I thought it was a measured analysis, and it was nice to see disassembled and decompiled code. But the last bit is strange: 'Creating' phrases with hexadecimal numbers is not new. And in many cases such things have been noticed in different malicious applications.
Many applications do that for sanity checks; I don't think it's any kind of indication of malware. It's a common technique to have some "magic number" that you can recognize to make it less likely that a transfer of data has some kind of corruption [1]. The benefit of using a number like 0xdeadbeef over, say, 0x1857de89 is that you can tell at a glance if the first one is correct.
[1] Yes, one should use error codes and do this the real way. Not everyone does.
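As an added illustration of the magic-number sanity check this comment describes (example code written for this page, not taken from the analysis under discussion), the snippet below frames a payload with a recognisable header and a CRC-32 trailer and then parses it back. The 0xDEADBEEF value, the frame layout and the use of CRC-32 are constructed choices for this example. The magic number only tells you the bytes are probably aligned to a frame boundary; the checksum is what actually catches a flipped byte inside the payload, which is the "real way" the footnote alludes to.

```python
import struct
import zlib
from typing import Optional, Tuple

# Constructed values for this example: a header marker that is easy to spot in a
# hex dump, followed by a big-endian payload length; a CRC-32 trailer covers
# header and payload so that corruption inside the payload is also detected.
MAGIC = 0xDEADBEEF
HEADER = struct.Struct(">II")   # magic, payload length
TRAILER = struct.Struct(">I")   # CRC-32 of header + payload


def frame(payload: bytes) -> bytes:
    """Wrap payload in the magic header, a length field and a CRC-32 trailer."""
    header = HEADER.pack(MAGIC, len(payload))
    crc = zlib.crc32(header + payload) & 0xFFFFFFFF
    return header + payload + TRAILER.pack(crc)


def parse(blob: bytes) -> Tuple[str, Optional[bytes]]:
    """Return ("ok", payload) for a well-formed frame, else (reason, None).

    Checks are ordered so the cheap, at-a-glance magic comparison rejects
    misaligned or foreign data before any length or checksum work is done.
    """
    if len(blob) < HEADER.size + TRAILER.size:
        return "truncated", None
    magic, length = HEADER.unpack_from(blob, 0)
    if magic != MAGIC:
        return "bad magic", None
    end = HEADER.size + length
    if len(blob) < end + TRAILER.size:
        return "truncated", None
    payload = blob[HEADER.size:end]
    (crc,) = TRAILER.unpack_from(blob, end)
    if zlib.crc32(blob[:end]) & 0xFFFFFFFF != crc:
        return "bad checksum", None
    return "ok", payload


def header_hex(blob: bytes) -> str:
    """First four bytes as hex, i.e. what you would eyeball in a dump."""
    return blob[:4].hex()


if __name__ == "__main__":
    good = frame(b"hello")
    print(header_hex(good), parse(good))
    print("shifted by one byte:", parse(good[1:]))
    damaged = bytearray(good)
    damaged[8] ^= 0xFF          # flip a payload byte; magic and length survive
    print("payload corrupted:", parse(bytes(damaged)))
    print("cut short:", parse(good[:10]))
```

Running it shows the three failure modes separately: a one-byte shift is caught by the magic check, a flipped payload byte passes the magic check and is caught only by the CRC, and a short read is reported as truncated.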
As far as malware goes, this isn't really that bad. (EDIT: it doesn't e.g. steal your credit card info [unless you keep that info in your contacts list])
It's simply an app that uploads your address book to a remote server. Up until recently, it was considered industry standard to do that.
The only thing this app does differently is that the server then sends SMS messages to the numbers it uploads from your address book.
All this really is showing is that Apple should've made iOS from the beginning ask the user for permission before allowing an app to access the address book. After iOS 6, this app won't do anything.
I think you're downplaying this. The illegitimate use of the address book is being masked by a legitimate use - even if permission is asked for it will likely be granted. What is essentially impossible to control except through manual app verification processes (and very hard even then) is what is done with the data once the app has access to them.
As a total aside, if you are an AT&T customer you can just forward SMS spam to 7726 (SPAM) and they take care of it - I'm not affiliated with AT&T (just a customer) and I wish they would publicize this stuff more.
Thanks for the information about reporting spam text messages, I had never heard about it. I just received some spam text the other day and ended up reporting it through the FCC, but reporting straight to your mobile operator on the phone is much nicer.
From MikeS1_VZW
We have heard our customers on this, and we have launched a new program to help with SPAM. Take one (or several) of the SPAM messages and forward it to 7726 (which spells SPAM). This is a new process. Once you forward the message to 7726, you will get a reply text message asking the identity of the SPAM sender (the "From" address in the SPAM message you received). Once received, you will get a "Thank-you" message from the 7726 number. We will investigate on the back end.

The messages you send to and receive from the 7726 number are free of charge. This is a brand new program we are testing, and it just started on 09/1/11. Please make this common practice when receiving SPAM messages. This is not to be confused with alerts though. If you get alerts (something you signed up for), you should reply STOP to the message received before going the whole 7726 route.
Great info, but given that carriers are paid for every message I receive, I doubt their commitment to fighting text spam.
Here's what I want: a whitelist. If I want to add you to my whitelist, I put my phone into "receiving" mode. I get your text, confirm adding you, then go back into normal mode, where texts from anyone not on the list are rejected and I don't pay for them.
Expensive, yeah. It should be free, actually; my whole gripe is that I don't want to pay to receive messages I didn't even want. It doesn't help if I have to pay not to receive them.
But it does sound useful. And if it gets mindshare, competition could make it cheaper or free.
It would be nice if phones had an option to treat text messages differently if the number isn't in your phone book. I wouldn't care about text message spam so much if it went to a spam folder and didn't alert like a regular text message.
I think you just described how Facebook handles email...
But I agree with you for the most part: a distinction between known senders and unknown senders would be great. The only exception to this that I can think of personally is for things like the Google 2-factor auth messages, which appear to be sent from random numbers (in addition to being random numbers!).
I think it's just a very fine hair to split that this is malware yet everything before wasn't. This software does not actively do anything else than many apps on the store. It does not contain any malicious code (by itself). Pretty much every app with ads uploads as much information about you as it can. Is broadcasting SMS spam to the gathered data what makes an app malware?
Honestly, all malware "isn't really that bad" by the metrics you're using. Maybe it sends spam. Maybe it hogs your CPU. A few will crash your machine or break it in some obvious way. This one happened to steal your personal data (and attempt to steal that of your contacts').
You're right though, that it's basically exposing a hole in the OS security metaphor. Two really: the address book was unprotected and the application review process didn't work.
> Honestly, all malware "isn't really that bad" by the metrics you're using. Maybe it sends spam. Maybe it hogs your CPU. A few will crash your machine or break it in some obvious way. This one happened to steal your personal data (and attempt to steal that of your contacts').
I was thinking more of "this will not steal my credit card" (unless you keep that info in your address book) type of malware. But, yes. I get your point.
Isn't this a trend in biology? Where less virulent strains of viruses out-perform more severe ones because they don't kill their hosts? Ebola is its own worst enemy because it kills its hosts, and kills them relatively quickly. I seem to recall reading that influenza or typhoid had become less dangerous in the last 100 years or so and they were attributing it to this, but I'm coming up blank on the google searches.
The problem is - this is a contact list manager - so you would expect to give permission to this app to access your contact list.
Ideally Apple has contact information for this developer, and, presuming the developer violated some license with regards to what they can do with user data, Apple can now take legal steps against this developer.
But this is a contact list management application. It requires access to the address book. Any sandbox that would have been created would have allowed the application access to the contacts, even with the most stringent permissions.
I feel like this is missing the forest for the trees. What is the value of a curated app ecosystem like Apple's to the consumer if they cannot prevent malware from winding up on consumers' devices?
"The value of a curated app ecosystem" is that Apple's app reviewers greatly, greatly reduce the chance of malware or crapware winding up on consumers' devices.
Few processes in practice are 100% effective. One, or even a few, failures does not indict the idea of curation, but rather, in my mind at least, reinforces its value.
Of course, as others have mentioned, software protections of the Address Book would be nice, and are coming (though I'm not sure they would have stopped this app from doing its thing).
That’s a false dichotomy. Preventing absolutely every piece of malware would be great, but merely preventing very nearly every piece of malware is also nice. You only have to compare Google’s and Apple’s stores to see that Apple’s approach is more effective (not much), though clearly not perfect. (Apple had the ability to remotely pull malware right from the beginning, clearly showing that they never believed the review process to be perfect in preventing malware.)
Whether that trade-off is worth it is a completely different question (I think it is not – Apple should allow users to install whatever they want; they can even make enabling that needlessly complicated, but they should allow it), but if you are immediately jumping to the conclusion that Apple’s curated approach is devoid of value because one piece of malware made it through, your analysis of the situation is lacking and populist.
This is a good rebuttal, but it remains to be seen whether Apple can actually prevent "nearly every piece of malware" from getting through. To be quite honest, I'm not even the slightest bit familiar with their review and approval process, but I have difficulty believing it can continue to scale without introducing security holes.
> All this really is showing is that Apple should've made iOS from the beginning ask the user for permission before allowing an app to access the address book. After iOS 6, this app won't do anything.
Agreed.
Re: the rest, well, it depends on who controls the remote server. The action itself might not be so worrisome, but what the action enables could be, IMO.
This article is total linkbait. They redefine "malware" to create a sensationalized headline. The article never mentions what the consumer-facing features were supposed to be. It could have had a legitimate use, but also this privacy-violating code. This is more properly an app that violates user privacy - which is not something new or particularly newsworthy - and not malware.
- How can a 3rd party send a message that appears to be from the user that ran the program?
- Why can't someone have the same control over SMS as they can over email? (Filter based on trust, spam control)
I'd also be interested to know what sort of filtering is done by mobile operators. I'm guessing there is some (based off of pacaro's comment), but do these features differ by operator? Is there a standard?
That was a really interesting analysis. A malware scam with a global reach: a phone designed in California, malware written in Russia or a former Soviet republic, and banking routed through Singapore. I gained a wealth of knowledge.