or Connect
AppleInsider › Forums › Mobile › iPhone › New Android malware could produce Chinese botnet, harvest personal data
New Posts  All Forums:Forum Nav:

New Android malware could produce Chinese botnet, harvest personal data - Page 2

post #41 of 70
Quote:
Originally Posted by JakeBarnes View Post

So most AMERICAN Android users have little to worry about?

What utter BS.

People who use the popular, supported, centralised Marketplaces would have less to worry about trojans being injected onto popular apps. Those Marketplaces are not available everywhere and the app distribution method is more prone to corruption. The trojan in question arose in China and I see it being more problematic in countries where the app store is not so readily available.

Quote:
Originally Posted by JakeBarnes View Post

I want to know the apps I download have been through Apple's rigorous clearing process. Nerds who've bought Google's PR garbage may call that a walled garden. I call it safe computing.

Of course Apple's method is safer for the end user but Google are right too that it is restrictive. I like the security that Apple's method allows. I don't like having to jailbreak it to run an emulator or customise it.
post #42 of 70

deleted


Edited by MacRulez - 5/4/12 at 12:50pm
post #43 of 70
Quote:
Originally Posted by MacRulez View Post

This is a good argument for Mac OS X to become curated as well.

Except on OS X, we have a large number of users using "Little Snitch" or other such software who would catch such a thing in an instant and it would be front page news on every tech related news site and several mainstream media sites.
post #44 of 70

deleted


Edited by MacRulez - 5/4/12 at 12:49pm
post #45 of 70

deleted


Edited by MacRulez - 5/4/12 at 12:49pm
post #46 of 70
Quote:
Originally Posted by nvidia2008 View Post

Secondly, more pertinently, is that the issue is not that "An SMS app needs access to SMS". The point is that once you have granted permission that app can then send SMS's behind your back without you knowing. Apple's iOS and App Store has various layers that prevent this sort of thing. From private API use, to some level of human-checking of apps and a reasonably robust review and rating system.

Quote:
Originally Posted by tonton View Post

No, we're pointing out that there's no security when that SMS application, which may in fact have a legitimate need to access your SMSes, can also read them all, archive them, mine them for information like your friends' contact details, and sell those details or use them for spamming purposes.

They can search your SMSes for other details like credit card numbers and passwords, if you're stupid enough to send those things over SMS communications.


The example shown was for a SMS application that provided (by the looks of it) a conversation like of you SMS messages, allowing you to read them, and send them. It needs read and write access to your SMS messages, without it, it won't work.

Sure they may have written backdoor code it it, but so could anyone in the Apple world as well, Apple doesn't check code to approve an app, apps have been approved before by Apple that broke the Apple rules, they don't do anything it until after the fact.

And it you are going to moan about permissions, choose an app that doesn't actually need that functionality.


Quote:
Originally Posted by nvidia2008 View Post

With no screening process, how on Earth can you be sure these things aren't happening right now?

As I have said, even with Apples screening process rogue apps can and will get through.
post #47 of 70
Quote:
Originally Posted by tonton View Post

Except on OS X, we have a large number of users using "Little Snitch" or other such software who would catch such a thing in an instant and it would be front page news on every tech related news site and several mainstream media sites.

Please provide usage statistics for Little Snitch. I don't know anyone that uses this program, especially at the price they are asking
post #48 of 70
Quote:
Originally Posted by JakeBarnes View Post

So most AMERICAN Android users have little to worry about?

What utter BS.

I want to know the apps I download have been through Apple's rigorous clearing process. Nerds who've bought Google's PR garbage may call that a walled garden. I call it safe computing.

Not really. Today, this moment? Yes, no problem. A few days or weeks from now? I wouldn't feel so fat, dumb and happy. The technique is in the field and if Chinese Android App stores can be tricked into uploading malwar-ized legitimate apps, so can non-Chinese Android App stores.
.
Reply
.
Reply
post #49 of 70
Quote:
Originally Posted by tonton View Post

The point is that you never know when or why they're doing it. There is no data security whatsoever once you give permission. And there's no app screening process, so there's no way to know which apps might have a secret back door. It's really scary, actually, especially when your most personal data is in the mix.

I'm very happy with the level of control under iOS, TYVM. I don't need the security mess that is Android.

Well, Apple is getting sued because it is alleged that Apple's screening process is deficient and that allows all kinds of apps to be getting all kinds of personal information.

Also the problem is compounded by jailbreaking/unlocking. You should be grabbing the source code for the jailbreaking/unlocking yourself, inspect them line by line so that you know that nobody is putting a back door on your iphone, and compile the jailbreaking program yourself...
post #50 of 70

deleted


Edited by MacRulez - 5/4/12 at 12:49pm
post #51 of 70
I'm surprised it took this long for someone to create a botnet with Android phones. The Android Weedpatch is ripe for this kind of exploit.

Android top apps are mostly task killers now, but in the future there might be a boom in anti-malware apps. Just like there was a boom in anti-virus software on Windows. Google doesn't care. All they want is eyeballs on ads. You are what Google sells to advertisers. You're just a number to Google.

Sent from my iPhone Simulator

Reply

Sent from my iPhone Simulator

Reply
post #52 of 70
Quote:
Originally Posted by jfanning View Post

Please provide usage statistics for Little Snitch. I don't know anyone that uses this program, especially at the price they are asking

You do now. And it has allowed me to uncover at least one attempted malware javascript that tried to get out on a port other than 80 which I allow Safari to have.

It also puts a kibosh on some apps phone home behavior.
.
Reply
.
Reply
post #53 of 70
Ever wondered what such a Trojan-like botnet (as seen by the Chinese authorities) could be "useful" for?
post #54 of 70
Quote:
Originally Posted by SockRolid View Post

I'm surprised it took this long for someone to create a botnet with Android phones. The Android Weedpatch is ripe for this kind of exploit.

The problem is that there is NO botnet. Security software vendors says it COULD be a botnet

Quote:
Originally Posted by SockRolid View Post

Android top apps are mostly task killers now, but in the future there might be a boom in anti-malware apps. Just like there was a boom in anti-virus software on Windows. Google doesn't care. All they want is eyeballs on ads. You are what Google sells to advertisers. You're just a number to Google.

False, since 2.0 task killers hasn't been necesary.
post #55 of 70
Quote:
Originally Posted by Gwydion View Post

The problem is that there is NO botnet. Security software vendors says it COULD be a botnet

No, but it just became almost trivial to propagate one. And we all know nature abhors a vacuum.
.
Reply
.
Reply
post #56 of 70
Quote:
Originally Posted by Hiro View Post

No, but it just became almost trivial to propagate one.

Trivial propagate? Exactly like in OS X.
post #57 of 70
Quote:
Originally Posted by jfanning View Post

Please provide usage statistics for Little Snitch. I don't know anyone that uses this program, especially at the price they are asking

I love stupid comments like this. No one has access to these kind of statistics outside the developer(s), and I'm sure you know that.

Quote:
Originally Posted by Hiro View Post

You do now. And it has allowed me to uncover at least one attempted malware javascript that tried to get out on a port other than 80 which I allow Safari to have.

It also puts a kibosh on some apps phone home behavior.

I use Little Snitch and at least a couple friends (that I know of) use it as well.

We desperately need an (official) app like this for iPhone/iPodTouch. I know there are options available through "back channels", but maybe we need some kind of petition for this...

I would not dream of using a computer hooked up to the net without Little Snitch (or an equivalent?). Try it out for a couple weeks and see how much your apps phone home and/or other random or unknown places. Fortunately, for LS users, it's merely an attempt to do so.

On your desktop/laptop, apps have nearly unlimited access to your personal information. Anyone who considers all apps to be 100% trustworthy is a fool. That's just not the way the real world operates. The majority are honest, but it only takes one bad egg to spoil things.
No Matte == No Sale :-(
Reply
No Matte == No Sale :-(
Reply
post #58 of 70
Quote:
Originally Posted by Gwydion View Post

Trivial propagate? Exactly like in OS X.

How so. In OS X the software will need to ask for a password to have the kinds of system access the Android malware has and VERY few apps should ever need a password, so this is a major red flag if it is unexpected. The Android app doesn't even need a password, it gets its permission merely from the fact you agreed to download it. And once it's there it can download and install other stuff without ever having to ask. That's a pretty big difference.
.
Reply
.
Reply
post #59 of 70
Quote:
Originally Posted by Hiro View Post

How so. In OS X the software will need to ask for a password to have the kinds of system access the Android malware has and VERY few apps should ever need a password, so this is a major red flag if it is unexpected. The Android app doesn't even need a password, it gets its permission merely from the fact you agreed to download it. And once it's there it can download and install other stuff without ever having to ask. That's a pretty big difference.

Meeec, to download the app you must agree to the permissions, if you don't agree the permissions you can't download or install the app.

And no it can't download and install stuff withouth asking your permission.
post #60 of 70
Quote:
Originally Posted by nvidia2008 View Post

Nope, you just download any app and it has access to do pretty much anything it wants to do.

Honestly, just look at those permissions for simple apps... Any rational person would question
the whole scheme of Android permissions. The dialog box should just read:

"Would you like to give everything about yourself away to everyone and anyone? Click OK to proceed.
Oh, BTW, we will have full access to making your phone do whatever we want without you knowing.
"



Ummmmm of course Handcent SMS needs permission to receive and send SMS msgs, that's what the app does. Find better examples please.
"Few things are harder to put up with than the annoyance of a good example" Mark Twain
"Just because something is deemed the law doesn't make it just" - SolipsismX
Reply
"Few things are harder to put up with than the annoyance of a good example" Mark Twain
"Just because something is deemed the law doesn't make it just" - SolipsismX
Reply
post #61 of 70
On iOS there is App already built-in SMS app, so anything I download that MAY ask for permission to my SMS will NOT to downloaded. It's simple folks. On android they have to downloaded everything, even apps to help the os to give functionality that we take for granted on iOS, poor bastards, bu they chose this , so let them suffer.
Also app killer is required for those that have old versions o he android os, wow what a wonderful advertisement !
post #62 of 70
Quote:
Originally Posted by White Rabbit View Post

On iOS there is App already built-in SMS app, so anything I download that MAY ask for permission to my SMS will NOT to downloaded. It's simple folks. On android they have to downloaded everything, even apps to help the os to give functionality that we take for granted on iOS, poor bastards, bu they chose this , so let them suffer.
Also app killer is required for those that have old versions o he android os, wow what a wonderful advertisement !

Nice try
post #63 of 70
Quote:
Originally Posted by Gwydion View Post

Meeec, to download the app you must agree to the permissions, if you don't agree the permissions you can't download or install the app.

Right. That's not the problem though.

Quote:
And no it can't download and install stuff withouth asking your permission.

Right in a narrow definition, but wrong in the big picture. How many users are going to refuse a request to update an app they already have on the phone? Sure the phone makes the request, but the malicious software is reinstalling whatever the hell it wants in response to that OK.

This is a big problem where everything including the totally innocuous stuff needs the same OK as dangerous stuff. The user is defenseless to determine which is which.
.
Reply
.
Reply
post #64 of 70
Quote:
Originally Posted by Hiro View Post

Right. That's not the problem though.



Right in a narrow definition, but wrong in the big picture. How many users are going to refuse a request to update an app they already have on the phone? Sure the phone makes the request, but the malicious software is reinstalling whatever the hell it wants in response to that OK.

Meeec another time, the request is fot the actual applications that is installed or removed, not for the app that has started the request.
post #65 of 70
Quote:
Originally Posted by Gwydion View Post

Meeec another time, the request is fot the actual applications that is installed or removed, not for the app that has started the request.

Are you really that slow? App A, the "starter" maliciously modified app gets loaded. Eventually it generates the update for App B message. When App B gets updated it wasn't the App B you thought it was, it is the App B with the nasty malicious payload grafted onto it. And its maliciousness has all the permissions of the original App B.

It is classic permissions escalation without any out of the ordinary messages to queue you that there is anything funny going on.

If App A had network permissions that exchange isn't even necessary, you could be in possession of a zombie bot. That easy.
.
Reply
.
Reply
post #66 of 70
Quote:
Originally Posted by Hiro View Post

Are you really that slow? App A, the "starter" maliciously modified app gets loaded. Eventually it generates the update for App B message. When App B gets updated it wasn't the App B you thought it was, it is the App B with the nasty malicious payload grafted onto it. And its maliciousness has all the permissions of the original App B.

It is classic permissions escalation without any out of the ordinary messages to queue you that there is anything funny going on.

If App A had network permissions that exchange isn't even necessary, you could be in possession of a zombie bot. That easy.

Slow? No, perhaps not so ignorant of the way Android permission work.

But it's easier for you to talk about something you don't know nothing than inform a little, isn't?
post #67 of 70
Quote:
Originally Posted by Blah64 View Post

I love stupid comments like this. No one has access to these kind of statistics outside the developer(s), and I'm sure you know that.

If that is your thoughts then your entitled to them, but if you love stupid comments, then why didn't you reply to the person who made the claim...

Quote:
Except on OS X, we have a large number of users using "Little Snitch" or other such software who would catch such a thing in an instant and it would be front page news on every tech related news site and several mainstream media sites.


After all, how can they claim that "we have a large number of users using "Little Snitch" without knowing the stats.
post #68 of 70
Quote:
Originally Posted by Hiro View Post

You do now. And it has allowed me to uncover at least one attempted malware javascript that tried to get out on a port other than 80 which I allow Safari to have.

It also puts a kibosh on some apps phone home behavior.

Congrats, I'm glad you like it, personally I don't think it is worth the NZ$105 they charge for the family licence
post #69 of 70
Quote:
Originally Posted by White Rabbit View Post

On iOS there is App already built-in SMS app, so anything I download that MAY ask for permission to my SMS will NOT to downloaded. It's simple folks. On android they have to downloaded everything, even apps to help the os to give functionality that we take for granted on iOS, poor bastards, bu they chose this , so let them suffer.

There's already a built-in SMS/MMS app on Android phones as well (as opposed to the iPhone where users had to wait over a year for MMS to be available). The Handcent app is an alternate SMS client (you know, one of those things that would never appear on the iTunes App Store because it "duplicates functionality" and iPhone users are apparently too stupid to realize that an app they intentionally downloaded and installed is different than the built-in app).
post #70 of 70
Great, it is so cool to be open.

"Apple sells premium products at premium prices to premium customers." Cheapskates need not apply 

Reply

"Apple sells premium products at premium prices to premium customers." Cheapskates need not apply 

Reply
New Posts  All Forums:Forum Nav:
  Return Home
  Back to Forum: iPhone
AppleInsider › Forums › Mobile › iPhone › New Android malware could produce Chinese botnet, harvest personal data