I have had three issues on that matter, all in one week, so I reckon that I am slightly agitated in regards to projected presenters of misinformation with intent (also known as recruiters). If that was not enough, in the tech sector Verizon added to this with the article in the Guardian (at http://www.theguardian.com/technology/2015/apr/14/mobile-malware-report-verizon-smartphone-adnoyance). The article is interesting for more than one reason, so let’s get to it.
The title is a valid question as it states ‘Is mobile malware a lot of fuss over nothing?’, some will say yes, a lot more will say no. Yet, how much of an issue is mobile malware? That is in the end a valid question. Verizon, a telecom provider goes for the ‘adnoyance’ key. They are depending on people relying on a provider as without it there is no phone, but is malware just the annoyance of advertisement? Many, including me are not convinced.
One source http://securityxploded.com/demystifying-android-malware.php, gave us clear goods. The article is very ‘techie’, but also very clear, showing step by step the issue in play.
At step 8, we get the part where we see what is going on: “The application sends an SMS to the premium number 1066185829 with the text 921X1. In the background, it blocks any incoming delivery report from this number so that the victim does not get any response regarding the SMS that the application sends in the background. Also, the SMS is sent only once and never again so that the victim has no suspicion of what caused the SMS charges to be sent to him“, premium numbers are a lot more expensive, which could be around $0.75 for one SMS. Now many will not care, thinking it happened once. So what is the deal? Well, see what it amounts to when it is done a million times. We all funded one criminal $750,000 for being clever. When we go back to the beginning of the article we get “McAfee’s first quarter threat report [Reference 1] stated that with 6 million unique samples of recorded malware, Q1 2011 was the most active first quarter in malware history“. Now, not all of them were about money, advertisement annoyance is a chunk here, but the casual air of Verizon becomes slightly offensive, or so it should be when we consider that dozens of creative souls are trying to spike their bank account in this way.
Yet, the one-time loss of $0.75 is not really an issue for the consumers at large, but what is?
Now, I get back at the issue I illustrated a long time ago, when we suddenly got those issues with Facebook messenger. Where you were giving it the right to record Audio. Before I continue, I must be fair to Facebook to and add an article here (at http://www.androidcentral.com/facebook-messenger-permissions-not-scary-stories-might-have-you-believe), it goes over many rights and it does try to suss a few issues (in a good way). There were however a few other issues, mainly connected to Facebook messenger draining the battery in massive ways. My issue here is that if it drains the battery, what is it using the energy for? Just to keep the mobile out of a sleep state?
Gizmodo (at http://gizmodo.com/facebooks-messenger-app-logs-way-more-data-than-you-rea-1633441673) gave us this: “Ever since Facebook first started pushing users over to its standalone messaging app (whether they liked it or not), there have been cries of outrage over what’s seemed like an inordinately large amount of required permissions. And while there’s still no indication that Facebook has any sort of bad intent, the company is collecting a startling cache of data, according to security researcher Jonathan Zdziarski“.
In addition we get “In an email, Zdziarski said that Messenger is logging practically everything a user might do within the app, from what and where they tap, to how often a device is held in portrait versus landscape orientation; even time spent in the Messenger app, versus the time it spends running in the background. …”[Facebook is] using some private APIs I didn’t even know were available inside the sandbox to be able to pull out your WiFi SSID (which could be used to snoop on which WiFi networks you’re connected to) and are even tapping the process list for various information on the device,” he wrote in an email.
Now, like Jonathan Zdziarski, I feel compelled to believe that Facebook is not doing anything wrong or illegal, but they are collecting huge amounts of data, by the way, when this is transmitted, will that be taken of your monthly data allowance? Seems to me that Verizon is downplaying the pressure on the monthly data allowance bill.
Now we get back to Brightcloud, who is giving us ‘Android Malware Exposed‘ (at http://www.brightcloud.com/pdf/Android-Malware-Exposed.pdf). The paper has a part on Spyware. On page 12, they state “Other types of threats are those that spy on you or steal your data. There are a number of apps that are the equivalent to commercial keyloggers found on PCs. These apps offer their services to ‘track’ your kids, spouse or employees. These behaviors are easy to incorporate into an app and this begins with the easy task of requesting the necessary permissions. For example, requesting ACCESS_COARSE_LOCATION, ACCESS_FINE_LOCATION, and READ_SMS will grant you access to SMS messages and GPS location“. This is the issue. It was not the $0.75, but the massive amounts of data that mobiles are working with nowadays. How long until these malware solutions get access to some of the larger collectors like Facebook? It is not that far a leap of suspicion is it?
In addition on that same page we see: “Threats which have used these spying techniques are NickySpy, Spitmo, GGTracker and GoldenEagle. NickySpy is interesting in that it utilizes the MediaRecorder() class to turn on the microphone and discretely record and save conversations to the SD Card. It is also able to send captured data to a remote server, although this functionality is not hard wired in. Below is a snippet of the function responsible for voice recording“. Now we get to the good part. The malware can be capturing events on audio without your consent and stream it. So, it was not just about the rights, it is about the ability that is unlocked to use. We focus on the big player like Facebook and Google, but we forget that data collecting is on the minds of governments, big corporations as well as organised crime and those into identity theft.
There are millions of examples, and Verizon trivialised it as ‘adnoyance’. The truth (as I see it) is that there is an entire echelon of dangers that people remain (intentional or not) oblivious to. One of the conclusions given in the article is “Trojans will continue to be bundled in repackaged APK’s and disguised as legitimate applications. With 900,000 daily Android activations worldwide, social-engineering tactics will continue to be used to trick users into installing malware“, so that friend you know that gave you the location of that free game, might in the end not be that good a friend. Unknown to him or not, that little freebee could be the start of your data going somewhere else.
Verizon might light of an issue, as it does not harm them, but it harms their customers. Instead of heralding Common Smartphone Sense, by making sure that people only download from reputable sources only (like Google Play Store), we see trivialisation. The added sentence ‘it’s unlikely to be the source of disastrous data breaches such as the Sony hack any time soon‘ adds to the failing of this article.
Malware is an issue, malware will continue to be an issue with added dangers over time and Yes, Android (as an open platform) has a larger issue to deal with. Yet, Common Smartphone Sense could reduce the dangers by 80% which is a huge diminishment of the risk the user has. In addition ‘the company estimates that just 0.03% of mobile devices are infected with “higher grade” malicious code each week’, sounds like a small number, but that implies that it is well over 600.000 phones each week. This makes it a clear issue, not a minute part. In the end, we are at 2,000,000,000 smartphones on the planet, and as that group grows, then so will the desire from some to infect that realm with higher grade malware.
In addition, two days ago, the Business Insider (at http://www.businessinsider.com.au/thousands-of-people-can-do-sony-hack-2015-4) stated ““There are probably a couple thousand, three, four, five-thousand people that could do [the Sony] attack today,” Miller told “60 Minutes.” He went on to explain that the technology used by the perpetrators of the Sony hack isn’t a custom-made program. Instead, Miller says it can be purchased online from Russian hackers for around $US30,000“, so if that is a fact, then how is North Korea still seen as the Cyber Boogieman? This issue is a lot bigger and the Smartphone is just adding to a Cyber world that is lacking security all over the place. Telecom operators will have to change the way they play the game, the moment that they are no longer seen as simple data provider through innocent dissemination. When the telecom companies are held to account, we will see a shift, one that will be a costly one for those who allowed massive amounts of data theft to remain unmonitored.
Verizon should be ashamed of itself!