Android Trojan taints US mobes, spews 500,000 texts A DAY

A Trojan that infects Android devices is behind an increase in text message spam in the US. SpamSoldier infects smartphones and spews out thousands of SMS messages without the user's permission. The mobile irritant is primarily spreading through texts that offer free versions of popular paid-for games such as Need for Speed: …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward
    Anonymous Coward

    Will make a nice change

    from the countless 'You are entitled to thousands of pounds in light of your recent accident' or 'you are entitled to thousands of pounds due to the loans you have taken out over the past 20 years' and other stories that seem to be the content of most of the Text messages I seem to be getting at the moment.

    1. Anonymous Coward
      Anonymous Coward

      Android virus the cry of self denial.....

      Android malware?, no this cannot be, can never happen, not with an open source OS, never in a million years, impossible, obviously from the Daily Mail, the media love to make up stories, rubbish, I must have gone over my data allowance, maybe I made too many calls..........

      The cry of self denial from the ranks of Fandroids ...

      While I sit back with a smug smile on my face holding my iphone in one hand and wipe away tears of joy with the other.

      1. Eponymous Cowherd
        Gimp

        Re: Android virus the cry of self denial.....

        While I sit back with a smug smile on my face holding my iphone in one hand and wipe away tears of joy with the other.

        Well, I've heard it called a lot of things, but "wiping away the tears of joy" is a new one. Still, tissue at the ready..............

        1. Yet Another Anonymous coward Silver badge

          Re: Android virus the cry of self denial.....

          You can't get porn on an iPhone.

          Well you can - but they can't have any rounded corners

        2. Anonymous Coward
          Anonymous Coward

          Re: Android virus the cry of self denial.....

          I've never heard it called an iPhone either.

      2. JDX Gold badge
        Trollface

        Re: Android virus the cry of self denial.....

        It's OK, blame evil Google for the vulnerabilities and normalcy is restored in the Linux/FOSS camp.

      3. Yet Another Anonymous coward Silver badge

        Re: Android virus the cry of self denial.....

        So don't enable "install from untrusted sources" unless you are testing your own kernel builds

        It's up there with: never fight a land war in Asia, never play Poker with anybody whose middle name is "the" and don't take your trousers off and bend down in a confessional

      4. Anonymous Coward
        Anonymous Coward

        Re: Android virus the cry of self denial.....

        "While I sit back with a smug smile on my face holding my iphone in one hand and wipe away tears of joy with the other."

        Can't be that smug with an iPhone in your hand!

        How can you feel smug when you're held by the hand by your OS.

        Grow a pair you yellow belly coward.

        1. JDX Gold badge

          Re: Android virus the cry of self denial.....

          You're complaining about software that makes things easier for the user? This is why FOSS software is so badly designed then - you have to prove your worth?

      5. RICHTO
        Mushroom

        Re: Android virus the cry of self denial.....

        Your iPhone with over 300 known security vulnerabilities in IOS you mean?

        Get a Windows Phone - only 1 Denial of Service vulnerability across all versions....

        1. The_Regulator
          Windows

          Re: Android virus the cry of self denial.....

          Get a Windows Phone - only 1 Denial of Service vulnerability across all versions....

          Not sure how accurate that statement is BUT definitely wayyyyy less than android or iOS.

          The "spamdroid" title definitely fits the bill when it comes to this article!!

    2. Anonymous Coward
      Anonymous Coward

      After

      After years of being made aware of malware and viruses the American brain still believes there is a great deal to be had with a free game and free installer.

      In more developed countries (UK) we are a little more suspicious when an external link and installer are concerned. Maybe it's the Duff Beer they drink....

      1. Anonymous Coward
        Anonymous Coward

        Re: After @AC

        Yes we in the UK learned our lesson during the second world war when the septic tanks came over offering chewing gum and nylons. We've had sore arses ever since and wised up to strangers offering gifts.

      2. Anonymous Coward
        Anonymous Coward

        Re: After

        "In more developed countries (UK) we are a little more suspicious..."

        Ahh, that must be why you don't have any SMS spam over there. I'd been wondering about that.

    3. Anonymous Coward
      Anonymous Coward

      Re: Will make a nice change

      Q.Q

  2. nuked
    Unhappy

    Worrying that they can only guess at the attack vector.

  3. Markl2011
    Facepalm

    Did you read the blog post, Mr Register?

    From the article..

    "SpamSoldier infects smartphones and spews out thousands of SMS messages without the user's permission."

    From the blog http://blog.cloudmark.com/2012/12/16/android-trojan-used-to-create-simple-sms-spam-botnet/

    "Then you have to grant permission to the app to do all sorts of things that no Angry Bird should ever need to do, like surfing the web and sending SMS messages"

    1. Anonymous Coward
      Anonymous Coward

      Re: Did you read the blog post, Mr Register?

      Granting permissions implies that the person using the app is experienced enough to know what all of that means.

      Here's an idea, automatically deny all privileges and then when things need to access a resource it asks for permission.

      People tend to click through all the screens on install as it is usually stupid legal mumbo jumbo.

      1. ArmanX
        Thumb Up

        Re: Did you read the blog post, Mr Register?

        It doesn't help that many well-known apps have access to things they never should - Facebook doesn't need to send SMS messages, games don't need access to my email, and why does a file browser need access to my GPS? I've seen some explanations that make sense - a program needs permission to take pictures before it can turn on the camera flash, for instance - but many apps request full access to everything, without a single explanation of why.

        That said, I love the idea of "always off" privileges. If the app never actually tries to send an SMS, fine; if it does, I can see it, and kill it first. I'd be able to use the Facebook app again, assuming it doesn't force close when I tell it to get stuffed...

        1. RICHTO
          Mushroom

          Re: Did you read the blog post, Mr Register?

          Maybe that would fix all the virus issues on desktop OSs like OS-X and Windows? - say we make them prompt the user before it does anything that needs elevated rights? - oh wait a minute....

      2. Markl2011
        Thumb Up

        Re: Did you read the blog post, Mr Register?

        @AC 18:37

        "Granting permissions implies that the person using the app is experienced enough to know what all of that means."

        If they're not, they're probably not experienced enough to enable the installation of 3rd party applications that's also required.

        I agree with your point about denying permissions by default though.

      3. eulampios

        would be nice idea, but...

        So you're saying that a user needs my math PhD to be able to make all the necessary calculations when they install an app. Isn't it pretty straightforward and transparent unlike a black box you get on Windows and rely on AV instead of simple logic?

        The way Google handles untrusted apps (by the definition, since g. play is no repo) is pretty nice. Every app runs in a sandbox with its own uid and joins major groups that are manifested during the install. This transparency is a relative novelty. If MS would have come with it, the world would have been very different.

        The post you're answering to just meant that John Leyden had seriously misinterpreted the facts. Not sure if can be excused for it by "lack of experience" either.

        1. Anonymous Coward
          Anonymous Coward

          Re: would be nice idea, but...

          Just run that past me again: Windows is bad, because the vast majority of malware has to be OKed by the user for install, but Android is good because the vast majority (all?) malware has to be OKed by the user for install?

          Exactly how can a general purpose Operating System be expected to ask the installing user which permissions are appropriate for it to have? You'd be there all day. Under both Windows and Linux, you have to have an appropriate privilege to install something, be it administrator/root or a lesser, more tailored ID.

          1. eulampios

            @AC

            Windows is bad in this regard, because it had neither of the two

            1) secure repositories

            2) no mechanism akin to Android where the permissions are specifically stated prior to install.

            A windows application as well as a regular GNU/Linux is a black box. You can't figure out what it does when installing a binary file. The list of the permissions declared in the Android install is very short for a user to understand their meaning. So you're saying that if a user installs a game and it has a permission to send SMS, a user can't figure it out? If he/she can't, why would she/he care some big bills for SMS?

            If you think that an AV is better than simple logic then you don't believe in education at all. Why should boys and girls get lecture about pregnancy prevention. It is so complicated they will most probably not get it...

            1. RICHTO
              Mushroom

              Re: @AC

              Wrong on both - Windows has secure repositories (Windows Store and Windows Update for instance)

              Windows Phone also can state and request permission for specific functions - e.g. track your location.

            2. The_Regulator

              Re: @AC

              Windows has: 2) no mechanism akin to Android where the permissions are specifically stated prior to install.

              on Windows Phone it specifically tells you that it needs access to whatever services that it needs to use when you install and if it needs to run in the background.

              Also, you need to download apps from the windows store to install AND funnily enough those have already been vetted by Microsoft. I think I can remember maybe one instance of something bad slipping through the cracks of the windows phone store since it launched and they immediately removed it.

              Android just by nature is a lot more open therefore a lot more susceptible to virus/malware/spam and an every day user who thinks they know what they are installing will simply just hit ok so they can load up their free angry birds or whatever it may be that they are trying to install instead of understanding what they are doing.

              1. RICHTO
                Mushroom

                Re: @AC

                Wrong - Windows Phone DOES already specifically ask for and state permissions prior to install (and / or on first execution) just like Android does for sensitive activities:

                http://allaboutwindowsphone.com/images/flow/misc/apppermission01.jpg

                I agree - open = a lot more malware given the same market share (i.e. motivation for hackers to bother attacking it). This is why Linux servers on the internet are much more likely (even taking into account market share) to be compromised than ones running Windows....

        2. Anonymous Coward
          Anonymous Coward

          Re: would be nice idea, but...

          Android = fail. You expect more from your phone containing all your critical data and simple access to all your contacts AND a method to send them.
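
The permission check that several posters in this thread describe doing by eye before installing can be scripted. This is an added example, not part of the original thread or the Cloudmark blog post; it assumes the manifest has already been decoded to text XML, and the sample manifest, package name and per-category policy table are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Attribute namespace used by android:name in AndroidManifest.xml
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

INTERNET = "android.permission.INTERNET"
SEND_SMS = "android.permission.SEND_SMS"

# Permissions worth a second look, with the reason shown to the reviewer
SENSITIVE = {
    SEND_SMS: "can send text messages, possibly at the user's cost",
    "android.permission.RECEIVE_SMS": "can read incoming texts",
    "android.permission.READ_CONTACTS": "can read the address book",
    "android.permission.ACCESS_FINE_LOCATION": "can read GPS location",
}

# Hypothetical policy: what each app category is expected to request
EXPECTED = {
    "game": {INTERNET, "android.permission.WAKE_LOCK",
             "android.permission.VIBRATE"},
    "messaging": {INTERNET, SEND_SMS, "android.permission.RECEIVE_SMS",
                  "android.permission.READ_CONTACTS"},
}

# Constructed sample: a "free game" asking for web access and SMS sending
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.freegame">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.WAKE_LOCK"/>
    <application android:label="Free Game"/>
</manifest>
"""


def requested_permissions(manifest_xml):
    """Return the set of permission names a decoded manifest declares."""
    # For manifests from untrusted APKs, a hardened parser such as
    # defusedxml is the safer choice; ElementTree keeps this stdlib-only.
    root = ET.fromstring(manifest_xml.strip())
    names = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for element in root.iter(tag):
            name = element.get(ANDROID_NS + "name")
            if name:
                names.add(name)
    return names


def audit(manifest_xml, category):
    """List (permission, reason) pairs that do not fit the app category.

    An unknown category has an empty allowlist, so every sensitive
    permission is reported rather than silently accepted.
    """
    perms = requested_permissions(manifest_xml)
    allowed = EXPECTED.get(category, set())
    findings = [(p, SENSITIVE[p]) for p in sorted(perms - allowed)
                if p in SENSITIVE]
    # The combination quoted from the blog post: web access plus SMS sending
    if {SEND_SMS, INTERNET} <= perms and SEND_SMS not in allowed:
        findings.append(("SEND_SMS+INTERNET",
                         "can fetch instructions online and send texts"))
    return findings


if __name__ == "__main__":
    for permission, reason in audit(SAMPLE_MANIFEST, "game"):
        print(f"REVIEW {permission}: {reason}")
```
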

  4. Anonymous Coward
    Anonymous Coward

    Android is the new Windows XP, flawed in design and more interested in providing lots of features and power than security.

    1. Lars Silver badge
      Pint

      Ahh

      "Android is the new Windows XP, flawed in design and more interested in providing lots of features and power than security."

      Have you forgotten that all the problems with the XP was just because it was so popular.

      1. Maliciously Crafted Packet

        Re: Ahh

        "Have you forgotten that all the problems with the XP was just because it was so popular."

        Nice one, I remember that joke too.

        1. RICHTO
          Mushroom

          Re: Ahh

          Windows XP has less than a 3rd of the vulnerabilities of OS-X....

    2. Anonymous Coward
      Anonymous Coward

      Really, does this have to be explained on every Android malware article? The user is downloading an app that showed up in an SMS from a completely untrusted site, enabling unknown sources to install it, ignoring both that warning message and the permissions warning that says their free copy of a $5 game wants to send SMSs and are then shocked when said game does send SMSs.

      This has nothing to do with Android security, every platform that lets the user decide which applications to install is vulnerable to user stupidity.

      1. Rob

        What AC 08:16 said

        There's just as many stupid Android users out there as there are iPhone users.

  5. Dana W
    Trollface

    But at least you don't have a walled garden!

    1. Anonymous Coward
      Anonymous Coward

      better than gardening in a warzone, eh?

      all jokes aside, it's worth pointing out that this still affects iphone users since they'll still have to receive all that sms spam.

      1. Anonymous Coward
        Anonymous Coward

        @AC18:56

        Wrong, iPhones are very socially aware and don't mix with the lower classes. We have a better class of spam to deal with.

      2. Anonymous Coward
        Anonymous Coward

        It does not affect iPhones - you might receive the SMS but could not install the malware

        1. Anonymous Coward
          Anonymous Coward

          "It does not affect iPhones - you might receive the SMS but could not install the malware"

          He said "iphone users", not iPhones, because the users "still have to receive all that sms spam" from the infected Android users.

          If I receive any of these spam SMSs from my friends, they'll be getting a simple one word reply that reads "idiot".

    2. Dana W
      Happy

      There is my proof, Android users have NO sense of humor.

      1. Doogie1
        Joke

        @Dana W

        "There is my proof, Android users have NO sense of humor."

        Haven't you seen the Dom Joly impersonators with their Galaxy Notes?

  6. t20racerman
    Facepalm

    Free game did you say?

    Where is the link? Sign me up! I love free stuff :-)

  7. Alan Denman

    The nanny state has its advantage.

    Obviously apps are in a permanent boot camp with Apple so less likely there.

    With freedom comes responsibility so you need to train those Android kids and Android grannies.

    1. The_Regulator
      Trollface

      Re: The nanny state has its advantage.

      train them to buy something else!!!

  8. eulampios
    Thumb Down

    @ John Leyden: FUD or Vulnerability

    Marks are encouraged to click on a web link in a message that supposedly leads to a game installer. In reality users who open the "installer app" only succeed in infecting their handset with the SpamSoldier Trojan.

    Are you really suggesting that you get "infected" by clicking on a link with no further user's interaction, or that you're offered to install a game app that straightforwardly says it can send SMS from your phone (and maybe something else), plus it should be allowed to install from the outside of googleplay in the first place? If it is the former, you just discovered a serious Android vulnerability, if it is the latter you're spreading an FUD in a pretty bad manner. It seems to be an FUD according to your own links though.

  9. Anonymous Coward
    Anonymous Coward

    Seems the old adage of "Thick as a yank" still holds true.

  10. IR
    Thumb Up

    Gotta love those "trojans" I can avoid by

    not clicking on a link in a dodgy message

    not downloading an unknown app

    not ignoring the strange permissions it requests

    1. Anonymous Coward
      Anonymous Coward

      not running an insecure OS and apps from an insecure app store

      buying an iPhone

      1. jowlymonster

        This has nothing to do with insecurities in the OS (because the user gets to see what permissions the app is requesting *before* installing - there's no evil hackery going on) and it's nothing to do with an insecure app-store, because the infected apps are obtained by visiting FreeCrapz.ru.cn or similar.

      2. Anonymous Coward
        Anonymous Coward

        As long as you don't jailbreak..

        1. You have to change the default setting to be able to install from outside the Play store

        2. This is an install from a spam text (RTFA).

        So this would be the iphone equivalent perhaps (except this allows access to any iPhone data)

        http://abeontech.com/343-security-jailbreak-my-bank-account

        1. Anonymous Coward
          Anonymous Coward

          Re: As long as you don't jailbreak..

          What about malware IN the play store.

          1. The_Regulator
            Trollface

            Re: As long as you don't jailbreak..

            Hahaha, that's where you need to train android users to find something better!!

      3. Anonymous Coward
        Anonymous Coward

        downvoted for the truth

      4. RICHTO
        Mushroom

        But IOS has over 300 known vulnerabilities, and can be rooted just by visiting a web page!

  11. Anonymous Coward
    Anonymous Coward

    Android pwned - shirley not.

    1. Anonymous Coward
      Anonymous Coward

      All your phones (and texts and contacts) are belong to us.

  12. Anonymous Coward
    Anonymous Coward

    Apple trolls out in force I see

    Plenty of malware on iPhones, Apple just charges you for the privilege of installing it.

    1. Anonymous Coward
      Anonymous Coward

      Re: Apple trolls out in force I see

      It's not a troll, it is a scientific test to see if Fandroids have a sense of humour and the results are in.

      Fandroids have a sense of humour because they buy Android phones.

  13. Anonymous Coward
    Anonymous Coward

    The problem is most Android users are also the less 'technically savvy' end of the market as often they are getting the phones free (prob don't even know it's Android). Suppose the saving grace is many Android phones are not even on data plans so they may not even be able to download it.

    The harsh part is more Android users will also be on PAYG so some app going crazy and sending thousands of texts could cost you dear.

    1. Shrimpling

      From my experience everybody I know with an Android phone knows it is an android phone and has chosen it because it is better for them than an iPhone.

      If you are stupid enough to install an app from a spam text message being on PAYG would actually be better... once your credit has run out your phone will stop sending spam messages. If you are on contract you won't notice until the end of the month when a huge bill has built up and your network won't refund you because you accepted the terms when you installed the app.

      1. Anonymous Coward
        Anonymous Coward

        You and your two geeky friends can keep their androids. Most people would have an iPhone (if they could afford it) or does not know / care what phone it is as they just 'got' it free with their contract renewal and it's probably not even on a data tariff.

    2. Eponymous Cowherd
      Thumb Down

      Tech Savvy?

      "The problem is most Android users are also the less 'technically savvy' end of the market"

      I'd say that many owners of low-end Android devices are certainly less 'technically savvy', probably on a par with the majority of iPhone users. The difference is the "walled garden" offers the iPhone users some protection. A lot of these people would, quite likely, have bought an iPhone if they could have afforded it.

      Owners of high-end Android devices, however, are probably more "tech savvy" than most iPhone users. They have, after all, made a conscious decision to pay a considerable sum on a device that is not an iPhone. They could have bought an iPhone, but didn't. The only real reason why you'd decide to buy, say, an HTC 1X+ over the similarly priced iPhone 5 is because you have looked at both and decided the HTC is the better device for you.

      A lot of iPhone 5 owners will have forked out their c£500 because the zeitgeist is that it is "the best". Very few will buy top-end Android devices without doing some research.

  14. Jimboom
    Trollface

    Maybe it's just me

    But I always check the privileges of an app before I install and have passed up installing many bits of well rated software because I didn't agree with the privileges it was wanting (why a simple game wants access to my accounts, to check network status and change system settings I will never know).

    But failing that Droidwall would hopefully stop anything that managed to slip through the net. So personally I don't see any droid users with half a brain falling for this.... oh wait, we were talking about the Yanks weren't we?

  15. Anonymous Coward
    Anonymous Coward

    "we have not yet detected SpamSoldier on any major app stores"

    Easy, do not allow non-marketplace installs! Done.

  16. Parax
    WTF?

    "without the user's permission"

    Or without the user's knowledge? Surely you need to accept the permissions to install or is this app bypassing the security?

    1. Anonymous Coward
      Anonymous Coward

      Re: "without the user's permission"

      "without the user's permission"

      Ecto gammat!

  17. Henry Wertz 1 Gold badge
    Thumb Up

    Thank goodness for unlimited texting?

    Thank goodness for unlimited texting, I guess? US cell cos technically offer text packages, but make the pricing intentionally unattractive so people will get unlimited texting. I feel for those who have no texting and get charged the ridiculous 20 cents a text for spams. No I have not gotten this on my phone 8-)

    As for network impact -- I recall someone doing research on this like 5 or 10 years ago, they rigged up a phone to a PC to send texts as fast as possible, and at least one other phone to send and receive a few texts at a sane rate and measure if there were any slowdowns. AT&T, they aborted the test almost immediately as they found VOICE service failed (the control channel filled so thoroughly that call setups were failing.) T-Mobile did the best, they were limiting devices to about 1 text per 1.5 seconds so the phone was simply disallowed from spewing out dozens of texts a second. VZW and Sprint both had a small (couple second) slowdown. This all ignores the SMSCs (SMS centers) themselves bogging down of course, which is also a possibility.

  18. JassMan

    Fine the companies who pay the spammers

    If governments around the world set up registers for people to send their spam/email texts to, then fine the sponsoring company a tenner for each text collected, those companies would soon run out of money to pay to the spammers. Spammers only set up botnets on any platform because companies are unethical enough to pay for what they regard as just another advertising channel.

    1. Anonymous Coward
      Anonymous Coward

      Re: Fine the companies who pay the spammers

      I've wondered about this for a while - trying to do antispam and take down spammers' web servers seems like a losing proposition, since there are millions of emails and dozens of servers (maybe far more?) per spammer. But someone has to get the money, in the end, and somebody's got to process it; I presume their customers aren't sending bank checks or cash, so *someone* is processing the money for them. Why aren't we going after that *one* guy rather than trying to stop a billion fucking emails?
