
Millions of Android users hit by malicious data theft app - Page 2

post #41 of 211
The schadenfreude being expressed here may well haunt a few posters in the future since the report cited points out that the app concerned did exactly what it was meant to, much like the "flashlight" app from Apple's AppStore.

Both had hidden functionality that the stores' respective app police failed to spot. How did that happen? Who can say.

What it does show is that there's no guarantee on either platform that the app you downloaded, digitally signed or not, won't have a payload that does something that you didn't agree to. And that payload might conceivably compromise your personal info.

The "Flashlight" app wasn't discovered by Apple. In order to deliver its benefits to the end user, the user needed to know how to access it, and once the info was out there, it was only a matter of time before somebody blogged it. That's how Apple became aware of it, and subsequently pulled it.

Click for info.

That app, for those unfamiliar with it, enabled tethering on the iPhone. A rather innocuous payload to be sure, but still forbidden by Apple. It could quite easily have been far less benign though, and there's no guarantee that there's not a smartphone app already doing the self same thing with your privacy right now. On either platform.

However, having pointed out what ought to have been obvious to everybody who bothered reading the report, the real kicker is that my iPhone likely puts me at as much risk of data theft as any smartphone user out there, and that fact is rather less deserving of glee and much more deserving of caution. Especially using free app downloads.

Let's be careful out there.
post #42 of 211
Quote:
Originally Posted by davesw View Post

well we (iPhone owners) wouldn't know. ask DaHarder

I thought you wouldn't know.

By the way, with those permissions an app can't read most of the things the report says.
post #43 of 211
Be safe. Use an iPhone.
post #44 of 211
It's interesting, for the past decade we've been hearing that Macs don't get viruses because their marketshare is too small to be a concern.

Yet, Macs had viruses well before Mac OS X was introduced, back when they sold a lot less units and had even less marketshare. That doesn't consider the fact that Mac sales are about double that of the average PC sale which indicates that Mac users may be a better target for thieves due to more disposable income to access.

This completely shatters that pejorative security through obscurity mantra that since Android has less marketshare than iOS devices.

Well, at least Norton has a chance to make some money on smartphones now.


Quote:
Originally Posted by Mike Fix View Post

This can/will happen to the iPhone one day. It's inevitable. But I do like the fact that there's a company doing their best to prevent such a thing from happening.

Sure, anything can happen. There are exploits in code and brilliant though unethical coders that find other ingenious ways to circumvent security, but Apple did conceive and implement a foundation that makes this harder.
Dick Applebaum on whether the iPad is a personal computer: "BTW, I am posting this from my iPad pc while sitting on the throne... personal enough for you?"
post #45 of 211
"When there's no limit to what Droid gets, there's no limit to what Droid does"

enough said. lol
post #46 of 211
Quote:
Originally Posted by Chopper View Post

The schadenfreude being expressed here may well haunt a few posters in the future ...

Let's be careful out there.

True enough.
Blindness is a condition as well as a state of mind.

post #47 of 211
The android os, the entire android market, and the whole android philosophy Are All By Design insecure.
post #48 of 211
Hmmm... Using fear to justify draconian control and censorship... I wonder if that has ever been used in the past...

post #49 of 211
Quote:
Originally Posted by Firefly7475 View Post

Hmmm... Using fear to justify draconian control and censorship... I wonder if that has ever been used in the past...


Have fun with your spyware and leave us alone.
post #50 of 211
Quote:
Originally Posted by Firefly7475 View Post

Hmmm... Using fear to justify draconian control and censorship... I wonder if that has ever been used in the past...


Yep it's better just to leave users alone in the dark like google does and call it open market, open source and so on? What are you smoking?

Which of us is the fisherman and which the trout?

post #51 of 211
Quote:
Originally Posted by nvidia2008 View Post

Love to see the fandroids response to this...

It's overblown.
post #52 of 211
Quote:
Originally Posted by davesw View Post

The android os, the entire android market, and the whole android philosophy Are All By Design insecure.

Why? Any argument for that?
post #53 of 211
Quote:
Originally Posted by matrix07 View Post

It's overblown.

How do you say that in Mandarin?


Quote:
Originally Posted by Gwydion View Post

Why? Any argument for that?

Here's an argument that backs up his point.
Dick Applebaum on whether the iPad is a personal computer: "BTW, I am posting this from my iPad pc while sitting on the throne... personal enough for you?"
post #54 of 211
Quote:
Originally Posted by nvidia2008 View Post

Love to see the fandroids response to this...

"They were just using it wrong..."

Sorry... I just couldn't help it!
post #55 of 211
Quote:
Originally Posted by solipsism View Post

Here's an argument that backs up his point.

No, this thread proves nothing, mainly because it is full of wrong facts. An app with that permission can't read any personal data (SMS's, bookmarks, history, voice mail passwords, etc)
post #56 of 211
Quote:
Originally Posted by davesw View Post

Have fun with your spyware and leave us alone.

But I've got the one with the Gee Bees!
post #57 of 211
Quote:
Originally Posted by Gwydion View Post

No, this thread proves nothing, mainly because it is full of wrong facts. An app with that permission can't read any personal data (SMS's, bookmarks, history, voice mail passwords, etc)

You don't consider SMS messages you've written, bookmarks you've saved, history of your browser, or the actual password to access your private voicemail messages as personal? I certainly do. What if your VM password, usually a PIN number, isn't also the same as your ATM PIN number?
Dick Applebaum on whether the iPad is a personal computer: "BTW, I am posting this from my iPad pc while sitting on the throne... personal enough for you?"
post #58 of 211
Quote:
Originally Posted by solipsism View Post

You don't consider SMS messages you've written, bookmarks you've saved, history of your browser, or the actual password to access your private voicemail messages as personal? I certainly do. What if your VM password, usually a PIN number, isn't also the same as your ATM PIN number?

No, I consider this personal and important data. But this data CAN'T BE READ with the permissions that this app has.
post #59 of 211
Well, I hate to agree with you, but there is no upside for Android on this one. Google needs to take a more hands-on approach to vetting apps. But since they are making nothing on the software or hardware, they have no incentive to do what Apple does, which sounds like a huge headache.

Microsoft has apparently adopted an Apple-like approach to their app store for WM7. It will be interesting to see if WM7 displaces Android over time if problems like this continue. MS could carve out a niche in which they are less restrictive than Apple (Google Voice, more carriers than just asstastic AT&T, etc.) but curate their app store to a much greater extent than Google. It will be interesting to watch how this plays out.


Quote:
Originally Posted by solipsism View Post

I'm looking forward to the counterargument. I can't think of a single angle that is pro-Android on this one.



It is amazing that one modern mobile OS gets denigrated for even the simplest slip up and the other modern mobile OS can make huge errors in design that are well known to fail and barely anyone will ever know it existed despite the number of people it affects.
post #60 of 211
Quote:
Originally Posted by Gwydion View Post

No, I consider this personal and important data. But this data CAN'T BE READ with the permissions that this app has.

So you're saying, obviously, that the people who reported the app as sending this sensitive data to somebody in China are making it up. Lying, in fact. Interesting, but surprising that nobody at the black hat conference called them on it.

Unless the report was bogus and the security guys never claimed the wallpaper app actually did what's been attributed to it.

What makes you certain that the app cannot access the data claimed? Not that I'm doubting your knowledge - but thus far you're the only voice stating that position. And excuse my ignorance, Android is foreign to my experience.
post #61 of 211
Quote:
Originally Posted by Chopper View Post

So you're saying, obviously, that the people who reported the app as sending this sensitive data to somebody in China are making it up. Lying, in fact. Interesting, but surprising that nobody at the black hat conference called them on it.

Unless the report was bogus and the security guys never claimed the wallpaper app actually did what's been attributed to it.

What makes you certain that the app cannot access the data claimed? Not that I'm doubting your knowledge - but thus far you're the only voice stating that position. And excuse my ignorance, Android is foreign to my experience.

No, I'm saying that with the information we have, that the app requests PHONE_INFO permission, it's impossible to collect SMS'S, history, etc.

Perhaps the report is incomplete.

Looking on Android Market, all the apps from jackeey have the same permissions, and none of them allow to read sensitive data.
post #62 of 211
What's the bet this will not be on CNN, Reuters and have over 4000 articles in a week devoted to "Evil Google" and their "flawed phone"?

When will the legions of haters start flooding the airwaves with vitriol about how Google owes them big time and lawsuits, senators and David Letterman start attacking Google?

........crickets.........

To me, the truly ironic part of this whole situation is that all of an Android user's personal information like text messages, emails; IM's; web history, heck even their voice calls are all already being recorded by Google and probably sold off to marketeers - nothing is ever really free - and the only difference is that the information is now going to someone in Shenzhen as well as Mountain View.
..... the greatest fame comes from adding to human knowledge, not winning battles.
Paraphrased from Napoleon Bonaparte, 1798
post #63 of 211
Quote:
Originally Posted by Gwydion View Post

No, I'm saying that with the information we have, that the app requests PHONE_INFO permission, it's impossible to collect SMS'S, history, etc.

Perhaps the report is incomplete.

Looking on Android Market, all the apps from jackeey have the same permissions, and none of them allow to read sensitive data.

Again, excuse my ignorance once more, would it not be possible for an app to run code with a different set of permissions once it was executed - an app within an app if you like?
post #64 of 211
Quote:
Originally Posted by Chopper View Post

Again, excuse my ignorance once more, would it not be possible for an app to run code with a different set of permissions once it was executed - an app within an app if you like?

No, it can't.

Also, you can't update an app with new permissions without asking for them
post #65 of 211
Quote:
Originally Posted by shadash View Post

Well, I hate to agree with you, but there is no upside for Android on this one. Google needs to take a more hands-on approach to vetting apps.

Not that I disagree with you, but how exactly could the vetting of apps have changed the outcome in this instance? There is nothing in Apple's process that would prevent what occurred here.

It seems the bigger problem is that the application was able to access data it shouldn't have been allowed to access, which points at a bug somewhere in the Android API, not at a flaw with their application approval process (or lack of)




Quote:
Originally Posted by shadash View Post

Microsoft has apparently adopted an Apple-like approach to their app store for WM7. It will be interesting to see if WM7 displaces Android over time if problems like this continue. MS could carve out a niche in which they are less restrictive than Apple (Google Voice, more carriers than just asstastic AT&T, etc.) but curate their app store to a much greater extent than Google. It will be interesting to watch how this plays out.

Maybe... but only if they really continue (i.e. something like this every 6 months or so). Otherwise it will be quickly forgotten.

I think WP7 will be cutting RIM's grass more than Google's.
post #66 of 211
Quote:
Originally Posted by Gwydion View Post

No, it can't.

Also, you can't update an app with new permissions without asking for them

OK.

Then it's somewhat baffling that nobody picked this up at the black hat conference, or alternatively, nobody has updated the original report.

I guess there's a lot more to come on this story.
post #67 of 211
Quote:
Originally Posted by Gwydion View Post

No, it can't.
Also, you can't update an app with new permissions without asking for them

I think that might be the point. It seems this application has been able to access phone data without the appropriate permissions. A bug in the Android security API perhaps?
post #68 of 211
Quote:
Originally Posted by lostkiwi View Post

To me, the truly ironic part of this whole situation is that all of an Android user's personal information like text messages, emails; IM's; web history, heck even their voice calls are all already being recorded by Google and probably sold off to marketeers

Do you really think Google is getting a copy of every single message, IM, email and voice call made from an Android phone?
post #69 of 211
Quote:
Originally Posted by davesw View Post

Enjoy your spyware

Well why does google let these third party Trojan horses work on their phones!!! I believe the only Trojan horse that needs to run on these phones is the Google one. Do we really need several Trojan horses multitasking ???

Do we still need somebody else analysing speech and mail and sms on the phone to sell you personal advertisements from the big corporations???
post #70 of 211
Quote:
Originally Posted by matrix07 View Post

Soon Android users would need to install data protection app as a standard procedure much like Anti-Virus software in Windows system.

Yep! I can see it now ... "Your call cannot be connected until Kaspersky has updated its database ..."
Use duckduckgo.com with Safari, not Google Search
Been using Apples since 1978 and Macs since 1984
Long on AAPL so biased. Strong advocate for separation of technology and politics on AI.
post #71 of 211
Quote:
Originally Posted by FormerARSgm View Post

Wait wait wait one damn second. You're trying to tell me that an 'open', unregulated, app store might have malicious apps on it from China? And these apps would collect personal and private data then transmit it to China? NO FREAKING WAY. Google has always been known for protecting user data and sees protecting its customers as a priority. Android is simply the safest phone OS on the market! <insert sarcastic wit here> This whole story comes as no surprise.... <rolls eyes>

No surprise true! But still sooner than I expected:
post #72 of 211
Quote:
Originally Posted by Firefly7475 View Post

Do you really think Google is getting a copy of every single message, IM, email and voice call made from an Android phone?

Sure! Read the privacy agreements. Maybe they don't do voicecalls now but you don't need to ask about the rest. Also they record your location are and stuff like that.
Their ruling is they use everything they need to make their service better. (Should I say their Ad service?)

Apple has a more sensible approach. There are 2 scenarios when Apple could get your location. For Ads the phone calculates your ZIP number, which then is transmitted to Apple. Google uses GPS coordinates for that.
The other is WIFI Hotspots. When you use a location API via any app (that you have approved) your phone automatically sends your GPS location with the BSSID and the strength of nearby Wifi Basestations to Apple. This data is transmitted completely anonymously and they can't track back where it came from. Google well just transmits everything.

edit: Link to google privacy center: here
link to apple privacy: here
PS you should read those before you buy your device...
post #73 of 211
Quote:
Originally Posted by Firefly7475 View Post

Do you really think Google is getting a copy of every single message, IM, email and voice call made from an Android phone?

Yep, thousands of Google employees sit in vast offices listening to your voice calls.
post #74 of 211
"Android Phone Fans" have received clarification from the company.


"[Update]: MyLookout chimed in with us to clarify some details that other outlets have been reporting. Specifically, the app does collect data from your phone, but only the device’s phone number, subscriber identifier, and voicemail number fields are retrieved. SMS and browsing history are not touched by any of the apps they analyzed throughout their Blackhat conference. Your voicemail’s password is also not transmitted unless you included the password in your phone’s voicemail number field.

We’re not yet certain on what the developer’s intentions are for using the pieces of data it does send to China – so we can’t outright call it malicious – but it is collecting and sending data nevertheless. Hopefully that clears up some of the confusion everyone’s been faced with regarding the read-only property READ_PHONE_STATE that the application uses to access certain pieces of data."


So not as bad as reported, but bad nonetheless.
post #75 of 211
Quote:
Originally Posted by Rabbit_Coach View Post

Yep, thousands of Google employees sit in vast offices listening to your voice calls.

They have voice recognition. Maybe if you say Apple very often they send you more Apple Ads.
You have to remember that a lot of parts of Android are closed source and I believe there must be a reason for that. So that way your phone could do the keyword counting and only send those keywords to Google.
post #76 of 211
Quote:
Originally Posted by Chopper View Post

The schadenfreude being expressed here may well haunt a few posters in the future since the report cited points out that the app concerned did exactly what it was meant to, much like the "flashlight" app from Apple's AppStore.

Both had hidden functionality that the stores' respective app police failed to spot. How did that happen? Who can say.

What it does show is that there's no guarantee on either platform that the app you downloaded, digitally signed or not, won't have a payload that does something that you didn't agree to. And that payload might conceivably compromise your personal info.

The "Flashlight" app wasn't discovered by Apple. In order to deliver its benefits to the end user, the user needed to know how to access it, and once the info was out there, it was only a matter of time before somebody blogged it. That's how Apple became aware of it, and subsequently pulled it.

Click for info.

That app, for those unfamiliar with it, enabled tethering on the iPhone. A rather innocuous payload to be sure, but still forbidden by Apple. It could quite easily have been far less benign though, and there's no guarantee that there's not a smartphone app already doing the self same thing with your privacy right now. On either platform.

Let's be careful out there.

But the Flashlight App did exactly what it was supposed to do, although thru the back door. I already had two great Flashlight Apps but I did need a tethering App to help me consume my 2GB data plan minutes. I normally use 200-350MB /month so the months I would go over the 250MB would greatly exceed the price difference of the 2GB plan. And there are times when I want (Need) to use my laptop in the wild and this little tool in my toolbox will keep me from running to find a free WiFi hotspot
KennDDS
post #77 of 211
Quote:
Originally Posted by peter02l View Post

Millions affected. Not a single one complains. And no lawsuits! And yet some of these Android users (who don't even own an iPhone 4) are constantly finding a new thing about the iPhone to carp about.

Yeah exactly! Android users are a jealous bunch.
post #78 of 211
Quote:
Originally Posted by KennMSr View Post

But the Flashlight App did exactly what it was supposed to do, although thru the back door. I already had two great Flashlight Apps but I did need a tethering App to help me consume my 2GB data plan minutes. I normally use 200-350MB /month so the months I would go over the 250MB would greatly exceed the price difference of the 2GB plan. And there are times when I want (Need) to use my laptop in the wild and this little tool in my toolbox will keep me from running to find a free WiFi hotspot

You are missing his point completely and veering off on an unrelated tangent. Sure, the tethering flashlight did what it was supposed to do. But it could just as easily have been malware and Apple again would not have known about it, nor would unsuspecting downloaders.
post #79 of 211
This is a prime example why we should not embrace open source, this widely. People use all sorts of comparisons with prisons etc. It's just hyperbole created by Stallman and his team. While things like DRM are examples of bad closed source software, there are a lot more examples of bad 'free' (yeah right) software. Take one look at the Linux desktop, no unified desktop, no unified dev environment and worst of all different apps use different custom and 'standard' API's making some applications have no sound while others have sound. Many problems, but just a fix there, put a terminal command on your desktop for when you use Firefox... bla, bla, bla.

A lot of people think that it really is open, that you can take any software and modify it. No. You have to make sure the credits include the developers who worked on the original app and you have to make sure you contact them so they know they are having a new version of their app created, and then sometimes they might demand you work ON THEIR APP. You see what I mean? A mess.

If you like your GUI to have the file browser and the music player made by completely different people then it's up to you.
post #80 of 211
Reading this is like listening to Rush Limbaugh. There's way too much spin. Look around and you will see the truth... or you can stay in your walled garden and believe whatever they feed you.

I love my Mac Pro, my Macbook Pro, my iPad and my Nano but didn't care for the iPhone.

Granted the Android Market has some huge problems but for me the flexibility I have with my phone is well worth the problems.

The competition between these 2 formats will make both phones better.