back to article Why does an Android keyboard need to see your camera and log files – and why does it phone home to China?

Security biz Pentest is sounding alarms after it found an Android app it says has been downloaded 50 millions times despite being "little more than malware." UK-based Pentest said a whitepaper study [PDF] of the popular Flash Keyboard found that the Android app is "abusing" OS permissions, inserting potentially malicious ads, …

Page:

  1. This post has been deleted by its author

    1. asdf Silver badge

      Re: F-Droid only if you can

      Ok I got the hint nobody wants to hear about how much better an "insecure" software source like F-Droid (which has never had malware) is.

      1. Anonymous Coward
        Anonymous Coward

        Re: F-Droid only if you can

        "why does it phone home to China?"

        I think I prefer that to phoning home to Google...

        1. oneeye

          Re: F-Droid only if you can

          Phoning home to China leaves your phone open to being completely taken over. Any connections that cross the "Great Firewall" can be intercepted. Google is not going to install malware or sling ads on your lockscreen. This keyboard app is still in playstore, and one of the multitude of permissions is, "download files with out notice" . Helloooow? Does that alone but bother you. Perhaps it would be best if you did a little homework before embarrassing yourself.

    2. bazza Silver badge

      Re: F-Droid only if you can

      Just for sake of debate, is this actually any worse than what Google themselves snaffle? Probably not.

      1. asdf Silver badge

        Re: F-Droid only if you can

        Well requiring an open source code repository for all apps discourages the Asian scammers up front plus the apps are free. The drawback is of course a much more limited selection of fart apps (and admittedly other apps as well). To be honest a teen girl social butterfly couldn't probably get by with just F-Droid but its perfect for a back up out of warranty after market rom phone on which you don't want to have any sign on accounts.

        1. Sorry that handle is already taken. Silver badge

          Re: F-Droid only if you can

          Well requiring an open source code repository for all apps discourages the Asian scammers

          But does it discourage the Russian scammers?

          1. asdf Silver badge

            Re: F-Droid only if you can

            So far at least the answer is yes. How much of that is its not worth hacking a much smaller IT nerd centric repository where its tougher to hide shenanigans versus the much juicier Play store target its hard to say.

      2. King Jack Silver badge
        FAIL

        Re: F-Droid only if you can

        @ bazza

        Please can we stop using that stupid argument to justify things. Something is NOT fine because somebody else is doing it.

        1. bazza Silver badge

          Re: F-Droid only if you can

          @King Jack,

          @ bazza Please can we stop using that stupid argument

          Ooo, touchy! Been stung by some Android malware recently?

          As you blatantly ignored my innocent call for debate on my question, I'll kick it off.

          So what's worse? An app whose permissions are blatantly and clearly more acquisitive than necessary?

          Or Google's lengthy EULA which grants them far more rights, yet goes unread by and largely unexplained to end users?

          Google are fundamentally no more or less trustworthy than any other US company. Arguably they're less trustworthy than a European company who operate in a much stronger data protection legal environment. Google operate in a data protection legal vacuum by comparison.

          But they're just another company, and one who are on a mission to get more of your private data so as to screw more advertising revenue from that market. So far they have managed to be far more successful at it than most others so far.

          Granting them special access to ones private data is fine if that's what one wants. But having done that it's inconsistent to then whinge about an app that quite openly and clearly (by means of its permissions) tries to do the same thing but on a more limited basis. Especially as it can be avoided entirely, simply by not installing it.

          Sure, an app such as this keyboard seems particularly slimy (but then so is Google's EULA), and it is kinda crazy to install it. But millions of installers seem not too worried about the permissions that were put before their very eyes.

          Difficult Challenge For Google

          It might be that this kind of thing gets installed because people don't care, which in turn may be because they don't put anything they really care about on their phones.

          Yet Google wants them to trust their entire lives to their mobile (so they can extract advertising cues from it). However if people are deliberately withholding data from them that's going to limit how much Google can grow their business.

          And then there'll always be those people who find the whole Google-sees-everything nature of Android utterly repulsive. And given Apple's success, you have to conclude that there's a monied majority (majority as in Apple have made more money than Google) who'd rather not join Google's club. And then you get the BB10 users such as myself...

      3. Uffish

        Re: Google already snaffles stuff

        I've got a new app for you, you'll love it; it doesn't take much more than Google takes but it sends it all to me.

        1. Anonymous Coward
          Anonymous Coward

          Re: Google already snaffles stuff

          "I've got a new app for you, you'll love it; it doesn't take much more than Google takes but it sends it all to me."

          If in return it blocks stuff going to Google so that they can't target adverts at everything I do, great - you have deal...

  2. hellwig Silver badge

    No.... ok, Betteridge's law of headlines does not apply here apparently.

    I'm sure the publisher will claim ignorance. "oops, we had those things on for testing and forgot to disable them".

    The bigger question is, why would anyone use a keyboard app that requested those permissions? User education is the only way to keep users safe. Otherwise, we'll all be playing in an empty sandbox wearing safety helmets and drinking out of sippie cups, because, you know, we don't want poor Johnny to feel left out of group activities.

    Johnny here is the moron who's too stupid to know that you shouldn't install anything from China that requires internet, camera, contacts, etc... Don't be Johnny!

    1. asdf Silver badge

      >The bigger question is, why would anyone use a keyboard app that requested those permissions?

      Um because Grandma isn't an expert on app permissions which is another reason why Apple can charge the premium they do. They do a better job sippy cup or not of protecting users from their own ignorance.

      1. jzl

        Not only is Grandma not an expert on app permissions, Grandma most likely hasn't even heard of app permissions.

        1. kwhitefoot

          And even if she has she doesn't have any way or not giving the permission other than not installing the app. I have a lot of apps that require more privileges than I like to give but I can't revoke them. For instance Kitchen Timer needs rwd access to my SD card and a Latin English dictionary demand the right to read phone status (it's on a tablet without phone capability and still works so it plainly isn't a necessity).

    2. zaax

      Thats facebook then. Why facebook needs so may permissions...

    3. Anonymous Coward
      Anonymous Coward

      Totally agree.

      That's why I always use a USB keyboard with my smartphone. Along with taping over both front and rear cameras, filling the mic with bluetack, turning off location settings and disabling the network.

      1. Dadmin

        Where was your USB or bluetooth keyboard made? Is it China? Now, what would you do if there was malware built into your keyboard that could secretly activate itself at random times and also gathered and forwarded your info? Do you know how to decode a USB connection stream and monitor it for this kind of weird activity? Me neither, but that's my next security project for home; what are my Chinese keyboards doing when I'm not looking? Please continue typing, people. Nothing to fear, so far.

    4. This post has been deleted by its author

    5. DropBear Silver badge
      Unhappy

      Because there is no existing app that doesn't require ALL the existing permissions; if you want to actually install anything at all, you learn quickly to sign away your first-born (and as many more offspring as requested) without even thinking twice about it. I should know - I refuse to do that but the price I continually pay for it is basically having nothing to install. "It's the integration, stupid" - every app has bloated into getting integration with all aspects of your phone, so it asks for everything...

      1. fidodogbreath Silver badge

        "It's the integration, stupid"

        More likely: "It's the monetization, stupid."

    6. Fatman
      Joke

      RE: Johnny here is the moron

      <quote>Johnny here is the moron who's too stupid to know that you shouldn't install anything from China that requires internet, camera, contacts, etc...</quote>

      STOP talking about executive manglement in such a derogatory manner.

      </snark>

  3. Sebastian A
    Stop

    Almost every app I consider for installation

    demands access rights far exceeding what I consider reasonable for the job it's doing.

    I sometimes think that only a small fraction of users even review the permissions, and fewer even decide against installing based on that.

    I have no idea why Google yanked the Permission Manager functionality. Is it to suck up to developers who'd otherwise have to structure reasonable requests for access? Not like they're endangering their entire ecosystem by alienating a few devs who just request full access to phone/text/location for a simple flashlight app. They are however endangering their user base by allowing that bullshit to continue.

    1. Adam 1 Silver badge

      Re: Almost every app I consider for installation

      Android 6 permissions model works differently. You don't grant any permissions* until the app tries to use that feature (basically the same as iOS). You can also retrospectively revoke permissions even on legacy apps (which may cause them to crash, but my personal experience is that most of my apps survived the denial of things that are not functionally related to the app's purpose)

      * admittedly that's Google's version of any, meaning it can still do network etc.

      1. Adam Azarchs

        Re: Almost every app I consider for installation

        With android M, permissions are granted at runtime and the app gets an exception if it isn't granted the permission. Older apps still get their permissions up-front at install time, but a savvy user can disable them before first run. The reason the old K permissions manager was disabled was, put simply, because it broke too many things if you actually used it, and it broke them in unpredictable ways that were very difficult to debug.

        As stated, of course, pretty much everything has network access permissions. But pretty much every app needs those for one reason or another (at the very least for ads in the case of the flashlight apps, which why are you even installing that if you're on L or M? It's built into the OS!). And one doesn't want to ask users about a permission that every app asks for because that just contributes to people ignoring the permissions warnings.

        Unfortunately the new permissions framework on M doesn't help much since most people aren't on devices which have been upgraded to M. That's Android's real problem relative to Apple - most users don't care about permissions and privacy settings, but they do care about apps. And fewer apps get written, and they have fewer features, when only 10% of the phones have the latest OS.

        1. Barry Rueger Silver badge

          Re: Almost every app I consider for installation

          "most users don't care about permissions and privacy settings"

          I'm not sure that's true, or fair to most users.

          I think that most of us, to one degree or another, have just surrendered.

          A few decades ago people remarked on the page of dense fine print on the back of a car rental contract.

          Everyone knew it was absurd, and everyone accepted that no-one ever read it, but it was part of the deal, so you just signed.

          What's changed is that literally everything you do on-line forces you to "sign" a long, dense, and unread contract, and with apps, accept a more or less random demand for permissions.

          People just don't have hours each day to read these things.

          Even if they did, the fact remains that if you need a service like FedEx, Netflix, or any of hundreds of government sites, you have NO choice in the matter: accept the contract conditions.

          Heck, even my entirely open source computer makes me click to accept the various licences.

          1. DougS Silver badge

            Re: Almost every app I consider for installation

            I don't buy the "users have just surrendered". That may be true of Reg readers, but the average Android or iOS user doesn't really have a clue what it means when they are asked for permission to use location information. They'll just agree if asked, just like they will agree every time Windows 7 asks for permission to do something that needs admin rights, etc.

            The thing in Apple's favor is that since this sort of permission has been required forever, app writers know they can't get away with requesting ridiculous permissions, like wanting access to contacts or photos for an app which has no earthly reason for wanting it. The average user might not know why that's a bad idea, but the ones who do give one star ratings that kill it in the app store.

            Eventually the same might be true for Android, the problem is it will take many years until app writers are forced to change their ways because there will be hundreds of millions of people on Android 4.x and 5.x for years and years now. Another problem is that many Android apps simply break if a permission is denied, because they haven't been updated to expect the possibility of a permission being refused since that's so new. But Google is finally doing the right thing, the only thing I question is how it could possibly have taken them so long!

            1. Anonymous Coward
              Anonymous Coward

              Re: Almost every app I consider for installation

              @ Doug S

              Quote: "But Google is finally doing the right thing, the only thing I question is how it could possibly have taken them so long!".

              Not really Googles fault (apart from them caving to pressure), they wanted to have proper permissions management in Android from day one, but developers (of the services they were typing to attract, like FB etc) didn't want to play ball, and refused to write apps for the then new Android platform if the users could just switch on/off permissions as they (the user) wanted.

              So initial Android came with the horrible 'all in advance' model.

              Android is big enough now (by far) to force through what Google originally wanted, and I think with all the various issues the existing process has, I don't think anybody else (FB etc) can really object in anyway without making themselves look like the issue (which of course is exactly what they were/are anyway!).

            2. fidodogbreath Silver badge
              Holmes

              Re: Almost every app I consider for installation

              But Google is finally doing the right thing, the only thing I question is how it could possibly have taken them so long!

              Because Android is, and always has been, a user-tracking and ad-delivery system. Which should surprise exactly no one, since Google is, and always has been, a user-tracking and ad-delivery company.

              Oh, and don't discount that 'innocuous' network permission as a tracking tool. Since GPS creeps people out, many, many apps now request "View WiFi connections" instead. That returns a list (with signal strength) of all APs within range of the phone. They can cross-correlate that info to a database of AP locations, which in turn will geo-locate the device almost as precisely as GPS (at least in urban areas).

        2. fuzzie

          Re: Almost every app I consider for installation

          Now if only the permissions model was narrow enough. As I understand, and admittedly I'm not an Android developer, required permissions are auto-determined at build time by looking at the dependencies of a project. Given the interconnectedness of services and APIs, you easily end up requiring silly permissions, because some little corner of a library somewhere might need it in specific circumstances...which, of course, may well be totally irrelevant to your app.

          My pet peeve with network permissions is that I can't limit the destination. Many apps need/want network access to check for updates/configs/etc. I'd prefer to only allow them to phone home to destinations of which I approve. I've not seen Marshmallow's permissions in action, but a handy popup like "Blah wants to connect to 'tcp://dodgy.site/track/me'. Allow: Now, Always or Never?" would be much appreciated.

          1. Anonymous Coward
            Anonymous Coward

            Re: Almost every app I consider for installation

            " a handy popup like "Blah wants to connect to 'tcp://dodgy.site/track/me'. Allow: Now, Always or Never?" would be much appreciated."

            That would be good wouldn't it, as would various other possible improvements.

            I seem to remember something like that in later versions of Symbian, but it was a long time ago so I could be wrong.

            Oh well, stuff's progressed since then. Not sure which way though.

          2. Daniel 18

            Re: Almost every app I consider for installation

            "My pet peeve with network permissions is that I can't limit the destination. Many apps need/want network access to check for updates/configs/etc. I'd prefer to only allow them to phone home to destinations of which I approve. I've not seen Marshmallow's permissions in action, but a handy popup like "Blah wants to connect to 'tcp://dodgy.site/track/me'. Allow: Now, Always or Never?" would be much appreciated."

            --------------

            Unfortunately, this becomes less and less useful as malware migrates, and all you see is some anonymous commodity cloud server in the url.

            1. oneeye

              Re: Almost every app I consider for installation

              Hi,

              You might go have a look at no-root firewall apps in playstore. There are many to choose from now, and Lostnet has a geo blocking function. You can fire up these when using apps that are suspect. Or run it all the time.

              Now, for those who don't think it's a big deal about this keyboard app, then I suggest looking at how few permissions other well known keyboard apps ask for. Almost all are about half the amount.

    2. asdf Silver badge

      Re: Almost every app I consider for installation

      Cyanogenmod Privacy Guard is great for this purpose but alas after market rom.

    3. oiseau

      Re: Almost every app I consider for installation

      I once had one of these smartphone things and was appalled to see what practically anything I downloaded to install pretended to access on it. Phone records, camera, log files, etc.

      So I got rid of it.

      As I see it, the truth of the matter is that a *very* small fraction of users even *know* about permissions and fewer *have the knowledge* to act upon them.

      Even fewer decide against installing based on the permissions these freeware malware impose.

  4. This post has been deleted by its author

    1. Anonymous Coward
      Anonymous Coward

      Re: Suggestion for stories like this...

      Yeah really. The correct call is to buy a Windows Phone or Blackberry as an investment. It will probably end up being the last model either make and much like the Kin you can probably ebay it in several years as a nerd joke gift for a good amount of cash. A lack of scarcity in the wild certain won't be an issue considering both's unit numbers are now down pretty much to what they give away to employees.

      1. Unicornpiss Silver badge
        Meh

        The real solution..

        Is to pay attention to the permissions being requested by what you're installing, and the reputation and reviews of the publisher, but the same type of people that would get suspicious that someone asked for their house key and social security number on a first date can't be bothered to pay attention to what they're doing on their phone, tablet, etc. Maybe it's because our brains are wired by evolution to not think that something as innocuous as a feather touch on a phone display can set in motion an immense chain of events and repercussions. Of course anyone that has drunk texted their friends or lovers has likely come to understand this in the light of day.

        There is a great deal of freedom and flexibility with the Android platform, but you do have to consider the decisions you make, and a decent freeware AV isn't a terrible idea either. Some people may be better off in the walled garden, at least until more security is built in by default.

        1. Fatman

          Re: The real solution..

          <quote>Of course anyone that has drunk texted their friends or lovers has likely come to understand this regret it in the light of day.</quote>

          FTFY

      2. Timbo

        Re: Suggestion for stories like this...

        "Yeah really. The correct call is to buy a Windows Phone or Blackberry as an investment."

        I did something like once - I bought an Apple Newton.

        Trouble is: I don't know how much of a return I'll get on it now. Probably about -100% ;-(

    2. DougS Silver badge

      Re: Suggestion for stories like this...

      And silly AC is ignoring that many Android users paid a fat wad for devices they can't expand with SD memory and has no removable battery. Or was the Galaxy S6 just a figment of my imagination? And it wasn't the only one.

      What people like you ignore is that not everyone cares about those features as much as you do. I remember in the early days of Android when one of the touted features that Apple was missing was an FM radio. Many Android phones still include that feature, and Apple still doesn't, but I have yet to every personally meet ANYONE who uses their phone to listen to FM radio. Sure, if you want an FM radio or SD card or removable battery Android is your only choice. But don't act like these are features that everyone wants. I'd prefer not to have my performance go in the toilet since the SD interface sucks so bad compared to properly designed internal storage, thanks.

      1. Unicornpiss Silver badge

        Re: Suggestion for stories like this...

        I have used the FM radio before, though sparingly. I wouldn't call it a deal breaker by any means if it isn't there, though it seems silly to not have an app to use it if the feature is already on a chip in the phone. I would miss my IR remote though. If you buy a decent quality SD card, performance is fine. If you buy the cheapest one you can find, it won't be. A removable battery is nice, but the deal breaker for me is if the device doesn't have an SD card slot. I like storing my media on an SD card. You can preach all you want about cloud backups, but if something happens to my phone, I can just pull the card and there's my stuff, or swap the card into my next phone like a SIM, and again, there's all my stuff.

        Though even if there was no card slot, I would still prefer an Android device personally. I just like the flexibility and the UI better. I've never cared for Apple's UI design on their phones. And I don't have to use the frustrationware that is iTunes.

      2. Anonymous Coward
        Anonymous Coward

        Re: Suggestion for stories like this...

        "or SD card or removable battery Android is your only choice"

        Or you can buy a Windows Phone. My Lumia 640 has both.

        But back to Apps (and obviously being a WP user I'm hardly qualified to talk about those as there are so few on WP ;)). It seems to me that no one cares about the origin of apps, who the authors are or anything. On a Linux PC, if I was installing something, I'd be checking out the website or open source repositories or professional reviews. It seems nobody cares that the authors are unknown and can't be contacted. it seems that average joe (or janet) user just thinks apps are created in the ether somewhere by pixies and can be installed without a care. No wonder things often end badly.

  5. Anonymous Coward
    Anonymous Coward

    No worries, its not like Android has a huge share of the phone market....

    * Oh wait 80%? Ouch! I wonder how many shoppers even realize that Google is behind Android, or that M$ makes serious $ from it too. But what's the alternative? That, or post a pile of money to Apple...

    * How many consumers are aware that the Play Store is full of this sh1t? If I didn't follow these articles, I could have easily assumed, that Google would never be dumb enough to let this happen.

    * Do we see any warnings in the mass media? No its just glorified plugging of the Play store all day long, and how neat this app is, or this other one.

    * Its all very well to talk about educating users. But whose going to do it, the government? F@ck that! There needs to be accountability and responsibility here. Google should be fined megabucks for letting these apps slip through. Blaming users is just so unjust....

    * Its also increasingly tricky to find a real-world store that offers a non-Android dumb phone from a few years ago. There just isn't choice anymore. Its the same with Smart TV's. No basic models around anymore.

    * Many flavors of Android phone sold across the world (outside EU./ US), come with tracking enabled out of the store with invasive apps already installed. WTF??? Vendors should be lined up and shot for this...

    1. DougS Silver badge

      Re: No worries, its not like Android has a huge share of the phone market....

      What do you mean you never see any warnings in the mass media? I see stories about Android malware in places like Cnet all the time. Until there is some Android malware that causes real consequences for a lot of users the problem will be ignored. Look how many years Windows malware (and DOS malware before it) was around before it really got the kind of attention required for Microsoft to do something about it. It wasn't until stuff like Code Red, I.Love.You and so on all hit over a short period of time and caused a lot of problems that people took notice, and bad publicity forced Microsoft to act.

      The same will be true of Google (and Android OEMs who are part of the problem as far as not updating Android) Until it becomes a big problem, they will mostly ignore it because it isn't hurting them financially. I'm not sure why you think Google should be "fined megabucks" because of apps in the Play Store. Should Comcast be held liable if hackers use their pipes to cause trouble? Should AT&T be liable if terrorists use their phone network to call each other and plan attacks? Should HP be liable if the KKK uses their printers to print racist materials?

      1. Anonymous Coward
        Anonymous Coward

        "I see stories about Android malware in places like Cnet all the time"

        Good for you! But its warnings to the masses I'm talking about. Not sites you and I read. We don't need to read every warning anyway as our defences are already up. Its the average person in the street who needs this info, and urgently... In fact the most ignorant of all, are the staff working in stores selling this stuff. Talk about clueless...

      2. Voyna i Mor Silver badge

        Re: No worries, its not like Android has a huge share of the phone market....

        "I see stories about Android malware in places like Cnet all the time. "

        For mass media, think Facebook and the Daily Mail website. And to my mind, both of those are malware.

      3. Someone Else Silver badge
        Thumb Down

        @ DougS -- Re: No worries, its not like Android has a huge share of the phone market....

        Boy talk about red herrings!

        What do you mean you never see any warnings in the mass media? I see stories about Android malware in places like Cnet all the time.

        Uhh, Dougie...for the record Cnet != Mass Media. Call me back when NBC does an in-depth story in the Nightly News, or this becomes a story on 60 Minutes.

        Should Comcast be held liable if hackers use their pipes to cause trouble? Should AT&T be liable if terrorists use their phone network to call each other and plan attacks? Should HP be liable if the KKK uses their printers to print racist materials?

        The mind just boggles at the density of that remark.

    2. Chris 125

      Re: No worries, its not like Android has a huge share of the phone market....

      Wow, so you're upset that people are backing Google and Microsoft by buying Android, but then note that the alternative to giving them money is to give Apple money. You know that's how business works right? You give people money for a product or service, and the ones with the most successful product or service get more money.

      I don't think there's any confusion that Google are behind Android, I also don't believe most phone buyers give a crap. They probably don't even buy a phone - they get it free on contract, and the network handles the payment for the phone. So as far as they can see, they've paid Google/Microsoft/Apple absolutely nothing.

      The Google Play Store is also not "full of this shit".It's got some malicious apps, the majority are not.

Page:

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019