So, EE. Who IS this app on your HTC M9s sneakily texting, hmm?
EE has assured a customer that a pre-installed app found on new HTC M9s from the mobile operator is simply anti-fraud software. However, both customer Barney Scott and an independent security expert remain unconvinced by this explanation, arguing that even if the app isn't malicious, it's at best badly designed and unwanted. …
COMMENTS
-
-
Monday 1st June 2015 21:08 GMT Anonymous Coward
I have it too, it sent an SMS full of encrypted data to a US number, and didn't delete the SMS afterwards. It's an EE M9.
It's time you filed a complaint with the Information Commissioner's Office then, for a very simple reason: this app disclosed personal information about you without your explicit permission. In case you're wondering what the personal information is, it's your mobile number.
There have been various attempts at building databases of mobile phone numbers, such as the Facebook and Google messages that providing them with your mobile number would make your account "more secure" - the real gain is getting your number because it follows you everywhere. The reason they use an SMS is because that makes the number absolute instead of whatever you store in the phone (which you can deny access to).
-
-
Monday 1st June 2015 12:08 GMT Paul Shirley
SMS not so stupid a choice
SMS is harder to block than using data, that could be enough to justify use in a genuine security app. Would increase the chance of stolen devices managing to dial out before being wiped.
Whether this is a genuine helpful app is the problem. Certainly looks incompetently programmed if it's leaving copies of messages around.
-
Monday 1st June 2015 12:16 GMT Vimes
Using a foreign company for purposes internal to the network isn't new.
Not so long ago some telcos were using Bluecoat for their filtering system. Bluecoat is based in the US and even when the filtering is switched off the websites were still receiving shadow requests from Bluecoat IP addresses in the US.
-
-
Monday 1st June 2015 13:20 GMT Velv
"It’s simply not correct to say that customers are not informed, it’s explained in the contract people sign."
Really? Just been through the T&Cs on the website and couldn't find it (although I didn't use a fine tooth comb, so I'm happy to be corrected, and if it's that hidden, it probably breaches the rules on fair conditions within T&Cs). Or perhaps there's a special contract for the HTC
-
Monday 1st June 2015 13:59 GMT Anonymous Coward
Crapware
The EE version of the Xperia Z3 I received also included the non-removable adware (although not the dodgy-sounding "fraud prevention" app). Fortunately I was previously familiar with Flashtool and XperiaFirm utilities so was able to upgrade my handset to "Generic" non-carrier firmware with a different set of pre-installed software, but fewer non-removable apps (mainly Vine/Facebook if memory serves). I was then able to remove the EE pre-installed software. No root required as it's official software.
Is there a similar tool for HTC?
-
Monday 1st June 2015 14:50 GMT Anonymous Coward
If you think ..........
...... that the only thing your Smarter-Than-U phone is doing is calling home to China you'd better learn to look again. How about you develop a skill called MITM and watch what your phone really does. As in YOU ARE ALREADY PWN'd!!!!!!
POST /userlocation/v1/reports/1605150082?devicePrettyName=SAMSUNG-SM-N900A........
Host: www.googleapis.com..................
[{"location":{"approximatelyStationary":true,"horizontalAccuracyMeters":146,
"latitudeE7":377144316,"longitudeE7":-xxxxxxxxxx},
"readingInfo":{"batteryCondition":{"charging":"usb","level":75,"scale":100,
"voltage":4056},"source":"wifi","wifiScans":[{"mac":163309631168576,
"strength":-48},{"isConnected":true,"mac":66064160513366,"strength":-48,
"wifiAuthType":"wpaPsk"}
-
Monday 1st June 2015 14:59 GMT holozip
I also discovered this recently, exactly the same means - dodgy SMS stuck in my outbox. I spent some time pulling it apart and am less than impressed. They set the initialisation vector for AES (used to secure messaging) to all zeros:
http://i.imgur.com/mbUUl9D.png
That's the secure way to do encryption, right? (note, it's actually used that way, the 'default' isn't over-ridden later)
The American company is AbsoluteSoftware (https://www.absolute.com).
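Why a hard-coded all-zero IV matters, as an added example that is not part of the comment above or of the app's code: it assumes AES in CBC mode (the post does not name the mode) and uses a constructed key and constructed messages. With the fixed IV, messages sharing a prefix produce identical leading ciphertext blocks and a repeated message produces an identical ciphertext; a fresh random IV per message, sent alongside the ciphertext, removes both leaks.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;

public class ZeroIvDemo {
    // AES-CBC is an assumption; the page only says the AES IV is all zeros.
    static byte[] encrypt(byte[] key, byte[] iv, String msg) throws Exception {
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key, "AES"), new IvParameterSpec(iv));
        return c.doFinal(msg.getBytes(StandardCharsets.UTF_8));
    }

    // Number of leading 16-byte ciphertext blocks that two messages have in common.
    static int sharedBlocks(byte[] a, byte[] b) {
        int n = 0;
        while ((n + 1) * 16 <= Math.min(a.length, b.length)
                && Arrays.equals(Arrays.copyOfRange(a, n * 16, (n + 1) * 16),
                                 Arrays.copyOfRange(b, n * 16, (n + 1) * 16))) {
            n++;
        }
        return n;
    }

    public static void main(String[] args) throws Exception {
        SecureRandom rng = new SecureRandom();
        byte[] key = new byte[16];
        rng.nextBytes(key); // constructed demo key

        // Constructed messages: identical 32-byte header, different tail.
        String header = "id=0123456789abcdef;model=M9;v1;";
        String m1 = header + "state=ok";
        String m2 = header + "state=reported-stolen";

        // Weak: the same all-zero IV for every message, as described in the post.
        byte[] zeroIv = new byte[16];
        byte[] a = encrypt(key, zeroIv, m1);
        byte[] b = encrypt(key, zeroIv, m2);
        System.out.println("zero IV, shared leading blocks: " + sharedBlocks(a, b));
        System.out.println("zero IV, m1 repeats exactly: " + Arrays.equals(a, encrypt(key, zeroIv, m1)));

        // Corrected: an unpredictable IV generated per message.
        byte[] iv1 = new byte[16], iv2 = new byte[16];
        rng.nextBytes(iv1);
        rng.nextBytes(iv2);
        System.out.println("random IVs, shared leading blocks: "
                + sharedBlocks(encrypt(key, iv1, m1), encrypt(key, iv2, m2)));
    }
}
```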
-
Monday 1st June 2015 16:18 GMT Terry 6
Where it ends
From go, it seems, we've allowed the makers and sellers of smart phones to supply them stuffed with whatever sh*t they have wanted to impose on us, that could not be removed by ordinary users.
Installing crapware is a time(dis)honoured practice in computers.
Making the stuff unremovable is a different matter. If we wanted the stuff we would not try to remove it. But this hasn't been seen as a good reason to stop them locking it into the devices.
It's like buying a house and being told that we couldn't change the curtains or empty the wardrobes.
-
Tuesday 2nd June 2015 05:28 GMT Shadow Systems
Just wondering...
1. Does anyone have their Contract handy to go over & search for where it says you've agreed to such conditions? If your contract does NOT, in fact, state that your phone will contain such "security" then return the machine as compromised & *KEEP RETURNING IT* until they provide one that isn't thusly "enhanced".
2. I'd like to know what would happen if someone over there went into a store to buy such a handset, got right up to the point of handing over the cash, & then asked quite plainly "Does this phone contain any software that contacts a corporation outside of the EU?" If they say no then pimp slap the putz with a copy of this article & call them liars to their face. Bonus points for handing copies of the article to all the other customers on your way out. If they say that it does, ask *exactly* whom it contacts, why it does so, what data it transmits, & how it pertains to your Privacy Laws governing the dissemination of PII. If they can't or won't answer, slap them with the article & call them something nasty.
3. If you already have one of these phones, is it possible to return it to the store & ask them to remove the unwanted software? If you claim that the application keeps locking up the phone & stopping it from sending/receiving text/calls & you want it removed, then wouldn't they have to remove the broken software or else replace the unit as defective? Because I'd stand there at the counter, unwrap the fresh phone right there in front of them, fire it up & see if that app tried to phone home. Sudden appearance of a text message in the outbox you can prove you didn't make? Oops, sorry but that's a Defective Device & I'll need another one. Lather, rinse, repeat. Until they either provide you with a phone that doesn't do it or they refund all your money & tell you to GTFO of the store.
Don't mind me, I'm just a Creatively Vindictive Bastard & would love to be on that side of the Pond so I could make some poor CounterSchmuck's life a little miserable by making them admit that the phone is compromised, they're screwing us over, and we can either Like It Or Fuck Off.
-
Tuesday 2nd June 2015 21:12 GMT Alan Brown
a few issues
1: EE's contracts say "you must accept all terms and conditions", then bury this deep in the fine print.
"Unfair terms in consumer contracts 1999" kicks in - and the fact that they don't have a severability clause means that if the contract is voided they can't recover the phone.
2: Computrace is spyware - unauthorised and foisted on everyone. It phones home and EE/Samsung are engaging in a mutual fingerpointing exercise.
Being unauthorised spyware it falls foul of both the Misuse of Computers Act and RIPA.
3: Absolute Software (the people who make Computrace) make it clear that it's supposed to be installed by device owners.
I could see someone who wanted to make serious trouble for EE demand its removal and then file criminal charges when they refuse to do so.