
The newest threat on the official Android market - ilhackernews
https://blog.avast.com/2014/03/07/google-play-whats-the-newest-threat-on-the-official-android-market/
======
magic_haze
XPrivacy should really come installed by default with Android: the new
versions are really quite good (especially with the crowdsourcing and
on-demand bits) and really highlight how atrocious most apps are with your
personal data. And it is a hell of a lot more effective than relying on
companies like Avast to detect and remove bad actors from the market. I've
lost track of the number of times random apps (most of which are just shells
around a website) ask permissions for my full phone number, Google and
Facebook accounts, contact info etc. for no reason at all. At this point, I'm
scared of using Android without the module (not that iOS or Windows are any
better).

~~~
drdaeman
Denying permissions breaks most apps (I'd say 8-9 out of 10 just crash due to
unhandled exceptions), so XPrivacy returns fake data (no contacts, no Internet
connection, spoofed MAC and IMEI etc.).

But then some companies are _really upset_ about spoofing. For example,
Swype had serious issues with that, to the extent that they cried they wouldn't
even be able to release their famous keyboard if they weren't able to get
personal data for their analytics. [1] So the CM team decided not to build any
spoofing (the only practically working solution to the problem) in.

Dancing bunnies 1 : Security 0

____

[1]: [http://www.androidpolice.com/2011/05/25/swype-cyanogenmod-permission-spoofing-could-mean-the-end-of-swype-beta-on-android/](http://www.androidpolice.com/2011/05/25/swype-cyanogenmod-permission-spoofing-could-mean-the-end-of-swype-beta-on-android/)
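An added illustration (not from the thread or any project mentioned in it) of the failure mode drdaeman describes: an app that assumes every privacy-sensitive call succeeds dies on an unhandled exception when a permission is denied or on a null when a module hands back fake data, while the defensive version degrades gracefully. It assumes only the standard Android `TelephonyManager` and `ContactsContract` APIs.

```java
// Added example, not code from the thread: how an app behaves when a
// privacy tool denies or spoofs a permission. Uses only standard Android
// APIs (TelephonyManager.getLine1Number, ContactsContract contacts query).
import android.content.Context;
import android.database.Cursor;
import android.provider.ContactsContract;
import android.telephony.TelephonyManager;

public class PhoneInfo {

    // Fragile version: assumes every call succeeds. If the permission is
    // revoked, the SecurityException is unhandled and the process dies; if a
    // spoofing module returns null, the NullPointerExceptions below do the same.
    static String fragileNumberAndFirstContact(Context ctx) {
        TelephonyManager tm = (TelephonyManager) ctx.getSystemService(Context.TELEPHONY_SERVICE);
        String number = tm.getLine1Number();
        Cursor c = ctx.getContentResolver().query(
                ContactsContract.Contacts.CONTENT_URI, null, null, null, null);
        c.moveToFirst();                               // NPE when query() returns null
        return number.trim() + "/" + c.getString(0);   // NPE when number is null
    }

    // Defensive version: treat "no data" as a normal outcome, so the app keeps
    // working whether the user denies, spoofs, or simply has no SIM/contacts.
    static String robustNumberAndFirstContact(Context ctx) {
        String number = null;
        try {
            TelephonyManager tm = (TelephonyManager) ctx.getSystemService(Context.TELEPHONY_SERVICE);
            number = tm.getLine1Number();             // may legitimately be null
        } catch (SecurityException e) {
            // READ_PHONE_STATE denied: carry on without the number
        }
        String firstContact = null;
        Cursor c = null;
        try {
            c = ctx.getContentResolver().query(
                    ContactsContract.Contacts.CONTENT_URI,
                    new String[] { ContactsContract.Contacts.DISPLAY_NAME },
                    null, null, null);
            if (c != null && c.moveToFirst()) {       // null or empty cursor is fine
                firstContact = c.getString(0);
            }
        } catch (SecurityException e) {
            // READ_CONTACTS denied: carry on without contacts
        } finally {
            if (c != null) c.close();
        }
        return (number == null ? "unknown" : number) + "/"
                + (firstContact == null ? "none" : firstContact);
    }
}
```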

~~~
magic_haze
I see where the Swype folks are coming from, but it's a bit like the people
who complained about the existence of mailinator.com a decade back. Are they
seriously claiming that a company whose entire business is based on making
sense of dubious data will completely break down if its analysis service gets
some bad inputs? How do they deal with shady manufacturers who return wrong
data?

Swype is operating in a marketplace that is full of apps crying wolf and
asking for way more permissions than they need, usually for unknown purposes.
For example, I like to read The Verge and use its app[1], but it has "read
phone status and identity" and "modify or delete the contents of your USB
storage" in its manifest, which I'm not comfortable with. There is nothing
that explains what they use this information for, how long they store it, and
who they share it with. Heck, my desktop browser doesn't give theverge.com
this permission and yet the site functions just fine.

Why should I bare my personal data to the whole world just because one
developer is too lazy to implement checks on his inputs?

[1] [https://play.google.com/store/apps/details?id=com.verge.android](https://play.google.com/store/apps/details?id=com.verge.android)

------
georgemcbay
Given how shady the whole premium SMS/premium number business is to begin
with, it should be made legally simple to refuse all payment on charges to
them.

E.g. say you notice you suddenly owe $100 on your phone bill due to a phone app
causing charges to your bill (or even just because you gullibly fell for a
social engineering attack); you should be able to just refuse to pay with no
repercussions other than that the premium provider will be sent a notification
that you refused to pay and then may block you via caller ID from future use
of the service.

I doubt this will ever happen since politicians generally don't give a rat's
ass about consumers anymore, but it would be nice.

~~~
fungi
In Australia:

> Require mobile carriers to provide the option of barring premium SMS and MMS
> services on all plans from 1 July 2010. This gives consumers a choice to
> block such services;

[http://www.acma.gov.au/theACMA/premium-phone-services-australia-bill-shock-i-acma](http://www.acma.gov.au/theACMA/premium-phone-services-australia-bill-shock-i-acma)

My SIM came pre-blocked which was nice.

~~~
biafra
When I asked O2 Germany to do this, they told me they would have to block
mobile internet as well.

------
amimetic
Bear in mind it is Avast writing this post (not exactly my favourite company
at the moment, having incorrectly reported a trojan to a few users in one of my
apps), so the alarmist perspective is motivated by their business.

If the worst they can report on is an obscure and rather obviously dodgy-looking
app that is no longer on Google Play, then there isn't much for us to worry
about.

------
Apocryphon
I thought KitKat was supposed to block apps from automatically sending SMS
messages to premium numbers?

This is a nasty piece of malware, but premium SMS scam apps are nothing new to
Android. So the article playing up the danger of this random, seemingly
single-market focused malware (Hispanophone vs. global) isn't particularly
scary.

~~~
ben1040
> I thought KitKat was supposed to block apps from automatically sending SMS
> messages to premium numbers?

From the analysis posted, it's trying to bypass that by not sending an SMS to
a premium number. It's sending the phone number to a website, and whatever it
is that is running on that website is subscribing the user to a premium
service.

~~~
objclxt
Yeah, it reverse bills the SMS. Android can only block your device from
_sending_ premium rate SMS, not receiving them (how could it? It's up to your
network operator to handle that side of things).

The original idea with reverse billing was that users could subscribe to
services such as weather updates, which would automatically send a message
once a day/week, and the user would be charged upon receipt. The problem with
reverse billing is that it's clearly open to substantial abuse.

~~~
fasteo
It is a Spanish premium subscription number. To subscribe you need to opt in,
either by web (getting a PIN code you need to enter to confirm the
subscription) or by SMS (you need to confirm by replying to a free message
from the short code).

I guess this app is going through SMS opt-in, sending the reply behind the
scenes.

------
rjzzleep
At this point I'd like to recommend CyanogenMod with Privacy Guard again [1],

or OpenPDroid [2], or both. The cool thing about OpenPDroid is that you can
spoof location requests too. Also, I don't think any other privacy app allows
you to block requests to SIM and IMEI info.

[1] [http://www.androidcentral.com/cyanogenmod-updating-privacy-guard-20-new-features-coming-cm102](http://www.androidcentral.com/cyanogenmod-updating-privacy-guard-20-new-features-coming-cm102)

[2] [http://www.xda-developers.com/android/openpdroid-brings-an-open-source-privacy-solution/](http://www.xda-developers.com/android/openpdroid-brings-an-open-source-privacy-solution/)

~~~
drdaeman
I believe XPrivacy [1] looks more promising than OpenPDroid. First of all, the
Xposed Framework feels easier to integrate: no need to mess with full-fledged
ROM embedding, just a light patch to Dalvik and a reboot.

And the things I really fancy about XPrivacy are that current versions have a
learning mode (like `su` GUI prompts, configurable to automatically deny or
allow after a timeout) and yet-underdeveloped but very promising argument-level
permission controls (i.e. allowing WebView's loadUrl for one URI, but not
another).

[1]: [http://forum.xda-developers.com/showthread.php?t=2320783](http://forum.xda-developers.com/showthread.php?t=2320783)

------
cgtyoder
Looks like it's gone from Google Play.

------
cmelbye
I'm surprised they went to those measures to get the user's phone number, it
seems like there would be much simpler and more inconspicuous ways to do so on
Android.

------
jmnicolas
It's been a long time since I last touched Java; I don't get the instruction
"break label217;".

Is it equivalent to a "goto label217"? (shock and horror!!!)

~~~
entropy_
That won't actually compile. Having decompiled java binaries before, the
decompiler will sometimes generate things like that. I think it happens when
there's a jump instruction it doesn't know what to do with.

~~~
jmnicolas
Thank you.

