
posted by mattie_p on Friday March 07 2014, @05:45PM
from the friends-don't-let-friends-rat dept.
janrinok writes:

"Ars Technica is reporting that malware (specifically a remote access trojan or RAT) designed to control an Android phone's camera and audio has been found in Google's Play store."

The article explains:

"The specific RAT in Google Play was disguised as a legitimate app called Parental Control," according to Marc Rogers, principal security researcher at Lookout Mobile, a provider of antimalware software for Android phones. He doesn't know exactly how long it was available on Google servers, but he believes it wasn't long. It was downloaded 10 to 50 times.

The Parental Control trojan was built using Dendroid, a newly discovered software development tool that sells for about $300. Dendroid provides an impressive suite of features, including all the tools to build the command and control infrastructure to control RATted phones and receive audio and video captured from their mics and cameras. Dendroid also allows attackers to intercept, block, or send SMS text messages on compromised phones; download stored pictures and browser histories; and open a dialogue box that asks for passwords. It includes "binder" functions that allow the malicious code to be attached, or bound, into otherwise useful or innocuous apps.

  • (Score: 4, Interesting) by Ethanol-fueled on Friday March 07 2014, @06:21PM

    by Ethanol-fueled (2792) on Friday March 07 2014, @06:21PM (#12965)

    Why all the alarmism? Don't parents nowadays enjoy spying on every little thing their kids are seeing and doing nowadays, depriving them of their privacy and independence while keeping them hopelessly dependent via unnecessary medications and gaining sympathy from other parents via Munchausen Syndrome by Proxy while medicalizing otherwise normal childhood behavior?

    Because if they don't do all of the above, something bad might happen to their kids! And then they'd have to compensate for their parental guilt even more later on, by being even more overbearing!

    Whew! Good thing we have TVs and X-boxes to babysit kids nowadays!

    • (Score: 3, Insightful) by skullz on Friday March 07 2014, @06:36PM

      by skullz (2532) on Friday March 07 2014, @06:36PM (#12970)

      Waaaaaaaawo...

      You either don't have kids or don't have a job and kids.

      • (Score: 2) by mrbluze on Friday March 07 2014, @07:00PM

        by mrbluze (49) on Friday March 07 2014, @07:00PM (#12980)

        People want other people's kids, that's what's disturbing.

        --
        Do it yourself, 'cause no one else will do it yourself.
        • (Score: 3, Insightful) by edIII on Friday March 07 2014, @07:16PM

          by edIII (791) on Friday March 07 2014, @07:16PM (#12988)

          People want certain parts of other people's kids, which is even more disturbing.

    • (Score: 5, Insightful) by frojack on Friday March 07 2014, @06:38PM

      by frojack (1554) on Friday March 07 2014, @06:38PM (#12971)

      So you aren't at all concerned that the kid's phone is back doored, and can send SMSs without permission, take photos, steal contacts, and probably turn on the microphone and send all of that information to some unknown third party totally unknown to either the kid or the parent.

      The only thing that bothers you is that a parent might find it necessary to monitor their kid's use of the phone at all.

      Ok, then. Got it.

      --
      Discussion should abhor vacuity, as space does a vacuum.
    • (Score: 2, Interesting) by rts008 on Friday March 07 2014, @06:39PM

      by rts008 (3001) on Friday March 07 2014, @06:39PM (#12972)

      Why all the alarmism? Don't parents nowadays enjoy spying on every little thing their kids are seeing and doing nowadays...

      I don't think in this case it's the parents that are spying on their kids, but total strangers (that operate the command and control servers the trojan connects to).

      In my opinion, this is a completely different issue than your description.

      If it was the parents, then I would find it immoral and creepy, but within the bounds of the law; the kind of stuff in the article is wrong on so many levels, including legally in a lot of developed countries.

    • (Score: 2) by maxwell demon on Saturday March 08 2014, @06:14AM

      by maxwell demon (1608) on Saturday March 08 2014, @06:14AM (#13149)

      But do they also enjoy pedophiles spying on every little thing their child does, and where it is at any moment, and if it happens to be alone? Because that's also enabled by this malware.

      --
      The Tao of math: The numbers you can count are not the real numbers.
  • (Score: 5, Interesting) by frojack on Friday March 07 2014, @06:26PM

    by frojack (1554) on Friday March 07 2014, @06:26PM (#12967)

    Much is made of the evasion capabilities of this app, but at the same time it was detected with less than 100 downloads. I suspect that it's toast everywhere, because once you detect Dendroid, Google can scan the entire app store for its signature, and kill it everywhere.

    I find it interesting that Lookout was able to detect "Dendroid's DNA" in this program, but apparently hadn't shared that "DNA" with Google Play, because had they done so a simple scan of the market would have detected it before Lookout found it. Holding on to a discovered exploit till they can find an example of it in the play market and make headlines with it seems a tad shady.

    Lookout also makes a big deal about Dendroid's ability to evade Bouncer, by essentially hunkering down while Bouncer is running in the Google emulation harness. Which suggests some inside knowledge of what that test harness does.

    --
    Discussion should abhor vacuity, as space does a vacuum.
  • (Score: 5, Insightful) by emg on Friday March 07 2014, @06:34PM

    by emg (3464) on Friday March 07 2014, @06:34PM (#12968)

    Android should let you allow and disallow permissions on a per-app basis, instead of every app developer asking for everything, even when there's no legitimate need to do so.

    • (Score: 3, Interesting) by skullz on Friday March 07 2014, @06:39PM

      by skullz (2532) on Friday March 07 2014, @06:39PM (#12973)

      Yes! If I want to disallow full network access on my egg timer app and then it crashes because it can't download the updated egg icon, my own damn fault! How about a Simple Security (existing) or Custom Security (not recommended) option so we can do what we always do and select the less trod path?

      • (Score: 5, Insightful) by stormwyrm on Friday March 07 2014, @07:24PM

        by stormwyrm (717) on Friday March 07 2014, @07:24PM (#12994)

        What do apps that request full network access do when there are no available network connections? What do apps that request GPS do on devices that have no GPS antenna or are in an area without GPS signal? I don't think these apps just crash. If your device is truly yours, you ought to be permitted to outright LIE to the apps that request these spurious permissions. They want full network access? Reply that the network is down, even though some apps might see the network up. Or put them inside a restrictive firewall where any host they attempt to access responds with a connection refused. They want GPS? Tell them the GPS is off or can't get a lock. They want to read my address book? Tell them the address book has no entries. They want to try sending text messages or making calls? Tell them my device isn't a phone but a tablet without GSM/CDMA circuitry, or pretend to go through the motions of doing this, but make it either fail (yes, that can happen even with a real device, and any app developer ought to be able to tolerate that), or send a successful reply without really doing anything. They want access to my camera? Tell them my phone doesn't have one (yes, such animals do exist), or send a completely black image to them and tell them that's what my camera sees. They want access to my microphone? Send them silence or samples from /dev/urandom as the audio stream just to fuck with them. They want access to storage? Show them an empty storage, or one with garbage files simulated on the fly. They want to write something to my storage? Return an error that my storage is full, or once again go through the motions without effect. It is possible to give responses to apps requesting sensitive permissions that should not make them crash (i.e. if the developer isn't a total bonehead), because these are legitimate failure modes that real devices can undergo for various reasons, and there really isn't any way that the app can tell whether those failure modes being reported to it are legitimate or not. What these apps do on failure is the test to see if these permissions requested really are required for its correct operation. This sort of permission control is sort of possible with a mod like XPrivacy [xposed.info] although the interface of that particular mod could do with refinement.

        --
        Qu'on me donne six lignes écrites de la main du plus honnête homme, j'y trouverai de quoi le faire pendre.
        • (Score: 4, Funny) by unitron on Friday March 07 2014, @08:06PM

          by unitron (70) on Friday March 07 2014, @08:06PM (#13011)

          Paragraphs, man, paragraphs.

          --
          something something Slashcott something something Beta something something
        • (Score: 2) by ticho on Saturday March 08 2014, @06:04AM

          by ticho (89) on Saturday March 08 2014, @06:04AM (#13147)

          I've been pining for something like this since my first Android 1.5 device. I'm glad someone is actually doing something about it, because I sure as hell am not diving into the cesspool that is Android development.

    • (Score: 5, Insightful) by edIII on Friday March 07 2014, @07:22PM

      by edIII (791) on Friday March 07 2014, @07:22PM (#12992)

      This is why I don't like or trust Android platforms (or Apple's for that matter).

      It's so blindingly obvious that there should be more granularity and per-app control of all permissions. You should also have auditing capabilities too that show just what data and services each app accessed with each permission.

      The only excuse they have, which is fucking flimsy to say the least, is that disabling a permission may cause app instability leading towards overall system instability.

      Which leaves us back at the developer has control over my property and digital space in ways that make it difficult for me to monitor in my own domain, and to moderate with security policies that I deem fit to enact. There is never an excuse for stopping me from doing that, or wanting that. Never. Ever. Not once.

      • (Score: 4, Insightful) by combatserver on Friday March 07 2014, @08:52PM

        by combatserver (38) on Friday March 07 2014, @08:52PM (#13028)

        "This is why I don't like or trust Android platforms..."

        Why are you trusting anything with a processor?

        Snowden has shown us that pretty much anything can be snooped. [leaksource.info] Assuming any level of privacy still remains plays right into their hands--you have to act as if it is all back-doored in some way. If everyone were to do this, there would be a massive shift from modern technology to more reliable means of communication, such as actually talking to people face-to-face, writing by hand on paper, etc. BUT, I suspect this is not really the sort of opinion that will hold up well on a tech-focused website.

        Computers/Instant, digital-communication have their place in our modern society, but I believe they long ago exceeded the level of ubiquity that benefits humanity best--they've become a liability at the current level. All your shit be spying on you.

        --
        I hope I can change this later...
        • (Score: 2) by edIII on Friday March 07 2014, @10:04PM

          by edIII (791) on Friday March 07 2014, @10:04PM (#13049)

          Well asking that all hardware be immune to the various side channel attacks that exist, been demonstrated, or theorized in the known literature is asking for quite a bit.

          While my Android device may be vulnerable to acoustical analysis, that has nothing to do with the developer/control centric culture that promulgates the idea that there exists something beyond my control in my hardware.

          This is why DRM, at its most fundamental point, is highly unethical.

          Restricting my ability to deal with permissions on a per-app per-permission basis is no different than DRM restricting my ability to enjoy analog/digital holes that are not encrypted with 3rd party methods that I don't possess the keys to.

          I more strongly object to the Android permissions issue in particular, because they did have it, and then they took it away. I have to jump through hoops to gain root on my Android anyways, and then use 3rd party tools to gain control that used to be native.

      • (Score: 3, Interesting) by quacking duck on Friday March 07 2014, @09:29PM

        by quacking duck (1395) on Friday March 07 2014, @09:29PM (#13043)

        The only excuse they have, which is fucking flimsy to say the least, is that disabling a permission may cause app instability leading towards overall system instability.

        Very flimsy indeed, Apple's iOS has had per-app, granular permissions for years, and recently extended to include separate per-app permissions for cell data, contacts, calendars, photos, bluetooth, and microphone, in addition to location services which has been a permission setting since almost the start. All without impacting most apps or system stability.

        Google obviously has the resources to do the same, and in fact did with App Ops, but then yanked it from Android 4.4 because it "wasn't ready". They *chose* not to make it a priority, and it's one area where iOS is clearly superior to Android.

        • (Score: 2) by mojo chan on Saturday March 08 2014, @07:26AM

          by mojo chan (266) on Saturday March 08 2014, @07:26AM (#13159)

          Critically though you can't block internet access on iOS. It's not even a permission, all apps just have it. On Android apps must ask for permission, and if you root your device you can firewall them individually too.

          --
          const int one = 65536; (Silvermoon, Texture.cs)
          • (Score: 1) by quacking duck on Monday March 10 2014, @12:06AM

            by quacking duck (1395) on Monday March 10 2014, @12:06AM (#13740)

            I was very careful to say "cell data", which means the app can't access the internet if it's not on wifi. It was added in iOS7, and accessed via Settings > Cellular, at the bottom is a section called "Use cellular data for". Each app lists amount of cell data it's used, and its own toggle for cell data.

            On Android, if it lists internet access as a requested permission at install time, and you deny it, you can't install it, right? And if you *do* grant it everything it asks for and install the Android app, you can't revoke it without totally uninstalling it?

            If so, then to the end user that's no different than just not installing an iOS app, just there's no checkmark on a pre-install list saying it wants internet access. It really should be assumed these days that an app wants that, to pull down ads if nothing else. And iOS (v7+) is still ahead when comparing out-of-the-box access model because you can disable cell data usage individually. Yes it only restricts one of the two internet access methods, but it's still one more than the zero options stock Android gives.

            • (Score: 2) by mojo chan on Monday March 10 2014, @05:27AM

              by mojo chan (266) on Monday March 10 2014, @05:27AM (#13801)

              By making it a permission at least you can see what apps are trying to access the net. If I see a flashlight app that needs internet access I don't install it, simple as that.

              --
              const int one = 65536; (Silvermoon, Texture.cs)
      • (Score: 2) by stormwyrm on Friday March 07 2014, @11:06PM

        by stormwyrm (717) on Friday March 07 2014, @11:06PM (#13075)

        The only excuse they have, which is fucking flimsy to say the least, is that disabling a permission may cause app instability leading towards overall system instability.

        Flimsy indeed. Obviously they do disable access to certain aspects of the system because they just plain aren't available, and app authors already ought to be able to deal with such exceptional conditions as a matter of course without their app becoming unstable. An app that needs GPS permissions shouldn't become unstable just because I go into a tunnel and lose access to the satellites, and an app requiring Internet access shouldn't become unstable if I leave a Wi-Fi zone and my provider has chosen in their infinite wisdom to cut off my mobile Internet.

        --
        Qu'on me donne six lignes écrites de la main du plus honnête homme, j'y trouverai de quoi le faire pendre.
    • (Score: 2, Informative) by b on Saturday March 08 2014, @12:11AM

      by b (2121) on Saturday March 08 2014, @12:11AM (#13089)

      I'm running Cyanogenmod 10.2. It does allow you to disallow access permissions on a per-app basis. Also, if you have root (default in Cyanogenmod) then you can also install Android Firewall +, which allows you to restrict internet access to specific apps.
  • (Score: 3, Interesting) by Boxzy on Friday March 07 2014, @07:20PM

    by Boxzy (742) on Friday March 07 2014, @07:20PM (#12990)

    Seemingly impossible today. My laptop has a hardware wifi switch and several usb sockets so I can decide whether to webcam or not. There's no real excuse except profit to force all smartphones to rely on software switches for dangerous services like cameras. I use a touchscreen smartphone... Reluctantly. Buttons and switches FTW!

    --
    Go green, Go Soylent.
  • (Score: 3, Funny) by Khyber on Friday March 07 2014, @08:01PM

    by Khyber (54) on Friday March 07 2014, @08:01PM (#13006)

    "He doesn't know exactly how long it was available on Google servers, but he believes it wasn't long."

    Try two years. You found my exploit. Guess what? It was already patched. Why are you running outdated software, Mr. Supposed Security Researcher? Are you just now catching up with real technology?

    --
    Destroying Semiconductors With Style Since 2008
  • (Score: 2, Interesting) by Anonymous Coward on Friday March 07 2014, @10:59PM

    by Anonymous Coward on Friday March 07 2014, @10:59PM (#13072)

    RAT [wikipedia.org] means Remote Access Tool. Some are trojans; some are not. Get your shit straight, you piece of FUD.