do it too (simply assign one o/t shortcut-options to the recorder and up you go) while most of these super duper dual core suposedly 'smart-'phones can't.

Anyway perhaps this 'hack' is the solution to your need.

0
5
Anonymous Coward

Well they're being as vaige as ever with stuff like this, but I presume by record phone calls, they mean the local microphone only, i.e. only your side of the phone call.

0
0
Silver badge

It's in the Documentation, look up "android.media.MediaRecorder".

I found this from a quick google search which should take care of it for you ...

http://www.benmccann.com/dev-blog/android-audio-recording-tutorial/

and of course, the android documentation.

http://developer.android.com/guide/topics/media/index.html

[/rtfm]

0
0
Ru

I've been told that there's at least one decent call recording app for android; "dsoft callrecorder", apparently. I've not tried it myself, mind you.

0
0
Silver badge

@Miek

I believe he has RTFM'ed. Did you RTFOP? The issue isn't recording audio from the microphone, that's a piece of piss as your links show.

The problem is recording telephone *conversations*. It's very easy to get the audio feed from the Microphone (as per usual), but getting the other side of the conversation is damn tricky.

In some situations the microphone will pick up the audio coming from the ear piece and echoing through the phone internals, but this is not ideal, and subject to the designs of the handset and background noise. It's also completely useless the moment an ear piece is used.

Without a way to tap directly into both sides of the audio, a call recorder as the OP described is not possible.

1
0

This post has been deleted by a moderator

Thumb Down

iPhone anyone?

Nah, I had one, it kept destroying itself every time I updated it, most unusable turd ever.

1
4
Anonymous Coward

This bug doesn't tip the scales enough for me to want to enter that ecosystem.

Thanks for the suggestion though. :P

0
1
Anonymous Coward

there are more options

So is this going to be a daily update what's the latest Android vulnerabiliy? Windows phone for me. Best of both (or all) worlds.

0
0
Silver badge
Big Brother

Given the choice between freedom with risks and apparent safety with such restrictions as imposed by, for instance, apple, I think I prefer the freedom.

But google is not perfect...

13
3

I agree

but, and favour Android, but there is always that little moment of tension as you install a random APK, review what it says it can access and... well I never quite trust it'll be 100% accurate.

I guess the advantage of the Apple App store is that somebody has genuinely checked it for me..

3
1
Bronze badge
Big Brother

Ah for the good old days ...

... when Microsoft had undocumented API's to stifle competition from "their" developers.

Same thing, wasn't it ?

Google and Apple need the ethically bankrupt as much as the ethically bankrupt need them. How Libertarian of them.

0
8
Anonymous Coward

This has nothing to do with undocumented APIs.

3
0
Anonymous Coward

Given the choice of being spied on 24/7 by Google and having to trust them not to sell every piece of information they have to anyone and everyone. I'll judge them by the past actions and avoid them.

1
2

A title is optional

"Given the choice between freedom with risks and apparent safety with such restrictions as imposed by, for instance, apple, I think I prefer the freedom."

What freedom?

Seriously. What freedom? The freedom that Android users always talk about seems pretty illusory to me.

I opted not to get one of the new iPhones, trading in my iPhone instead for an HTC Sensation with Froyo. Different jailer, same jail--the only difference is that the walls around Android's garden are largely invisible.

Yes, it's true there's no single central authority telling developers what apps they can and can't publish. Instead, there are several--the telcos. They're not (necessarily) as strict as Apple, but make no mistake about it--they can and do control what runs on your phone.

And even what you're allowed to do with it. Remember when HTC announced they'd released tools to root their formerly bootlocked phones? There's a caveat...if the telcos permit it. Mine doesn't. There is currently no way for me to root my Sensation, because the telco I'm with forbids it. (There was, briefly, a version of Easy Fre3vo's temporary root that worked with my phone. HTC released a patch that blocked it.)

Look, I like my Android phone. From a hardware perspective, I think my Sensation is actually demonstrably superior in many respects to the iPhone 4s one of my friends just got. But seriously? Android users need to quit drinking the Kool-Aid. Android is designed to put power in the hands of the customer--but the customer is the telco, not you. You can find plenty of Android apps that feature the sorts of jiggling body bits you won't find on an iPhone, but if you seriously believe that nobody controls your phone, you're deluded. If your phone is totally open, it's not because Android is inherently open--it's because your particular handset maker and telco have chosen to allow it to be.

Sorry to be a bizzkill.

8
1

Reply AC 09:36

> being spied on 24/7 by Google

These vulnerabilities are brought in by the manufacurer software layers on top of Android so it isn't Google doing the spying.

In fact it isn't *anyone* doing any actual spying in all likelihood but it isn't Google creating the possibility.

2
0
Black Helicopters

USA?

You must be in America as UK telcos either have no power over what we do on our phones or they just don't enforce.

Sure, if you get an Orange branded phone it will have some Orange branded software pre-installed (and probably unremovable), but buy an unbranded phone and you're good to go.

Even from digging through my gf's Orange San Fran, they only bunged some marketing rubbish on it; Vodafone used to try some awful stuff with their 360 abomination (pre-Android), but they've largely given up with that; and my friends O2 Android only had a light theme applied.

From all of the comments similar to yours, I have to assume it's different with telcos in the USA.

In the UK we have laws that allow us to unlock phones from carriers (they can only charge an admin cost) or bring a phone to an existing one.

Apart from fair-use policies (normally around tethering), I've never seen a telco here bother about what people do with their contract.

1
0
Silver badge

I said "But google is not perfect". Did you miss that? The inability to appreciate understatement is a woeful lack. I choose android nt because it *is* the idea, but because it's a step closer. For me it's actually a leap backwards compared to my previous phone (n900, which still works but was starting to fall apart) and I would have got the N9 if I could have afforded it, but I can't. I make do.

At least there's the option to replace th stock firmware with something more free. That's another step in the right direction.

By and large I have the abiity to do what I want with my phone with relatively little fuss. Without even having to go through the palaver of rooting I have an sshd, web server and numerous other applications that you can't get on the iphone without jailbreaking. I can take the risk of instaling apps from elsewhere. I can do a great deal of tinkering.

Google is not perfect. Android is closer to the ideal.

Given the choice between no freedom and allegedly illusory freedom that is, nevertheless, closer to the ideal, I still choose the latter.

2
0
Ru
Trollface

"the telcos"

You're obviously in the wrong part of the world. I use my own mobile devices rather than a network provided one; the upfront cost is higher but the long term cost is significantly reduced. It carries no operator branding, I've root access and I can switch network and change the OS version freely.

I can understand that if you live under a corporate oppression the freedom offered by Android is a little hollow, but out here in the free world we don't have that sort of issue.

0
0
Silver badge

@Audrey S. Thakery

Clearly you haven't analysed the Google terms and conditions and privacy statements. Read them (very carefully mind - being careful to untangle all the deliberate misdirection) and you will realise Google reserve the right to read all the material you post via their servers. Mail, Google Docs, everything. Google docs is specifically designed to ensure your documents remain open to Google (they resisted allowing PDF storage as long as they could because PDF's can be encrypted and so locked from prying eye's). You see their whole business model depends on targeted advertising, which means it is predicated on finding as much out about you as they can. They are categorically not in the business of protecting your privacy and only pay privacy issues sufficient lip service as they judge will keep a lid on user outrage.

0
0
Devil

Thankfully I use Cyanogenmod. There are so many Android-related issues like this that I don't even have to think about, assuming my trust in them isn't misplaced (hasn't yet proven to be!).

6
0
Anonymous Coward

TrustNo1

You need to watch more X-Files!

Trust is a terrible thing to waste and should be reserved for those who've proved they're worthy of it, young Grasshopper!

0
0
Silver badge

Nexus?

If this is due to the crap which "manufactures add to enhance the stock firmware" then how are the Nexus phones leaking anything, given that they're supposed to be stock Android?

1
0
Anonymous Coward

From a quick glance of the paper this attack seems to exploit any app that has the necessary privilege.

My guess is even stock Android has to have at least some of these priviledged apps, but the more you have the greater the risk.

0
0

Actually it appears to be that there are applications installed on these phones that expose an unprotected public interface for doing things that are usually protected by the permissions system. For instance rather than getting permission to make a call, a malicious application could just broadcast a particular message (for which it doesn't need permission) and the rogue application picks up the message and makes the call.

The Nexus rogue application doesn't actually sound too serious. Apparently a malicious app can uninstall the com.svox.langpick.installer application! Which sounds like it stops you installing voices for the speech synthesiser.

1
0
Anonymous Coward

Indeed that seems to be true, on the Nexus phones it's a minor issue. On the HTCs however it's a bloody nightmare, those phones grant just about everything bad privacy-wise.

The Samsung "just" lets it rogue app make calls, while the Motorola allows the present GPS location to be obtained.

1
0
Anonymous Coward

Hmm, but their Nexus S was running 2.3.3 {February '11}, since when there has been a slew of fixes - the current OTA firmware is 2.3.6. The Moto's and HTC they tested were also still running Froyo or earlier, not current releases.

0
0
Anonymous Coward

@AC 9:35

Not entirely correct: the HTC Wildfire S used was running Gingerbread 2.3.2 and had the same issues with camera, location and audio access.

As for Froyo, the Android Market dashboard still shows 40% of the users were using it in the past 14 days...

0
0
Stop

Wait, isn't that the Intent

Hang on,

I'l admit I didn't even read the paper, but from your summary it seems like this exploit is done using the Intent system which allows applications to ask other applications to handle a task for them. This is by design and the whole purpose of the Intent interface.

While I see that this, if no permission is required, is a security issue the flexibly you get from a system that can do this, for me, outweighs the risk. If anyone is that concerned it is fairly trivial to decompile applications to see what they are up to,

0
0
Boffin

Yes, some of this is exploited using Intents that apps have exposed and it is a powerful mechanism but as the paper says it's not tightly controlled on some of the applications. If an application is exposing a function that requires permission, the application (or ideally Android itself) should check that the requester has sufficient authority. It's the equivalent of locking your front door but leaving your windows open.

And your statement that "If anyone is that concerned it is fairly trivial to decompile applications to see what they are up to" is quite frankly ridiculous. Are you seriously suggesting that the average Android user would be able to decompile and understand what an application is doing?

1
0

Shut up and buy phones every year. Don't worry about these little things.

5
1
Anonymous Coward

Surely you mean every six months?

1
0
Silver badge

Surely it's worth kicking up a fuss so that these things will be fixed by next year? It's just an unfortunate family of software bugs so it's not like there's anybody arguing the opposite case, we just need to make manufacturers aware that we care.

0
0
Anonymous Coward

Oh noes...call Lord Leveson now!

Someone is listening to hours and hours and hours of my 'Hi Honey I'm on the train messages.

I feel violated that someone other than the dozens of people also in the carriage also in earshot can hear my private communications.

The humanity!

Who do I sue and where can I pick up my hundred million quid?

1
5
Silver badge

It's not the content, it's the presumption. They have no right to assume they can record my blathering innanities to my wife. The "it's in public" defence doesn't work - there is no logic in assuming that all phone calls take place in a public space.

1
0
Anonymous Coward

Nothing to see here

Another day, another Android exploit.

2
4
Anonymous Coward

Dispite security concerns, I still prefer open to DEAD SHUT. I'll download what I want, not what I'm allowed, like a small child! (Hmm, seems apt)

1
0
Anonymous Coward

and that includes

Malware

Android is open to a point, but it's also open to abuse from Malware and carrier spyware.

What ever you do, don't bank online using your phone

0
0
Anonymous Coward

Amen brother!

All I ask is that you don't ask to be allowed to connect any of your tech kit to my networks!

0
0

But...

Presumably in order to install this rogue app you have to enable "allow installation of non-market sources"? Upon doing so you get a suitable warning regarding this, so is this really such a big deal?

2
1
Anonymous Coward

No

Rogue apps can be easily added to the official Android market, there's no actual checking by Google, only when a problem is reported.

1
1
Boffin

A what call?

I was very surprised to hear that some people actually use smart phones for making actual phone calls.

0
0

This post has been deleted by its author

Anonymous Coward

Hilarious

The difference in the general tone of posts responding to this article vs posts responding to any given article about an iOS flaw is amazing. Apple-mocking is so deeply ingrained in the average Reg commentard that if it's an Apple story all you get is pages upon pages of vacuous cackling. Come the serious Android security flaw, though, and the first poster wants to know if he can write an app to do what's done in the exploit, and someone tells him maybe the exploit is his answer. Love it.

0
0
Silver badge
Big Brother

Why bother?

Write you malware, have it ask.

MOST USERS WILL LET IT DO WHATEVER IT WANTS ANYWAY.

Seriously, people are stupid. Time and time again, we see people clicking to let apps do whatever they want on there computer. They don't read the message, they just click.

0
0
This topic is closed for new posts.