back to article First SMS Trojan for Android is in the wild

The first text message-based Trojan to infect smartphones running Google's Android operating system has been detected in the wild. Trojan-SMS.AndroidOS.FakePlayer-A poses as a harmless media player application and has already infected a number of mobile devices, Russian security firm Kaspersky Lab warns. Prospective marks are …

COMMENTS

This topic is closed for new posts.
  1. David
    Stop

    Trusted Source

    Don't you need to set your preferences to allow install from non-trusted sources or something like that? I'm pretty sure that's quite a few menu levels down so won't be something most users tick,.

    I would have thought without that it wouldn't install. Might be wrong though.

  2. It wasnt me
    Boffin

    What I dont understand....

    ..... is how this can be possible?

    Presumably the scammers have to have a legitimate account with my network provider to enable them to bill. How do they get this? Why are the networks giving money to these people. Do I just have to ask for some money?

    Shouldnt this be the easiest scam in the world to stop?

    Or am I missing something?

    1. maniglia

      no you are not wrong

      as per title, you have to enable it in a system menu

    2. Anonymous Coward
      WTF?

      Wondering that also....

      Link at Kapersky Labs seems to be down.....

      Has someone actually figured out a way to bypass the installer permissions?

      What's the SMS angle - from the description it just sounds like a link is included in the message - or is it using some sort of SMS exploit or attachment to bypass permissions and force the installation?

      Is the entire story bollocks?

      1. Anonymous Coward
        WTF?

        Multiple Protection

        The Android has multiple levels of protection to stop this from happening. You have to enable third party sources to allow this app to install and also the screen when installing shows what actions the app will do. Such as accessing the internet. So if a meadiaplayer shows as having the ability to send SMS, you would have to be stupid to allow it to install.

        1. Tigra 07 Silver badge
          FAIL

          The stupid people will always find ways of being stupid

          Step 1 - Find a suitable app for what you want

          Step 2 - read reviews

          Step 3 - Look at permissions requested

          Step 4 - Accept or Reject

          Step 5 - install or flag it for someone to look into

          It's not exactly rocket science

          Obviously social networking apps need access to lots of permissions, but some apps are asking for everything available just to offer a calculator or some other crap

        2. Anonymous Coward
          Anonymous Coward

          Meh...

          You can't fix stupid. This isn't a vulnerability of Android as much as it is social hack on the end users to get them to install the program. Now if the trojan installed ALL BY ITSELF just by clicking on a link and didn't let the user know that it was installing, THEN I would say Android has a problem, but until that happens this is not so much news as it is a press-release by Kaspersky to tell the world that they are working on a security product for Android and to scare up some interest in it.

          Nothing to see here... move along.... move along.

          1. Tigra 07 Silver badge
            FAIL

            Stupid people ignoring the warning

            The problem is, the people getting infected are stupid because they ignore the protection in place just to install anyway.

            These people will then have money stolen from them if the rogue app sends messages out.

            So all in all, this is hitting stupid people in their stupid pocket, hardly news at all.

    3. Anonymous Coward
      Stop

      SMS billing

      Nope, they don't need an account with your network provider. They likely get service from some dodgy little telco (there are many hundreds), which in turn has a relationship with an aggregator like Mblox, which in turn has a link to your network.

      The money follows that chain in the reverse direction, and everyone in the chain gets a slice, so they have little incentive to prevent or detect scamming quickly.

      It *should* be easy to stop, since the numbers are easily associated to telcos. But the regulator is not swift to act. Variants of this scam have been going on for years; when people used modems to connect to the Internet, malware would change your dial-up number to a premium-rate one.

      At least with a landline, you can ask for all premium-rate numbers to be blocked.

      1. Paul Shirley
        Flame

        mobile carriers need to stop profiting from malware

        I currently have premium SMS blocked on my giffgaff account but the block has to be on SMS+International calls. Not one or the other, it has to be both. Even where carriers allow premium SMS blocking it's obvious they really don't want you doing it.

        The whole mobile industry is corrupt to the core, they've not seen a scam they don't like, there's a slice of the action for them whatever happens. Or seen any need to protect customers.

        1. Anonymous Coward
          Anonymous Coward

          Quite

          Had this a few years ago - when a lost phone managed to rack up enormous bills to a very well known "hot country".

          The providers response ? Tough .... even though the most fundamental fraud protection measures would have prevented it.

          Ultimately though. Don't get so drunk you lose your phone and don't notice for several hours.

          and don't buy a phone from orange !

    4. Lunatik
      Boffin

      Scammer's "Hello World"

      10 Set up premium dial/SMS account using spoofed credentials

      20 Release trojan

      30 Withdraw funds as often as you can until account is shut down

      40 When Feds go looking, the trail goes dead when they find the fake ID/cloned card you used to open the account

      50 Goto 10

      Have yourself a good few of these running at any one time and be able to move fast enough and it is a reliable business model for the technically adept light-of-finger, which seem like half of China/Russia nowadays.

    5. DrXym Silver badge

      It's possible because

      a) Users are not examining the security info when they install an app

      b) Android's security model is great except it doesn't account for a) and offers no second chances

      Android really needs to implement something like UAC so that even if someone inadvertantly installs a malicious app, the phone will ask for permission before performing certain actions like dialling a number, sending a message etc. This could be tweaked per app and the default policy should be strict.

      I also think Google are not policing marketplace as much as they could. There is too much review spam there to suggest that anyone cares. This is not acceptable. I also believe that google could also be performing security audits on apps which ask for suspicious kinds of permissions (e.g. to send texts) based on their intended purpose.

      1. Anonymous Coward
        Anonymous Coward

        Second and third chance

        "b) Android's security model is great except it doesn't account for a) and offers no second chances"

        On a standard Android headset installing APKs directly is disabled and the user will be prompted when they try. That will take them into the Settings application where they must tick a box, followed by another prompt warning of the dangers.

        After all that, you'd then have to start the install again, where you will get the permissions that the application is requesting.

        If all of that doesn't trigger the question "why does a media player need to send SMSs?" then they need and are about to get a swift lesson in security.

      2. DrunkenMessiah
        Alert

        RE: It's possible because

        You seem to have missed that this app is not downloadable on the Market. It has been downloaded from some nefarious site.

        Also, Android already has the UAC type window. When you install an app you are briefed on exaclty what it can do.

        When you take that a step further and then require permission everytime an app is launched/does something, you just break the app. Who the hell wants to download an alternative SMS/Dialer app when it's going to prompt you for permissions everytime it does something. If you don't like what it's going to do, don't install it!

        1. DrXym Silver badge

          I haven't missed the point

          1. It would be trivial to upload a malicious app to Google marketplace. Its as simple as signing an APK and uploading it. The fact that one trojan wasn't is completely irrelevant.

          2. A single dialog prompt is not an adequate defence and it doesn't account for apps misusing or abusing permissions. A user has no way of distinguishing between an app that genuinely needs to be dial numbers (e.g. an address book) from one which also dial a premium number in Cameroon in the middle of the night.

          By default Android should put a dialog in between an application and an action that could cost a user money. But by default the security should be enough to protect users until they know better. If the user wishes to trust the app, then they could do so from the dialog itself (e.g. there is a button or setting accessible from the prompt which the user can loosen the policy or they can do it from the regular app settngs).

          At the moment the security is inadequate and more of these stories will keep coming until it is addressed in a meaningful way. That's not to say Android should go anywhere close to the Apple route of vetting apps, but it needs more safeguards.

          1. JJS
            Stop

            UAC

            Implementing something like UAC where it prompts the user every single time the app wants to do something considered "above and beyond" like dialing, SMS, or using data will prove just as ineffective as UAC on Windows.

            If you repeatedly throw up dialogs asking a user if they *really* want to do this, the user is just going to become trained to spam the OK button to get that distraction out of the way. Yes, they *should* be thinking to themselves about, "Why does this application require admin privileges?" or, more relevant to this story, "Why does this media player need to send SMS?" but humans are creatures of habit. They'll just keep hitting that OK button because until they get to what they wanted.

            Tangentially related, how often have you ever read an entire EULA? Even the ones that force you to "read" them, don't you just scroll right to the bottom and hit Accept? What if that EULA gave away the rights to your first born child (obvious legal restrictions preventing this notwithstanding)?

            1. DrXym Silver badge

              @JJS

              "or using data will prove just as ineffective as UAC on Windows."

              Except it is effective on Windows. Vista took a lot of heat for UAC but there is no denying that it forced applications to become good citizens by not requesting permissions (e.g. read/write access to parts of the registry) unless they strictly needed them. It served its purpose which is why prompts are relatively rare these days.

              Secondly a UAC like mechanism forces user intervention. If an app decides to send SMS messages then you will get a prompt up. If you didn't initiate this SMS sending, it should serve as a massive clue to the user that something is up. At the moment the app could send 10 messages to a £3 premium service overnight while someone was asleep and they would be none the wiser.

              Thirdly, I have already said how people could disable the prompts. Each app could be governed by a security policy - trusted, untrusted etc. If they get fed up of the prompts or wish to trust the app, the UI could make it simple to flip the security policy.

              The point being that a secure by default policy, plus the prompts when apps do naughty things will serve to make apps better citizens and provide a measure of defence which is sorely lacking at present.

              Or Google could leave it the way things are and receive a constant flow of stories about malicious apps on Android.

          2. Anonymous Coward
            Anonymous Coward

            And

            "1. It would be trivial to upload a malicious app to Google marketplace. Its as simple as signing an APK and uploading it. The fact that one trojan wasn't is completely irrelevant."

            And paying the $25 Market registration fee after each account gets banned by Google. That is going to get expensive, and quickly.

            1. DrXym Silver badge

              Wut?

              "And paying the $25 Market registration fee after each account gets banned by Google. That is going to get expensive, and quickly."

              As if a criminal will care about that. They'll pay the $25 on a prepaid card, or a stolen credit card. They'll make 100x that from suckers running their app before it gets taken down.

      3. Stephen Bungay

        Wolf Wolf!

        As in the old story of crying "Wolf"! Windows popped (pops?) up so many warnings that really were/are not necessary and many others with wording so convoluted that OK meant cancel and Cancel meant OK, that folks got numb trying to understand what was being presented to them They simply clicked on whatever they got that looked like it would take them to where they wanted to be. Now, much to their dismay, even when presented with a clearly worded and genuine warning they ignore it.

    6. benjymous

      Pretty simple

      The user installs an app that sends SMS messages to premium rate numbers - that's all. As far as the network provider can see, there's no difference between an App sent SMS and one you've manually sent yourself.

      The only person to blame is the end user. What the story doesn't make clear is that this trojan is only available from dodgy means - e.g. people downloading from "Paid apps for free!" websites or torrents, then ignoring the "This app needs permissions to send SMS messages, that could cost you money" warning that pops up when they install it.

  3. Jimmy Floyd
    Thumb Down

    I wonder how common?

    I nearly downloaded a Tetris clone the other week before wondering why it needed permission to send text messages.

    Trouble is, the warnings after you click 'Install' are not the sort of thing people will often read.

    1. Mitch Kent

      Its not that subtle

      The way android tells you what security features each app will use before you install it means that, frankly, this is a user stupidity problem. Subtly recording info and posting it over the network is hard to notice from a rogue app, but a media player that sends out premium rate sms? The warnings are on the install screen and are in red writing.

  4. GreyCells
    Alert

    Police Warning for Householders

    The police are warning that if you let a strangers into your house (who may or may not be wearing masks, striped jumpers and carry bags marked 'swag'), they may well steal your stuff.

    Duh.

  5. uninventiveheart
    Stop

    The First of Firsts

    Not only the first time a Android virus was publicized, the agency making the report, Kaspersky, OFFERS NO mobile client to scan viruses for Android.

    Yeaaah. Fat load of good that your anti-virus program can detect the signature if you can't access anything more than the phone's SD Card (when the SMS is in protected internal memory.) Sure, it gets rid of the SMS messages from non-Android devices, but c'mon.

  6. Anonymous Bastard
    Alert

    Trojans need to be manually installed

    Having developed for Android I know that non-app-store .APK files can only be installed by first tapping the "Unknown Sources" checkbox in "Application Settings" and then agreeing to the following prompt:

    "Your phone and personal data are more vulnerable to attack by applications from unknown sources. You agree that you are solely responsible for any damage to your phone or loss of data that may result from using these applications."

  7. Seanie Ryan
    Heart

    Mr/Mrs/Ms

    hahahaha

    when will techies learn that tech savvy users are not the same as general consumers.

    Android is a great product, but you have to have a walled garden like the iphone for average joe/josephine

    surely the desktop OS history has taught us that? although, come to think of it, the only thing techies learn is how to repeat "My view is the correct one, everyone should do as I say"

    and yes, i do appreciate the irony of giving my view here that knocks others views... ;-)

  8. James Dunmore
    FAIL

    If you really really dumb....

    .... You'll be infected. Bascially, click here for a virus or a bit of software you don't want, plus untick the trusted sources button - you deserve to be infected if you do all of that.

    I agree with @It wasnt me if the networks are aware of the scam, and lots of customers start going to the premium - simply block that number.

  9. Bob Terwilliger

    Google won't tolerate spyware on Android

    After all, spyware is *their* job.

    1. fandom
      Jobs Horns

      Of course

      That's why Mac computers, on which you can install software from any source, are always filled with viruses, trojans, spyware and the like

      1. Ian 70
        Flame

        Nahh

        that's just because it's not worth the time and effort to infect both of them

      2. Ho
        Jobs Halo

        Baloney

        You obviously know nothing about Macs. Name me one virus for OS X. You can't. The only trojans reported are from pirated software, which infects thieves, and there are only a couple of those. As far as malware, what sort of malware are you talking about?

    2. Anonymous Coward
      Happy

      It's ok

      "Google won't tolerate spyware on Android After all, spyware is *their* job."

      It's ok, this isn't the App Store, competing products are allowed.

    3. Anonymous Coward
      Anonymous Coward

      Android AV

      "Not only the first time a Android virus was publicized, the agency making the report, Kaspersky, OFFERS NO mobile client to scan viruses for Android."

      Unless a "virus" comes out that actually takes advantage of an exploit, i.e. not one that works through user stupidity, the only "AV" you need is a list of package names of dodgy apps (Android apps use the Java package name to uniquely identify.)

      Look at the installed app list once a day, prompt/uninstall any that match. Simples.

      1. uninventiveheart
        Troll

        Everything by it's name.

        So, you're basically saying you don't believe this to be a virus. The rest of the reply was unnecessary condescension. (There, there child. Linux is safe.)

        1. DrunkenMessiah
          Stop

          It's not about belief

          It's not a virus, it's a social networking trojan and that's that.

        2. Anonymous Coward
          Anonymous Coward

          No

          "So, you're basically saying you don't believe this to be a virus."

          Exactly, it qualifies as a trojan, in that it pretends to be something that it is not, but ultimately, it's just an application that functions like any other application and requests permissions like any other application.

          "The rest of the reply was unnecessary condescension. (There, there child. Linux is safe.)"

          Actually, that was unnecessary condescension. At no point did I say Linux is safe. If this had taken advantage of a bug in Android that allowed it to gain root privileges, self-replicate, or send SMSs without first asking the user for permission then it would qualify as a virus. It does non of these.

    4. uninventiveheart
      Coffee/keyboard

      When you're a Jet, you're a Jet all the way...

      Of course. Techies use words like high school jocks use fists. Amassing people who agree with you when you're right online, that there is the modern-day West Side Story.

    5. DrunkenMessiah
      Stop

      Re: Mr/Mrs/Ms

      "Android is a great product, but you have to have a walled garden"

      Absolutely agree. That's why Android, by default, does not allow you to install apps from unknown sources.

      1. Seanie Ryan
        Boffin

        @DrunkenMessiah

        ok, i'll agree with you on that one, but what if Google put one tenth of the effort that Apple put into vetting all the apps.

        They dont need to be as paranoid as apple , stopping browsers or such, but just preliminary checks that items dont contain malicious code.

        then normal norman on the street will feel a bit more confident and these stories will be few

  10. Andy Watt
    FAIL

    doesn't matter how stupid the users are...

    ... if the platform designers are stupid enough not to take account of it.

    God almightly, we've been down the "are you sure you want to do this? It's unsafe...." route a million times, and still nobody has learned. Android'll end up riddled with malware unless they close app access to code vetted apps from the app store only.

    The ability to install APKs from untrusted sources is the reason this malware exists. Ergo, get rid of that feature NOW.

    1. Steven Knox
      Stop

      Recursion

      "The ability to install APKs from untrusted sources is the reason this malware exists. Ergo, get rid of that feature NOW."

      The ability to drive a motor vehicle in excess of 30 MPH is the reason for countless numbers of deaths every year. Ergo, we should remove that feature from motor vehicles NOW.

      The problem with designing systems to protect people from their own stupidity is that nature is smarter than we are. She'll simply create more and bigger idiots, until the systems themselves are designed by the stupid, to protect the stupid from the stupid.

      There is another school of thought which holds that this has already happened.

      1. uninventiveheart
        Alert

        Put on your crash helmets, kids, we're about to reach a speed of 3!

        The only way they'll do that is if phone manufacturers get enough litigation to carry it out. The the "open phone" platform won't be so open anymore.

        If the system has to ask if you're sure you want to dial a phone number in your phone book that was manually entered by you (an untrusted source) and not confirmed by a secure update from Google's Address file that matches SMS transmitted messages or Latitude shared data, maybe we're going too far.

  11. Lunatik
    Boffin

    Hey Android dudes! I've got the fix right here

    Refine the Android security model a wee bit more and this problem would go away.

    All they need to is add another layer of user permission to application security, so that the user could explicitly block all third-party apps from certain phone functions, e.g. SMS sending.

    Even after allowing installations from non-trusted sources, if the phone is setup to block one of the required functions then the program will not install and daddy Android would let the user know why.

    If you then later wanted to install an app that you did want to send SMS then you would need to add it to a app whitelist *before* it would even install.

    Networks could even ship phones with the most risky functions blocked as default, much as they currently do with international roaming or adult web content at the SIM level.

    Surely this would keep the even the hardest of thinking, who let's face it are usually the ones bitten by such junk, a lot safer?

  12. Lamont Cranston
    Thumb Up

    More informative than the snippet I caught on the radio this morning,

    where the BBC journo claimed to have built his mobile malware with no knowledge of mobile programming. That he was assisted by an "application security firm" leads me to believe that writing a virus for mobiles is not quite as simple as he would make out.

    1. DrXym Silver badge

      Maybe he was using AppInventor

      No programming required:

      http://sites.google.com/site/appinventor/

      I don't know if it lets you hook a button to send an SMS but I suppose its possible.

      1. David Simpson 1
        Thumb Down

        Nice link

        Shame it has not launched yet !

        1. benjymous

          It's in beta

          I.e. you request an invite, and they let people in, in dribs and drabs.

    2. Anonymous Coward
      Alert

      Simpsons did it!

      Block Non-Market Applications already covers that method. Just turn it on.

      And on Android, service providers can explicitly lock out features on their devices before shipping them. Like Sprint in the US, if they disallow tethering, the Dial Up Networking button will be greyed out like it is on my Hero (they want you to buy a separate data card since that's capped at 5GB and your phone is unlimited phone-based data.)

    3. Ian Yates
      Alert

      Too fiddly

      Why not have certain permissions (any requiring external access) use a popup request system (a la UAC) the first time they need the permission, where the developer must provide a short description on what information will be sent/received.

      If the developer is found to have lied, no more app store privileges.

      The advantage to this extra step is that a tic-tac-toe game asking for 'net or SMS privileges will be obviously suspicious.

  13. Anonymous Coward
    Grenade

    Another sterling illustration...

    ...of why I will never lower my standards and resort to buying that Google Android crap.

    Google's sole purpose is to gather as much data about anything and everything as it can, and use that data to sell targeted advertising.

    Google doesn't give a flying monkey about your security, let alone trying to make its products secure. Why would it? That woudl mean wasting time on non-core business.

    1. Geoff Campbell
      Grenade

      Another sterling illustration....

      ....of why you shouldn't be trusted with advanced technology. Stick to the nice comfortable padded cell of the Apple world, and we'll get on with it without you.

      GJC

  14. MarkOne
    FAIL

    what app permissions were requested?

    surely that's the important question

  15. petur
    Thumb Down

    @Seanie Ryan

    So, having stupid users install malware (not a virus!) makes a case for a walled garden? Great.

    There are too many bad drivers on the road. Let's ban all cars and all take the bus!

    Apple Moron

    1. David Edwards

      Bad analogy

      There are a huge number of greens and road saftey campaigners working very hard indeed to make your statement into transport policy. In fact it pretty much is.

    2. Seanie Ryan
      Paris Hilton

      insecure techie i'll bet

      what makes you think I am an apple user?

      bad drivers are dealt with by being caught by the law and fined/imprisioned. Maybe you meant to suggest a financial punishment for users who are reckless with their computing devices?

      anyway, I am in no way referring to the motor industry. I am talking about the computing industry. lets try keep your arguments on that topic. Yes I believe that the average user needs controls and protection in place. Tech savvy users do not need them but to make money on volume sales, I would not target my product at them solely and would prefer to instead cater for broader market.

      Why is it so hard to accept that not everyone is a computing genius?

  16. B 9

    @petur

    Bad drivers so you ban all cars? Hardly a correct analogy. How about "poorly designed cars leading to accidents, thus vetting the cars for basic safety first which causes a reduction of accidents"? When you put it that way it doesn't seem so unreasonable, and if you could put away your blind Apple hatred for a minute maybe you could at least concede that point?

  17. Neil 13

    iPhone owner

    You're not singing anymore........

    You're not siiiiiinging anymore!

  18. Maliciously Crafted Packet

    Stupid Stupid Users

    Oh for the sake of all things holy we have been here before. Do we really want to do this again? Windows XP anyone?

    What is it with you lot, encouraging an over complicated platform to be adopted by the masses. And then calling them stupid because they don't understand how it works.

    When it comes to IT the average person is stupid.

    That doesn't mean they are stupid people it just means that they don't understand computers. Like most of us don't understand how to operate a tower crane or how to audit the accounts of a multinational company.

    What users need is a platform that provides...

    • An easy to use well designed and consistent user interface.

    • Combined with a strictly policed app store as the only source for installing third party apps and media.

    As with Linux, Android is an excellent system for the technically astute. But it is not to be recommended for mortals, it will only end in tears. They're far better off with an iPhone.

    1. Anonymous Coward
      WTF?

      Stupid Clueless Steve Jobs Fluffer

      @ Maliciously Crafted Packet

      These "stupid stupid users" obviously had enough technical nous to disable the safety features built into Android and install an application from outside the official marketplace. How does that fit in with your iTard world-view?

      1. David Edwards

        THINK!

        Look, clicking YES to "are you sure" requires no Technical Savvy.

        Understanding why you should or shouldnt Does.

        Cemeterys are full of people who were "clever enough to bypass the saftey features" and "knew what they were doing"

      2. Maliciously Crafted Packet

        Oh dear, here we go again.

        @ Stike Vomit

        Look, I know its difficult when you discover the -beloved platform that must not be criticised- is found to have a flaw.

        A flaw incidentally that makes the recent overblown antenna issues of the iPhone minuscule and far less damaging to its users by comparison.

        Those of us who have a preference for Apple iGear have had to put up with all sorts of comment-tardery and crap for years, didn't do us any harm. I'm sure you'll get over it.

        Now, to get back to your point. Just because users don't know what they are doing doesn't mean they won't dick around with the settings.

        Which is why powerful systems with access to highly sensitive personal data must be locked down to the extent that such dicking around wont expose users to the threats described in this article.

        I realise this thinking is an anathema to supporters of FOSS but what you have to understand these devices are now in the hands of wider community who are -by and large- not IT professionals.

        I do hope this is not too much to take in at what must be difficult and emotional time for the FanDroid community.

        1. Anonymous Coward
          Paris Hilton

          "Apple: Think different"

          Should actually be "Apple: Don't think, just buy our shit you fucking sheep." then?

          Glad we've cleared that one up.

      3. nation of stupid

        @Strike Vomit

        Quote:

        These "stupid stupid users" obviously had enough technical nous to disable the safety features built into Android and install an application from outside the official marketplace.

        Easy to do, go to Gameloft or similar third party websites and buy an app or game. The 'stupid stupid users' follow the instructions to enable downloading - of course there's no instructions given to change the settings back again.

        Technical nous just doesn't come into it.

    2. Anonymous Coward
      Anonymous Coward

      Understanding computers is not a pre-requisite...

      You just need to know that the only thing that should be sending messages is YOU, the user, not your media player. You don't need to be an explosives expert to know that throwing lit matches at an open gasoline tank is a bad idea, and you don't need to be an electrician to know that licking an electrical outlet is not conducive to your continued existence among the living.

  19. Anonymous Coward
    Linux

    SMS trojan

    > Trojan-SMS.AndroidOS.FakePlayer-A poses as a harmless media player application and has already infected a number of mobile devices .. Once installed ..

    How does this trojan get installed onto the device?

  20. David Edwards

    Successfull Walled Garden ?

    Games consoles.

    As far as I know, mass adoption of a programmable device by "consumers" and no malware/viruses?

    Discuss.

    (Becuase they dont hold anything of any value maybe)

    1. ThomH Silver badge

      You could make money hacking a Wii, XBox or PS3, couldn't you?

      At least the XBox has a marketplace of sorts that the average man off the street can sell in (ummm, I think, and the man probably needs to be US resident) but in any case all three have web browsers, which probably means stored passwords for banking, shopping, etc.

      I've never been sure why people are so quick to condemn the walled garden in mobile handsets but accept it almost everywhere else, including on video game consoles. I guess it's because by "people" I actually mean "people who comment on tech publications and blogs".

  21. Anonymous Coward
    Flame

    Meh

    Dear Android Owner

    Its all YOUR fault and you can purchase the new for 2010 Norton Anti-Virus tools soon.

    Sent from my IPhone

  22. corestore

    Maybe I'm being dumb but...

    If this is happening without your knowledge or consent, how on earth can you be liable for any charges resulting? That's nonsense; no legitimate telco is going to be prepared to be seen as being party to scamming their customers that openly.

    1. Dennis Price Silver badge
      Coat

      lol

      Go Blackberry!

      Sent from my Verizon Blackberry

    2. mrweekender
      Pirate

      Hmmm....

      ....clearly you've never been on an Orange contract.

  23. drag
    Grenade

    If you make something fool proof the world will make a better fool.

    ""Refine the Android security model a wee bit more and this problem would go away.""

    Ummm.... no they can't.

    Lets see how to 'infect yourself':

    1. Dive into the settings on your phone and enable the ability to install applications from third parties

    2. Visit suspicious Russian Website

    3. Locate APK file. Download it.

    4. Start the installer.

    5. Give the application permission to use SMS

    6. Shrug when it does nothing and then forget about it and do not uninstall it.

    You cannot fix stupid no matter how many layers of security you add onto a system.

    This is a 'violation of security' along the same lines as if you called 'MAFIA-R-US', inviting a heavily armed man wearing a mask to your house, open up your wall safe for him and then walk away to go get groceries is a violation of your security.

  24. Anonymous Coward
    Stop

    Not so stupid users?

    Does the Google Marketplace even exist in Russia? If it does is it limited to free apps only, which is the case for the vast majority of the Marketplace stores outside the 13 or so 'lucky' countries that have full stores? If so, wouldn't Russian drones be far more likely to look for their apps outside a non-existent or extremely limited store and wouldn't they therefore be at much greater risk by default rather than through user-stupidity?

    1. drag

      sure, whatever.

      >> Does the Google Marketplace even exist in Russia?

      No clue. If not then you can just use SlideME marketplace. Google App Marketplace is not the only game in town.

      >> If it does is it limited to free apps only, which is the case for the vast majority of the Marketplace stores outside the 13 or so 'lucky' countries that have full stores?

      That's not really that bad. The vast majority of Android Apps are free or are ad driven (or whatever). Only a small minority is pay-for. This is one of the big differences between the iPhone vs Android markets.

      >> If so, wouldn't Russian drones be far more likely to look for their apps outside a non-existent or extremely limited store and wouldn't they therefore be at much greater risk by default rather than through user-stupidity?

      If you enable installing non-market apps then, yes, your increasing your risk no matter what. There is no way to avoid this.

  25. Anonymous Coward
    Black Helicopters

    Is it me...

    Or is there some truth to the theory that trojans etc. are written in the basement of the companies peddling security products?

  26. Anonymous Coward
    Anonymous Coward

    Oh the irony!

    Just a Mac (no viruses or malware) user.

    Just an iPhone (walled garden) user.

    Just a poor, trampled on Jobsian slave really.

    Just goin' "tee hee hee"!

    Fuckwits.

    It's 'Windoze Security' all over again.

    1. Anonymous Coward
      Anonymous Coward

      Ummm.. no it's not...

      A Trojan is NOT platform independent and can be written for ANY platform because it depends on the user installing it. It holds itself out as one thing while concealing a nefarious purpose, except the purpose is revealed by Android and the stupids install it anyway!

      If we compare this Trojan to the original Trojan Horse the greeks would have put a big warning sign on the "gift" announcing that it was stuffed full of soldiers and would open at midnight to loot and pillage the city, but the sign goes unheeded.

      1. Galidron
        Boffin

        Trojans can be spread by viruses

        There have been many Trojans that do not require user interaction to install. This one does, but that doesn't have to be the case.

    2. Anonymous Coward
      FAIL

      title

      Deluded fool.

      Simples.

  27. Ned Ludd

    The price of freedom is eternal vigilance

    ...which seems a bit steep to me.

  28. Jean-Paul

    Just shows

    Android is a system for nerdy tinkerers...The majority doesn't want all these questions, can't be bothered doing all that and take responsibility themselves...

    I sound like a broken record, but Android's greatest strength the openness and flexibility is also its biggest downfall...

  29. uninventiveheart
    Joke

    Angry, angry people.

    Everyone hates MS fans, Apple hates Android users, and Android users hate themselves. Just get it over with... have a melee.

    Here's a barrel full of nail bats. Have fun.

  30. JaitcH
    WTF?

    My biggest security concern with smartphones is ...

    knowing what data is collected by the smart-phone OS issuers themselves.and what it is used for.

    Any GPS feature should be controlled by the user, including remote functions.

  31. Keith_C
    Grenade

    It's a computer. Viruses will happen.

    Untrusted .apks on Android, security vulnerabilities in iOS that means a PDF can pwn your iPhone. No-one is 'safe', but then again, life ain't 'safe'.

    Engage brain before fingers. Good advice for some of the commentards too.

  32. Anonymous Coward
    Paris Hilton

    Stupid is as stupid does...

    Question: If the iPwn with its walled garden model for security is so frikkin great, why do we see hundreds of articles about its stupid users trying to jailbreak the thing?

    Paris because... It's obvious stupid!

  33. Slx

    Network Operators have some responsibility too.

    I find it utterly ridiculous that you cannot entirely opt out of premium rate text messaging. It's a completely insecure service that is wide open to abuse.

    Also, can all of those who make money along the route i.e. network operator and the telco providing the "service" be prosecuted for being in receipt of money that is the proceed of a crime / profiting from a crime ?

  34. Iggle Piggle
    FAIL

    Linux eh!

    Just yesterday I upgraded to 2.2 on my HTC Desire. Great device an a vast improvement over my Windows Mobile 6.1 device. However the upgrade did not go smoothly. Firstly after several minutes of the first attempt it told me I did not have enough RAM free and was forced to delete a load of old apps. Then after the install it had chosen to reset my language to the local language, changed my lock the device to 5 minutes when it was previously 0 and then added a load of extra bookmarks and changed the default home page.

    Now I'm quite technically savvy and was not too flustered by this, but had this been my Mum I suspect she might well have been a little cheesed off.

    The security model where you can give a specific application permissions to perform specific tasks is great but on Android I bet the majority of users are not aware what permissions they are giving. You cannot blame the users, it is the product that is wrong for the users and not the users that are wrong for the product. As others have said, what you need is to prompt the user the first time an application wants to perform a task that will cost a premium and allow the user to grant the permission one time only, that day only, or always or never.

    I am not in favour of the jobsian totalitarian concept but I really think google need to be more proactive in preventing their product getting the same reputation as Microsoft.

    1. Anonymous Coward
      Thumb Up

      Reputation

      Well put, but I think it will!

      Then again, lots of people who should know better buy Windows computers in the certain knowledge that they have to pay the extra MS tax for Anti-lotsofthings software for years.

  35. Witty username
    Coat

    Dont install it then

    Not that big of a deal

    - Sent from...erm...firefox

  36. Giles Jones Gold badge

    Can only be fixed in the OS

    If the OS is changed to allow control of available APIs to an application then it would fix such things.

    Have a preferences panel for each app in there you can have checkboxes for:

    [ ] Internet/LAN access

    [ ] Phone access

    [ ] SMS access

    Would be pretty simple to deny access for specific applications. Obviously some advert supported applications would then need to refuse to run until Internet access was restored, but you would at least then know that application was trying to connect to the Internet and get rid of it.

    It's pretty bad that mobile security is poor on all handsets at present. I'm not sure if any of the application stores have software that reviews the application (checks for API references).

    I wouldn't imagine many developers would be happy having to submit their code for review, so reviewing the binary seems to be the only option.

  37. Anonymous Coward
    Terminator

    History repeating methinks...

    Does this story sound familiar to anyone? Replace Android for Windows, go back to the nineties and all of these statements "Android won't protect someone from their own stupidity etc" are exactly what was faced back then and in fact still facing today.

    Seems to me having that flexibility in the platform comes with a price, perhaps people should be tested on their technical know-how of the platform before being allowed to purchase one, (yes I know extreme but you get my point ..)

    PS: Your foster parents are dead..

    PPS: They aren't really but what a cracking caption for the icon.

  38. A J Stiles
    Stop

    Hmm

    Somebody needs to create a platform where all applications are 100% interpreted -- no native code allowed at all. Not even interpreter bytecode, unless generated at runtime from human-readable Source Code.

    For one thing, it would make it possible for devices to be based on any processor architecture and addressing schema, with nothing to be recompiled but the low-level stack (OS, telephony layer, language interpreter).

    For another, it would mean there would be *no* hiding place for malware, since every application would be presented in human-readable form.

  39. Fubar75

    Lame!

    So what if you install an app outside of official sources - you're on your own dude(s)! Moot point in whingeing about it...http://www.theregister.co.uk/Design/graphics/icons/comment/fail_32.png.

    Tough love must be said here... http://www.theregister.co.uk/Design/graphics/icons/comment/pint_32.png

    Oh yeah what's that expression - "a fool and his money is soon parted...."

  40. Kubla Cant Silver badge

    That's what users do

    It's no good criticising Android for being overcomplicated for the general user, as even the simplest tool carries some risk - you can cut your leg open with a flint hand-axe.

    It's also no good criticising users for failing to take proper account of the warnings displayed when apps install. That's what users do. It's the responsibility of a good UI developer to recognise this and to protect users against their own mistakes.

    It would be a good enhancement to all phone operating systems if they monitored installed apps for behaviour that is likely to cost the user money, such as repeated dialling or messaging. (The actual behavioural pattern needs to be a bit more sophisticated than this.) When an app acts suspiciously, warn the user. They'll ignore the warning of course....

    What we really, really don't want is for phones to get into the business of scareware anti-virus add-ons that maybe do nothing but eat system resources, as Windows operating systems have done.

    1. Fubar75

      Re: that's what users do....

      @Kubla Cant:

      "It's also no good criticising users for failing to take proper account of the warnings displayed when apps install. That's what users do. It's the responsibility of a good UI developer to recognise this and to protect users against their own mistakes."

      W.T.F!!!

      thanks for making coffee fly out of my nostrils...

      That's like saying to a driver to drive into a wall at 120Km/hour and crash into it... no car manufacturer will stop you from doing that... you have free will to do things spectacularly and no one has a right to dictate to you how to do so and so apart from "Please slow down" which can be easily ignored....

      A developer is not in control of the end user's handset plain and simple, the most they can do is work within the constraints such as API and use them....

      The end user ultimately makes those decisions.... no matter how lame and ignorant the decisions they make, ultimately, it's their responsibility....so .... yes tough love comes in and criticise the end user ..... LAME!!!

This topic is closed for new posts.

Biting the hand that feeds IT © 1998–2019