or Connect
AppleInsider › Forums › Mobile › iPhone › FBI issues warning to smartphone users regarding Android malware
New Posts  All Forums:Forum Nav:

FBI issues warning to smartphone users regarding Android malware

post #1 of 103
Thread Starter 
The FBI's Internet Crime Complaint Center has issued a warning alerting users about malware that targets the Android mobile operating system.

The intelligence note from the IC3 was issued last week, and highlighted on Monday by Apple 2.0. It noted there are various forms of malware out in the wild that attack Android devices.

Two forms of malware cited by the IC3 are Loozfon, which steals information from users, and FinFisher, which can give nefarious hackers control over a user's device.

Android
Image via Android Police.


Loozfon can lure in victims by promising users a work-at-home opportunity in exchange for sending out an e-mail. Visiting a link in the e-mail will push Loozfon to the user's device, allowing the malware to steal contact details from the device's address book.

The FinFisher spyware highlighted by the IC3 allows for a mobile device to be remotely controlled and monitored from anywhere. FinFisher is installed by simply visiting a Web link or opening a text message that disguises itself as a system update.

IN addition to highlighting Loozfon and FinFisher, the IC3 intelligence note also offers users a number of safety tips to help protect their mobile device. They are:
  • When purchasing a Smartphone, know the features of the device, including the default settings. Turn off features of the device not needed to minimize the attack surface of the device.
  • Depending on the type of phone, the operating system may have encryption available. This can be used to protect the user's personal data in the case of loss or theft.
  • With the growth of the application market for mobile devices, users should look at the reviews of the developer/company who published the application.
  • Review and understand the permissions you are giving when you download applications.
  • Passcode protect your mobile device. This is the first layer of physical security to protect the contents of the device. In conjunction with the passcode, enable the screen lock feature after a few minutes of inactivity.
  • Obtain malware protection for your mobile device. Look for applications that specialize in antivirus or file integrity that helps protect your device from rogue applications and malware.
  • Be aware of applications that enable Geo-location. The application will track the user's location anywhere. This application can be used for marketing, but can be used by malicious actors raising concerns of assisting a possible stalker and/or burglaries.
  • Jailbreak or rooting is used to remove certain restrictions imposed by the device manufacturer or cell phone carrier. This allows the user nearly unregulated control over what programs can be installed and how the device can be used. However, this procedure often involves exploiting significant security vulnerabilities and increases the attack surface of the device. Anytime a user, application or service runs in "unrestricted" or "system" level within an operation system, it allows any compromise to take full control of the device.
  • Do not allow your device to connect to unknown wireless networks. These networks could be rogue access points that capture information passed between your device and a legitimate server.
  • If you decide to sell your device or trade it in, make sure you wipe the device (reset it to factory default) to avoid leaving personal data on the device.
  • Smartphones require updates to run applications and firmware. If users neglect this it increases the risk of having their device hacked or compromised.
  • Avoid clicking on or otherwise downloading software or links from unknown sources.
  • Use the same precautions on your mobile phone as you would on your computer when using the Internet.

The presence of malware on Android has been known for some time, while Apple's tightly controlled iOS platform is far less susceptible to malware. This summer, one piece of malware did manage to slip through the cracks and was temporarily available for download on Apple's iOS App Store.
post #2 of 103
Just when I was about to get an Android phone. I think i'll just get the 5 instead.
post #3 of 103
Who cares if someone can steal my information so easy, it has sd card expansion slots, removable batteries, widgets, and you can swipe your palm to take a screenshot. Malware Shmalware.
post #4 of 103
Bahahaha! This comes to absolutely ZERO surprise. What's going to be even more pathetic are the whiny fandroids and iHaters that will spin this story in every way to label it as a paid Apple article.

When my friends and associates ask me for advice on their first smartphone, I say the same thing that I've been saying since the iPhone first came out. If you care about safety and security, Apple is the way to go. If you want uncertainty and headaches, Android's your poison.

But..but... Android is "open"!!! Yeah.. it's open all right!! Open for everyone to see!!

I'll take my walled garden any day!
post #5 of 103
Android is the new Windows
post #6 of 103
This is PC all over again.
Today 70% of PCs have malware and/or Virus.

And Google uses Linux/Unix. The most secure OS there is.
This is solved in ten minutes by Google, if they wanted it.

They need to certify that the program is malware free to have it on their app store.

The problem is that Google can't do that since they would be open for law suites. Google would be responsible to remove all pirate apps, including emulators/roms and all that fun stuff.

And one of the main selling point of Android for younger users are the free apps. There are pirate app stores on the net. Everything free for Android. And Google approves it. They only want to sell advertising and data mine.

Googles culture is the "new economies". Everything is free. Google have the worlds largest torrent linking service with their search engine. They have the worlds largest collection of pirated movies and videos on youtube. And over 90% of the apps installed on their phones are pirated. (and Android is pirated)

And its the medias job to inform the public about malware on Android and how Google earns money. They have done a real poor job of that so far.

The big question: what is google hiding?
In my country we have a legal right to know everything a company stores on their computers about a customer. I did a legal request a month ago. Google is the only company that refuses give me the data.

I hope I win in court.
post #7 of 103
Originally Posted by shompa View Post
They have the worlds largest collection of pirated movies and videos on youtube.

 

I've always been curious how Google is even allowed to operate when they refuse to actually do anything about the illegal stuff on YouTube.

Originally Posted by Slurpy

There's just a TINY chance that Apple will also be able to figure out payments. Oh wait, they did already… …and you’re already fucked.

 

Reply

Originally Posted by Slurpy

There's just a TINY chance that Apple will also be able to figure out payments. Oh wait, they did already… …and you’re already fucked.

 

Reply
post #8 of 103

Gee, and you can "tap" your android phone with your best friend, and get more than you bargained for.

 

By the way, does ANYONE know any actual people who have used this well-advertised "advantage" over iphones?  Neither have I.

 

Do we now need some "safe sex" cellphone ads now?

post #9 of 103
Quote:
Originally Posted by Bagman View Post

Gee, and you can "tap" your android phone with your best friend, and get more than you bargained for.

 

We need some "safe sex" ads now, for cellphone use.

 

By the way, does ANYONE  know any actual people who have used this well-advertised "advantage" over iphones?  Neither have I.


Yeah, next thing you know the FBI and CDC will tell people to refrain from inappropriate physical contact with their Scamscum phones. :)

post #10 of 103
Quote:
Originally Posted by Tallest Skil View Post

 

I've always been curious how Google is even allowed to operate when they refuse to actually do anything about the illegal stuff on YouTube.


It's funny to me... all the filesharing services (Napster, Audio Galaxy, Kazaa) ran into problems when they were providing a platform for sharing copyright material and the "we don't control the content" defense did not work.  Here we have Google making millions by serving ads while providing copyright material.  They should be sued over all those music videos, movies, tv shows, etc. that people get to watch for free.

post #11 of 103
Quote:
Originally Posted by sflocal View Post


Yeah, next thing you know the FBI and CDC will tell people to refrain from inappropriate physical contact with their Scamscum phones. :)

Actually, the most inappropriate physical activity you can do with an android cellphone is to actually use it.

post #12 of 103
Yay open!

Sent from my iPhone Simulator

Reply

Sent from my iPhone Simulator

Reply
post #13 of 103
I've had Android users look at the latest greatest app I'm using on iOS, go online and brag about how the same thing exists for Android (no, it doesn't) and end up with a trojan horse! And it's the ONLY version of that app... there IS no real one for Android. So everyone who looks for it gets the malware.

Then they spend ages trying to delete it and clear out the malware, and end up downloading some other, much worse app instead of the one they wanted. And walk away delighted with all the "choice" they have 1tongue.gif

(P.S. Really? Curly quotes created automatically by OS X break AI's new forums? I have to paste into TextWrangler to post?)
post #14 of 103
This is just bullshit. Loozfon needs to convince the user with a spam email to send out an email so that it can steal contacts data. Any app can do it on iPhone without even notifying. (Whatsapp, skype etc). There are thousands of apps using address book api, and they can easily upload the whole address book.

Stop hating Android. It's year advanced than iOS now. Try getting used to this fact.
Edited by BlackPepper - 10/15/12 at 12:47pm
post #15 of 103
Quote:
...They are:
  • When purchasing a Smartphone, know the features of the device, including the default settings. Turn off features of the device not needed to minimize the attack surface of the device.
  • Depending on the type of phone, the operating system may have encryption available. This can be used to protect the user's personal data in the case of loss or theft.
  • With the growth of the application market for mobile devices, users should look at the reviews of the developer/company who published the application.
  • Review and understand the permissions you are giving when you download applications.
  • Passcode protect your mobile device. This is the first layer of physical security to protect the contents of the device. In conjunction with the passcode, enable the screen lock feature after a few minutes of inactivity.
  • Obtain malware protection for your mobile device. Look for applications that specialize in antivirus or file integrity that helps protect your device from rogue applications and malware.
  • Be aware of applications that enable Geo-location. The application will track the user's location anywhere. This application can be used for marketing, but can be used by malicious actors raising concerns of assisting a possible stalker and/or burglaries.
  • Jailbreak or rooting is used to remove certain restrictions imposed by the device manufacturer or cell phone carrier. This allows the user nearly unregulated control over what programs can be installed and how the device can be used. However, this procedure often involves exploiting significant security vulnerabilities and increases the attack surface of the device. Anytime a user, application or service runs in "unrestricted" or "system" level within an operation system, it allows any compromise to take full control of the device.
  • Do not allow your device to connect to unknown wireless networks. These networks could be rogue access points that capture information passed between your device and a legitimate server.
  • If you decide to sell your device or trade it in, make sure you wipe the device (reset it to factory default) to avoid leaving personal data on the device.
  • Smartphones require updates to run applications and firmware. If users neglect this it increases the risk of having their device hacked or compromised.
  • Avoid clicking on or otherwise downloading software or links from unknown sources.
  • Use the same precautions on your mobile phone as you would on your computer when using the Internet.
...

 

They forgot one....

 

       14: Buy an iPhone instead.


Edited by icoco3 - 10/15/12 at 1:48pm
post #16 of 103
Of course, no where in this article or any of its sources does it claim that this is an issue for apps in the Play Store. Most malware is found in shady, third-party stores.

Further, Dilger's claim that "FinFisher is installed by simply visiting a Web link or opening a text message that disguises itself as a system update" is misleading. Android devices block third-party app stores by default. Unless a user has gone into their security settings, they don't be able to install an app that they download from an arbitrary web page. (It's worth noting that Dilger's wording, "installed," is different from the FBI's wording, "transmitted to.")

In other words, nothing to see here, folks.
post #17 of 103
Quote:
Originally Posted by Tallest Skil View Post

 

I've always been curious how Google is even allowed to operate when they refuse to actually do anything about the illegal stuff on YouTube.

I'm not sure what you mean by "refuse to actually do anything" -- Google regularly removes content from YouTube when receive they a DMCA notice. In fact, they've been criticized for being too aggressive about pulling content.

post #18 of 103

Well just as an FYI finfisher actually has an iOS version as well as Blackberry/WinMo/Symbian versions: http://www.h-online.com/security/news/item/FinFisher-trojan-for-iOS-and-Android-sighted-1695754.html

It is actually a commerical "lawful access" trojan marketed by German firm Gamma International.

 

In both these cases these apps did not get into the Google Play/iOS Apple Store (for finfisher) but rather could only run if you sideload the binary.  Loozfon is an Android only piece of malware but did not appear in Google Play.  It was actually spread by malicious email links in spam and has thus far only been used in a campaign against female Japanese users: http://www.symantec.com/connect/blogs/loozfon-malware-targets-female-android-users

 

In the case of Loozfon, the user has to click the apk link in the e-mail, have "accept from any sources" turned on in their options AND click ok when prompted on which permissions the app should have. 

 

edit: why all the talk about "tapping"?  NFC was not the vector in any of these  and isn't mentioned at all in the article.

post #19 of 103
Originally Posted by derekmorr View Post
I'm not sure what you mean by "refuse to actually do anything" -- Google regularly removes content from YouTube when receive they a DMCA notice. In fact, they've been criticized for being too aggressive about pulling content.

 

Yeah, they pull down fair use utilizations while leaving up unedited, unchanged, illegal content.

Originally Posted by Slurpy

There's just a TINY chance that Apple will also be able to figure out payments. Oh wait, they did already… …and you’re already fucked.

 

Reply

Originally Posted by Slurpy

There's just a TINY chance that Apple will also be able to figure out payments. Oh wait, they did already… …and you’re already fucked.

 

Reply
post #20 of 103
Quote:
Originally Posted by shompa View Post

This is PC all over again.
Today 70% of PCs have malware and/or Virus.
And Google uses Linux/Unix. The most secure OS there is.
This is solved in ten minutes by Google, if they wanted it.
They need to certify that the program is malware free to have it on their app store.
The problem is that Google can't do that since they would be open for law suites. Google would be responsible to remove all pirate apps, including emulators/roms and all that fun stuff.
And one of the main selling point of Android for younger users are the free apps. There are pirate app stores on the net. Everything free for Android. And Google approves it. They only want to sell advertising and data mine.
Googles culture is the "new economies". Everything is free. Google have the worlds largest torrent linking service with their search engine. They have the worlds largest collection of pirated movies and videos on youtube. And over 90% of the apps installed on their phones are pirated. (and Android is pirated)
And its the medias job to inform the public about malware on Android and how Google earns money. They have done a real poor job of that so far.
The big question: what is google hiding?
In my country we have a legal right to know everything a company stores on their computers about a customer. I did a legal request a month ago. Google is the only company that refuses give me the data.
I hope I win in court.

This isn't malware being delivered via an Appstore

melior diabolus quem scies
Reply
melior diabolus quem scies
Reply
post #21 of 103
Quote:
Originally Posted by Bagman View Post

Gee, and you can "tap" your android phone with your best friend, and get more than you bargained for.

 

By the way, does ANYONE know any actual people who have used this well-advertised "advantage" over iphones?  Neither have I.

 

Do we now need some "safe sex" cellphone ads now?

The original iPhone gained this feature (once the App Store was opened) through the App Store a long time ago. I remember downloading the App (Can't remember it's name now, and am at work, so can't look it up), and using it maybe once.

 

Next time I upgraded my phone, I deleted the app.

 

The only benefit to this feature in practice I have noticed is sharing Contacts. But it is a clumsy way to do it. Sending contacts via Message is far easier. It helps when you have poor service though, or are sharing your contact with someone whose number you don't have.

post #22 of 103
Quote:
Originally Posted by sflocal View Post


Yeah, next thing you know the FBI and CDC will tell people to refrain from inappropriate physical contact with their Scamscum phones. :)

 

 

OMG no more exchanging playlists by touching the backs of your Samsung phones? But that was their one exciting new feature! I mean, what would Windows Vista be without its singularly defining gimmick?

"Apple should pull the plug on the iPhone."

John C. Dvorak, 2007
Reply

"Apple should pull the plug on the iPhone."

John C. Dvorak, 2007
Reply
post #23 of 103
Quote:
Originally Posted by derekmorr View Post

Of course, no where in this article or any of its sources does it claim that this is an issue for apps in the Play Store. Most malware is found in shady, third-party stores.
Further, Dilger's claim that "FinFisher is installed by simply visiting a Web link or opening a text message that disguises itself as a system update" is misleading. Android devices block third-party app stores by default. Unless a user has gone into their security settings, they don't be able to install an app that they download from an arbitrary web page. (It's worth noting that Dilger's wording, "installed," is different from the FBI's wording, "transmitted to.")
In other words, nothing to see here, folks.

So the best way to experience Android's only advantage ("Openness") is to disable the openness?

 

Brilliant.

post #24 of 103
Quote:
Originally Posted by Tallest Skil View Post

I've always been curious how Google is even allowed to operate when they refuse to actually do anything about the illegal stuff on YouTube.

Such as?
"Few things are harder to put up with than the annoyance of a good example" Mark Twain
"Just because something is deemed the law doesn't make it just" - SolipsismX
Reply
"Few things are harder to put up with than the annoyance of a good example" Mark Twain
"Just because something is deemed the law doesn't make it just" - SolipsismX
Reply
post #25 of 103
Quote:
Originally Posted by BlackPepper View Post

This is just bullshit. Loozfon needs to convince the user with a spam email to send out an email so that it can steal contacts data. Any app can do it on iPhone without even notifying. (Whatsapp, skype etc). There are thousands of apps using address book api, and they can easily upload the whole address book.
Stop hating Android. It's year advanced than iOS now. Try getting used to this fact.


What brand of Kool-Aid are you chugging?

post #26 of 103
Quote:
Originally Posted by Suddenly Newton View Post

 

 

OMG no more exchanging playlists by touching the backs of your Samsung phones? But that was their one exciting new feature! I mean, what would Windows Vista be without its singularly defining gimmick?


Wait, what were the exciting features of iPhone 5? Hmmm, the calendar app has now one more column in the landscape mode... And, please don't forget, the headphone jack is on the bottom... phew....

post #27 of 103
Quote:
Originally Posted by BlackPepper View Post

This is just bullshit. Loozfon needs to convince the user with a spam email to send out an email so that it can steal contacts data. Any app can do it on iPhone without even notifying. (Whatsapp, skype etc). There are thousands of apps using address book api, and they can easily upload the whole address book.
Stop hating Android. It's year advanced than iOS now. Try getting used to this fact.

 

 

Android has Contact access in the API as well, and it even has those programs mentioned (WhatsApp, Skype).  But that isn't really what the article is about there is a line between an obvious unwanted program like the fake game that Loozfon presents and an app developer that monetizes content by selling data.  I think that is an important debate to have but not in the context of this article which is discussing malware.

post #28 of 103
Quote:
Originally Posted by dasanman69 View Post


Such as?

the entire Frasier series is up about 3 or 4 times over.  I've also watched countless operas and movies, many of which are still up.  And I haven't even been looking, really.

post #29 of 103
Quote:
Originally Posted by Tallest Skil View Post

 

Yeah, they pull down fair use utilizations while leaving up unedited, unchanged, illegal content.

Given the extremely high rate of video uploads, what do you suggest they do?

post #30 of 103
Quote:
Originally Posted by addicted44 View Post

So the best way to experience Android's only advantage ("Openness") is to disable the openness?

 

Disabling untrusted sources is hardly disabling openness. Further, it can be enabled selectively -- if you want to install a third-party app that you trust, enable the setting, install the app, then clear the setting.

post #31 of 103
"I'm way over my head when it comes to technical issues like this"
Gatorguy 5/31/13
Reply
"I'm way over my head when it comes to technical issues like this"
Gatorguy 5/31/13
Reply
post #32 of 103
Quote:
Originally Posted by addicted44 View Post
So the best way to experience Android's only advantage ("Openness") is to disable the openness?

Just like real life. Openness is good. Freedom is good. Only problem is there are a lot of bad guys out there. It would be nice if you didn't have to lock your house or your car or your computer but you do. Kids used to walk to school. Now you have to drive them so they don't get kidnapped. Credit cards were designed for convenience but are now a risk. Freedom just isn't as free as it once was. Now it is a liability. That is why Apple designed the walled garden. It is like being under house arrest in a five star hotel with really good catering, but it is still house arrest.

Life is too short to drink bad coffee.

Reply

Life is too short to drink bad coffee.

Reply
post #33 of 103
Quote:
Originally Posted by thejenkas View Post

 

 

Android has Contact access in the API as well, and it even has those programs mentioned (WhatsApp, Skype).  But that isn't really what the article is about there is a line between an obvious unwanted program like the fake game that Loozfon presents and an app developer that monetizes content by selling data.  I think that is an important debate to have but not in the context of this article which is discussing malware.


I have no objection to access to Contacts. I said any app on iOS can steal contacts data. And they probably already have.

post #34 of 103
Originally Posted by dasanman69 View Post
Such as?

 

What do you mean, such as? Entire movies are uploaded. TV shows, music videos, links to ROMs for pirated video games or to MP3s for the music…


Originally Posted by derekmorr View Post
Given the extremely high rate of video uploads, what do you suggest they do?

 

Allow users (not just copyright holders) to flag stuff as copyright infringement and then actually act on the flags instead of ignoring every flag about something that breaks their rules.

Originally Posted by Slurpy

There's just a TINY chance that Apple will also be able to figure out payments. Oh wait, they did already… …and you’re already fucked.

 

Reply

Originally Posted by Slurpy

There's just a TINY chance that Apple will also be able to figure out payments. Oh wait, they did already… …and you’re already fucked.

 

Reply
post #35 of 103

Quote:
Originally Posted by shompa View Post

And Google uses Linux/Unix. The most secure OS there is.

 

Every UNIX variant is different, and each repackaged distribution of those variants is different still.  You can't make a blanket statement like "most secure" without getting a bit more specific.

 

IMO, the single most secure UNIX variant is OpenBSD because it's main focus is security ahead of everything else.  However, because ease-of-use isn't as high a priority as security, it has a fairly steep learning curve.

 
Reply
 
Reply
post #36 of 103
Quote:
Originally Posted by Tallest Skil View Post

 

What do you mean, such as? Entire movies are uploaded. TV shows, music videos, links to ROMs for pirated video games or to MP3s for the music…

 

Allow users (not just copyright holders) to flag stuff as copyright infringement and then actually act on the flags instead of ignoring every flag about something that breaks their rules.

If you allow users to flag videos for takedown you end up with things like removal of the Democratic National Convention. 

http://www.theblaze.com/stories/youtube-cautiously-praised-for-video-takedown-policy-update/

melior diabolus quem scies
Reply
melior diabolus quem scies
Reply
post #37 of 103
Quote:
Originally Posted by Tallest Skil View Post

Allow users (not just copyright holders) to flag stuff as copyright infringement and then actually act on the flags instead of ignoring every flag about something that breaks their rules.

http://www.youtube.com/t/dmca_policy

post #38 of 103
Originally Posted by Gatorguy View Post
If you allow users to flag videos for takedown you end up with things like removal of the Democratic National Convention. 

http://www.theblaze.com/stories/youtube-cautiously-praised-for-video-takedown-policy-update/

 

The problem is in the automation. An automatic system can't tell fair use editing from straight up reuploading unless there's a source on which to base it or a human to make that decision. 


Originally Posted by derekmorr View Post
http://www.youtube.com/t/dmca_policy

 

And that's overly protective… of the uploaders. It'll come back to bite Google.

Originally Posted by Slurpy

There's just a TINY chance that Apple will also be able to figure out payments. Oh wait, they did already… …and you’re already fucked.

 

Reply

Originally Posted by Slurpy

There's just a TINY chance that Apple will also be able to figure out payments. Oh wait, they did already… …and you’re already fucked.

 

Reply
post #39 of 103
Quote:
Originally Posted by BlackPepper View Post


Wait, what were the exciting features of iPhone 5? Hmmm, the calendar app has now one more column in the landscape mode... And, please don't forget, the headphone jack is on the bottom... phew....


You forgot this?

http://www.anandtech.com/show/6324/the-iphone-5-performance-preview

iMac 21.5" 2.7 GHz (2011), 1TB HDD, 8GB RAM; iPhone 5c 16GB White; iPod Touch 4G 8GB Black; iPod Touch 2G 8GB
Reply
iMac 21.5" 2.7 GHz (2011), 1TB HDD, 8GB RAM; iPhone 5c 16GB White; iPod Touch 4G 8GB Black; iPod Touch 2G 8GB
Reply
post #40 of 103
Quote:
Originally Posted by BlackPepper View Post


I have no objection to access to Contacts. I said any app on iOS can steal contacts data. And they probably already have.

 

Well if the API has access to contacts and access to the network then it would be possible to "steal" contacts on either ecosystem.  This hypothetical scenario is actually best addressed by the App Store/Google Play model where a single company can decline to publish any software it deems to be a bad actor.  And in the cases of the malware as discussed in the artcile neither of them appeared in any appstores, finfisher never appeared on Play/iOS App Store and Loozfon never appeared on Play. But really if that is the argument is simply the ability to steal contacts then that is about equal on both platforms if the device is jail broken and the default application settings changed.

New Posts  All Forums:Forum Nav:
  Return Home
  Back to Forum: iPhone
AppleInsider › Forums › Mobile › iPhone › FBI issues warning to smartphone users regarding Android malware