Samsung's "free" Jay Z album delivered via Android spyware app

Posted:
in iPhone edited January 2014
In a promotion for its Galaxy phones, Samsung announced it would deliver a million free copies of Brooklyn rapper Jay Z's new album days before its official release. But it did so using a spyware Android app designed to track your location and harvest phone numbers you call, your device ID and which apps you use.

Jay Z Samsung app
Source: Google Play


Samsung's free Android mobile app "JAY Z Magna Carta" only works with select models, specifically the new Galaxy S 4, Galaxy S III, Galaxy Note II. But as New York Times music critic Jon Pareles wrote, "It?s an ugly piece of software."

"It?s an ugly piece of software."Samsung paid $5 million for the early distribution rights of the "Magna Carta Holy Grail" album, which ironically comes from an artist with lyrics that are "indignant about phone surveillance and bribing witnesses," Pareles stated.

The singer's 2010 track "Jay?s Back ASAP" complained, "They tap, them feds don?t play fair/They pay rats to say that they?re part of your operation."

Samsung-style Free and Open

Taking advantage of Google's "Trojan Horse" Android security model, the Samsung app simply demands access to a broad range of rights on the user's phone before allowing installation, even though all it really does is play back the album. It does not add the songs to a user's music library.

This includes tracking users' "precise GPS location." The app permissions page is so unnecessarily invasive that fellow rapper Killer Mike tweeted in response, "I read this and? 'Naw I'm cool.'"

I read this and........"Naw I'm cool" pic.twitter.com/x8fXPG1tvC

? Killer Mike (@KillerMikeGTO)


Unlike Apple's iOS, installed Android apps don't have to alert the user or ask for permission when they want to track the GPS location or access contacts or social network accounts, and there's actually provisions for apps to access users' phone call information and running apps. iOS is an app platform, not an ad platform.

Free love, NSA

Pareles added, "it demands permissions, including reading the phone?s status and identity." On Android, this includes obtaining a unique device ID that can be used by advertisers like a web cookie (but not eased by the user), but also includes collecting the user's phone number, tracking when the phone is in use on a call, and even "the remote number connected by a call."

In contrast, Apple has been incrementally working to increase users' privacy on iOS, warning developers in 2011 that they needed to stop relying upon iOS users' Unique User IDs because they would no longer be available. iOS 6 removed UUID access, effectively terminating OS-wide user tracking by ad networks.

In place of UUID, Apple's iOS 6 turned the tables to introduce an "Advertising Identifier," which serves as "a non-permanent, non-personal device identifier, that advertising networks will use to give you more control over advertisers' ability to use tracking methods."

I will tell your friends you love us

Samsung's new app "also gathers 'accounts,' the e-mail addresses and social-media user names connected to the phone," Pareles added. "When installed, it demanded a working log in to Facebook or Twitter and permission to post on the account."

In order to "unlock" lyrics within the app, users must tweet out a promo for each song on the album they want to read.

"It?s telling that Jay-Z ? who boasts regularly about his millions of sales ? and Samsung didn?t simply trust fans to post or tweet on their own," Pareles wrote.

Additionally, the app also demands permission to "retrieve running apps," which means it can "discover information about which applications are used on the device," another feature Google supports as a common permission on Android apps.

Why Samsung's "free" album app would need to track the GPS location, phone numbers, phone calls, social accounts and installed apps on users' phones is questionable enough, but even more interesting is that Android supports and enforces such invasive "app distributor's rights."

Fed-style surveillance on your open platform


"On some level, Jay-Z knows better. A streak of paranoia has been running through his lyrics for years," Pareles wrote, citing a line from ?Somewhere in America? that says, ?Feds still lurking/They see I?m still putting work in.?

"Yet now, it?s Jay-Z who?s lurking ? in my phone," he added. "Another song, 'Nickels and Dimes,' insists, 'The greatest form of giving is anonymous to anonymous.' For the gift of the album, fans aren?t anonymous to Jay-Z now. He?s another data miner, gathering more than half a million e-mail and social-media accounts. Maybe he should send us an apology."

The app's rollout wasn't without flaw either, Pareles noted. "The app didn?t deliver my album for more than hour after it was supposed to be available. Jay-Z?s sponsors at Samsung proved themselves not only intrusive, but technically inept."

With official Samsung Android apps like these, who needs malware authors?

Earlier this week, Bluebox Labs noted a security flaw that can enable anyone to surreptitiously replace a vendors' trusted installed apps with a rogue version that the Android OS can't identify as corrupted, therefore gaining widespread access to spy on the user.

However, given Samsung's first party spyware tool disguised as a free album, users don't have to worry about rogue malware developers snooping on their activities, calls, apps and location. They're already being exploited by their phone's maker and the operating system it runs, which are optimized for data collection and remote monitoring.
«1345

Comments

  • Reply 1 of 89
    mac_dogmac_dog Posts: 704member


    awesome!

  • Reply 2 of 89
    matrix07matrix07 Posts: 1,993member
    If you don't read permissions it's your fault. Oops......
  • Reply 3 of 89
    It's because Nas > Jay-Z
  • Reply 4 of 89
    droidftwdroidftw Posts: 1,009member
    If you're not paying for it; you're the product.
  • Reply 5 of 89
    Seems to be a test of what people are willing to give up for a free album. I would find it funny if they couldn't give it away because everyone rejected the permissions required to install/use it.
  • Reply 6 of 89
    richard getzrichard getz Posts: 1,142member
    This is actually very scary. A) That Google is so blatantly overt about data mining, and B) people are continually willing to give privet information away.
  • Reply 7 of 89
    ipenipen Posts: 410member


    Any pre-released free album available from Apple app store?  I'll do a search now.

  • Reply 8 of 89
    kdarlingkdarling Posts: 1,640member

    Quote:


    Originally Posted by AppleInsider View Post


     


    Taking advantage of Google's "Trojan Horse" Android security model, the Samsung app simply demands access to a broad range of rights on the user's phone before allowing installation, even though all it really does is play back the album.


    ...



    Unlike Apple's iOS, installed Android apps don't have to alert the user or ask for permission when they want to track the GPS location or access contacts or social network accounts, and there's actually provisions for apps to access users' phone call information and running apps. iOS is an app platform, not an ad platform.


     


    You cannot first say that the "app demands access" to location and contacts, and then turn around a few sentences later and claim that it did not "ask for permission".  Obviously it DID ask for permission.  


     


    As for being a crap app, I'd agree.  It smacks of a newbie developer.  It sounds like someone took a sample code framework and accidentally left in a bunch of sample permission lines that probably aren't even used.  (Or if they are, then the project manager totally failed in oversight.)


     


    In either case, this is not an Android thing.  It's a project management cluster mess.

  • Reply 9 of 89

    Quote:

    Originally Posted by AppleInsider View Post






    Jay Z Samsung app

    Source: Google Play





    Taking advantage of Google's "Trojan Horse" Android security model, the Samsung app simply demands access to a broad range of rights on the user's phone before allowing installation, even though all it really does is play back the album. It does not add the songs to a user's music library.



    This includes tracking users' "precise GPS location." The app permissions page is so unnecessarily invasive that fellow rapper Killer Mike tweeted in response, "I read this and? 'Naw I'm cool.'"




    I read this and........"Naw I'm cool" pic.twitter.com/x8fXPG1tvC


    ? Killer Mike (@KillerMikeGTO)







    Unlike Apple's iOS, installed Android apps don't have to alert the user or ask for permission when they want to track the GPS location or access contacts or social network accounts, and there's actually provisions for apps to access users' phone call information and running apps. iOS is an app platform, not an ad platform.

     


     


    Who ever wrote this article has never used an android device before. They are not aware that unlike and iOS device before downloading an app the user is greeted by the permissions of said app. That the permissions list what the app can do. Please do not say its a Trojan horse if you know what it can do. 


     


    Quote:



    • YOUR LOCATION

      APPROXIMATE LOCATION (NETWORK-BASED)


      Allows the app to get your approximate location. This location is derived by location services using network location sources such as cell towers and Wi-Fi. These location services must be turned on and available to your device for the app to use them. Apps may use this to determine approximately where you are.


      PRECISE LOCATION (GPS AND NETWORK-BASED)


      Allows the app to get your precise location using the Global Positioning System (GPS) or network location sources such as cell towers and Wi-Fi. These location services must be turned on and available to your device for the app to use them. Apps may use this to determine where you are, and may consume additional battery power.



    • NETWORK COMMUNICATION

      FULL NETWORK ACCESS


      Allows the app to create network sockets and use custom network protocols. The browser and other applications provide means to send data to the internet, so this permission is not required to send data to the internet.



    • PHONE CALLS

      READ PHONE STATUS AND IDENTITY


      Allows the app to access the phone features of the device. This permission allows the app to determine the phone number and device IDs, whether a call is active, and the remote number connected by a call.



    • STORAGE

      MODIFY OR DELETE THE CONTENTS OF YOUR USB STORAGE


      Allows the app to write to the USB storage.



    • YOUR APPLICATIONS INFORMATION

      RETRIEVE RUNNING APPS


      Allows the app to retrieve information about currently and recently running tasks. This may allow the app to discover information about which applications are used on the device.





    • YOUR ACCOUNTS

      FIND ACCOUNTS ON THE DEVICE


      Allows the app to get the list of accounts known by the device. This may include any accounts created by applications you have installed.



    • DEVELOPMENT TOOLS

      READ SENSITIVE LOG DATA


      Allows the app to read from the system's various log files. This allows it to discover general information about what you are doing with the device, potentially including personal or private information.



    • NETWORK COMMUNICATION

      VIEW NETWORK CONNECTIONS


      Allows the app to view information about network connections such as which networks exist and are connected.


      RECEIVE DATA FROM INTERNET


      Allows apps to accept cloud to device messages sent by the app's service. Using this service will incur data usage. Malicious apps could cause excess data usage.


      VIEW WI-FI CONNECTIONS


      Allows the app to view information about Wi-Fi networking, such as whether Wi-Fi is enabled and name of connected Wi-Fi devices.



    • SYSTEM TOOLS

      TEST ACCESS TO PROTECTED STORAGE


      Allows the app to test a permission for USB storage that will be available on future devices.



    • AFFECTS BATTERY

      CONTROL VIBRATION


      Allows the app to control the vibrator.


      PREVENT DEVICE FROM SLEEPING


      Allows the app to prevent the device from going to sleep.



    • YOUR APPLICATIONS INFORMATION

      RUN AT STARTUP


      Allows the app to have itself started as soon as the system has finished booting. This can make it take longer to start the device and allow the app to slow down the overall device by always running.





    taken directly from that app. Its not a trojan horse its clearly explaining what it can do. Better then an iOS app where the user does not have any info like this unless it wants to use gps or their contacts.

  • Reply 10 of 89
    3eleven3eleven Posts: 87member


    I swear recently there seems to be alot of articles on here "stretching". Though, like any site they are after clicks and web traffic I suppose.


    The app also apparently has you sign into your Twitter or Facebook. But this just in, if you dont agree with the permissions, don't click "accept". Amazing I know lol.

  • Reply 10 of 89
    correctionscorrections Posts: 1,404member

    Quote:

    Originally Posted by KDarling View Post


     


    You cannot first say that the "app demands access" to location and contacts, and then turn around a few sentences later and claim that it did not "ask for permission".  Obviously it DID ask for permission.  



     


    The issue is not confusing. There is a picture in the article that makes it really clear that the app quietly demands broad and unnecessary access before installation in a "EULA" style page users ignore, but then does not ask for permission after installation when it actually accesses your location, contacts, ect.


     


    This was clearly explained in the article. Your ability to be confused says more about you than the article, especially when you know what the situation is and agree that it is ridiculous.


     


    Put simply: an app shouldn't sneakily request nebulous, technically opaque "permissions" as a requirement for installation as Android does. It should clearly ask permission when it wants to do something that the user might not want it to do, in clear language the user can understand, as iOS does.


     


    A better question is: why do you have throw up a smoke screen of petty, specious arguments about every criticism of egregious flaws in Android? Is it because you want to muddy the water to make everything sound equally bad? Because it isn't.


     


    Android, as implemented by Google and Samsung, is a tweaked version of Java/Linux designed to spy on and harvest data from users while pretending to be "innovative" by throwing out half finished versions of things Apple has worked on for years. 

  • Reply 12 of 89
    sockrolidsockrolid Posts: 2,788member


    99 problems and spyware is one.

  • Reply 13 of 89
    salmanpaksalmanpak Posts: 35member


    Wow. Knew who the author was just from reading the headline. No need to read the article, actually.

  • Reply 14 of 89
    3eleven3eleven Posts: 87member

    Quote:

    Originally Posted by Corrections View Post


     


    Put simply: an app shouldn't sneakily request nebulous, technically opaque "permissions" as a requirement for installation as Android does. It should clearly ask permission when it wants to do something that the user might not want it to do, in clear language the user can understand, as iOS does.


     


     



    How is it "sneaky" when it clearly says what the app wants access to? Unless you're illiterate it's pretty straight forward.

  • Reply 15 of 89
    sockrolidsockrolid Posts: 2,788member


    Originally Posted by Richard Getz View Post



    This is actually very scary. A) That Google is so blatantly overt about data mining, and B) people are continually willing to give privet information away.


     


    Its not just creepy.  It's Google-creepy (tm).

  • Reply 16 of 89
    correctionscorrections Posts: 1,404member

    Quote:

    Originally Posted by Apple v. Samsung View Post


     


    Who ever wrote this article has never used an android device before. They are not aware that unlike and iOS device before downloading an app the user is greeted by the permissions of said app. That the permissions list what the app can do. Please do not say its a Trojan horse if you know what it can do. 



     


    Dear copy/paste troll: I love your devotion to an adware/spyware platform, but nobody is confused here. The article clearly says:


     


    "installed Android apps don't have to alert the user or ask for permission"


     


    Once you see a free app and click install, your rights end and Android begins enforcing the adware/spyware's rights.


     


    If you're cool with that, that's fine. Nobody is taking away your Android friend. The point is that throwing some opaque disclosure in a pile of text the user must "agree" to while downloading is not cool with most people. Ever heard of complains about EULA?


     


    The open source community used to care before Google came in and dictated that open source was now going to be all about harvesting the "community" for ads. You're just one of the suckers dependent upon an adware/spyware giant to deliver your iOS knockoff. 

  • Reply 17 of 89
    correctionscorrections Posts: 1,404member

    Quote:

    Originally Posted by SalmanPak View Post


    Wow. Knew who the author was just from reading the headline. No need to read the article, actually.



     


    Yes, why concern yourself with facts when you can just demonize the blogger who relayed them to you from the NYT?

  • Reply 18 of 89
    wonkothesanewonkothesane Posts: 1,404member


    Yes, the app displays a list of access rights it claims. and certainly everybody reads this and if not, it's their problem. that's why Trojans, etc are not a problem on PCs anymore. Oh wait....

  • Reply 19 of 89
    droidftwdroidftw Posts: 1,009member


    EULA's and Android's permission request screen are light years apart in length and complexity of terminology.  Drawing comparisons between the two is either being ignorant (excusable) or deceitful.

  • Reply 20 of 89
    sockrolidsockrolid Posts: 2,788member


    It's interesting how many trollish comments there are on this thread by users with 11, 33, 88 posts.


    Newbies all attacking an AppleInsider article.  Could just be the latest wave of the misguided "Yay Open!"


    crowd lashing out in anger in any and all ways after news of that "master key" Android exploit spread.


    The exploit that makes 99% of all Android devices vulnerable.  The exploit that can turn any harmless


    Android app into a malicious Trojan without changing its cryptographic signature.  Yeah.  That one.


     


    Or maybe they're getting 10 cents per post from Samsung.  You know, to attempt to discredit


    any and all negative news about Samsung and Android.  For pennies a post.  Tough job.


     


    Good luck with that, fellas. Just remember that every time you post here, you're contributing to


    AppleInsider's web traffic, which boosts its Page ranking, which increases their ad revenue.


    Thank you for helping to keep AppleInsider successful!

Sign In or Register to comment.