posted by on Monday March 13 2017, @08:34PM
from the are-you-smarter-than-your-phone? dept.

A commercial malware scanner used by businesses has recently detected an outbreak of malware that came preinstalled on more than three dozen Android devices.

An assortment of malware was found on 38 Android devices belonging to two unidentified companies. This is according to a blog post published Friday by Check Point Software Technologies, maker of a mobile threat prevention app. The malicious apps weren't part of the official ROM firmware supplied by the phone manufacturers but were added later somewhere along the supply chain. In six of the cases, the malware was installed to the ROM using system privileges, a technique that requires the firmware to be completely reinstalled for the phone to be disinfected.

"This finding proves that, even if a user is extremely careful, never clicks a malicious link, or downloads a fishy app, he can still be infected by malware without even knowing it," Check Point Mobile Threat Researcher Daniel Padon told Ars. "This should be a concern for all mobile users."

Most of the malicious apps were info stealers and programs that displayed ads on the phones. One malicious ad-display app, dubbed "Loki," gains powerful system privileges on the devices it infects. Another app was a mobile ransomware title known as "Slocker," which uses Tor to conceal the identity of its operators.

The infected devices included:

  • Galaxy Note 2
  • LG G4
  • Galaxy S7
  • Galaxy S4
  • Galaxy Note 4
  • Galaxy Note 5
  • Galaxy Note 8
  • Xiaomi Mi 4i
  • Galaxy A5
  • ZTE x500
  • Galaxy Note 3
  • Galaxy Note Edge
  • Galaxy Tab S2
  • Galaxy Tab 2
  • Oppo N3
  • vivo X6 plus
  • Nexus 5 [Removed in updated list.]
  • Nexus 5X [Removed in updated list.]
  • Asus Zenfone 2
  • LenovoS90
  • OppoR7 plus
  • Xiaomi Redmi
  • Lenovo A850

Check Point didn't disclose the names of the companies that owned the infected phones.
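The article draws a line between the six devices where the malware sat in the ROM with system privileges (only a firmware reflash removes it) and the rest, where it was an ordinary installed app. The script below is an added example, not Check Point's tooling or anything from the Ars piece: it parses the `package:<apk path>=<package name>` text that `adb shell pm list packages -f` prints, hashes each system-partition APK as pulled with `adb pull`, and compares against a baseline of what the factory image should contain. The package list, the "factory" APK bytes and the baseline derived from them are constructed stand-ins; in practice the baseline would come from a vendor-published manifest or a known-clean unit of the same model and build. Anything under a read-only system partition that is missing from the baseline or whose hash differs gets a "reflash" verdict; anything under /data/app is user-installed and can be handled with the package manager.

```python
"""Triage an Android package list against an OEM factory baseline.

Added example, not code from the article or from Check Point. It expects the
output format of `adb shell pm list packages -f` (one `package:<path>=<name>`
line per app) plus the bytes of each system APK as pulled from the device.
"""
import hashlib
import re
from dataclasses import dataclass

# Partitions owned by the stock firmware image. An app placed here with
# system privileges survives a factory reset and needs a reflash to remove.
SYSTEM_PREFIXES = ("/system/", "/vendor/", "/product/", "/system_ext/")

PM_LINE = re.compile(r"^package:(?P<path>/.+\.apk)=(?P<name>[\w.]+)$")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def parse_pm_list(text: str) -> list[tuple[str, str]]:
    """Return (package name, apk path) pairs; reject lines in any other shape."""
    pairs = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = PM_LINE.match(line)
        if m is None:
            raise ValueError(f"unexpected pm output line: {line!r}")
        pairs.append((m.group("name"), m.group("path")))
    return pairs


def is_system_path(path: str) -> bool:
    return path.startswith(SYSTEM_PREFIXES)


@dataclass(frozen=True)
class Finding:
    package: str
    path: str
    verdict: str       # ok | unknown_system_app | modified_system_app | unknown_user_app
    remediation: str


def triage(pm_output, baseline, apk_bytes, user_allowlist=frozenset()):
    """Classify every listed package; system-partition apps are checked by hash."""
    findings = []
    for name, path in parse_pm_list(pm_output):
        if is_system_path(path):
            expected = baseline.get(name)
            if expected is None:
                verdict, fix = "unknown_system_app", "not in factory image: reflash stock firmware"
            elif sha256_hex(apk_bytes[path]) != expected:
                verdict, fix = "modified_system_app", "APK differs from factory build: reflash stock firmware"
            else:
                verdict, fix = "ok", "none"
        elif name in user_allowlist:
            verdict, fix = "ok", "none"
        else:
            verdict, fix = "unknown_user_app", "user-installed: review source, then `pm uninstall`"
        findings.append(Finding(name, path, verdict, fix))
    return findings


# --- Constructed sample data (stand-ins, not taken from the article) ---
FACTORY_APKS = {                       # bytes as they exist in the factory build
    "android": b"factory framework-res v1",
    "com.android.settings": b"factory Settings v1",
    "com.android.calculator2": b"factory Calculator v1",
}
OEM_BASELINE = {name: sha256_hex(data) for name, data in FACTORY_APKS.items()}

PM_LIST_OUTPUT = """\
package:/system/framework/framework-res.apk=android
package:/system/priv-app/Settings/Settings.apk=com.android.settings
package:/system/app/Calculator/Calculator.apk=com.android.calculator2
package:/system/priv-app/SysMgr/SysMgr.apk=com.example.sysmgr
package:/data/app/com.example.adsdk-1/base.apk=com.example.adsdk
package:/data/app/com.example.notes-1/base.apk=com.example.notes
"""

PULLED_APKS = {                        # what `adb pull` returned from the suspect device
    "/system/framework/framework-res.apk": FACTORY_APKS["android"],
    "/system/priv-app/Settings/Settings.apk": FACTORY_APKS["com.android.settings"],
    "/system/app/Calculator/Calculator.apk": b"factory Calculator v1 + injected payload",
    "/system/priv-app/SysMgr/SysMgr.apk": b"privileged app absent from the factory image",
}
USER_ALLOWLIST = frozenset({"com.example.notes"})

if __name__ == "__main__":
    for f in triage(PM_LIST_OUTPUT, OEM_BASELINE, PULLED_APKS, USER_ALLOWLIST):
        print(f"{f.verdict:20} {f.package:26} {f.path}")
        print(f"{'':20} -> {f.remediation}")
```

One caveat: the package list and the pulled files come from the running OS, and an implant that has gained system privileges (as "Loki" is described doing) can lie to both. For a device you already distrust, hash the whole system partition image taken from recovery or fastboot against the OEM's published build rather than trusting what `pm` reports.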

Source: ArsTechnica


Original Submission

 
This discussion has been archived. No new comments can be posted.
  • (Score: 4, Insightful) by Nerdfest on Monday March 13 2017, @08:37PM (5 children)

    by Nerdfest (80) on Monday March 13 2017, @08:37PM (#478621)

    In other news, Windows 10 has been found to be infected with spyware and adware, and Apple devices have been found infected with iOS which strips away user rights and capabilities. I'm not even sure which is worse any more, malware or actual operating systems.

    • (Score: 0) by Anonymous Coward on Monday March 13 2017, @08:46PM (4 children)

      by Anonymous Coward on Monday March 13 2017, @08:46PM (#478624)

      Use Linux, then you only have to worry about a subset of malware and you have ultimate control over the OS, admittedly sometimes to a fault.

      • (Score: 1, Insightful) by Anonymous Coward on Monday March 13 2017, @08:56PM (2 children)

        by Anonymous Coward on Monday March 13 2017, @08:56PM (#478631)

        But... but... Android is Linux!

        • (Score: 3, Insightful) by Scruffy Beard 2 on Monday March 13 2017, @09:03PM (1 child)

          by Scruffy Beard 2 (6030) on Monday March 13 2017, @09:03PM (#478636)

          Which is why RMS was correct to insist on "GNU/Linux" for all those years.

          Now "Android/Linux" dominates, and people think it is not Linux for some reason.

          • (Score: 0) by Anonymous Coward on Monday March 13 2017, @10:32PM

            by Anonymous Coward on Monday March 13 2017, @10:32PM (#478669)

            There were those at our office who referred to our busybox/uclibc boxes as running GNU/Linux, who really should have known better. Even with the rise of non-GNU Linuxes, like Alpine and Android, becoming more popular, I don't think having used "GNU/Linux" terminology would have fixed any of the confusion in the general population. Heck, we have devs complaining they cannot figure out what version of glibc the production machines are running when they hit bugs in musl.

      • (Score: 3, Insightful) by driverless on Wednesday March 15 2017, @08:27AM

        by driverless (4770) on Wednesday March 15 2017, @08:27AM (#479304)

        Use Linux, then you only have to worry about a subset of malware and you have ultimate control over the OS

        I dunno, the systemd malware can be pretty hard to remove, it almost seems to integrate itself into the OS so you can't crowbar it out again.

  • (Score: 2) by goody on Monday March 13 2017, @09:04PM (3 children)

    by goody (2135) on Monday March 13 2017, @09:04PM (#478637)

    "This should be a concern for all mobile users."

    Not really. It should be a concern for those buying products from suppliers with sloppy supply chains.

    • (Score: 0) by Anonymous Coward on Tuesday March 14 2017, @03:45AM (2 children)

      by Anonymous Coward on Tuesday March 14 2017, @03:45AM (#478752)

      Well, let's see: It's probably not the OEMs or the problem would be widespread rather than generally limited to a couple of companies. It's probably not the carriers or the problem would be widespread rather than generally limited to a couple of companies. Odds are, then, it's something injected in transit, targeting those companies.

      Who do we have documented evidence of intercepting computers equipment in transit, manipulating/infecting it, then setting it on its way? Let's see, it's a three-letter name, belongs to an increasingly-fascist country...

      • (Score: 2, Insightful) by anubi on Tuesday March 14 2017, @06:36AM

        by anubi (2828) on Tuesday March 14 2017, @06:36AM (#478788) Journal

        If anything, we need some mechanism to read and make a digest of the operating system so we can verify it's an OEM load.

        When I was first coming online with PCs, BIOS was usually shipped in a pair of UV-EPROMs ( i.e. 27128 and up ), which were programmed using a high voltage on a special EPROM writer. The high voltage required to program the part was not available on the EPROM socket on the motherboard. It was very common to identify the parts by their checksum, as one was the "LOW" byte, and the other one was the "HIGH" byte. I thought these were quite secure and could be trusted. Not only that, I was actually made privy to the source code in them... matter of fact the standard IBM BIOS Source Code was printed in the "IBM AT Technical Reference" binder, along with all the schematics of the hardware. Just about like an Arduino documentation package - but quite a bit more sophisticated.

        I was sure hoping it would stay that way, as I knew no matter what happened to the software, the BIOS could not be corrupted. Even if you did suspect your BIOS, it could be accessed from hardware and you could checksum it to see what you had - with a program you probably wrote yourself... in assembler. Or, lacking that, a bunch of DEF SEG's, and PEEK loops in GWBASIC would do in a pinch.

        ( IIRC, the ROM BIOS was at (F000:C000) at the upper address space of the PC, which was why we had a "hole" in the address space between 640K and 1MB. "A Megabyte of memory should be enough for Anyone" did not last for long. Soon thereafter, 16MB, then it seemed the sky was the limit.)

        I sure liked the way we used to start up a machine, with a hardware reset vector that went to a predefined address and started executing from there. It was completely neutral and verifiable as to exactly what the machine was to execute upon startup ( which was usually a loader to bootstrap in the operating system, but if you wanted the whole machine to do nothing but "hello-world" like an Arduino upon power-up, that was fine, too. ) And, given an EEPROM programmer, a decent primer on how to write assembler for a machine consisting of nothing but hardware.

        But things did not stay that simple for long. When I saw the first flash-based boot BIOS coming out, I knew right then and there we were in trouble.

        Seemed all the copyright people got so worked up trying to keep some kid from sharing some song that they have taken steps to work with Congress to ensure the ignorance of the masses to how this stuff works. The deluge of malware that no-one seems to understand sure seems to prove my point. It's almost like a bunch of firemen setting fires so they can get paid to put them out, starting more fires elsewhere while on the way to put the current crop out to guarantee future employment.

        While our Congress sits around with that shit-eating grin on their face, shaking the hands of lobbyists pushing this crap on us.

        I want so much for our stuff to be public to the extent we can know what is in it. Personally, I would lobby for Congress to consider anything not revealed to be a "trade secret", and as such, not coverable by either patent or copyright.

        I wish there was some physical switch on the phone which would reconfigure the USB port to HOST, and place USB at the top of the BOOT order.... so that the contents of the phone's operating system could be verified, or updated, via USB files *By The Owner of the Phone*. Not this sneaky behind your back when it finds an open connection to the internet kind of thing. If this thing is going to be writable, I would love to be able to back up a known trusted copy, as well as have a known trusted copy of a completely independent file verifier to vet the phone's code.

        If I want to update my phone or install an app, let me visit the phone's manufacturer and get the new program load as a file. Have SHA and MD5 digests provided so one can vet his file. Download to phone. If you are still concerned, boot the phone on trusted USB stick ( which can be vetted on other machines ) and have it vet the contents of the phone's memory without running the phone's OS.

        All this "background updating" has gotten so out of hand one would be hard pressed to tell if anything streaming through the back door is legitimate or not.

        --
        "Prove all things; hold fast that which is good." [KJV: I Thessalonians 5:21]
      • (Score: 3, Insightful) by goody on Tuesday March 14 2017, @02:53PM

        by goody (2135) on Tuesday March 14 2017, @02:53PM (#478930)

        Riiiiight. The US government is intercepting truckloads of equipment, opening each box up, reprogramming each phone with fairly easily detected malware written by third parties, repackaging without any signs of tampering, and sending them on their way, and of the hundreds or thousands of employees necessary to pull this off, each one is keeping quiet about the whole operation. A more plausible explanation is that it's just crappy supply chain company operations with poor practices and lousy quality control.

  • (Score: 2) by jmorris on Monday March 13 2017, @09:16PM

    by jmorris (4844) on Monday March 13 2017, @09:16PM (#478640)

    added later somewhere along the supply chain

    That is "please don't sue me" for "added by the carrier, either at the head end or by a massive infection of the systems at the retail end." And since the article seemed determined to omit the info on where it was found, I'd say it was not the U.S. or first world. Saying it was in India or somewhere kills most of the more valuable clicks and reblogs in the first world.

  • (Score: 0) by Anonymous Coward on Monday March 13 2017, @09:23PM (1 child)

    by Anonymous Coward on Monday March 13 2017, @09:23PM (#478642)

    You're posting outdated material.

    From TFA:

    Update: Monday, 3/13/2017, 6:16 Pacific Time: An earlier version of the Check Point blog post included Nexus 5 and Nexus 5x, but those models were removed without explanation in an update made over the weekend.

  • (Score: 1, Insightful) by Anonymous Coward on Monday March 13 2017, @10:18PM (2 children)

    by Anonymous Coward on Monday March 13 2017, @10:18PM (#478661)

    All the modern OSes are malware themselves. All of them are fashioned after Google's business model.

    Here's an idea. OS and apps that prioritize privacy. It may not achieve mass adoption, but it can command a premium for those who care, like luxury brands. After all, privacy these days is the ultimate luxury.

    • (Score: 0) by Anonymous Coward on Monday March 13 2017, @11:21PM (1 child)

      by Anonymous Coward on Monday March 13 2017, @11:21PM (#478686)

      Do you mean that they can charge a premium for the apps/OS? If so, that sounds like it would be proprietary software. You can charge for free (as in freedom) software, but people could just get it from someone distributing zero-cost binaries. If you honestly think that proprietary software--which denies users their freedoms and gives complete control to the developers--would do a good job of protecting people's privacy, then you are wrong. We need a Free Software phone OS developed by someone who does not have a vested interest in trashing user privacy (like Google does), and the modems in the phones need to be free as well.

      • (Score: 3, Interesting) by MostCynical on Monday March 13 2017, @11:30PM

        by MostCynical (2589) on Monday March 13 2017, @11:30PM (#478689) Journal

        Business models for making money from mobile devices:
        1. apps
        2. Apps with in-app purchases
        3. Handset sales
        4. Air/data time
        5. Your data

        As 4 and 3 decline, and people fill up their time and phones with apps, the only "growth" is in number 5.

        --
        "I guess once you start doubting, there's no end to it." -Batou, Ghost in the Shell: Stand Alone Complex
  • (Score: 1) by marknmel on Tuesday March 14 2017, @02:51AM (1 child)

    by marknmel (1243) on Tuesday March 14 2017, @02:51AM (#478733) Homepage

    ...and on top of that my DTEK50 got the March patch set last week.

    Nice to have a decent managed device from a company that actually values security.

    --
    There is nothing that can't be solved with one more layer of indirection.
    • (Score: 0) by Anonymous Coward on Tuesday March 14 2017, @06:35AM

      by Anonymous Coward on Tuesday March 14 2017, @06:35AM (#478787)

      Yes, and then they pulled out of the phone business. I bought a second Passport as a backup and will look wearily at what happens with TCL/BlackBerry Mobile.
