First SMS Trojan for Android is in the wild

What I dont understand....

..... is how this can be possible?

Presumably the scammers have to have a legitimate account with my network provider to enable them to bill. How do they get this? Why are the networks giving money to these people. Do I just have to ask for some money?

Shouldnt this be the easiest scam in the world to stop?

Or am I missing something?

I wonder how common?

I nearly downloaded a Tetris clone the other week before wondering why it needed permission to send text messages.

Trouble is, the warnings after you click 'Install' are not the sort of thing people will often read.

Police Warning for Householders

The police are warning that if you let a strangers into your house (who may or may not be wearing masks, striped jumpers and carry bags marked 'swag'), they may well steal your stuff.

Duh.

The First of Firsts

Not only the first time a Android virus was publicized, the agency making the report, Kaspersky, OFFERS NO mobile client to scan viruses for Android.

Yeaaah. Fat load of good that your anti-virus program can detect the signature if you can't access anything more than the phone's SD Card (when the SMS is in protected internal memory.) Sure, it gets rid of the SMS messages from non-Android devices, but c'mon.

Trojans need to be manually installed

Having developed for Android I know that non-app-store .APK files can only be installed by first tapping the "Unknown Sources" checkbox in "Application Settings" and then agreeing to the following prompt:

"Your phone and personal data are more vulnerable to attack by applications from unknown sources. You agree that you are solely responsible for any damage to your phone or loss of data that may result from using these applications."

Mr/Mrs/Ms

hahahaha

when will techies learn that tech savvy users are not the same as general consumers.

Android is a great product, but you have to have a walled garden like the iphone for average joe/josephine

surely the desktop OS history has taught us that? although, come to think of it, the only thing techies learn is how to repeat "My view is the correct one, everyone should do as I say"

and yes, i do appreciate the irony of giving my view here that knocks others views... ;-)

If you really really dumb....

.... You'll be infected. Bascially, click here for a virus or a bit of software you don't want, plus untick the trusted sources button - you deserve to be infected if you do all of that.

I agree with @It wasnt me if the networks are aware of the scam, and lots of customers start going to the premium - simply block that number.

doesn't matter how stupid the users are...

... if the platform designers are stupid enough not to take account of it.

God almightly, we've been down the "are you sure you want to do this? It's unsafe...." route a million times, and still nobody has learned. Android'll end up riddled with malware unless they close app access to code vetted apps from the app store only.

The ability to install APKs from untrusted sources is the reason this malware exists. Ergo, get rid of that feature NOW.

Hey Android dudes! I've got the fix right here

Refine the Android security model a wee bit more and this problem would go away.

All they need to is add another layer of user permission to application security, so that the user could explicitly block all third-party apps from certain phone functions, e.g. SMS sending.

Even after allowing installations from non-trusted sources, if the phone is setup to block one of the required functions then the program will not install and daddy Android would let the user know why.

If you then later wanted to install an app that you did want to send SMS then you would need to add it to a app whitelist *before* it would even install.

Networks could even ship phones with the most risky functions blocked as default, much as they currently do with international roaming or adult web content at the SIM level.

Surely this would keep the even the hardest of thinking, who let's face it are usually the ones bitten by such junk, a lot safer?

More informative than the snippet I caught on the radio this morning,

where the BBC journo claimed to have built his mobile malware with no knowledge of mobile programming. That he was assisted by an "application security firm" leads me to believe that writing a virus for mobiles is not quite as simple as he would make out.

Another sterling illustration...

...of why I will never lower my standards and resort to buying that Google Android crap.

Google's sole purpose is to gather as much data about anything and everything as it can, and use that data to sell targeted advertising.

Google doesn't give a flying monkey about your security, let alone trying to make its products secure. Why would it? That woudl mean wasting time on non-core business.

what app permissions were requested?

surely that's the important question

@Seanie Ryan

So, having stupid users install malware (not a virus!) makes a case for a walled garden? Great.

There are too many bad drivers on the road. Let's ban all cars and all take the bus!

Apple Moron

SMS trojan

> Trojan-SMS.AndroidOS.FakePlayer-A poses as a harmless media player application and has already infected a number of mobile devices .. Once installed ..

How does this trojan get installed onto the device?

Meh

Dear Android Owner

Its all YOUR fault and you can purchase the new for 2010 Norton Anti-Virus tools soon.

Sent from my IPhone

If you make something fool proof the world will make a better fool.

""Refine the Android security model a wee bit more and this problem would go away.""

Ummm.... no they can't.

Lets see how to 'infect yourself':

1. Dive into the settings on your phone and enable the ability to install applications from third parties

2. Visit suspicious Russian Website

3. Locate APK file. Download it.

4. Start the installer.

5. Give the application permission to use SMS

6. Shrug when it does nothing and then forget about it and do not uninstall it.

You cannot fix stupid no matter how many layers of security you add onto a system.

This is a 'violation of security' along the same lines as if you called 'MAFIA-R-US', inviting a heavily armed man wearing a mask to your house, open up your wall safe for him and then walk away to go get groceries is a violation of your security.

Not so stupid users?

Does the Google Marketplace even exist in Russia? If it does is it limited to free apps only, which is the case for the vast majority of the Marketplace stores outside the 13 or so 'lucky' countries that have full stores? If so, wouldn't Russian drones be far more likely to look for their apps outside a non-existent or extremely limited store and wouldn't they therefore be at much greater risk by default rather than through user-stupidity?

Is it me...

Or is there some truth to the theory that trojans etc. are written in the basement of the companies peddling security products?

Angry, angry people.

Everyone hates MS fans, Apple hates Android users, and Android users hate themselves. Just get it over with... have a melee.

Here's a barrel full of nail bats. Have fun.

My biggest security concern with smartphones is ...

knowing what data is collected by the smart-phone OS issuers themselves.and what it is used for.

Any GPS feature should be controlled by the user, including remote functions.

It's a computer. Viruses will happen.

Untrusted .apks on Android, security vulnerabilities in iOS that means a PDF can pwn your iPhone. No-one is 'safe', but then again, life ain't 'safe'.

Engage brain before fingers. Good advice for some of the commentards too.

Stupid is as stupid does...

Question: If the iPwn with its walled garden model for security is so frikkin great, why do we see hundreds of articles about its stupid users trying to jailbreak the thing?

Paris because... It's obvious stupid!

Linux eh!

Just yesterday I upgraded to 2.2 on my HTC Desire. Great device an a vast improvement over my Windows Mobile 6.1 device. However the upgrade did not go smoothly. Firstly after several minutes of the first attempt it told me I did not have enough RAM free and was forced to delete a load of old apps. Then after the install it had chosen to reset my language to the local language, changed my lock the device to 5 minutes when it was previously 0 and then added a load of extra bookmarks and changed the default home page.

Now I'm quite technically savvy and was not too flustered by this, but had this been my Mum I suspect she might well have been a little cheesed off.

The security model where you can give a specific application permissions to perform specific tasks is great but on Android I bet the majority of users are not aware what permissions they are giving. You cannot blame the users, it is the product that is wrong for the users and not the users that are wrong for the product. As others have said, what you need is to prompt the user the first time an application wants to perform a task that will cost a premium and allow the user to grant the permission one time only, that day only, or always or never.

I am not in favour of the jobsian totalitarian concept but I really think google need to be more proactive in preventing their product getting the same reputation as Microsoft.

Dont install it then

Not that big of a deal

- Sent from...erm...firefox

History repeating methinks...

Does this story sound familiar to anyone? Replace Android for Windows, go back to the nineties and all of these statements "Android won't protect someone from their own stupidity etc" are exactly what was faced back then and in fact still facing today.

Seems to me having that flexibility in the platform comes with a price, perhaps people should be tested on their technical know-how of the platform before being allowed to purchase one, (yes I know extreme but you get my point ..)

PS: Your foster parents are dead..

PPS: They aren't really but what a cracking caption for the icon.

Hmm

Somebody needs to create a platform where all applications are 100% interpreted -- no native code allowed at all. Not even interpreter bytecode, unless generated at runtime from human-readable Source Code.

For one thing, it would make it possible for devices to be based on any processor architecture and addressing schema, with nothing to be recompiled but the low-level stack (OS, telephony layer, language interpreter).

For another, it would mean there would be *no* hiding place for malware, since every application would be presented in human-readable form.