BUSTED! Secret app on millions of phones logs key taps

An Android app developer has published what he says is conclusive proof that millions of smartphones are secretly monitoring the key presses, geographic locations, and received messages of their users. In a YouTube video posted on Monday, Trevor Eckhart showed how software from a Silicon Valley company known as Carrier IQ …

COMMENTS

Trollface

because

I think my smartphone has Carrier IQ on it.

1
0
Silver badge

See, the problem there is in your perception... where you say "my PC". It's not your PC, it belongs to your employer, and if you're using it for unauthorized (i.e. personal) purposes, the company has no obligation to ensure your personal data is safe.

0
0
Boffin

This is pretty standard set-up for a proxy server

After all, if HTTPS traffic were to be just allowed to pass untouched, that would be a pretty big hole in the purpose of a web proxy, would it not?

0
0
Bronze badge
Big Brother

All ur data is privates now

My Sprint Galaxy SII 4G pretends to let you kill the application but 'top' shows that it's still running. Nice trick. Maybe I'll have a chat with Sprint.

2
0
WTF?

WTF?

Come on Reg, this is not proof and the guy is clearly lacking some chops here. Yes it's doing some analysis but at no point is he confirming what/what isn't sent back. He's just blathering on and on about syslog output which means very little - someone's stuck a debug call in a keypress handler, that says nothing about the metrics they gather.

The Siri hack was how this sort of thing should be done (knobble it via proxy and dump content), this proves nothing but is just a load of half-baked arm waving. There isn't even a tcpdump in case the stats submission is unencrypted...

He also refers to this as a rootkit which it categorically isn't.

5
13
Anonymous Coward

@xargle

No idea why someone has downvoted you as I completely agree with your comments. At no point in the video does he show the data being transmitted anywhere off the phone. Some posted above asked who is paying for the data transmission - the answer being, until proved otherwise, no-one because no data is being transmitted.

And as to his ludicrous question as to how come it's recording "data over HTTPS", he obviously has absolutely no clue as to what HTTPS is and what it encrypts (hint: this is logging keystrokes, not data transmissions).

There are significant concerns about this app, the fact that it's installed, running, hidden, and hard to disable, but those concerns really ought to be raised by someone more qualified than this guy.

3
2
Thumb Down

read the article...

"Some posted above asked who is paying for the data transmission - the answer being, until proved otherwise, no-one because no data is being transmitted."

Err... read the quote from Mr Coward:

“Our technology is not real time,” he said at the time. "It's not constantly reporting back. It's gathering information up and is usually transmitted in small doses.”

I'd say that means data IS being transmitted. Small doses, but, definitely transmitted.

2
1
Vic
Silver badge

> hint: this is logging keystrokes, not data transmissions

No, you missed a bit.

Whilst it *is* logging keystrokes, it's *also* logging net activity - it captures the entire URL from his browser GET, despite that being a HTTPS GET (very naughty).

Then, if I understood correctly[1], it proceeds to make a cleartext transmission to the CarrierIQ server including the whole URL from above (which could very easily contain data that is supposed to be encrypted).

Vic.

[1] I might have this slightly wrong; I was making the tea at the time. I'll go have another look in a bit - once I can summon up the courage to face another 17 mins of that drawl...

0
0
Vic
Silver badge

> it proceeds to make a cleartext transmission to the CarrierIQ server

This bit isn't clear, actually.

It occurs approx 15:40 into the video. We see the URL being sent to the CarrierIQ application. We don't actually see it being transmitted to CarrierIQ servers.

The voice-over is a little misleading at that point, which might explain why I read into it a little more than is there.

So what we're left with is a spyware app which logs all URLs (including HTTPS) and might or might not do anything with that data...

Vic.

0
0
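An added illustration of the point made in the two comments above (not code from the video, the article or Carrier IQ): TLS hides an HTTPS URL's path and query from the network, but a component that is handed the URL on the device sees all of it, so any diagnostic log has to scrub it. The sample URL, function names and the `REDACTED` marker are constructed for this example.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Constructed sample: an HTTPS GET whose URL carries secrets.
SAMPLE_URL = ("https://user:hunter2@www.example.test/login"
              "?account=12345678&pin=4321&lang=en#step2")


def wire_visible(url):
    """Parts of the URL itself a passive network observer can learn from an
    HTTPS request: host (DNS/SNI) and port. Path and query travel inside TLS."""
    parts = urlsplit(url)
    return {"host": parts.hostname, "port": parts.port or 443}


def on_device_hook_sees(url):
    """What a component given the URL before encryption sees: everything."""
    parts = urlsplit(url)
    return {
        "host": parts.hostname,
        "userinfo": parts.username and f"{parts.username}:{parts.password}",
        "path": parts.path,
        "query": dict(parse_qsl(parts.query, keep_blank_values=True)),
        "fragment": parts.fragment,
    }


def scrub_for_log(url, keep_params=frozenset()):
    """Reduce a URL to a form suitable for a diagnostic log: drop userinfo
    and fragment, and redact every query value not explicitly allow-listed.
    The path is kept; a stricter policy would drop it as well."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if ":" in host:                      # IPv6 literal needs its brackets back
        host = f"[{host}]"
    if parts.port:
        host = f"{host}:{parts.port}"
    query = urlencode([
        (key, value if key in keep_params else "REDACTED")
        for key, value in parse_qsl(parts.query, keep_blank_values=True)
    ])
    return urlunsplit((parts.scheme, host, parts.path, query, ""))


if __name__ == "__main__":
    print("on the wire :", wire_visible(SAMPLE_URL))
    print("on device   :", on_device_hook_sees(SAMPLE_URL))
    print("safe to log :", scrub_for_log(SAMPLE_URL, keep_params={"lang"}))
```
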

This post has been deleted by its author

It's more a root&branchkit

see title

0
0
Unhappy

HTC really do want to steal your data don't they!

http://www.androidpolice.com/2011/10/01/massive-security-vulnerability-in-htc-android-devices-evo-3d-4g-thunderbolt-others-exposes-phone-numbers-gps-sms-emails-addresses-much-more/

No wonder my Desire kept overheating. It was all the bloody key loggers hard at work :-(

0
0
Vic
Silver badge

> HTC really do want to steal your data don't they!

Actually it appears to be Sprint doing the data pilfering.

HTC are "merely" an accomplice.

Vic.

0
0

Interesting

I'd like to see the data being sent off. Right now we're only seeing local logging, I didn't spot any of the data actually being sent off to anyone.

2
2
Anonymous Coward

Read the article again

Carrier IQ says it gets transmitted. Why would they admit it if it wasn't?

3
0
Holmes

Rooted at birth

This broke a couple of weeks ago, seems it's installed on a number of devices from varying manufacturers

http://www.xda-developers.com/android/the-rootkit-of-all-evil-ciq/

1
0

Slow

I was about to post the same link. Seems El Reg has been a bit slow on the up-take with this one (it all started around Nov 14)

1
0
Anonymous Coward

El Reg has been a bit slow on the up-take with this one

True, but it's Apple's fault really.

If Apple was involved El Reg would have jumped to an article the moment a post about it appeared on some message board somewhere.

4
0
Silver badge

@Probing...

You can't have it both ways you know... El Reg goes into iPhone rumour meltdown for a month before every new phone launch, gets rather tiresome to be honest. Multiple iPhone stories a day isn't uncommon.

If you feed the rumour mill for free product promotion, you can't complain if the wheels keep spinning when your product does something daft.

0
0
WTF?

from their own marketing materials...

...here's what CarrierIQ says about what their software does:

- "Zero-delay" data capture.

- View application and device feature usage, such as camera, music, messaging, browser and TV

- "Task" phones dynamically over the air

Also, from screenshots in these materials, you can see that this data is available to their customers on a per-device level (IMEI displayed in software) and includes details such as date, time and duration of voice calls, IP sessions and SMS messages.

All without the user knowing a thing about it, and having no opt-out.

Nice.

6
0
Anonymous Coward

Is my HTC infected?

I've got a HTC device on Vodafone's network. I'm thinking of moving to O2 anyway as the Vodafone network seems to have no coverage compared to my work phone on O2's network.

Anyway, I've now got to pick a new phone - is the iPhone safe from this virus? Is O2's network safe?

I certainly don't want a HTC anymore. Someone said Samsung have the same virus - Is this true?

Thank you.

1
8
Silver badge
Facepalm

@AC

Your post pretty much highlights the problem with this sort of reporting.

Many people will be a bit confused, and probably will go out and do pretty meaningless things like go and buy an iPhone "because android phones have a virus!!!".

So several answers;

1) It appears to be US-only. US carriers paid CarrierIT so they could include CarrierIT's spyware software in their phone ROM builds, supposedly to help debug customer problems.

1a) Therefore no UK networks, including O2 and Vodafone, are currently suspected.

2) It isn't in standard Android ROM builds, nor in standard manufacturer ROM builds by HTC, Samsung, LG or whoever.

3) The iPhone runs iOS which is jealously guarded by Apple (i.e. no operator variants are allowed) so it's very unlikely to have CarrierIT's spyware.

4) Blackberries and some other phones may have it though.

5) Generally I wouldn't worry too much. CarrierIT is toast, and I suspect that any plans to do anything similar now will be similarly scuppered. Buy what phone you like.

10
0
Anonymous Coward

UK not suspected? Really?

"Carrier IQ is headquartered in Mountain View, California with additional offices in Chicago, Boston, London (UK) and Kuala Lumpur (Malaysia)."

What is their London office doing then? Twiddling their thumbs?

1
0

Not sure...

...if trolling, or just stupid

http://knowyourmeme.com/photos/131351-futurama-fry-not-sure-if-x

0
2

Confirmed your assertion on HTC Desire (Germany)

This phone was purchased in Germany, and I went through it. It seems clear so it looks very much like what you are saying: this is a carrier provided custom build. Which would make sense as the vector.

I will look up CarrierIT.

0
1
Silver badge
Terminator

Gobsmacked

Now how do we get rid of the bank account data pilfering bug fucker?

One more thing. The VP of Marketing is a Coward? No matter, he's got a gob I'd like to smack.

2
0
Anonymous Coward

Careful now!

Dear Reporter, Be very careful to understand before you publish.

What you are looking at here is NOT a "log" or a record of transmissions but actually a debug print of hooks, that COULD but are NOT (yet) proven to be logged or transmitted. What this does show is that the information is being fed into the CIQ software but not that it is being used in any way, shape or form. This means the app has unfettered access to snoop; whether or not it is snooping is another question.

It's all very Phorm-like, I'm sure we will see more on this.

7
5
FAIL

Err ..

.. Mr Coward confirmed in his statement that this *IS* transferring all these data: he merely denied that this was done in 'real time' but is done in 'small doses' - i.e. batches. I'm guessing because it can't guarantee a data connection all the time.

At least they have all those bank account details so they can fund their legal defence ..

BTW - how can you tell whether your phone is running this, given that it "[bypasses] typical operating-system functions"?

1
3
Anonymous Coward

In denial much?

Even Carrier IQ admits the information gets transmitted back:

“Our technology is not real time,” he said at the time. "It's not constantly reporting back. It's gathering information up and is usually transmitted in small doses.”

1
0

no

The quote doesn't confirm it sends back all the data it has gathered. We need precise info, not media bytes.

0
1

Do not worry. I am sure some software maker will install the same stuff as 'System Service' soon to ensure it goes unnoticed. Carrier IQ was just being upfront about the name of the software. And look what they got ;)

0
0
Go

Ought to be top story?

IF this is true, almost no other story on the Register matters.

It would mean a huge number of the mobile devices in the US have been utterly hopelessly compromised by malware (if they weren't already).

If so... Quibbling over SSL certificate forgery is pointless. And worrying about password security doesn't matter any more. Mobile device security (which was already questionable) has been comprehensively subverted, that's how bad it is.

It deserves to be top story. And yet, I suspect it will get no MSM coverage at all.

3
0
Silver badge
Childcatcher

Sounds like someone discovered debugging code

Oh noes, my computer has SNMP instrumentation, THEY ARE SPIYAN - PANIC ATTACK (but don't forget to bump this Flatter button first!)

Seriously though, how about some data? If this were "active" in more ways than calling the tracing and debugging functionality, ceaselessly dumping stuff over the airnet (unencrypted? what?) I imagine _someone_ would have noticed.

2
2
Black Helicopters

Exactly why I tossed out my android phone and went back to an old blackberry. Blackberrys may be out of flavour, but to me they're the most trustworthy smart phone available.

0
1
Silver badge

You... do know this software is on Blackberries too?

And likely a few other types of phone.

2
0
Silver badge

Transmission not shown

Thank you - I was going to say just that.

I can see the value of a debugging application that had a copy of all keystrokes before they were given to the foreground application. The real question is what happens with that data?

* Everything uploaded to somewhere occasionally. That would be very bad. Get all my ''secret data'' e.g. passwords, bank account info, etc.

* If an application crashes and I am asked if I want to submit debug data. Kind of OK if 'no' really means NO except that it would also send secret data and most people would not think of saying no if they have entered secret data into the crashed app. Also: will it send just keystrokes for the failed app or everything that it has?

* Data thrown away when an app terminates, the phone restarted, ...

* Who gets to see this uploaded data? Developers, marketeers, Google, CIA?

* Where does this data go? I would expect a lot of even non secret data to contain personal information (ref: data protection act). Exporting it out of the EU could be illegal.

We need much more information.

1
0
Silver badge

indeed

It doesn't take a stroke of genius to figure out what the following keys do

w w w . m y b a n k . c o . u k

r a n d y r a b b i t

1 2 3 4 5 6 7 8 q

0
0

As well as the class action approaches to resolving this, it would be good if someone could create an app that would send a load of nonsense data back to this rootkit’s servers. A bit of misinformation can come in handy sometimes in focussing minds.

0
0
Megaphone

Get a life people

Who cares if it's an iDroid, Symdows or PalmRIM.

It's a ****ing smartphone.

You don't have to defend it like your daughter's virginity!

Did you buy the phone to join that particular "Gang"?

Then you really REALLY need a life.

I bought mine to make calls, listen to music and surf the web.

My last phone was Symbian, current phone is Android, next may well be Apple or Windows.

Just because you bought a particular "brand" doesn't mean you have to defend it against all comers, doesn't make you a "superior being", and definitely has no effect on the size of your Member or your attractiveness to the opposite sex.

STOP BELIEVING WHAT THE MARKETING PEOPLE ARE TELLING YOU! THEY ARE ALL LIARS!

10
2
Anonymous Coward

Fail to see your relevance here

It does not matter what OS my phone is running on, if it's logging keystrokes and URLs and sending them back without my knowledge and express, specific permission, then I'm going to be mighty annoyed.

I'm also going to blame the carrier, and not the OS or phone model - it's the carrier who chooses which phones to sell and what 'custom' rubbish to put on them. (Vodafone Live drove me potty because I couldn't kill it. I don't have a Vodafone anymore.)

People do important, secret stuff on their smartphones, and employees with corporate smartphones often have company secrets on them.

Even a simple 'call list' is spying - one of the things the News Of The World was accused of is using call logs to infer scandals.

1
1
Anonymous Coward

Maybe the Analdroids were right all along and there is no battery problem on their phones. It's just all the spyware working in the background.

2
0
Silver badge

Best someone checks out iOS 5.0 then ;-)

1
0
WTF?

blackberry too?

Isn't blackberry supposed to be super secure? Or do the US gov agencies get the version without intercept s/w on?

Has anyone thought it might be added via the demand of the USA gov? They do like to intercept stuff in the 'Land of the Free', don't they?

1
0
Silver badge

Indeed. Land of the free and home of the brave... These days it's land of the spied upon and home of the scared shitless by endless terrorism hype.

0
0
WTF?

USB debugging

My god, I can't believe I actually watched the whole 17 minutes, listening to the most boring, monotonous voice imaginable!

Perhaps I could just point out a couple of things:

1 - when he showed the app properties it said data storage was zero - it can hardly be saving any keypresses, location details, text messages etc in zero bytes?

2 - absolutely NOTHING he is moaning about actually happened UNTIL he turned on 'USB debugging' - this guy has obviously never written any computer program, or tried to determine why some embedded hardware doesn't work as expected, to attempt to fix it you would turn on debugging, log keypresses, log what routines of what programs are run etc etc.

I do not see a problem here, except in the guy's head.

2
4

2 -

2 - Find out what ADB Logcat is and what it does.

0
1
FAIL

1 - It depends where the app is storing its data. I believe the memory usage in the settings screen shown just indicates memory used by the application in its "authorised" storage area. It could look to see if an SD card is available and store it there in which case it wouldn't show up on that screen.

0
1
Jop
Devil

How long before

An app gets written that doesn't keylog or monitor anything at all so passes as a totally legit app, except it reads the CIQ log files and gets the same info anyway.

2
0
WTF?

Galaxy S2

Had a look (using a terminal app) on my S2 (running a factory Gingerbread) and no iq libs of any sort in /system/lib.

Phew?

0
0
Anonymous Coward

I see a huge class-action suit brewing..

The rootkit is only on some markets. It's put there by the telco's request in the US. No info on EU though.

I would welcome the telcos paying gargantuan fines for installing this software though.

0
1
