back to article Security boffins brew devilish Android rootkit

Computer scientists have identified a weakness in the Android mobile operating system that allows users to be tricked into silently installing hidden malware. A research team led by Xuxian Jiang at North Carolina State University discovered that they could redirect a fandroid's touchscreen taps - a technique known as …

COMMENTS

This topic is closed for new posts.
Silver badge

These thingies are called "smart phones" ...

... why, exactly?

They sure don't seem to increase the intelligence of the folks who flock to them. Sheeple, go figure ...

2
25
Anonymous Coward

Re: These thingies are called "smart phones" ...

So if someone had been educated without computers, had a PhD in mathematics and had never used a smartphone, used one for the first time but ran a trojan then you would call them stupid?

This is nothing to do with intelligence, this is all about trust levels and experience of the device you are using. The person who has never used a device before won't know what is a normal prompt and what is a dubious one. If anything, Android's differing GUI front ends make this a little more likely as there isn't one uniform interface.

6
0
Anonymous Coward

Re: These thingies are called "smart phones" ...

If only the same could be said for "Dumb" phones

1
0
Anonymous Coward

Re: These thingies are called "smart phones" ...

@AC - I think Jake's point is that a lot of people go for the shiny-shiny without thinking. They then run the risk of discovering the drawback of not having thought properly about security, and get stung one way or another.

Whereas a smart guy might stop and think about it in the first place, realise that the shiny-shiny is just low grade unimaginative zero-intellect artificial pseudo-cool of the sort that anyone with a few hundred bucks can buy (how un-cool is that?), and choose something else with a better underlying pedigree.

The trick that Samsung and Apple have pulled is to realise that they don't care how cool / uncool their customers actually are just so long as they can fluff their egos for long enough to actually go and buy one. MS are trying the same trick but are inherently uncool (after all there's very little about Steve Ballmer that anyone would find appealing). Whereas RIM are stubbornly sticking to what they do best (security, enterprise, messaging) with a thin veneer of shiny-shiny on top. Admirable, but currently not very profitable.

2
2
Silver badge
Happy

Hey, Xuxian Jiang, Google's on the phone ...

they want to know if you want a job?

1
1
Pirate

Re: Hey, Xuxian Jiang, Google's on the phone ...

If you refuse, we have other methods

1
0
PM.
Big Brother

Was Mr Xuxian's research

by chance sponsored by People's Liberation Army ?

0
6
Silver badge

Re: Was Mr Xuxian's research

Well if it was, I doubt they would broadcast it all over the bloody Internet.

Chinese name != Commie terrorist (although Fox news would have you believe otherwise)

15
1
Silver badge
Black Helicopters

Fundamental Correction added ..... I Kid U Not?

"Now that we’ve identified the problem, we can begin working on ways to protect against attacks like these," he [Xuxian] added.

Now can one begin to invisibly exploit the opportunity, Mr Xuxian.

You know it makes perfect sense. Such is the nature of the beast that feeds the greedy follies of mankind. And IT is a Super MkUltraSensitive Weapon, is IT not, which does not allow fools and their tools at the helm or really active controls, or in the engine bay.

Hence the spooky black helicopter icon, for it is bound to be bug of interest to the likes of a DARPA/IARPA/Station X

2
1
Bronze badge

Wow!

That looks pretty serious.

0
0
FAIL

... which is why...

It's a FAIL to use your smartphone to enter banking details, credit card numbers etc.

Any data which could potentially be used to defraud you - whether via rootkit, or losing your phone (or having it nicked) - should *never* be there in the first place.

Small transactions - sure, fine. Login to an App store, coupla quid, no information about your banking details should ever change hands in these transactions - unless you're signing up - which shouldn't be done on your phone :)

Yes, I'm paranoid - it's *real* easy to lose a phone. It's also *real* easy for people to wijack you, unless you're aware.

5
0
Anonymous Coward

Re: ... which is why...

If the manufacturers were doing a proper job there would be no greater risk in ebanking on a mobile than there is on a PC or a MAC.

The fact that Android has no really effective defences against malware just illustrates how bad an OS it is. Google really made a mess of it. Taking Linux as a starting point should have led to a reasonably secure Android, but somehow all the goodness leaked away. What were they thinking?

I take issue with your dismissal of the entire smartphone genre. For example the security model in Blackberries is well thought out and seemingly well respected. That's why it is/was the phone of choice for corporate users. With its enforced data separation, strict software signing, remote wiping, etc. one could argue that ebanking on a Blackberry is safer than it is on a PC or MAC. WinPhone and iOS have similar pretensions, and may or may not be as successful in this regard as RIM.

0
1
Silver badge
Thumb Down

Re: ... which is why...

there would be no greater risk in ebanking on a mobile than there is on a PC or a MAC.

If that is supposed to reassure people using PCs and Macs for online banking then it shouldn't. They are just as vulnerable to clickjacking as this attack.

100% safe isn't possible with online banking but using hardware encryption like HBCI, which separates authentication entirely from the OS, is reasonable.

0
0
Meh

Am I the only one?

From a quick overlook of the Android API a year or two ago I remember that there was an API that allows you to read whatever is typed on a keyboard.

I was looking into this thinking that sometime I might get time to write my own keyboard.

Did the guy use the API? If so, it does not look like a hack to me...

Another thought - Samsung in its *wisdom* decided that people in US are speaking either American English or Spanish, hence my SGS II on Sprint does not have any other language installed, hence I am using the Go keyboard.

As soon as I installed 3rd party app with access to keyboard - no banking for me.

2
0
Bronze badge

It is rather annoying that Korean keyboards are not on USA-localized phones.

This is a huge hallyu wave opportunity being wasted.

0
0
Thumb Up

wow - a useful rootkit

It got rid of angrybirds wayhay, where do I get it???

0
0
Anonymous Coward

Shudda

used linux.

This is what happens when lusers choose Micro$haft.

Wait.

What?

2
6
Stop

Re: Shudda

Right. Because of a bug in the Android Framework running on top of linux, you are now blaming linux. Makes about as much sense as blaming Microsoft for bugs in Adobe Flash.

1
0
Anonymous Coward

Re: Shudda

Sense of humour failure from the Linux fanbois...

Now I know that Linux is merely a kernel that when packaged up with a bunch of other stuff can become a fairly secure operating system with a lot of good features that is very commonly called 'Linux', but a large majority of the other 6 billion people on the planet don't. Given this unavoidable misattribution of the name one has to consider the damage slack outfits such as Google with their crummy frameworks do to the 'Linux' brand and what can be done about it. Regrettably the answer to that is nothing, unless Linus and chums decide to take the kernel code out of GPL and make it purely proprietary thus enabling them to prevent cowboy outfits such as Google using the damn thing in the first place in their poorly thought out attempts to profit from the hard work that has been put into the kernel source code by the splendid and highly skilled volunteers that are the kernel devs.

Parsed that OK?

1
2
Silver badge
Trollface

Wow

Who'd've thought a thread about a massive security problem on a popular smartphone OS would be so quiet? No Google fanboys willing to put their hands up in support of their favourite company?

0
0
FAIL

Yay

for Microsoft or Apple sponsored FUD..

1
1
Silver badge
Happy

Re: Yay

Ah, there you are! What took you so long? Too busy running round with your fingers in your ears going "la la la, can't hear you!!!"?

1
1