Every week we talk to leaders in the field of Android security about the threats they're seeing in the wild. This week we take a look at three different kinds of questionable apps: some that transmit your password unencrypted, one that's a Trojan version of a popular game, and several that spy on your spouse.
Bloons TD 5 Trojan
Fans of tower defense games are probably familiar with the Bloons series, where you take the role of monkey commandos bent on destroying parades of balloons. F-Secure says that on the Chinese third-party Baidu app store a Trojanized version of the game has been masquerading as the real deal.
Not all apps are available internationally, which drives some users to seek out not-so-legal alternatives. Other downloaders simply don't want to pay full price for popular apps. Whatever the reason, the bad guys know that a free version of a must-have game will get some downloads.
The Trojanized Bloons TD 5 requests a slew of extra device permissions that the original does not require. These include the ability to view fine-grain location information, install shortcuts, and access alert windows, among others.
It gets worse: F-Secure says that the Trojan app downloads executable content from a malicious website. "The content can be anything," said F-Secure. "It's up to the malware author."
Just another reminder that you should always, always, always download legit, for-pay copies of apps.
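The permission mismatch F-Secure describes can be checked by comparing the manifest of a suspect copy against the genuine one. The following is an added example, not code from F-Secure or from the original article; it assumes both manifests have already been decoded to text XML (for instance with apktool), and the two manifests and the package name are constructed samples rather than the real apps' manifests.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed sample manifests (decoded XML), not taken from either real APK.
ORIGINAL_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.game">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
</manifest>"""

SUSPECT_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.game">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <uses-permission android:name="android.permission.VIBRATE"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="com.android.launcher.permission.INSTALL_SHORTCUT"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
</manifest>"""

# The three permission kinds the article names: fine location, shortcut install, alert windows.
SENSITIVE = {
    "android.permission.ACCESS_FINE_LOCATION",
    "com.android.launcher.permission.INSTALL_SHORTCUT",
    "android.permission.SYSTEM_ALERT_WINDOW",
}

def requested_permissions(manifest_xml):
    """Return the set of permission names a decoded manifest requests."""
    root = ET.fromstring(manifest_xml)
    perms = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for el in root.iter(tag):
            name = el.get(ANDROID_NS + "name")
            if name:
                perms.add(name.strip())
    return perms

def extra_permissions(original_xml, suspect_xml):
    """Return (all extra permissions, the sensitive subset) of the suspect copy."""
    extra = requested_permissions(suspect_xml) - requested_permissions(original_xml)
    return sorted(extra), sorted(extra & SENSITIVE)

if __name__ == "__main__":
    extra, flagged = extra_permissions(ORIGINAL_MANIFEST, SUSPECT_MANIFEST)
    print("extra:", extra)
    print("needs review:", flagged)
```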
Unencrypted Fantasy Football Passwords
From Bitdefender, we received a tip on four apps that transmit unencrypted user data—specifically passwords. "In our opinion, it is unacceptable for any app, regardless of its purpose, to transmit personal data without encryption," Bitdefender told SecurityWatch. "It is particularly dangerous to people who use the same passwords for the apps as for social networking, email, and other sensitive accounts."
Among these were a card game app called Texas HoldEm Poker Deluxe Pro, a ticket booking assistant called Wizzair Search and Price Alerts, and an alternative reality game called Watch Dogs Live. The most interesting, and disconcerting, of the apps profiled by Bitdefender was the popular CBS Sports Fantasy Football app, which has been downloaded between 100,000 and 500,000 times and carries a great deal of authority with the CBS name.
If the password is not encrypted on the device before it's sent to servers for authentication, then it's relatively easy for attackers to intercept the authentication information. The bigger risk isn't that your Fantasy Football account might be compromised (though I am sure that's a big deal for some), but that attackers could find other accounts where you've reused the same password and username combination.
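A developer or tester can look for this problem in their own app by routing its traffic through a proxy and flagging any request that carries a credential field over plain HTTP. The following is an added example, not code from Bitdefender or the original article; the hostnames, parameter names, and captured records are constructed, and the record format (method, URL, form-encoded body) is an assumption about what the proxy exports.

```python
from urllib.parse import urlsplit, parse_qsl

# Parameter names treated as credentials (an assumption; extend per app).
CREDENTIAL_KEYS = {"password", "passwd", "pwd", "pass"}

# Constructed proxy-log records: (method, url, form-encoded body).
CAPTURED = [
    ("POST", "http://api.fantasy.example/login", "userid=alice&password=hunter2"),
    ("POST", "https://api.fantasy.example/login", "userid=alice&password=hunter2"),
    ("GET", "http://tickets.example/search?from=BUD&to=LTN", ""),
    ("GET", "http://poker.example/auth?user=bob&pwd=s3cret", ""),
]

def cleartext_credentials(records):
    """Return (method, host, path, field names) for credentials sent without TLS."""
    findings = []
    for method, url, body in records:
        parts = urlsplit(url)
        if parts.scheme.lower() != "http":
            continue  # HTTPS requests are not readable by an on-path observer
        # Credentials may travel in the query string or in the form body.
        params = parse_qsl(parts.query) + parse_qsl(body)
        leaked = sorted({k for k, v in params if k.lower() in CREDENTIAL_KEYS and v})
        if leaked:
            # Report only the field names, never the secret values themselves.
            findings.append((method, parts.netloc, parts.path, leaked))
    return findings

if __name__ == "__main__":
    for finding in cleartext_credentials(CAPTURED):
        print("cleartext credential:", finding)
```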
Spyware For Jealous Lovers
Appthority tipped us to three pieces of spyware, which is effectively legal-ish malware. The applications can do a number of things, from tracking calls and texts to finding the precise location of the device. What's interesting about them is that they're marketed towards individuals who want to spy on their significant others.
Several of these apps available on Google Play are merely downloaders which, once installed, retrieve packages of spyware, install them on the target device, and then hide their presence. Boyfriend Tracker, for instance, downloads the MSpy package and can send call logs, SMS texts, e-mails, contact information, recorded audio, recorded video, geo-location, and Facebook chat logs to MSpy servers.
Similarly, an app called "SMS, Whatsapp & Locate Spy" downloads the spytomobile software package to gather most of the same information as MSpy. The SpyBubble app, on the other hand, uses its own spying software to gather info from infected devices and is disconcertingly targeted at parents, spouses, and employers.
Not only are these spy apps gross and invasive, but they place the personal information of the victims on the server of another company. Before you think about installing one of these on someone's phone, consider that whatever information is gleaned will also be stored by a third party.
Avoiding these applications is tricky, since they require someone to take hold of your phone and install them. Our traditional advice for avoiding malware simply doesn't apply when someone wants to infect your device. The best course of action would be to set up a device passcode and not share it with anyone—perhaps even change it periodically. Fortunately, many of these apps will get caught by security software, so be sure to scan your device often.
Alternatively, you can invest the time and effort into a healthy, communicative relationship which doesn't require installing dangerous spyware onto phones.