Two-thirds of Android users vulnerable to web history sniff ransomware

Miscreants have put together an especially pernicious strain of Android ransomware that threatens to bare your browsing history. The so-called Lockdroid ransomware brandishes overlaid popups in order to trick marks into allowing the malicious code to gain admin privileges on targeted devices. The clickjacking ruse works on …

  1. Anonymous Coward

    Easy solution to the scam...

    Keep one tablet just for browsing pron and nothing else...

    1. ZSn

      Re: Easy solution to the scam...

      One with a wipe-clean screen?

  2. Amorous Cowherder
    Happy

    Feel free to forward my browsing history to my family, means I won't have to answer inane questions about what I've been up to recently when we have to get together for family do's, they'll have their suspicions confirmed that I'm not good enough for their daughter! Ha ha!

    1. Richard Wharram

      Your Family?

      And their daughter?

      Are you from Norfolk?

  3. tmTM

    I'll look forward to the fix

    Next time I buy a new phone, because updates to current models happen so amazingly slow.

    1. Planty Bronze badge

      Re: I'll look forward to the fix

      No fix needed. Obviously it doesn't REALLY affect anyone.

      All it does is highlight how irresponsible Symantec are and why you shouldn't trust your network security with a company that can't report risk in a responsible manner, instead relying on embarrassingly bad clickbait and scare tactics.

      1. Big-nosed Pengie

        Re: I'll look forward to the fix

        Next time get a Nexus. :-)

    2. John Brown (no body) Silver badge

      Re: I'll look forward to the fix

      "Next time I buy a new phone, because updates to current models happen so amazingly slow."

      Mine's so old the next drip of pitch will happen before I get an update.

  4. Anonymous Coward

    Building their own coffin

    Google's failure to sort out Android security is well known. I can see the practical and commercial reasons for doing nothing for handsets that have been remaindered, and at the moment this malware is in the badlands outside the Play store. But you can see where this is heading.

    Unfortunately for Google, their failure to fully secure even the current version, never mind the billions of older devices, means that sooner or later something really nasty is going to make it into the Play store, and all hell will be let loose across millions of phones - be it ransomware, some form of APT or botnet, keylogging/bank spying, or whatever. And when that happens, Apple's cash registers will melt, as a significant proportion of people decide that whilst they don't mind Google spying on them, they simply won't tolerate its slipshod security, and indifference to older handsets.

    Personally I don't own any Apple products, and I don't like their obscene profits and limited user control. But I can see the day coming when Android is less a phone OS, and more of a malware deployment system.

    1. Lysenko

      Re: Building their own coffin

      > I can see the practical and commercial reasons for doing nothing for handsets that have been remaindered

      True, but I can see reasons for the opposite as well. Android is a brand and if it gets a reputation for rampant nastiness the market isn't going to split hairs about point releases and patch versions.

      It is the same reason Flash is now unsalvageable and why Microsoft kept XP up to date for 13 years. If Google were similarly responsible they would be keeping Android 1.x devices patched past 2020.

    2. Steve Evans

      Re: Building their own coffin

      Bit unfair blaming Google... This is an issue fixed in Lollipop (5.0)... We're now on 6.0.1... So the fixed source has been available for 2 major revisions, almost a year. It's down to the manufacturer to pick up the source and apply their customization.

      Google can't do anything about pushing updates to anything except its Nexus devices. Everyone else is at the mercy of their manufacturer HTC/Samsung/LG. If your manufacturer is more interested in selling you a new device than supporting you once you have got it, I would suggest going somewhere else.

      I learnt my lesson with my first Android phone, manufactured (but barely supported) by HTC... Since then it's been Nexus all the way... Even my old Nexus 4 from the end of 2012 is safe from this exploit.

      1. Lysenko

        Re: Building their own coffin

        People measure upgrade cycles in years, not "major revisions". Android is only 8 years old. Spitting out a major version every 14 months and claiming "2 major versions" still means you're cutting loose anything more than two and a half years old (on average).

        We wouldn't have given MSFT a pass for telling us in 2009 (8 years after XP) that security patches have been available since Vista so "tough luck".

        1. LucreLout Silver badge

          Re: Building their own coffin

          > means you're cutting loose anything more than two and a half years old

          Ok, taking that at face value, there seem to be lots of people upgrading their devices on a shorter timeline than that, for phones at least.

          > We wouldn't have given MSFT a pass for telling us in 2009 (8 years after XP) that security patches have been available since Vista so "tough luck".

          Agreed, but most people update their computer when it breaks, and the same cannot be said about phones. Tablets may be different, I don't know - never had one.

        2. Ken Hagan Gold badge

          Re: Building their own coffin

          "We wouldn't have given MSFT a pass for telling us in 2009 (8 years after XP) that security patches have been available since Vista so "tough luck"."

          Er, we would if Vista had been a free upgrade.

          If I am able to upgrade to the latest Android, then having patches only in the latest Android is fine by me. The problem (as noted further up) is that even when patches are issued by Google for the version I am actually running, it is still touch and go whether my phone vendor will ever pull their corporate finger out and give it to me. (Er, the patch, that is, not the finger.)

          1. Lysenko

            Re: Building their own coffin

            > Er, we would if Vista had been a free upgrade.

            Like the Win10 upgrade you mean? People don't seem so happy about that, even when MSFT are keeping Win7 and Win8 patches going. They don't even want *reminding* that a free upgrade is available, let alone being told it is the only way to get a security fix.

            ISPs are mostly a red herring with tablets and frequently with phones as well. I can cyanogenmod any of my Android devices. The problem is one of them (six years old) isn't supported by anything later than V2.x and another won't work with anything later than V4.x. Where are the patches? This is equivalent (in years) to MSFT terminating support for Win7 and Win8.

            Personally I don't much care (I have other devices) and I'm no MSFT fanboi (I mostly use Fedora) but credit where credit is due: MSFT never left such a huge number of insecure devices floating about without trying damned hard to avoid it (XP eol). Show me the security patches for Android 2.4 and I'll agree the ISPs are the problem. While there is no patch to release, Google are the problem.

        3. Richard Plinston Silver badge

          Re: Building their own coffin

          > still means you're cutting loose anything more than two and a half years old (on average).

          Actually they don't. Android 2.3 series (Gingerbread) was continued to be developed well after 3 and 4 were delivered. It went at least to 2.3.9. It was up to manufacturers to update existing phones.

          1. Lysenko

            > Gingerbread) was continued to be developed well after 3 and 4 were delivered.

            No it didn't, it got to 2.3.7 which was released 7 months after the first v3 release and before the first v4. It is also worth remembering v3 and v4 were both released in 2011 so v3 was the "current version" for considerably less than a year.

            I already cut Google the necessary slack for this: 6 versions in 8 years is every 1 year, 4 months. I mentioned 2 years, 6 months specifically to give them (over generous) credit for keeping versions alive past the introduction of successors.

            ISPs are mostly an irrelevance to tablets. It doesn't matter how you slice it, Android legacy support stinks compared to either MSFT or Linux releases and you can't blame ISPs for not deploying updates that don't exist.

            1. Richard Plinston Silver badge

              Re: Gingerbread) was continued to be developed well after 3 and 4 were delivered.

              > No it didn't, it got to 2.3.7

              Several phones and tablets are advertised as running 2.3.8, such as Samsung Galaxy Mini 7, or 2.3.9 such as:

              http://www.1949deal.com/hot-sell-3-5-inch-s5830i-android-2-3-9-wifi-dual-sim-mobile-phone.html

              2.3.9 was released in late 2012 or early 2013.

          2. davidp231

            Re: Building their own coffin

            And version 3 was tablets only.

      2. Jess

        Re: Bit unfair blaming Google

        Not really, they designed the monolithic structure.

        If the system were more modular, then they would be able to update most of it, and what was left would be hardware specific and down to the manufacturers.

        1. Richard Plinston Silver badge

          Re: Bit unfair blaming Google

          > If the system were more modular, then they would be able to update most of it,

          Much of the Google infrastructure, including WebView, is built as apps and updated from the Play Store - to anybody.

          1. Adam 1 Silver badge

            Re: Bit unfair blaming Google

            > Much of the Google infrastructure, including WebView, is built as apps and updated from the Play Store - to anybody.

            Only since lollipop...

            And how about that fix for stagefright. Did you get that through play store? Didn't think so.

            Look, they are moving the right way but it is a long road.

        2. Daggerchild Silver badge

          Re: Bit unfair blaming Google

          "If the system were more modular, then they would be able to update most of it, and what was left would be hardware specific and down to the manufacturers"

          It is modular. Including the predefined API to the hardware libraries. Modular doesn't save you. Ask yourself why people use linux Distributions when all of the components are obviously completely independent and individually updatable.

      3. Adam 1 Silver badge

        Re: Building their own coffin

        > Google can't do anything about pushing updates to anything except its Nexus devices

        I hate having to wait for Dell, Lenovo and HP to push out Windows updates after patch Tuesday.

        If the system is modular enough, the OEMs can wreck their users' experience without compromising the OS's ability to be patched.

        PS, smart move on the Nexus.

    3. Walter Bishop Silver badge
      Linux

      Re: Building their own coffin

      'at the moment this malware is in the badlands outside the Play store'

      Download malicious software from some third-party site and get hacked, how is this Google's fault?

      'The malicious app must be installed manually by the user before the Trojan can perform any activities. '

      'The clickjacking ruse works on devices running versions of Android prior to 5.0 (Lollipop)'

      So, you have to visit a malicious site, download and install the app on a two year old Android phone to get 'infected'.

    4. Anonymous Coward

      Re: Building their own coffin

      Apple too of course. For this on Android, you need to disable device security, two levels of.

      Guess what, if you jailbreak an iPhone you can also get dknoksr nasties... Nobody is however reporting that. It's as if apple money is paying for all the Android malware scare stories.

      I know of nobody ever getting anything nasty on Android, but I see windows devices all the time clogged up...

  5. Dan 55 Silver badge
    FAIL

    Google for the fail

    Why make it possible for any app to programmatically change the device PIN or factory reset?

    Security? We've heard of it.

  6. Greg 24

    Not really a security exploit

    Maybe I've missed the point but to get infected you'd have to manually turn off the security option that disables 3rd party installed apps, find this app from a torrent site or some forum and agree to the security access it requests on install.

    Now I'm no apologist for Android but which part of this is a security failing on their part? Oh, and this still won't work if you have the latest version of their software.

    Let me guess, is the only way to make sure you're protected to buy a Symantec security product for your mobile?

    1. Dan 55 Silver badge

      Re: Not really a security exploit

      No app, no matter how many permissions it has or wherever it was installed from, should be able to change the device PIN or make it factory reset.

      1. The Mole

        Re: Not really a security exploit

        Most businesses would disagree with you, they want apps to be able to perform (remotely controlled) wipes/factory resets in case a device containing sensitive data is lost.

        1. sgp

          Re: Not really a security exploit

          Indeed. People who install this deserve the consequences.

      2. Mikel

        Re: Not really a security exploit

        It seems you don't understand how operating systems work. System settings is an app.

        1. Dan 55 Silver badge

          Re: Not really a security exploit

          Yes. But it is a system app, not an app. It's a pretty cruddy OS if it can't tell the difference between the two.

          Remote wipe likewise is an OS feature, not something which should be available to any app with the right permissions (although on Android apparently only apps listed in device administrators are allowed to do it, this malware gets round that).

          This didn't happen on Symbian.

          Get off my lawn.

    2. Adam 1 Silver badge

      Re: Not really a security exploit

      > Let me guess, is the only way to make sure you're protected to buy a Symantec security product for your mobile?

      To be fair, this is pretty bad malware. I would almost prefer to have Symantec installed.

    3. Anonymous Coward

      Re: Not really a security exploit

      +1 beer.

      Shocker, dodgy app found floating in digital public toilet does bad stuff.

  7. Captain Queeg

    Not really news?

    Is it just me or do exploits like this that require all the usual, allow untrusted sources, use non-standard app store, feel like they're a user choice rather than a flaw in Android?

    If a user, any user goes down this path, there's a risk that they either take because they understand it (probably most here) or they're after something for nothing - usually warez or pron.

    I don't believe it can be viewed as an Android problem as the headline implies. People die messing in substations having climbed over the fence but no one blames the power companies for the deceased's actions in climbing the fence.

    Is this really one to land at Google's door?

  8. David Lawton

    Glad I've not got an Android device

    I know any OS does and will have holes, even the Apples. But when I look at our UTM's Threat Centre website I'm glad I have an iPhone. The word Android appears way too much in the mobile malware/virus threat list http://www.fortiguard.com/avmobilethreats , in fact it seems to be 9/10 of the threats. Android's biggest downfall is it is too open, and when it comes to something that has my mobile banking apps on and other important things, I don't care that my phone is in a walled garden ecosystem. I want my data to be safe.

    If devices were regularly receiving updates promptly and were supported for a reasonable amount of time (I'm frowning at you Samsung) I might be remotely interested in owning an Android device again, but as it stands I won't even consider them anymore until something changes.

    1. Greg 24
      Coffee/keyboard

      Re: Glad I've not got an Android device

      "Android's biggest downfall is it is too open" - You've left me speechless, time for the pub now I think....

      1. Charlie Clark Silver badge
        Pint

        Re: Glad I've not got an Android device

        > You've left me speechless, time for the pub now I think....

        Indeed, here's one to get you started.

        1. moiety

          Re: Glad I've not got an Android device

          It's not safe outside the rubber fence; this is true. Being inside doesn't make you bulletproof either.

          Android was produced by an advertising company so security just isn't going to be their priority. Anyone who trusts it and keeps their whole life on there is probably going to drop themselves in it...sooner rather than later, most likely. Things aren't getting any more civilised out there on the WWW of late.

          My own approach is to not keep anything of importance on there and never to use it to log into anything. That is -admittedly- a luxury that wouldn't work for many people's lifestyles; but not trusting the OS and regular backups of stuff you can't easily replace should be a part of anyone's plans; whether Android, iOS, or anything else.

          Also anyone who -in 2016- downloads an app called "Porn O’ Mania" from an untrusted source; installs it and gives it all the permissions could probably do with the lesson in digital hygiene.

  9. Anonymous Coward

    Malware, app.... all very similar

    "Lockdroid snaffles a user's browsing history and contacts list, before threatening to expose a victim's potentially embarrassing browsing history by forwarding it to their contacts."

    Take a look at a million different apps and you'll see they do exactly the same!

    Google even built a special permission, to get the browser history.

    So for example 'Line' grabs browser history, contacts, etc.

    So the fine line between malware and app gets ever finer!

    Here try this, go to Android, Settings, Search for "goog", there is an option "Scanning Always Available:... Let Google's location service and other apps scan for networks even when Wifi is off", usually this is enabled. Do you remember turning it on? It uses up battery to let Google spy on nearby Wifi devices.

    When you turned on location, you were given a misleading popup which you probably said "yes" to, and that gave permission to Google to spy on your location. There was no 'No' button to click, there was a 'disagree'. If you disagree it would keep asking till you agree, and after that it never asks again.

    You can't even uninstall this Google spyware, if you try to turn off "Play Services" it reverts to the factory version and uninstalls all your apps. In effect it holds 3rd party apps hostage to its spyware!

    Google Play Services:

    Directly make phone calls, read SMS, MMS, send MMS SMS, take pictures and videos (why does a play store need control of the camera?), record audio, location, modify contacts, read call logs, read contacts, read all the sensors, read calendar events plus confidential info, add voicemail, modify SD cards, disable screen lock, add accounts, set passwords, mail google, view accounts, modify system settings, read sensitive log data, read internal state, change network connectivity, connect to wifi, control NFC, download files without notification, full network access, get data from Internet, view local network connections, view Wifi, All Bluetooth, Draw over other apps, control vibration, flashlight, wifi multicast, prevent phone from sleeping, read/set sync, install shortcuts, cross account access, modify system, read subscribed feeds, send sticky broadcasts, write subscribed feeds.....

    It's a piece of spyware that you are required to have installed if you want to run Android apps, and the data authorities have done nothing about it.

    Compared to that piece of Google malware, this app is tame.

    1. david bates

      Re: Malware, app.... all very similar

      Odd...I was SURE it was possible to run Android without ANY Google apps at all...In fact I thought if you installed a third-party ROM you usually had to install Google services yourself.

    2. Alistair Silver badge
      Windows

      Re: Malware, app.... all very similar

      I'm not sure what phone and version you're on where disabling Google play services is uninstalling all your apps.

      I keep GPS disabled unless I have to pull something from the store. There are some apps that tend to want it on when they're running but mostly those are FREE games that are generating revenue through GPS ads. Again, this is a user issue - User doesn't want to pay $1.99 for that app - so the app makes its money by throwing ads at the user.

      I'm also not running a stock ROM or kernel. But I'm crazy techie geeky that way.

    3. Dan 55 Silver badge

      Re: Malware, app.... all very similar

      I don't know why Play Services wants my contacts list, SMS, MMS, and so on... especially considering I already set my Google account to not synchronise anything.

      You may think that if you don't synchronise those things in your Google account then it doesn't try to access them. Not so. Privacy Guard in CyanogenMod/OS still pops up a permission request for those things on behalf of Play Services if you set everything to 'ask', repeatedly. So I set everything to 'disable'.

    4. Vic

      Re: Malware, app.... all very similar

      > Directly make phone calls, read SMS, MMS, send MMS SMS, take pictures and videos (why does a play store need control of the camera?)

      "Google Play Services" isn't just the store - it's essentially a layer of OS services. They changed it to this format to try to do something about the manufacturers who wouldn't update the base OS; this way, it's upgradeable through the store. As such, all those permissions are required, because otherwise, they're denied to any OS upgrades delivered in this fashion.

      For my money, it would have been better to deliver more modularised chunks, rather than this hulking great megalith - but that's how it is; I didn't get to make the decisions. And the alternative is to go back to what the early flavours of Android did - install once, never update anything...

      Vic.

  10. Alistair Silver badge
    Windows

    Let me see here.

    1) stupid user gets pop up on some website that tells them they need an app to do something questionable

    2) stupid user follows (what must be fairly detailed) instructions from popup to:

    a) disable a security setting (sideload)

    b) connect to non-standard app "store"

    c) install questionable app

    3) stupid user gets pwnd

    4) AV review blames OS creator.

    this sounds to me like an LNF error.

    Logic not found.

    Yes, hardware vendors not keeping hardware that they've sold patched and updated is terrible. This is not something new, when was the last time your cheap as chips router got a firmware update from the vendor? It goes with the capitalist competition, sell, sell, sell, new, shiny stuff mantra, but that is systemic, and certainly not Google's fault.

    Most of those here are capable of working around the 'cheap as chips, crap support' issues. The vast majority of the population expect such things to 'just work'. Thing is, if they are to 'just work' and stay managed and maintained, generally they won't be 'cheap as chips'.

  11. David Gosnell

    two thirds are surely NOT vulnerable...

    ... because at least two out of three wouldn't have a clue how to allow third-party apps on in the first place, and of those who do, a good many only allow it as a temporary measure for a specific app and lock the door firmly afterwards.

    1. Darryl

      Re: two thirds are surely NOT vulnerable...

      Yeah, it's more like two thirds of Android users who are dumb enough to permanently allow third-party app installation on their phone, so probably more like 0.01% or less... But that's not as gripping a headline.

  12. sisk Silver badge

    So, word to the wise, don't go downloading porn apps from third party sites. In other words....well how many times do we have to say it. Stick to the Play Store and you'll probably be safe.

  13. Anonymous Coward

    WTF is a porn surfing app?

    I mean in the sense of what does a porn surfing app do that a web browser pointed at porn sites doesn't? Is there some special extra function that the one-handed-surfing brigade needs? Actually, how do they do that anyway, hold the device with one hand, prod it with the other, surely the app can't act as a third hand without having to buy a robot arm as well?

    I'm clearly failing some comprehension here. Maybe porn sites have so much text on them that the app is needed to just show the pictures of vintage cars and motorbikes?

  14. Mikel

    Misleading

    As others have said, two thirds of the people who would and could circumvent the inherent security of Android to install a sketchy app from a random anonymous source as if Android people got their apps the same way Windows people do. So, effectively nobody - and the few affected have only themselves to blame.

    Reads like an Android security success story to me.

  15. Mr.Bill

    not again

    "The malicious app is not found on Google Play...users who have Google Play installed are protected from this app by Verify Apps even when downloading it outside of Google Play."

    If you are going to post these sorts of scary stories from the security companies, can you at least mention that, as always, you cannot get the malware from the play store, the only place that 99.999% of 1st world users get apps from?

  16. DougS Silver badge

    What's the point of forwarding their browsing history?

    Who is going to read email filled with tons of URLs sent by one of your friends? I would delete that without looking at it, because I'd just assume it is some sort of spam. Even if I knew it was legit, I wouldn't care enough to look.

    If you want to scare them, how about threatening to download a bunch of child porn and email the pics from your email address directly to the FBI?

  17. Daggerchild Silver badge

    Wait.. you can do *what*?

    Windows uses Ctrl-Alt-Delete to summon a window that no program can overlay, because that is *exactly* what people were doing. Fake lockscreens trivially acquired the user's passwords, with no way of telling it was fake.

    These tricks are *ancient*. I thought all windowing systems knew kids did this. Jesus, Android, you should be ashamed of yourself. Authentication/Authorisation interaction has always required a controlled environment.
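    The Android counterpart of the "controlled environment" the comment above asks for is a view that refuses touches while another window is drawn over it. This is an added example, not code from the article, from Symantec or from any commenter; the class name, package name and log tag are hypothetical, and it assumes an ordinary Android app project.

    ```java
    // Added example (not from the article or any commenter): a Button that drops touch
    // input while its window is obscured by an overlay, the standard mitigation for the
    // overlay/clickjacking ("tapjacking") trick the article describes. Package, class and
    // log tag names are hypothetical.
    package com.example.tapjackingdemo;

    import android.content.Context;
    import android.util.AttributeSet;
    import android.util.Log;
    import android.view.MotionEvent;
    import android.widget.Button;

    public class ObscuredAwareButton extends Button {
        private static final String TAG = "ObscuredAwareButton";

        public ObscuredAwareButton(Context context, AttributeSet attrs) {
            super(context, attrs);
            // Tell the framework to discard touches delivered while another window
            // (for example a popup drawn over this one) covers this view's window.
            // The same effect is available declaratively with
            // android:filterTouchesWhenObscured="true" in the layout XML.
            setFilterTouchesWhenObscured(true);
        }

        @Override
        public boolean onFilterTouchEventForSecurity(MotionEvent event) {
            // FLAG_WINDOW_IS_OBSCURED is set by the system on a touch that passed
            // through a window belonging to another app before reaching this one.
            boolean obscured = (event.getFlags() & MotionEvent.FLAG_WINDOW_IS_OBSCURED) != 0;
            if (obscured) {
                // Record the event for the app's own telemetry and drop it, so a
                // security-sensitive button (e.g. one that grants a privilege) cannot
                // be clicked through an overlay the user cannot see past.
                Log.w(TAG, "Touch ignored: this window is obscured by another window");
                return false;
            }
            // Not obscured: let the default filtering (and then normal handling) proceed.
            return super.onFilterTouchEventForSecurity(event);
        }
    }
    ```

    The override only adds logging on top of what setFilterTouchesWhenObscured(true) already does; any sensitive control in a layout can use this class in place of Button.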

  18. Anonymous Coward

    OMG!

    My crush on Daisy Ridley will be revealed to all my Star Wars fandom friends!
