back to article Android banking trojan intercepts security texts

Developers of the SpyEye banking trojan have started bundling it with malware for phones running Google's Android operating system to intercept text messages many financial institutions use to prevent fraud, researchers said. The trojan known as Spitmo is SpyEye's first in-the-wild malware to target Android, Ayelet Heyman, a …


This topic is closed for new posts.
  1. Nights_are_Long

    It's worrying the number of app's in the unpoliced droid market place that have all kinds of funky permissions, as in really funky why would a RSS reader need access to my phone call and contacts? Why would that chess application want access to email.

    1. sabroni Silver badge


      I got a £10 payment card so I could buy some android apps and games, but everytime I see something I want I get to the install screen and it asks for permissions it doesn't seem to need. Consequently I've brought one app in the 2 months I've had the phone.

      Why can't I buy and install the apps then deny permissions I don't want it to have at run time?

      1. Anonymous Coward
        Anonymous Coward

        RE: Why can't I buy and install the apps then deny permissions I don't want it to have at run time?

        Is that not the case? Wow, then it's a "dead OS" phone for me until Apple stop being up their own arse and Google sort their shit out.

        Only allowing install if permission to texts, phonebook or whatever is given is brain dead. Even my "shitty old" Symbian asks me each time access is requested if I want it to.

    2. Eponymous Cowherd

      Odd permissions

      There are apps for rooted devices that allow you to restrict permissions. i.e. you can install an app that asks permission to access your address book, but it won't be able to when it tries. This will cause some apps to force-close, however.

      IMHO, this facility should be a basic feature of Android, and developers should code their apps such that they don't die when told to feck off when asking for a permission.

      Ideally a clean Android device should ask permission the first time an app asks for certain sensitive permissions (address book, things that cost money, SMS, location, etc). Users should be given a choice of "always allow", "never allow" or "always ask".

      With regard to permissions look at this lot:

      Your personal information

      Services that cost you money

      Your location

      Your messages

      Network communication

      Your accounts


      Phone calls

      System tools

      Now, what do you think would need all of those? Eh?

      HTC's battery widget, that's what. And, because its installed from the "HTC Hub" app, you don't get to see these unless you happen to browse the app in the Manage Applications settings screen.

  2. Gordon 10 Silver badge

    I hate to say this

    Because competition is good.

    But if this continues any IT professional worth their salt will be recommending to their non-IT literate friends and Rellies that they avoid android or will be at least loading an AV app for them.

    If only to avoid the inevitable support calls!

    Alternatively this is another great opportunity for Amazon to differentiate themselves. Imagine them advertising that their App store is malware free and locking the "kindle pad" to it.

    1. Maliciously Crafted Packet

      You would have thought so...

      but if recent history is anything to go by IT professional seem to prefer systems that are insecure and require plenty of support and configuration.

      Security issues such as stated in this article almost guarantee mainstream Android adoption into enterprise IT. BlackBerry and iOS are a little to stable for comfort.

      1. Gordon 10 Silver badge

        Slight correction

        IT professionals bosses prefer systems as you described.

  3. Martijn Otto


    And that's why everyone should install DroidWall. About every app out there asks for internet access, while many do not need it (e.g. games).

    With DroidWall, you can simply install these apps without giving them internet access. Without internet access, they have no way of sending their silly data back to their silly writers.

    1. Dan 55 Silver badge

      So what?

      Malware will just use an SMS instead if they find that Internet access is blocked.

      We really need fine-grained allow/deny controls that come with some sensible defaults to discourage developers to ask for everything as if they ask for everything they'd have to explain to the user that they need to go through ticking boxes and then they might also need to explain why (our shooty game will not run unless you allow us to access your phone number, GPS, and Internet because we sell your data on to the highest bidder).

      The closest is Symbian, but that's not shiney and new so I suppose it doesn't count. It still pops up a dialog asking me if I want to allow the app to access the Internet though.

  4. Jacqui

    LBE Privacy Guard

    is a godsend. I have maybe 100 or so aps on my phone but very few get all of the rights they wish. Pretty much all of them continue to work.

    1. Chris007

      IMHO LBE is better than DroidWall

      as it prevents other types of access from apps like the ability to send SMS, look at contacts, retrieve your IMEI or mobile number etc. After it has been installed it will then ask you to set the permissions for any newly downloaded app. For any existing app it defaults to asking the question when access to sensitive stuff is required.

      DroidWall is more granular is what it will / will not allow in networking terms (wireless / 3G) - LBE just allows it or not.

    2. thesykes
      Thumb Up


      Cheers, giving it a whirl now. Quite an eye-opener to see what permissions some apps are requesting... a few minutes clicking deny felt strangely satisfying.

  5. Ken Hagan Gold badge


    ...that banks are sending security information to smartphones.

    These are devices where the end-user can download "apps" and give them full privileges. *Of course* they are going to be targetted by the bad guys. In other news, the last twenty years called. They want their woeful record on PC security back.

  6. mantrik00

    Only install from the Android Market & go through the permissions discreetly

    Only install from the Android Market. Before installing, look for the permissions it requires. If the permissions being sought are inconsistent or over & beyond the functional requirements of the App, just don't install it. With Android, at least you know what is being accessed by an App but with any other OS you can never be sure, unless some researcher points it out. However, Google needs to monitor the Apps' permissions more discreetly.

    1. Charles 9 Silver badge

      Permissions Piggybacking?

      Just curious. Has any Android malware been found that exploits the fact that the app it's disguised as actually has a legitimate use for whatever service(s) it happens to need to do its nefarious business? What about bait-and-switches where apps that begin legitimate (and have the appropriate permissions for valid reasons) are later updated into malware but with no permissions change?

This topic is closed for new posts.

Biting the hand that feeds IT © 1998–2019