It's not really a "vulnerability" in Android if: you have to manually enable installation of unverified 3rd party software, then ignore the blatant red flag that says "this app requires access to your camera".
URRGH! Evil app WATCHES YOU WATCHING PORN, snaps your grimace
A new frontier in horror has been breached, as it has emerged that your phone can in some circumstances take a picture of you as you view porn on it, and then use that image of your grimacing face to extort money on pain of exposure. Security outfit Zscaler detected the Android app, which lures victims who assume it is a …
COMMENTS
Tuesday 8th September 2015 07:15 GMT Anonymous Coward
This is what I don't get about Fandroids (and many Linux users).
If a person downloads a dodgy bit of software from some random website, ignores the warning about downloading and running programmes from the internet, clicks the button to approve installation. It's Microsoft's fault for allowing it to happen.
If someone downloads an app for Android, it's the user's fault.
-
Tuesday 8th September 2015 11:06 GMT Anonymous Coward
Re: Roq D. Kasba
It's the user's fault either way. You can run Windows 10 all day long clean and happy without a security suite if you don't install anything
Only until the first remote exploit for something like (say) the network stack in W10 shows up. Then someone could passively scan the network you're on to find your W10 PC, exploit it, then voila, you're done.
Not super likely for home users with IPv4 NAT... but since IPv6 doesn't have NAT and actual end user IPs are exposed... ugh.
-
Tuesday 8th September 2015 11:42 GMT Anonymous Coward
It's the user's fault either way. You can run Windows 10 all day long clean and happy without a security suite if you don't install and don't connect anything ;-)
FIFY. I would not want a Windows box near an Internet connection without anti-virus and a certainty that at least its firewall is enabled; over the years I've learned not to invest trust in Windows out of the box defaults.
-
Tuesday 8th September 2015 09:17 GMT Anonymous Coward
This is what I don't get about Fandroids
It's only natural, I think. You have installed a billion shite apps on your mobile (because you can and because they enrich your life, lol), and practically ALL of those have flashed a long list of what functionality on your handset they will have to access for YOU to use the app, and you have no clue what it REALLY means (and you do want to use our app, right? Click "no" if you do not not want to not un-use it. Are you sure? Do you want to cancel? Yes? Good boy).
You read carefully through the first few lists that pop up during installation, nothing bad happens. Nothing happens, nothing happens, nothing happens, you grow complacent, so you just "yeah-yeah-gimme-gimme" the new apps and then - CLICKBAIT!!!! And your willy's on the facebook, OMG, what will my boss say!?
-
Tuesday 8th September 2015 09:49 GMT Pascal Monett
@ Lost all faith
There is a big difference between a Windows platform and Android - on the Android platform the user is not admin.
In Windows, historically speaking, the user has always had all rights to the OS and hardware access because Microsoft took two decades to start understanding that that was not a good idea. So yeah, on a PC a lot of malware is there because of Microsoft, not always because of the user.
-
Tuesday 8th September 2015 17:16 GMT Anonymous Coward
"If a person downloads a dodgy bit of software from some random website, ignores the warning about downloading and running programmes from the internet, clicks the button to approve installation. It's Microsoft's fault for allowing it to happen."
That's because Android and Linux have as many security precautions as possible to prevent it.
Windows encourages users to run as admin, allowing any bad stuff to hose the system instead of just the user environment.
Linux also creates new files as non-executable and you must manually change the permissions to execute said files, double click/launch from browser WILL NOT WORK until this is done. Windows on the other hand defaults with the execute permission set meaning double clicking and running from the browser will work.
-
Wednesday 9th September 2015 06:58 GMT Anonymous Coward
To those downvoters who downvoted my post about Linux not creating new files as executable, where Windows does and that is a problem, have an example of why Linux is doing this right and Windows not.
http://www.theregister.co.uk/2015/09/08/whatsapp_security_flap/
In short: a bug in WhatsApp allows vCards to be turned into .BAT files. If a user on Windows downloads this, it takes one click of the 'Run' button to hose their system. If it was a .sh file for Linux, users would have to save the file, right-click properties, tick 'Execute' permission and then double click the file to hose their user account.
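The file-mode behaviour discussed in the comment above, as an added shell example that is not part of the original thread. The function names and the `invoice.sh` sample are constructed for illustration; the last function shows the limit of the protection, since an interpreter needs only read permission.

```shell
#!/bin/sh
# Constructed sample: stands in for a script saved from a browser or chat client.
make_sample() {   # $1 = umask to save under; prints the path of the new file
    d=$(mktemp -d) || return 1
    ( umask "$1"; printf '#!/bin/sh\necho payload-ran\n' > "$d/invoice.sh" )
    printf '%s\n' "$d/invoice.sh"
}

# Octal mode of a file saved under umask $1. New files are created with
# mode 0666 & ~umask, so no umask value can ever add an execute bit.
saved_mode() {
    f=$(make_sample "$1") || return 1
    stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f"   # GNU stat, then BSD stat
    rm -rf "$(dirname "$f")"
}

# Exit status of launching the file directly (the "double click" case).
# $1 = "as-saved" or "chmod". 126 means "found, but not executable".
direct_exec_status() {
    f=$(make_sample 022) || return 1
    if [ "$1" = chmod ]; then chmod u+x "$f"; fi
    "$f" >/dev/null 2>&1 && rc=0 || rc=$?
    rm -rf "$(dirname "$f")"
    echo "$rc"
}

# Caveat: handing the same file to an interpreter needs only read permission,
# so the missing execute bit stops accidental launches, not deliberate ones.
interpreter_output() {
    f=$(make_sample 022) || return 1
    sh "$f"
    rm -rf "$(dirname "$f")"
}

echo "mode under umask 022: $(saved_mode 022), under umask 000: $(saved_mode 000)"
echo "direct launch as saved: $(direct_exec_status as-saved)"
echo "direct launch after chmod u+x: $(direct_exec_status chmod)"
echo "run via 'sh file': $(interpreter_output)"
```
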
-
Thursday 17th September 2015 10:15 GMT thosrtanner
*sigh* Windows does NOT encourage users to run as admin. It throws up a box saying "this software wants to do something to your computer". And on loads and loads of websites, you see advice that tells you to
1) Switch off the access control
2) Change the permissions on <something in program files> so you can write to it
And also
3) There is still software that is released that more-or-less expects people to grant write access to places they shouldn't have to (Bethesda/Steam - Skyrim immediately comes to mind, but there are others).
With a mindset like that even with the large developers, let alone the help sites, what do you expect? If people advised you to always run as root in Linux, they'd be howled down. But apparently it's Microsoft's fault that doing the same thing on Windows is considered par for the course.
There are plenty of criticisms that Microsoft deserves, but encouraging people to run as admin all the time is not one.
-
Wednesday 9th September 2015 14:45 GMT Rick Giles
This is what I don't get about Fandroids (and many Linux users).
If a person downloads a dodgy bit of software from some random website, ignores the warning about downloading and running programmes from the internet, clicks the button to approve installation. It's Microsoft's fault for allowing it to happen.
If someone downloads an app for Android, it's the user's fault.
Methinks you need an editor, or a stream of consciousness filter...
-
Tuesday 8th September 2015 12:26 GMT Anonymous Coward
Google's fault
Correct. The user should be able to prevent the app from accessing things without the app knowing that it is being prevented from accessing them: bogus address book provided to untrusted apps, and so on.
In the case of the camera you could put a sticker over the lens but that wouldn't handle the case where you have two apps running simultaneously: a trusted one that you want to use the real camera and an untrusted one that you want to receive bogus data instead (a pop video perhaps).
-
Tuesday 8th September 2015 14:34 GMT TeeCee
The source of that little issue is that the majority of those permissions that make you go "WTF does it need that for?" aren't actually required by the app at all.
There's an ever-growing list that are required by the Google crapware baked into 'em all, which is why you ain't going to see them disappearing or you being allowed to stuff them on any official devices.
I've said it before and I'll say it again. Android could be damned good, if only it were taken away from Google and their cruft was forcibly excised from it.
-
Tuesday 8th September 2015 10:44 GMT Graham Marsden
It's not a vulnerability...
It's a ridiculous short-coming in security!
A user shouldn't have to "ignore the blatant red flag that says "this app requires access to your camera",", they should be able to say "I don't want ANY apps to have access to MY camera unless *I* say they can!"
The default should be opt IN, not "you can only opt-OUT by not installing the app in the first place".
-
Tuesday 8th September 2015 11:48 GMT Anonymous Coward
Re: It's not a vulnerability...
A user shouldn't have to "ignore the blatant red flag that says "this app requires access to your camera",", they should be able to say "I don't want ANY apps to have access to MY camera unless *I* say they can!"
The default should be opt IN, not "you can only opt-OUT by not installing the app in the first place".
I have trouble parsing that statement. Do you mean "users SHOULD ignore red flags" like asking for privileges an app doesn't need, or are you asking for new functionality that locks the camera unless explicitly enabled?
Knowing how users think (takes quite a lot of alcohol, but bear with me), that would simply yield complaints that the phone is hard to use. It would be better if Android would switch to the iOS model where permission is sought when the first access is attempted (nice, properly timed red flag there and then), and where permission can be withdrawn again for each individual resource.
If Google would push that into the next release it would fix quite a few problems in one go.
-
Tuesday 8th September 2015 14:31 GMT Graham Marsden
@AC - Re: It's not a vulnerability...
> are you asking for new functionality that locks the camera unless explicitly enabled?
I'm saying that that should be the *default* setting for any app. Followed by, as you say, "This app wants to access your camera, do you want to allow it?" to give you the chance to say "hang on, why does a photo slide show viewer want to take pictures right now?"
-
Tuesday 8th September 2015 09:26 GMT JasonB
Unchecking?
"This can be enforced by unchecking the option of "Unknown Sources" under the "Security" settings of your device."
That's already enforced on my device. (Yes I had to check!) Does that suggest that people have made a deliberate decision to download from potentially dodgy sites?
-
Tuesday 8th September 2015 12:46 GMT Zog_but_not_the_first
Tip of the iceberg
I'll bet that loads of apps (in the store and beyond) have this capability. Maybe some apps grab all the permissions through lazy programming, but others want control of your camera etc., for a reason. The endless stream of "free" games must feature high in the "suspicious" category.
Of course some apps use "spy features" in a good cause, such as the excellent Lockwatch. I use this to demonstrate to unconvinced friends that a phone's camera has a stealth mode.
-
Tuesday 8th September 2015 17:01 GMT regprentice
In order to run the Amazon Appstore or another source such as Humble Bundle it's necessary to make the permissions change described. Certainly while Amazon were giving away a free app a day I couldn't be bothered to switch this option on and off every morning so left 'allow unknown sources' switched on as I assumed I would not be stupid enough to knowingly download anything else.
That said I've noticed a significant increase in aggressive popup ads which appear to look like the Google Play store offering the current popular title (that vaguely porny looking one with Kate Upton in the adverts). Presumably these entice you to install a malicious executable.
-
Wednesday 9th September 2015 03:08 GMT JimboSmith
BlackBerry PlayBook
On the PlayBook when you download an application it lists the things that the application wants access to. There is also a checkbox next to each item in the list and you can uncheck permissions you don't want the application to have. Some applications won't work without some permissions i.e. A camera app and the camera, but I like having the choice. I had assumed that Android had had that built in from the start but when I started using it I realized that was missing and I had minimal control. If I can't see a reason for an app needing permission to use something on Android I don't download that app.
-
Wednesday 9th September 2015 17:56 GMT tomturkey101
Duh! If I wanted to make some easy money by taking money from the rich to give to the poor (usually oneself), and keep a clean conscience, I would set up a sting operation against anyone doing anything questionable. Then call them on it. Highly reminiscent of the Godfather movies. "You don't gotta do anything right this moment, but if at some time in the future I should call on you for a "favor", you cannot refuse me." Advice: Keep your "hands" and your "conscience" clean. You will be much happier.