whitenoise

technology notes… mobile and embedded.

On apps and security .

with 2 comments

While the appstore phenomena has brought is a lot of cool utilities to your smart phone, there are side effects too. Last week saw one of the most dramatic demonstration of what many have been fearing for sometime now. Malware on Smartphone!

And with some intelligent social engineering tricks, it could invade the ecosystem in the matter of days .

evil_android_thumb Several android web pages reported of a very powerful malware that got into the Android market place. Here is how the app installs the malware.

The malware publisher (goes by name Myournet) takes some of the  popular android games and then injects root exploits into the application package and republishes the apps back. All these are variants of the original popular apps, but but they are available FREE. Within days several users download the app and install it. A detailed report is here.

How it works: The malware actually installs a rootkit and ‘steals’ all personal information on your device and sends to a remote location. Besides the malware always opens up a backdoor with your device allowing more worms/malicious code to be run.  This blog post by a mobile security firm has the gory details.

Some points to note:
* The malware’s existence was not known by Google until someone posted about it in public domain .
* While Google was (somewhat) swift to respond , the damage was done. Private data from many phones have been sent to a nefarious user. Would have been very good if the app didn’t enter the ecosystem in the first place.
* Community to the rescue : Google responded by nuking the app with its kill switch. But then the first fixes came from members of XDA.

We can be happy that though the Android market is ‘open’ Google has put in some features in platform to recover back .

How about genuine apps ? Malware isn’t the only security threats to private data. The  Freedom to tinker website had a  blog post recently on the information shared by some of the popular Smartphone apps. The author had used sniffing tools like wire shark to sniff his Android phone.

F5T0XHAF04FMXU0.MEDIUM copy[19]The Android face book app sends stuff out in the open so anyone could read your posts..  It is also possible to make bogus posts, the author says. Some things to be careful of.

Wired’s ‘open’ edition: I’ll close this blog with a note about a recent Wired magazine issue that sums it up all.Some of the wired magazine  subscribers got a ‘very personal’ edition of their copy.   It had lot of information that Wired had gleaned about the subscriber!! The editors used online browsing history, electoral records and ‘social networks’. The magazine just shows how much information we expose unknowingly.

When they do this exercise the next time, they will have yet another ‘gold mine’ of private information -your ‘smart’ phone!

[Image credit : Mobilecrunch , Prohack]

Advertisements

Written by sujai

March 12, 2011 at 9:41 pm

2 Responses

Subscribe to comments with RSS.

  1. This can be fixed by a stringent approval process. I think google can fix this easily 🙂

    /LPS

    LPS

    March 13, 2011 at 11:51 pm

    • @LPS : Welcome to Whitenoise.
      Yes.thats my point. Google has to follow stricter submission process like the iPhone Appstore approval process like: http://developer.apple.com/appstore/guidelines.html

      But I doubt it is easy to fix. That will make Android ‘more closed’ and ‘less developer friendly’ etc. And Android apps can come from anywhere..not just the market place.

      sujai

      March 15, 2011 at 8:02 am


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: