Kaspersky has announced in this article the first Trojan specific to Android. “The new malicious program penetrates smartphones running Android in the guise of a harmless media player application. Users are prompted to install a file of just over 13 KB with the standard Android extension .APK. Once installed on the phone, the Trojan uses the system to begin sending SMSs to premium rate numbers without the owner’s knowledge or consent, resulting in money passing from a user’s account to that of the cybercriminals.”
“Here, install this package”
“What does it do?”
“Oh, that’s not important. Just install it. Look, it’s shiny”
“Sure!”
…
“ZOMG! Stuff is happening! It’s teh trojanz!”
Really? This is news?
Well, when you let every single application get to your users without the minimum of control, this is what happens.
Yeah, like other mobile application stores could check that your application behaves badly only on the third Sunday of the month. Without source code access, no store check before distribution is perfect.
By the way, this application was not distributed on the Android Market; people need to enable the setting to install apps from other places, and Android still warns the user that they are giving the app access to send SMSs.
But at least in a market you can track the guy who put it there.
There is no anonymous developer; if he does something wrong then you can track him and put him in jail for cyber fraud.
Edited 2010-08-12 00:05 UTC
I prefer the freedom of a system where anybody can develop anything, even if it comes at the price that morons will install malicious applications.
I don’t care about morons.
Exactly. When you install an app on an Android phone (either inside the marketplace or outside), it pops up a dialog and lists all the permissions that the app will have access to. So if you install a media player, wallpaper, or whatever that has access to send SMS messages or to make phone calls, it’s really hard to fault the system for that. It’s like people on Windows who will double click on a file named lady_gaga_naked_.jpg.exe, and Windows always gets the blame for that.
The Apple approach is to close off the system in order to try and protect idiots from themselves, and I don’t see anything ethically wrong with that. But I would rather be on a more open system, because I don’t like Steve Jobs dictating what I am allowed to install. If I had an iPhone or iPad, I would jailbreak in a heartbeat, and then I would be at the same risk. (But on iOS, it would probably be worse because AFAIK, it doesn’t tell you when you install app what kinds of permissions it has.)
I figure if you have just a little bit of common sense, you should be alright.
Edited 2010-08-12 02:41 UTC
There’s a fallacy here.
What if we’re not talking about a malicious media player, but let’s say Handcent SMS decides to send some messages by itself? You must give the SMS sending permission to the application, it makes sense for the user, but after the installation you can’t track how the permission is used.
And how is more important than what.
The problem is that there is no way to analyze behavior without disassembling the software or reviewing the source code (Google and Apple don’t have a right for either – and in case of remotely controlled apps, it might not be enough), or pestering the user at every SMS sending attempt (see how Java ME works for untrusted MIDlets).
But if you have a better idea, do tell.
Edited 2010-08-12 07:14 UTC
I prefer the freedom of a system where anybody can develop anything, even if it comes at the price that morons will install malicious applications.
I don’t care about morons.
“Two things are infinite: the universe and human stupidity; and I’m not sure about the universe.”
-Albert Einstein
Keep in mind that it’s usually the morons’ devices (PCs, phones) that cause spam, botnets, trojans, brute force attacks, standards violation, data espionage, network load and trouble, and workarounds to get standard things working (that we took for granted many years ago) – all the criminal shit and its side effects. So finally, developers and advanced users suffer from the crap that comes from morons’ (hijacked) devices – morons that insist on having to own all the new shiny things they have no clue about…
So? There’s nothing that can be done to stop any of this from happening, open platform or not (since there’ll always be exploits and security holes).
Criminals always existed and always will, be it in meatspace or in cyberspace.
Besides, none of the things you mentioned ever affected me directly except spam, and even that is a thing of the past because gmail’s spam filter is that good.
In regards to software, there is nothing to do, correct.
This is where hard punishment could help – primarily against the criminals, but maybe also secondarily, in a milder form, against those who help them by being careless, ignorant, or stupid.
The problem is that there is no relation between what a person can do (including common sense, intelligence, the ability to consider things and so on) and how much money the person has in order to obtain a “dangerous device”. Also, “dangerous device” doesn’t just include PCs and phones, but nearly every kind of tool imaginable, as tools usually do what their owner uses them for. In this way, even raising prices doesn’t improve the situation, as in many cases rich people are also morons (and sometimes even criminals). By changing the rules about when a person may buy a device, you could hardly do anything positive – in fact, it’s rather negative for the people prohibited from owning a certain device.
Please: Do NOT confuse the world-wide email traffic with gmail! There’s much more out there.
If you were right, all (!) users would need to switch to gmail and use ONLY this solution, relying on the “good” spam filter.
Please consider also that there’s lots of traffic caused by spam mail. Spam filters usually work after the MTA – this is, when the message has already been accepted by the mail server; THEN the filter starts acting. So the filter does not help at all against spam traffic. Increasing traffic on a constant bandwidth leads to WHAT? Correct, lower overall transfer speed. And maybe THAT will be something you’ll notice in its effects (slower data transfer rates, lower content quality, longer waiting periods, maybe even higher traffic consumption bills).
A filter is good, and it helps, but it does not solve the basic problem.
Exactly. Why dumb down the tech just for the fools who will inevitably do stupid things with it? People will always suffer for being idiots whether it’s in the real world or on the Internet.
Let’s keep our systems open, please.
I thought identity theft was a fairly common cybercrime.
Well, the news is that it is the first one found. And it will become worse.
Then suppose the trojan was in an app that uses SMS, like… something that sends messages to a group when an alarm is triggered. The SMS ability is needed and is part of the original concept of that app.
If the app is open source, the trojan may be inserted and compiled, and the binary may be posted in an alternate repository – or the original; remember the recent IRC server incident.
People – me included – tend to think “it will not happen to me”. Sometimes I test open source programs and there is no guarantee that they are virus free; I am assuming the risk and using the RPMs.
This ain’t just Google’s week.
Unlike the PC, the phone has calling and texting that follow basic standards and is always linked to a person’s account where they can get billed.
Perhaps the reason for the iPhone store wasn’t as evil as we thought.
Except there have been apps that get into the app store and don’t do what they say as well.
The first link I opened in a google search.
http://www.forbes.com/feeds/ap/2010/07/28/general-technology-hardwa…
Edited 2010-08-11 22:05 UTC
You mean nobody tests them before putting them on the market? That’s pretty low quality control.
But that sounds like an argument for better isolation of applications, not a defense of Android.
An open platform comes with trade-offs, it’s deluded to think that having an open platform will have ideal results in all areas.
No, there are no trade-offs for openness. There are trade-offs for security, for instance the lack of openness in some regards. Of course, as Apple has proven time and time again, it’s not their security that leads to their lack of openness, and their lack of openness doesn’t give greater security.
If you have a town with a police force there will still be crime and criminals, but there will be less crime compared to a town with no police force.
A completely open platform is the best in terms of malicious exploits.
Consider the Debian Stable repository. All the packages are open source, and everybody can see what they contain. How many malicious exploits have been snuck into Debian Stable in its over 15 years of existence? I can’t think of a single one. When you have “many eyeballs on the guts,” it’s very difficult to pass an exploit through the repository.
On the other hand, consider the many malicious exploits that have made it into Apple’s closed system, which has only existed for three years. Here’s a new one that is just emerging today: http://www.sbsfaq.com/?p=2165 Looks a bit dangerous for iPhone users.
Furthermore, when an exploit appears outside of an open source repository (or when a bug appears), the many eyeballs usually fix it very quickly, compared to the slower, closed, proprietary counterparts.
Edited 2010-08-12 17:03 UTC
What you are saying only applies if the source is in a repository. But the source of apps in the Android store does not have to be shared. So what you are saying does not apply, since you would never see the source to the malicious apps in question, and the app does not have to break security in Android or use a hole in Android to steal info.
Also, if you read the link you sent, this seems to affect ActiveSync users through a tool the Telcos have. It has been seen on the iPhone but could apply to any phone with ActiveSync.
Also there was a HUGE SSH flaw in Debian a few years back that affected Debian and all its derivatives. So even Debian can have security issues. But you are right if you have the source and have time to code check (Debian takes forever to put out updates so you can code check forever!)
Edited 2010-08-12 17:32 UTC
Captain, as I already said, this secure condition applies to completely open repositories, such as Debian Stable. Therefore it doesn’t apply to Apple nor to most of the current Android phone repositories.
Please re-read the article. The second sentence mentions that the exploit “may be an ongoing hack on the iPhone OS.”
Furthermore, the last sentence of the article recommends that one “remove Credit card numbers from iTunes accounts, change your passwords and update to OS 4.0.2.”
Sounds like Apple-specific/iPhone-specific cracking to me.
Wow! Only a single major flaw in over 15 years of existence! That’s not worth the risk! /s
Compare that to the number of malicious apps and serious exploits found on the iPhone, which has only existed for three years.
Also, as I recall, the Debian SSH flaw was a discovered bug — not malicious crack.
Edited 2010-08-12 18:20 UTC
The whole article makes little sense and I am not seeing any actual security orgs talking about the issue in the article. You would think that if this was a big issue people who track security issues would pick up on it, but I am not seeing that.
Also what the article says is “One part is Malware and gets into possibly Microsoft Exchange servers or at the very least gets into ActiveSync and starts cultivating usernames and passwords and the other part sends Flash SMS’s to random phones whose numbers are stored in your favorites in your Phone PIM data.”
So I am not seeing how this would be an issue with your iPhone if you are not using Exchange? Just sounds a little strange. So how would you be affected on your phone if the Malware does not get on an Exchange server and get usernames and passwords?
Not saying that the iPhone can’t be hacked, this just sounds sketchy. If it comes from a more reliable source then I might be more inclined to be worried about it.
And yes the Debian hole was huge. 18 years or whatever the security hole in SSH made the public and private keys on SSH on all Debian machines guessable and passwords used with SSH readable.
As I mentioned in my original post, this is a situation that is emerging just today.
It is getting a little tiresome having to repeat myself.
In the comments below the article, someone has already posted a confirmation of the problem and said that that article is, so far, the only report he could find.
It wouldn’t be a problem if one is not using Exchange nor Active Sync. Obviously, some people do, hence, the article and the confirmation comment below it.
However, it sounds like it wouldn’t be an issue with non-Apple phones using Exchange and Active Sync.
Of course, the iPhone has been hacked and cracked several times, and, also, malicious apps have made it into the iPhone repository.
The article is straightforward and gives examples. Someone commented with a confirmation comment. What’s “sketchy”?
Suit yourself.
Yes. But Apple and Windows have had a greater number of such huge holes, and they usually take a long time to plug them.
In addition, Debian patched the bug before it could be exploited.
Furthermore, the Debian bug was not a malicious exploit that had been snuck into the Debian Stable repository. If you go back and read my original post, I argued that not even a single malicious exploit has made it into that Debian repository during its entire existence. A bug/hole is different.
On the other hand, malicious programs have definitely infiltrated Apple’s closed, “secure” app store within its short 3-year life.
Edited 2010-08-12 20:24 UTC
Hummmm, still searching around and have not heard one other mention of the post you put up.
And come on anyone can post a blog and get someone to go “Yo man I had that happen to me too!” That does not make an active hack.
Yes you are pretty spot on about the Debian stuff. But the iPhone hack may need a better example.
A system that checks apps for malicious code before releasing them to the public (even if not perfect) will be by definition more secure than a system that does not check.
If you like Android’s “openness” and don’t like Apple’s App Store for being “closed”, then lower security is one of the costs you will have to bear.
You can’t check for malicious code in general. It would be trivial to get an app like this into the Apple app store (assuming it had a legitimate reason to use the SMS API).
Free apps from android AND iphone do more than they should and can access things it shouldn’t need to.
My point was that both the open market and the closed app store suffer from the same thing.
Allow me to quote my self:
But at least in a market you can track the guy who put it there.
There is no anonymous developer; if he does something wrong then you can track him down and put him in jail for cyber fraud.
So I couldn’t sign up to be an Apple Developer as Tyler Durden and put my address as 537 Paper St and keep my anonymity?
Remaining anonymous on the Internet is VERY easy.
No, you have to pay money using a credit card to register as a developer. Obviously it wouldn’t be impossible to steal a credit card / live in Mexico / whatever, but it isn’t as simple as giving fake contact details.
But not to the same degree. If someone checks apps for malicious code before they are released, it is obvious that they will find and block more malicious code than if no one checks the apps’ code before release.
Neither Apple nor Google have access to the code for any apps in their store. The best Apple can do is check which APIs you use. Google go one better and make you state which you use.
Apps like the one in this article aren’t a problem (who would install a media player that wants to send texts?), but as someone else said here, you could think of an app that had a legitimate reason to do so.
Do you remember the time of standard telephone line modems? An application could simply dial the commands to the serial port (ATDT….) and call an expensive number, and, you know, your phone line is tied to you for payment. Even today some people still use standard computers as faxes.
Ops.
Edited 2010-08-11 21:42 UTC
Special?
Android – 1
iPhone – 0
They’re ahead on the scoreboard! They’re winning the game! That free and open philosophy is obviously working really well for them.
Go Google go!
(Problem Exists Between Phone And Shoes)
Sure, you can install some malware on your Android phone if you’re silly enough to install an unknown app through SMS. At least Android can’t be fully rooted through a PDF.
Heh…some “newly-free” iPhoners probably consider that a _feature_
I like my HTC Incredible anyway. If anything I’d prefer Android to be _more_ open. If I had an iPhone it would be jailbroken, so I don’t know that I’d gain anything in the security department.
People like us who are techy always say “We love freedom and we know what to do etc.” But in reality Google is not selling to us. 99% of the people who have Android phones are mom and pops, normal people who expect that a company like Google would not sell them something that is insecure because it’s “Open and Free”. You are still paying $200 plus for your phone; it’s not “free” to your pockets.
The other issue here is that people keep saying the App will tell you what it is going to have permission to. Not true. Yes, it does tell you that the App will have DIRECT permissions to, say, contacts and SMS etc. BUT Apps in Android can gain permissions from other Apps! So when you install the Game I make and it does not say that it’s going to access your SMS, in the background it’s possible to have the App use that function from another App that does have SMS permissions! SAY WHAT? That’s nuts!
Also I saw someone say that a Developer who puts Apps in the Android Market can not hide. Please, I can sit in my house, use my neighbor’s WiFi to sign up for a developer’s account, pay my $25 fee to get in from a fake PayPal account and then post anything I want, and it would be tracked to my neighbor’s house.
Anyway, if Google does not tighten down then there are going to be serious issues. These are the same things that battered Windows Mobile and Blackberry: open to any Apps, sideloading etc.
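Two technical claims in this thread can actually be checked against an app package: the install-time permission list described further up (a “media player” asking to send SMS is visible there), and the point just above that an app can exercise another app’s SMS permission. The script below is an added example written for this page, not code from any of the posters or from the Android project. It reads a decoded AndroidManifest.xml, lists the permissions a user would be shown at install time and flags the billable ones, then looks for the manifest pattern behind the “borrowed permission” case: a service, receiver or provider that is exported (explicitly, or by default because it declares an intent-filter, which was the rule on Android versions of this era) and sets no `android:permission`, so any other app can invoke it and have it act with this app’s permissions. The manifest, its package name and its component names are constructed for the example; the hardened form sits beside the weak one, the same kind of service with `android:permission="android.permission.SEND_SMS"`, which makes the caller prove it holds the permission itself.

```python
"""Manifest triage for the two points raised in the thread: does the app's
permission list fit its stated purpose, and does it expose headless
components that other apps can drive while they run with this app's own
permissions (the confused-deputy route to "borrowing" SEND_SMS).

Added example. The manifest below is constructed; every package and
component name in it is made up."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A = "{%s}" % ANDROID_NS  # ElementTree spelling of the android: attribute prefix

# Permissions whose misuse costs the owner money; a reviewer wants these justified.
BILLABLE = {
    "android.permission.SEND_SMS",
    "android.permission.CALL_PHONE",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
    "android.permission.WRITE_SMS",
}

# Headless components: another app can invoke these without the user seeing
# anything, unlike an activity, which has to put UI on the screen.
HEADLESS = ("service", "receiver", "provider")

SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.shinyplayer">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <application android:label="Shiny Media Player">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <!-- weak: intent-filter makes it exported by default, no permission guard -->
    <service android:name=".SmsRelayService">
      <intent-filter>
        <action android:name="com.example.shinyplayer.SEND"/>
      </intent-filter>
    </service>
    <!-- hardened: callers must themselves hold SEND_SMS -->
    <service android:name=".GuardedRelayService"
             android:exported="true"
             android:permission="android.permission.SEND_SMS"/>
  </application>
</manifest>
"""


def requested_permissions(root):
    """All <uses-permission> names, sorted: what the install dialog lists."""
    return sorted(e.get(A + "name") for e in root.iter("uses-permission"))


def is_exported(comp):
    """Pre-Android-12 rule: an explicit android:exported wins; without it a
    component that declares an <intent-filter> is exported by default."""
    explicit = comp.get(A + "exported")
    if explicit is not None:
        return explicit == "true"
    return comp.find("intent-filter") is not None


def unguarded_exports(root):
    """Headless components any other app may invoke and that set no
    android:permission, so the caller needs no permission of its own."""
    app = root.find("application")
    if app is None:
        return []
    return [
        (comp.tag, comp.get(A + "name"))
        for comp in app
        if comp.tag in HEADLESS
        and is_exported(comp)
        and comp.get(A + "permission") is None
    ]


def triage(manifest_xml):
    """Return the permission list plus human-readable findings."""
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    label = app.get(A + "label", "(no label)") if app is not None else "(no label)"
    perms = requested_permissions(root)
    billable = [p for p in perms if p in BILLABLE]
    unguarded = unguarded_exports(root)
    findings = []
    if billable:
        findings.append("%r requests billable permissions: %s"
                        % (label, ", ".join(billable)))
        # Only a usable deputy if the app actually holds something worth borrowing.
        for tag, name in unguarded:
            findings.append("%s %s is exported without android:permission; any "
                            "app can drive it with this app's %s"
                            % (tag, name, ", ".join(billable)))
    return {"permissions": perms, "billable": billable,
            "unguarded": unguarded, "findings": findings}


if __name__ == "__main__":
    for line in triage(SAMPLE_MANIFEST)["findings"]:
        print(line)
```

On the sample manifest the script reports the SEND_SMS request and flags `.SmsRelayService` but not `.GuardedRelayService`, which shows the single attribute that separates the two. A real package ships the manifest in binary XML, so in practice the text form is obtained from the APK with a decoding tool first.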
Windows Mobile has malware, but Blackberry as far as I know does not. Blackberry apps are fairly secure, an unsigned app can’t do *anything* without you giving it permission to do it, Blackberrys have runtime security inherited from JavaME.
Wrong!
http://www.blackberry.com/btsc/search.do?cmd=displayKC&docType=kc&e…
Hmm, there is malware for Blackberry after all.
However, the user has to give it permission to access SMS, and if it’s unsigned, has to do that every time it runs.
Na, once you side load an app and give it permission you are screwed on any platform.
http://www.securecomputing.net.au/News/159209,us-cert-warns-of-malw…
On top of that you can actually hide apps on a BB. So you can install an app and it can install other apps in the background and you won’t know it.
Symantec also has published one:
http://www.symantec.com/business/security_response/writeup.jsp?doci…
The app sends phone location to a server. Not so harmful at this point, but was classified as a trojan.
As I said, it will become worse.
The transport/delivery application is the only thing new here. Android is not the only affected mobile OS. The actual trojan is the same OLD SMS trojan that has been around for years – (Trojan-SMS.J2ME.RedBrowser.a) http://www.securelist.com/en/descriptions/old113394
I really wish blogs would stop regurgitating this crap without doing at least a little journalism.
Again ..
Same old SMS trojan (circa 2006), New delivery system. The delivery caters to Android, because the application with the payload was written for Android.
But the Trojan and what it does is old news.
There! Was that so hard?
Just to bring home my point … there are a total of 561 named SMS sending trojans for mobile devices.
http://www.securelist.com/en/descriptions?behavior=trojan-sms
Everything from Symbian, to iPhone, to WinMo have been affected by these trojans…nothing new except that now Android is also a target.
As you said, the trojan itself may be old, but now that it is targeting Android, it IS an Android issue.
There are a lot of “new” viruses around that are variations of old ones. Seeing them moving from one platform to another is bad too.
And it was not from a blog, original story is from Kaspersky, an anti-virus maker.
I never said it originated from a Blog, I said blogs are merely regurgitating the same story without fact checking. Kaspersky’s shit stinks too .. so don’t go thinking for one minute they can’t make a mistake.
The big mistake here is that .. this trojan is just the same old trojan re-wrapped 561 times with 561 different names. Each of these does the exact same thing … sends premium SMS texts primarily using Russian SMS short codes. So if you are not on a Russian network there is little chance you will get charged the toll charges.
See a detailed and accurate analysis of this old trojan with a new name: http://jon.oberheide.org/blog/2010/08/10/dexcode-teardown-of-the-an…
Anyone may make mistakes. But this news is about the first virus found specifically for Android; no one is saying it is unique – as it was also not mentioned whether or not it is a new fashion of an old virus.
I saw the link you posted. The description gave me the impression that the virus itself may be a proof of concept or an app made only for fun. That part of “Hello Android from Netbeans” looks like the author of this virus is learning how to program. So, it may be written by anyone.
Anyway, what we have here is an example of malicious software working on the most uncontrolled part of the system – the user. Imagine a “phone admin” program whose message is “May I take care of your phone?”, meaning having control of the whole device. I know a lot of people that will give it the rights.
Theoretical democracy : you are innocent and can do wtf you want, unless proven guilty or interfering with other people’s rights.
Modern democracy : as long as you’re capable of doing something dangerous, there’s no way you won’t do it. That’s why we have to confiscate 2″ knives and Allen keys at airports, have soldiers carrying assault rifles in rail stations, and have an unknown third party check our computer software before we use it.
This is what comes to my mind when reading this discussion…
Edited 2010-08-15 23:46 UTC