
"SMSZombie" Malware Infects 500,000 Android Users In China

Posted by samzenpus
from the new-threat-on-the-block dept.
wiredmikey writes "Researchers have recently discovered a new sophisticated and resilient mobile threat targeting Android phones that is said to have infected about 500,000 devices, mainly in China. Called 'SMSZombie,' the malware is stubborn and hard to remove, but users outside of China have little to worry about with this latest discovery. The prime function of the mobile malware is to exploit a vulnerability in the mobile payment system used by China Mobile, making it of little value to the fraudsters outside of China. The malware takes advantage of a vulnerability in the China Mobile SMS Payment process to generate unauthorized payments to premium service providers, and can also remotely control the infected device. It has been spread via wallpaper apps that sport provocative titles and nude photos, and can only be removed using a lengthy process beyond the skills of a typical android user."
This discussion has been archived. No new comments can be posted.

  • We're not zombies!
  • by vlm (69642) on Sunday August 19, 2012 @05:47PM (#41048717)

    wallpaper apps that sport provocative titles and nude photos

    How can someone see that and not realize it's gotta be a scam?

    Probably just as effective as putting up an "idiots click here please".

    The ability to be scammed is hardly limited to senior citizens.

    • Re:Obvious scam (Score:5, Interesting)

      by mlts (1038732) on Sunday August 19, 2012 @06:20PM (#41048909)

      You would be surprised how easy it would be to get stung by this by an average user [1].

      A couple months ago, I was browsing for a couple games. Looked at the game, and it demanded every right under the sun. Of course, it didn't get the second install click.

      However, it was a game with an icon that was the logo for a popular game show, so it looked "legit" enough to a user. Most Android users are not the top tier IT people who know exactly what an app should and should not be doing. They tend to see an app, tap it, and go from there.

      All in all, the Android permissions are working fine. The app couldn't do much to hide in the system, so someone removing the device admin and then the app resulted in a cleanup. Had the app had root, it could insert itself into a lot more places.

      The problem is whoever is the curator of the app store [2] in question. There really needs to be at least two tiers with some warning about entering into Mordor for the second tier. Android needs to have default stores like Amazon's that apps are vetted to a strict code before they hit the store. Not just checked with a scanner like the Bouncer, but put up to a higher tier of rules than the free-for-all of the present Google Play store. The reason for the higher standard is to minimize the "developer banned at 9:00, app is back in the store at 10:00 under a different name", which was not uncommon.

      Android is great (and it can be argued that the OS is more secure than iOS when compared side to side [3]); it just needs a beefy gatekeeper enforcing a proper dress code. iOS's security would be significantly weakened without an active gatekeeper, and Apple has done a good job at keeping the nasties out of the Apple ecosystem.

      [1]: The Dancing Bunnies "hole" has defeated many security systems.

      [2]: I wasn't sure if it is Google or what, so using "app store" as a generic term. App Store would likely mean Apple's offering.

      [3]: iOS depends on the "jail" system completely. A rooted Android device does not lessen any security, unless the user decides to let an app through via "Superuser" that shouldn't have root.

      • Re: (Score:2, Informative)

        by stephanruby (542433)

        You would be surprised how easy it would be to get stung by this by an average user [1].

        A couple months ago, I was browsing for a couple games. Looked at the game, and it demanded every right under the sun. Of course, it didn't get the second install click.

        However, it was a game with an icon that was the logo for a popular game show, so it looked "legit" enough to a user. Most Android users are not the top tier IT people who know exactly what an app should and should not be doing. They tend to see an app, tap it, and go from there.

        Most users actually look at the number of stars and the number of downloads, and sometimes even read the reviews when the thing doesn't have a solid rating. Find me just one example of a WallPaper app, or a shady game, that hasn't been damaged in its star ratings and in its user reviews by having permissions that required access to the SMS functionality.

        In addition to that, the Google Play store also looks at the ratings and the number of installs, when deciding to display search results, thus reducing the

        • by mlts (1038732) *

          I am leery about reviews. The app I mentioned had five stars, and a ton of positive reviews. However, if you looked at the reviews, they were stuff like "Game play great!" [sic], or other pithy, fake reviews. One had to dig through a ton of the fake positives in order to find the one star "SMS spammer" items.

          • I will assume the app and reviews were on an app store or traditional aggregation website. It didn't have the ability to filter or sort by critical ratings first?

          • I am leery about reviews. The app I mentioned had five stars, and a ton of positive reviews. However, if you looked at the reviews, they were stuff like "Game play great!" [sic], or other pithy, fake reviews. One had to dig through a ton of the fake positives in order to find the one star "SMS spammer" items.

            It sounds like you were on a site like GetJar [getjar.com]. If you notice, GetJar has iPhone applications as well. And if you're willing to take the extra steps required to leave the walled garden of your OS, whether it's Android or iOS, it's ultimately your responsibility if you decide to use a badly run online App Store after that.

      • Then there is the side-effect of ads meaning that _EVERY_ app (well, the majority) has all the permissions it needs to start scanning your network at 3AM, and reporting what it finds back to china.
        Fixing this would not be that involved, but it would mean that there is some cost.
        Devs would need to write a one-line explanation for every permission.
        You'd need to have someone slightly clueful to see if all the permissions are in fact required for the features mentioned.
        This is around a 2 minute task for most ap

      • Android is great (and it can be argued that the OS is more secure than iOS when compared side to side [3])

        The Android security system itself is strong enough, but the inherent flaw is that a user is asked for permissions for everything all up front. This is terrible as novice users simply cannot really tell what they are being asked to do, and even experienced users may think some particular permission is theoretically needed.

        On iOS, permissions are asked in context, at the time the service needing permiss

        • by tlhIngan (30335)

          The Android security system itself is strong enough, but the inherent flaw is that a user is asked for permissions for everything all up front. This is terrible as novice users simply cannot really tell what they are being asked to do, and even experienced users may think some particular permission is theoretically needed.

          On iOS, permissions are asked in context, at the time the service needing permission is going to be accessed. This gives especially novice users a much stronger inkling if they should agre

      • by AK Marc (707885)
        Apps can lie to me. Why can't I lie to apps? Tell the App I agreed to all the permissions, but don't give the app those permissions. Let me choose the permissions. If it crashes, then I'll uninstall it. If it still runs neutered, then I'll leave it. I can't believe most of the apps need all the permissions they request. And I find it amusing that the customizable and open Android won't let me tell an app that it has permissions to my contact list, but is presented an empty sandbox contact folder.
        • by mlts (1038732) *

          There is an app for Android called LBE Privacy Guard which does exactly that, where the app thinks it has the perms it wants... but doesn't.

          There is a similar app for jailbroken iPhones called PMP (Protect My Privacy). If an unauthorized app wants contacts, PMP will give gibberish, same with music. That way, the app thinks it is having a field day uploading data.

  • I'm sorry, but seriously? Two steps is beyond the skill of the typical Android user?
    Besides that, maybe they shouldn't choose "YES" when explicitly prompted for device administrator permissions for the app?
    • by schitso (2541028)
      Lengthy process, rather. I don't even know what a length process would be.
    • by the_B0fh (208483)

      yes. you obviously have not worked with end users. most people don't give a shit about how things work, as long as it works.

      • "What was that noise?" "The sound of progress, my friend."
  • So... (Score:4, Funny)

    by jamstar7 (694492) on Sunday August 19, 2012 @05:50PM (#41048745)
    THIS is the dreaded Zombie Apocalypse we're constantly warned about??
  • by rudy_wayne (414635) on Sunday August 19, 2012 @06:20PM (#41048913)

    can only be removed using a lengthy process beyond the skills of a typical android user.

    The "lengthy process" consists of:

    Go to System Settings >> Location and Security >> Select Device Administrators
    Remove "Android System Service"
    Go to System Settings >> Applications >> Manage Applications >> Android System Service
    Choose "Uninstall"

    OMG!!!

    4 steps!!!!!! It's so complicated!!!!!!!!

    • by Anonymous Coward

      If you think in terms of the type of person who would get infected with this to begin with, then unfortunately yes, it is complicated.

    • Wait wait wait.
      Can you please type slower?
      I'm confused,
  • by VTI9600 (1143169) on Sunday August 19, 2012 @06:31PM (#41048983)

    ...post a lenghty rant about miscoceptions of Android users, and quote the OP too. Unfortunately, I'm posting from an Android device and do not posess such skills.

  • by hbean (144582)
    How is that a lengthy process beyond the skill of most android users? My father could do that easily and he barely knows how to dial his android.
    • by PNutts (199112)

      It depends on whether you mean follow a script or just do it. My mother-in-law could follow the 10 screenshots but she could not independently come up with those steps. The fact that the person granted the permissions leads me to believe they may not have the technical expertise to undo their choices.

  • When is SMS just going to vanish already?
    • I've been wondering that since the 90s... SMS is a crude hack that was past due for replacement before most people ever heard of it.
    • by noh8rz7 (2706405)
      all messages sent between iphones go on imessage instead of sms. sms is dead on iphones except for communications with other cell phone types.
      • by dohzer (867770)
        I guess we should all get iPhones then. Personally the only thing stopping me is that it's an iPhone.
        • This really does seem to be an issue with some, that iPhones are iPhones, and I can understand the issue to a degree.

          1. Make a case for an iPhone with 'This is not an iPhone' printed on it.
          2. Load phone with 'Not an iPhone' skin.
          3. Sell next to Apple stores with a sign that reads 'Not iPhones'.
          4. Profit !!
    • by Threni (635302)

      When there is an alternative which is free, works on all mobile phones regardless of carrier/manufacturer, and is (almost) instant.

  • GFan is probably bad enough, but Installing an application from some random-ass website is just asking for it.

    FTFA: "the malware is being spread through online forums and has been found in several packages on China's largest mobile app marketplace, GFan."

  • "...beyond the skills of a typical android user."

    It's 5 steps long, and at least one of those steps is essentially CTNB (click the Next button)

    Ohhh...

    I see what you did there.
