4million people downloaded data-stealing Android app - Nexus One General

http://www.tgdaily.com/security-brief/50862-as-many-as-4-million-people-downloaded-data-stealing-android-app
Mike Luttrell | Thu 29th Jul 2010, 08:30 am
A seemingly innocuous Android app that let users change their phone's wallpaper has actually been stealing private user information and may have been downloaded millions of times.
Users should be concerned if they downloaded an app from "Jackeey Wallpaper." While it does perform the functions described in the app download page, it also ends up taking the phone's Internet browser history, mobile phone number, every single text message, and voicemail password. That information is then sent to a website based in Shenzhen, China.
Click to expand...
Click to collapse

http://phandroid.com/2010/07/29/another-app-stealing-data/
[Update]: MyLookout chimed in with us to clarify some details that other outlets have been reporting. Specifically, the app does collect data from your phone, but only the device’s phone number, subscriber identifier, and voicemail number fields are retrieved. SMS and browsing history are not touched by any of the apps they analyzed throughout their Blackhat conference. Your voicemail’s password is also not transmitted unless you included the password in your phone’s voicemail number field.
We’re not yet certain on what the developer’s intentions are for using the pieces of data it does send to China – so we can’t outright call it malicious – but it is collecting and sending data nevertheless. Hopefully that clears up some of the confusion everyone’s been faced with regarding the read-only property READ_PHONE_STATE that the application uses to access certain pieces of data.
Click to expand...
Click to collapse
So no SMS, browsing history or voice mail password taken.

FOR REAL?!?!

All your data belongs to somebody else
jp_macaroni said:
http://www.tgdaily.com/security-brief/50862-as-many-as-4-million-people-downloaded-data-stealing-android-app
Click to expand...
Click to collapse
Free isn't free: http://www.androidpolice.com/2010/0...t-all-your-data-are-belong-to…-somebody-else/

Same happened to me with an app posted here for movies
Flixster for android
http://www.flixster.com/
I did find out ON TIME , that someone was messing with my gmail account , had to change my password inmediatly
I received an altert from an IP ( from their site ) trying to change my password !
You've been warned , happened to me !

It's not like it doesn't show you the stuff when you install apps.. And this "Genome Project" thing is out of context nonsense.... 14% of free apps have access to your contacts. You realize that includes IM programs, SMS programs, Email programs, etc....
If you install a wallpaper app that requests access to your Accounts and Contacts, well....
http://www.cyrket.com/search?q=Jackeey+Wallpaper
I don't see such permissions on the 2-3 I looked through, but maybe specific ones did.
Another thing about this "lookout" app and Genome Project.. Look at the permissions on their app on the market:
Permissions: ACCESS_COARSE_LOCATION , ACCESS_FINE_LOCATION , ACCESS_NETWORK_STATE , CLEAR_APP_CACHE , DISABLE_KEYGUARD , GET_ACCOUNTS , INTERNET , MANAGE_ACCOUNTS , MODIFY_AUDIO_SETTINGS , PERSISTENT_ACTIVITY , READ_CONTACTS , READ_LOGS , READ_OWNER_DATA , READ_PHONE_STATE , READ_SMS , READ_SYNC_SETTINGS , READ_USER_DICTIONARY , RECEIVE_BOOT_COMPLETED , RECEIVE_SMS , VIBRATE , WAKE_LOCK , WRITE_CALENDAR , WRITE_CONTACTS , WRITE_SETTINGS , WRITE_SMS , WRITE_SYNC_SETTINGS , WRITE_USER_DICTIONARY , com.android.browser.permission.READ_HISTORY_BOOKMARKS , com.android.browser.permission.WRITE_HISTORY_BOOKMARKS
What if the 'AV' software itself turns out to be the one stealing data? If anything could, it could.

we get that all apps ask for permission to allow access to our location, contacts, emails etc....but to gather our private info and sell them to China.....thats messed up.
time to sue.

That information is then sent to a website based in Shenzhen, China.
Click to expand...
Click to collapse
question:
if this app was downloaded and used by US government....would it be considered as a SPY? lol

It's a big deal, but it illustrates very well that android users are in a ffa environment without someone looking over their shoulder to protect them.
It's good and bad. Some people will call bad on google for not protecting them, but others will see it for the truth of it and know they have to cover their own ass.

Wouldnt a functional firewall app work for this?
cutting off apps access to non essential portions of data...but also from data transmitting?
Flixster is malicious??

pvillasuso said:
Same happened to me with an app posted here for movies
Flixster for android
http://www.flixster.com/
I did find out ON TIME , that someone was messing with my gmail account , had to change my password inmediatly
I received an altert from an IP ( from their site ) trying to change my password !
You've been warned , happened to me !
Click to expand...
Click to collapse
Woaaah now... I have used this app on almost ever ROM I flash - downloaded straight from the market each time. I've never had an indication that my information was compromised in any way... Are you 100% sure that Flixster was the culprit? That's a pretty heavy claim for what I think is a very widely used (and recommended) app.

and what about all the gmail notifiers?
More fears:
I will preface this by saying I don't know much about Android security, but to me, it's as secure as any PC.
So: what about gmail notifier apps and apps that ask for access to your gmail account?
Do they have access to your gmail password? Seems like it. So what's to stop malicious gmail notifier developers from stealing your gmail passwords and having their way with your google account, for example, grepping your mailbox for banking information.
Also think about keyboard apps, what's to top malicious keyboard developers from writing a keyboard which logs all your keystrokes to a zipfile then uploads it to a russian server for analysis of B-A-N-K and P-A-S-S-W-O-R-D and then the next keystrokes which follow that?
It doesn't end there. Picture apps which can steal your pictures. Apps which can record your phone conversations and upload the audio to servers a few hours later so you don't notice that data going on.

bwolmarans said:
More fears:
I will preface this by saying I don't know much about Android security, but to me, it's as secure as any PC.
So: what about gmail notifier apps and apps that ask for access to your gmail account?
Do they have access to your gmail password? Seems like it. So what's to stop malicious gmail notifier developers from stealing your gmail passwords and having their way with your google account, for example, grepping your mailbox for banking information.
Also think about keyboard apps, what's to top malicious keyboard developers from writing a keyboard which logs all your keystrokes to a zipfile then uploads it to a russian server for analysis of B-A-N-K and P-A-S-S-W-O-R-D and then the next keystrokes which follow that?
It doesn't end there. Picture apps which can steal your pictures. Apps which can record your phone conversations and upload the audio to servers a few hours later so you don't notice that data going on.
Click to expand...
Click to collapse
The same things are possible for a regular computer as well. You can connect to a site and it could execute a download that then snoops your keystrokes and uploads them somewhere.
The difference (so far) is that on android you have to install an app to do that.
The takehome message is to excersize caution and install apps you can verify where they come from and what they do.

This will happen more and more. Mobile is where people are doing most of there communication and beginning alot of banking.
Not just Android all mobile OS.
Like I said a zonealarm/lilsnitch like app would be of great use. Even if logging or reading they still need to communicate out. An easy low mem/bat/cpu usage app that monitors this behaviour would go along way.

This is becomming a bigger issue and we do need some type of security alert monitor!
http://www.newsfactor.com/story.xhtml?story_id=13100EVAC2WI
"Mobile apps on Android-powered smartphones and Apple's iPhone can disclose more personal data than most users realize, security vendor Lookout revealed Wednesday at the Black Hat USA 2010 conference in Las Vegas. Rather than being malicious, users often give the apps permission to access data when they are installed...."

jp_macaroni said:
http://www.tgdaily.com/security-brief/50862-as-many-as-4-million-people-downloaded-data-stealing-android-app
Click to expand...
Click to collapse
Opps missed this post prior to posting my thread...
http://forum.xda-developers.com/showthread.php?t=739446

Arcarsenal said:
Woaaah now... I have used this app on almost ever ROM I flash - downloaded straight from the market each time. I've never had an indication that my information was compromised in any way... Are you 100% sure that Flixster was the culprit? That's a pretty heavy claim for what I think is a very widely used (and recommended) app.
Click to expand...
Click to collapse
100% sure , I checked out the IP involved , and it pointed directly to their website !!!

pvillasuso said:
Same happened to me with an app posted here for movies
Flixster for android
http://www.flixster.com/
I did find out ON TIME , that someone was messing with my gmail account , had to change my password inmediatly
I received an altert from an IP ( from their site ) trying to change my password !
You've been warned , happened to me !
Click to expand...
Click to collapse
Don't be stupid. Flixster is a 100% legitimate app. Don't bad mouth it because you fell for a phishing scam some place else.

GldRush98 said:
Don't be stupid. Flixster is a 100% legitimate app. Don't bad mouth it because you fell for a phishing scam some place else.
Click to expand...
Click to collapse
Use it then, who cares anyway ..!
Hope u get your gmail account hacked ...

samagon said:
The takehome message is to excersize caution and install apps you can verify where they come from and what they do.
Click to expand...
Click to collapse
Easy to say, but how do you 'verify where they come from and what they do'?

Related

Chrome2Phone -- Exploitable?

Had the thought that perhaps the new feature, to send your nexus a direct link from your computer, might be exploitable by some unfriendly people.
What do you all think the risks are, if any?
If it can tell your phone to open the browser and launch a website, whats to stop someone from telling your phone to buy ten thousand copies of Conan the Barbarian, or destroying itself and catching on fire. Kidding of course, but you get what i mean.
Very difficult. It'd be just as likely as someone stealing your Gmail account.
Mmm, ok. Thought I would ask
It has the potential, under the right circumstances, to be used for evil though! EVIL!
I'm not entirely sure, but from what I understand all intents go through google servers. I assume google is doing checks for malicious behaviour on their end.
Don't you have to register a phone to a gmail account and be logged into that account to send to the phone?
Haven't tried the app myself make it wouldn't make sense any other way ;-)
You have to be logged in. And i thing info is sendt via google servers, so unless someone steals your google account, i think you should be safe
it only triggers the browser or maps. I guess the risk would be real, but on the phone side you have the option to set it to do nothing but notify you FIRST prior to any action. If you didn't initiate anything, then you could click cancel at that time.
chromiumcloud said:
it only triggers the browser or maps. I guess the risk would be real, but on the phone side you have the option to set it to do nothing but notify you FIRST prior to any action. If you didn't initiate anything, then you could click cancel at that time.
Click to expand...
Click to collapse
one of the things being worked on is making the phone dial a number selected on the browser. that could get interesting
I believe that Google are running a closed beta at present too, so the only people that can write apps that use cloud messaging will have been vetted by Google.
All the components of the extension (chrome extension, android application and application server) are open source, what prevent anyone from developing an other extention that use google cloud service to communicate with android ?
ludo218 said:
All the components of the extension (chrome extension, android application and application server) are open source, what prevent anyone from developing an other extention that use google cloud service to communicate with android ?
Click to expand...
Click to collapse
All of the messages go through the Google servers
As I understand, the application engine part of the extension (which runs on google application engine) register itself to "the cloud" using google api. Anyone should be able to use these api, no?
It most certainly could be exploited. I can think of a javascript exploit that would work right now.
However the consequences of an exploit are severely limited by the security model that Android uses. Something can not run in another security context unless you allow it to.
The day "Chrmoe2Phone" asks for root access is the day it should be removed from your phone. Until then they most it could do is tell an app to do something that you've already allowed that app to do (which could arguably be undesirable things).
The user needs to explicitly permit all security privileges in Android remember (read that app install page with security details!). If it can do something, you've permitted it to do so.
tanman1975 said:
one of the things being worked on is making the phone dial a number selected on the browser. that could get interesting
Click to expand...
Click to collapse
That is true, but if i recall correctly, when you choose a phone number link from the browser, it will bring the number up in your dialer application, but you must initiate the call with the green call button, so there is a level of security there.
actually this could be a pretty nifty security feature. Is the phone gets stolen how great would It be to able to enable the gps, camera or mic? Given proper security protocols of course...
@tanman1975
Didn't think of that one. T'would be a very powerful tool against the robbers out there. Nice.

How the hell did Google get my entire contact database?

Some of you are aware of how "paranoid" I am, and refuse to have my Calendar and Contact synced via google.
Just before I did my firmware upgrade today, I used an application in the market place called MyBackup, but I carefully avoided choosing to backup to local (SD card) and not Online.
After I flashed the new firmware and made the restore, I discoverd to my horror that all my contacts are now having the symbol "g" within a square, which I understood to be indicative of the fact that these contact are now also stored in Google's server somewhere, and none of the contact are coming from my phone! So, MyBackup restored my entire contact database from my phone to the cloud rather than my phone? There is not single contact entry on my phone now. Everything I have is shown to be from Google.
Anyone knows how the hell could this happen? Is MyBackup a sneaky program which steal all these information and put it to the cloud without my consent?
I'm really really pissed
Now I'm forced to put in dummy tel number and address, birthday to all my contact and let Google get the false data, before abandoning Google phone platform all together. THIS IS EVIL, SNEAKY, UNETHICAL !!!
You really are paranoid .
I don't think MyBackup Pro actually stores all your contacts on some Google server - I think the app just assumes they are Google contacts. I've stopped using it for backing up contacts for a different reason: because it duplicates everything when restoring it - a real PITA. And by everything I mean everything - linked contacts become multiple independent contacts, some of them without any details and impossible to delete without a factory reset. I'm actually using Kies for that now (ironic, no? ).
Do you have a Google account for using the phone with? The simple thing do is to log in there and check whether your contacts are actually in there. If not then they probably aren't.
If you are that paranoid perhaps put the phone into airplane mode when you backup?
I think you are being a bit paranoid here. Besides google might just keep changelogs on the contact which would render you attempt with dummy info useless.
I just checked. I don't see any entry under contact when I signed in. Whew!
But please explain to me why all my contacts now are displayed under the google heading? (You know the display option in contact lets us select contact on the SIM, Phone, or Google?), now all my entries are under google. Yet, I don't see any thing there (yet?)
According to this thread, I think there's still a possibility that my details has already been taken without my permission, although it's not reflected in the contact list in google account.
I'm confused...
To anyone of you thinking that I'm paranoid, one day you will know I'm right. The world just isn't as innocent as you think.
I have to very seriously re-evaluate whether I would want an Android phone. It's way too open, anyone can take information from me, since there is no QA done on the market place applications.
Think someone's had a bit too much wacky tobacco.
GOT you info
I could be wrong but all my contact say Google except the one i use my HTC Sync to transfer my work email from Outlook.
By the way i can see all of your contacts. You were too late!!!
eaglesteve said:
To anyone of you thinking that I'm paranoid, one day you will know I'm right. The world just isn't as innocent as you think.
I have to very seriously re-evaluate whether I would want an Android phone. It's way too open, anyone can take information from me, since there is no QA done on the market place applications.
Click to expand...
Click to collapse
Ok, for starters,
1) The [G] means they have been imported into your Google account. Probably, as mentioned by your backup. Go to Google Contacts and you can wipe them. But no, I don't believe they took them without your permissions.
2) What makes your email addresses so valuable? Do you honestly believe Google cares? Hahaha... Clearly, you don't know anyone who works at Google. I met a bunch and they really are all legends, and they know your rights. They are normal people, not politicians. This is in comparison to Apple people I know, who I post stuff to on their facebook wall, they remove it secretly and tell me by email that they didn't want their manager to see it.
3) If you are concerned about privacy, why can you trust the "MyBackup" program. did you install an applications which isn't open source?
Perhaps you should get a dumb phone or hack up your own firmware and remove Google's services?
You should also consider avoiding entering ANY google account if you don't trust them. Why did you enter them in the first place? To enter the market where Google could track your downloads, your location and your firmware? Seriously, I strongly urge you to sell your Android phone if you don't trust them. Instead, get a dumb phone. I however believe my contacts list is useless to Google, so have no problems sharing information with them
i don't know about that backup program you are using.
however, if you are concerned about the contacts @ google.
just login to your google account, and select DELETE all contacts, in your account.
then it'll be all gone
you can do the same for all the emails too.
once deleted they will no longer have your data on their servers.
eaglesteve said:
Some of you are aware of how "paranoid" I am, and refuse to have my Calendar and Contact synced via google.
Just before I did my firmware upgrade today, I used an application in the market place called MyBackup, but I carefully avoided choosing to backup to local (SD card) and not Online.
After I flashed the new firmware and made the restore, I discoverd to my horror that all my contacts are now having the symbol "g" within a square, which I understood to be indicative of the fact that these contact are now also stored in Google's server somewhere, and none of the contact are coming from my phone! So, MyBackup restored my entire contact database from my phone to the cloud rather than my phone? There is not single contact entry on my phone now. Everything I have is shown to be from Google.
Anyone knows how the hell could this happen? Is MyBackup a sneaky program which steal all these information and put it to the cloud without my consent?
I'm really really pissed
Now I'm forced to put in dummy tel number and address, birthday to all my contact and let Google get the false data, before abandoning Google phone platform all together. THIS IS EVIL, SNEAKY, UNETHICAL !!!
Click to expand...
Click to collapse
It's BackupPro when it restores the contacts it assigns them as Google. I made the mistake of backing-up and restoring contacts with this and spent the next hour wondering how I've got contacts with 3 Google entries when I was expecting only two.
I have no problem syncing all my data with Google's servers, but I want to remember everyone that the right of privacy is an absolute requirement for a working democracy.
If eaglesteve does not want his data being stored at a central repository then he has every right to freak out when it appears as if his contacts were synced with Google's Servers.
Of course, if he should believe that Google is after him personally, well, then this is probably a bad sign of paranoia
flamingpitofhell said:
You really are paranoid .
Click to expand...
Click to collapse
I thought the same until I saw he's in Australia.... the government over there is screwed up big time. The crap they are trying to do to their Internet is appalling.
I'm also paranoid about the same...i did this to solve (ive not an english firmware so will try to give simmilar instructions):
go to contacts -> menu -> more -> import/export and save all contacts to a vcard on SD, and connect to pc and save that vcard on pc.
Go into settings -> privacy -> "erase all data" (dunno how its called on english firmware)
then i chose to erase data on SD also after unmounting it.
After that i restarted phone without simcard and with volup+home+power i cleared cache and hard reseted it.
After that the phone boots with factory settings and without simcard and keep it that way and connect to internet via wireless after booting.
Then i checked if i had no contacts, there were none so all okay... went to menu, definitions -> "accounts and sincronization" and i added my google account, but i unchecked first the auto sync and data in second plan above (the options above, dunno how they are called in english firmware). Then the google account was added. Then i disabled wireless and checked the options i disabled in last step (the auto sync and the other), i opened the google account i added in last step and disabled all syncs there (sync calendar, contacts and gmail).
After that i went to contacts and restored all contacts via the vcard, all are stored on phone after that (via the same import/export option).
As a final option i went to my gmail and deleted all contacts synced... now the phone is not syncing with google in any way but i can use the market because i have a google acc added...
dunno if i explained myself well, it worked for me that way.
I'd love to hear some worst case scenarios of what you think might happen if mr google checks your contacts and finds your mate Fred's email address.
And also why you'd think anyone would want to know your contacts.
are you worried that your network provider has a log of who you called and when?
if they find Fred's address, Fred is effed.
Sent from my GT-I9000 using XDA App
well.... i dont like to give my info/data away, just really when needed.... some years ago maybe not, but today, google and other companies have so much info about so much people around the world, and you dont even know if they use it or not, you are not there to check... they can for example see the places you visit more because of gps tracking, if people in some zone visit shoppings a lot and at what times, who your friends are and if they use android and gmail also (by contacts), and assemble strategies for their business based on that, because all we are giving is free info about what we do, who we are, who our friends are....that, for business activities is very valuable. And im not talking about gmail, with all valuable info about everyone, they are able to see all your info since you have all stuff stored on their servers and they dont need to tell to you anything about it and you dont even know they maybe will do it... i may be wrong, but thats my point of view, i didnt had that oppinion since a friend i have, erased all his mails from gmail telling me "google can use all my info for marketing purposes or another stuff"...
They give us free services, but there is no such things as free services... we pay with info to improve their business, thats my point of view...
I'm not concerned with the email of my friends. I'm concerned that their photos, address, birthday, spouse's name, children's name, telephone number, work place number, fax number, and everything is on the cloud, which means any hacker could get it, and the consequence would be serious. It's not giving MY details away. It's giving my friend's details away, and I don't want to do that to my friends.
In Australia, we have this thing called the Privacy law. You just can't come around and grab my wifi address, email login password, and claim that you make a mistake unintentionally. All these data stealings are deliberate.
For those of you saying that it's not a big deal, could you all in your next post show me your real photos, address, name, telephone numbers, birthday, spouse's name, children's name, and the other typical contact info on this forum.
So, now they grabbed my contact without my consent. Have they also grabbed my eWallet password file and are now cracking it?
I can't believe you guys are not seeing problem here.
Nuf said.
as long as google don't try to sell me anything they can do what they want with my data.
I'm pretty sure my bank and credit card company know more about me than google and their sales and junk mail are certainly more annoying than anything google ever did to me.
Sent from my GT-I9000 using XDA App

my hotmail account has been spamming people

Long story short i have my hotmail, along with other accounts setup in my evos email client, awhile back I noticed I sent myself an email about diet crap that I personaly did not send and so I dismissed it.
Well tonight I had over a hundred mailer daemon unable to reach address blah blah in my email inbox I check my sent box and sure enough my account has been mailing random people crap about diet stuff.
Anyways i heard Android has some exploits that could be leading to our phones being related in a exploit.
I changed my email password and it stopped doing this temporarily but it started right back up again after a while.
Can this be Related to my phone at all?
Sent from my PC36100 using XDA App
It's probably not your phone.
It's far more likely that you (or someone else in your household) clicked something you shouldn't have on a website, and have a keylogger on your computer now.
Or if you're... Uneducated enough to be running an open WiFi network (or, even more facepalm-worthy, connected to one that doesn't belong to you, and mooching off it), then someone could be picking up your plaintext passwords.
But really, biggest chance is you've got some malware on your computer. Congrats!
Your biggest issue is that you are still using hotmail...
- Changed your hotmail password from a virus-free computer or your EVO's browser.
- Run AntiMalware and an antivirus on your computer.
- Switch to Gmail
Problem solved.
well, i know about wlan encryption and i use wpa2 personal, i also know how to crack wep
i also know about keystroke loggers, i do use them and know how to detect software versions of them
somehow my girlfriend somehow gets a copy forwarded to her of email i reply to, even though there is no trace of a setting for this anywhere that i can find, which i always found suspicious and it doesn't happen all the time. she could be spying or maybe its from when we tried to link our outlook calendars and something broke
i use hot-mail because until recently i have had zero problems and i created this hotmail account back in 2001 on my dream cast before i even knew how to turn on a pc, and now i run a computer repair shop, so it kinda has sentimental value, so i want to fix this, not throw it away. also i have many other email address for work and school purposes so email isn't nothing new to me.
last night i had my gf change my password on my hotmail account because i was on my evo and hotmail.com kept sending me to their mobile site and i couldn't see any settings for change password and she had her laptop in her lap. maybe her laptop is the culpti but i doubt it, i will check into it though.
today i changed my password to my hotmail on my work computer. i will allow my evo access to the new password for the sake of tying to figure out where the culprit is and only changing one thing at a time.
thanks for the replies i really was hoping to hear that someone has less then public information about hotmail email servers them selves being hacked. because i have friends with hotmail accounts that started spamming me not too long before my account starting spamming others.
i guess i'll use this thread to keep notes on this situation, but thanks for the replies
zeuzinn said:
- Changed your hotmail password from a virus-free computer or your EVO's browser.
- Run AntiMalware and an antivirus on your computer.
- Switch to Gmail
Problem solved.
Click to expand...
Click to collapse
yep all I had to do was change my email on another SAFE PC and then I was good to go. But dont discount adware programes and all.
DL and run/update
Malware bytes, Super antispyware and update and load spyware blaster. You'll be good to go.
spybot/teatimer ftw
drmacinyasha said:
It's probably not your phone.
It's far more likely that you (or someone else in your household) clicked something you shouldn't have on a website, and have a keylogger on your computer now.
Or if you're... Uneducated enough to be running an open WiFi network (or, even more facepalm-worthy, connected to one that doesn't belong to you, and mooching off it), then someone could be picking up your plaintext passwords.
But really, biggest chance is you've got some malware on your computer. Congrats!
Click to expand...
Click to collapse
Please don't be politically correct. :|
Stupid not uneducated. He says he knows all this, so uneducated wouldn't apply.
...
Sorry, I'm very blunt. :|
Well my hotmail accounts were still spamming people, also my yahoo account started to join in on the fun.
I changed passwords on both accounts to something very lone Qiu no dictionary words and used numbers and symbols. And about a day later low and behold I am spamming people again.
Focusing in on my hotmail account, I can see the sent folder, in my web based GUI, I can see all these emails that my account has been sending.
I have probably have questionable apps on my phone so I thought I'd wipe my phone. Well, its been 4 days since I have had any problems.
While I can't confirm my suspecion, I can suggest as a possibility that my phone had something that was pulling my passwords and sending them out to someone or something that would inturn log into my accounts and spam away.
I don't have time to really look into this any more thoroughly but I thought I'd document my observations.
Sent from my PC36100 using XDA App
potna said:
well my hotmail accounts were still spamming people, also my yahoo account started to join in on the fun.
I changed passwords on both accounts to something very lone qiu no dictionary words and used numbers and symbols. And about a day later low and behold i am spamming people again.
Focusing in on my hotmail account, i can see the sent folder, in my web based gui, i can see all these emails that my account has been sending.
I have probably have questionable apps on my phone so i thought i'd wipe my phone. Well, its been 4 days since i have had any problems.
While i can't confirm my suspecion, i can suggest as a possibility that my phone had something that was pulling my passwords and sending them out to someone or something that would inturn log into my accounts and spam away.
I don't have time to really look into this any more thoroughly but i thought i'd document my observations.
Sent from my pc36100 using xda app
Click to expand...
Click to collapse
STOP using pirated apps. That's my guess.
It was most likely an app that requests permissions to your contacts and email. There are a lot of shady apps out there and google needs to step up with this crap.
I always avoid them but it's ridiculous how many apps (themes and stupid stuff) request information.
Well surprise surprise, it was most likely an app I got from the market that was stealing my info. Not that I can confirm it, but most of the replies implied I was an idiot and that it couldn't possible be my phone. I eventualy got an email from Google saying I had installed something from the mArket that was infected.
So it was not that I'm stoopid ignorant, it wasnt that i was using hotmail, it wasnt that my pc was infected.
It was my phone all along.
Maybe there is a thread about this already, but I bet my topic.was created first and I thought I'd bring this thread to a conclusion.
Sent from my PC36100 using XDA App
I hate to say it but if you downloaded an app that infected your device with malware you still are pretty stupid. Not trying to be an a**hole here but if you actually researched the app before downloading it you could have advoided it altogether. Common sense is still the best antivirus.
Sent from my PC36100 using XDA App
This isn't malware on your phone. It's been a huge issue with hotmail for the past couple of weeks. People who use the same pass across multiple sites usually are the most vuln. Also happens when you get phished.
I have a friend thats has the same thing going on with his hotmail...hasn't been using it at all and all of a sudden I'm getting emails from him sending me links to increase my penis length...and god knows I don't need that..
I wouldnt dismiss it being non-phone related. I recently have been having it happen on my hotmail account as well and I have not logged into my hotmail account on a computer in years only have it on my phone to setup craigslist ads, Redbox rentals and small stuff like that and use gmail for important stuff. I dont have any Pirated apps or anything just normal stuff 12 or so games and 15 or so other market apps.
Same thing happened to my hotmail a while back. I changed my password and it solved the problem.
Sent from my rooted HTC EVO using the xda app!
alright guys stop calling the op stupid and learn ya something yourselves. Even legitimate apps were affected read the news every once in awhile and you would know. This is just one of the many articles on the topic.
http://m.cnet.com/Article.rbml;jses...fVH2Mtw**?nid=20039881&cid=null&bcid=&bid=-83
Sent from my Supersonic Evo using Xda-app.
Last-Chance said:
This isn't malware on your phone. It's been a huge issue with hotmail for the past couple of weeks. People who use the same pass across multiple sites usually are the most vuln. Also happens when you get phished.
Click to expand...
Click to collapse
Exactly, it happened with my hotmail account a few months ago, and I havent used my hotmail in months.
alright guys stop calling the op stupid and learn ya something yourselves. Even legitimate apps were affected read the news every once in awhile and you would know. This is just one of the many articles on the topic.
Click to expand...
Click to collapse
Unless you login to hotmail from your phone's browser, there is no way one of these apps could get your hotmail info.
i swear, i dont know why i take peoples opinions so damn seriously around here...but for the sake of my sanity and the general level of competence of reading and having accurate postings with good conclusions here i go again.
there were a handful or legitimate applications on the market than were infected.
i already changed my email passwords and it ddint help
when i formatted/re flashed rom...it stopped
i later received some notification of some market tool that Google automatically installed and ran and "fixed the issue"
i received an email from Google telling me about a phone tied to my gmail account may have been infected, but i already solved my issue my self, so their fix didn't apply.
how the hell can you people some how twist this into "op is dumb, or stupid"?
now for a bit of my SPECULATION, and its only that, its not my opinion thrown at you as fact, as so many here love to do.
what are the odds that all of us android users just happen to have our email accounts hacked? whats the one thing all of us email user have in common on these boards....android. just saying
btw, more than just my hotmail account was hacked.
here are some urls that the idiots wont read, talking about what i have been trying to say
http://www.google.com/search?q=Droi...s=org.mozilla:en-US:official&client=firefox-a

[Q] Using a Nexus 4 without sending every private piece of info to Google

I got my N4 a couple of days ago. It's my first foray in the Android world.
The requirements that I am hoping to meet are pretty simple:
1) I want to be able to call contacts and send text messages
2) I don't want Google tracking my contact list
3) I don't want Google tracking my location
4) I don't want Google tracking my browsing history
5) I want to be able to use the Play store to download 3rd party apps. I didn't buy an N4 to use it it like a dumbphone. Logically, the Play store shouldn't require constant access to my contacts, location or browsing history.
I am making this post to get help meeting the above requirements. Despite seeming really basic, I'm running into trouble, and I think I will need frequent help. This thread can act as a journal that hopefully other people can follow.
What I did so far is immediately flashed the N4 to AOKP, and applied the OpenPDroid patches (though I've yet to use OPD). From a blank slate start, I declined to create an account, disabled location access, etc, during the startup wizard.
Adding a contact round 1
I was able to create a local, unsynced contact.
Using the Play store
I was forced to sign up for a gmail account, which is normal. I declined to "keep this phone backed up with my Google Account". I then went in Settings > Account and disabled sync for everything, including Contacts. I also disabled background sync in the power controls.
Adding a contact round 2
I am now unable to add a contact without being forced to sync it with my BS gmail account. When I click "Add Contact" in the phone app, a dialog says "Your contact will be synced with [email protected]" and my choices are either "OK", "Add other account", or to cancel out by clicking Back.
So I'm already stuck. Once a Play account is created, I am now unable to do something as basic as adding a contact without sending it to Google. Can someone tell me how to get past this obstacle?
That's how Google makes their money! Your only options are to either start using the amazon app store only or side loading apps if you don't want Google involvement. Good luck.
Sent from my Nexus 7 using xda premium
Why? Like they don't have all your information already? You freely give your information to everyone when you use the internet. Congratulations. You are not that special.
Sent from my Nexus 4 using xda app-developers app
Eurotrash: always in this sort of discussions there's people like you who essentially advocate shutting up and taking it. "That's how things are" is not an acceptable solution to my problem, or I would not have made this post. There IS a way around the creeping, and someone knows it. My last resort is blocking every Google service from accessing the Internet except Play. I'm asking here because I'm hoping there's a less extreme solution that other people can use.
Gotzadroid: I will hold out for a better solution. Amazon appstore will likely be limited. Sideloading is not possible because many devs don't provide APKs
I know you can get an app to block individual permissions of other apps: https://play.google.com/store/apps/details?id=com.stericson.permissions
It requires root. Not sure about the contacts and other stuff you wanted to block, im assuming you've disabled location services.
Why not try flashing like cm10 and not flashing gapps so no Google apps? Then just manually downloading the apps apks and sideload the ones you need?
Sent from my Nexus 4 using Tapatalk 2
Didn't think my post lacked clarity, so hopefully this will be clearer:
My ONLY problem right now (we'll leave the rest for later) is that the Phone app, an essential app if I want to use my phone for making calls, an app that isn't even part of Gapps, doesn't let me add a local contact without sharing it with Google. That's it. Forget everything else in my post.
So my simple question is, how do I add my friend Bob to my contact list, locally in phone memory or on the SIM card or whatever, without telling Google I'm friends with Bob and giving them his phone number?
MachinTrucChose said:
Didn't think my post lacked clarity, so hopefully this will be clearer:
My ONLY problem right now (we'll leave the rest for later) is that the Phone app, an essential app if I want to use my phone for making calls, an app that isn't even part of Gapps, doesn't let me add a local contact without sharing it with Google. That's it. Forget everything else in my post.
So my simple question is, how do I add my friend Bob to my contact list, locally in phone memory or on the SIM card or whatever, without telling Google I'm friends with Bob and giving them his phone number?
Click to expand...
Click to collapse
As previously mentioned, try flashing a rom without gapps
OK, try this. Make a dummy gmail account for the play store only. Get all the apps you want and then sign out of gmail. Only sign back in when you want another app. That should keep Google from syncing all your info.
Sent from my Nexus 7 using xda premium
Michealtbh said:
As previously mentioned, try flashing a rom without gapps
Click to expand...
Click to collapse
The Phone app is not a part of gapps. It came on the stock ROM before I flashed gapps on it. I didn't try it before adding gapps, are you saying it will change behavior and no longer prompt me to sync when I try to add a contact?
I gotta go to sleep, I'll do more tests tomorrow evening to test this (and wait for your reply to the above question in case you misread my posts).
If the answer to the above question is yes, this would immediately beg another question: how do I install 3rd party apps from Play without flashing gapps?
gotzaDroid said:
OK, try this. Make a dummy gmail account for the play store only. Get all the apps you want and then sign out of gmail. Only sign back in when you want another app. That should keep Google from syncing all your info.
Sent from my Nexus 7 using xda premium
Click to expand...
Click to collapse
That's what I did in the OP (2nd bolded step). I created a dummy account cause Play requires it. That became my main Google account on this phone (since I declined to set up an account prior to that). That's the account Google tries to sync my contacts to when I try to add a contact.
I looked in the Gmail app, there's no way for me to sign out. All I can do is add more accounts.
A similar thread from the galaxy nexus forums: http://forum.xda-developers.com/showthread.php?t=1589367
However, I'd also be interested in a deeper insight on why you're trying to do this. Fear of the big brother? Or just proving a point?
We know before buying an android phone that everything is tied to that Gmail address; now you want to cut that tie but maintain full functionality. Well, that probably doesn't work. And if it at the end does, why going through all that trouble? If a different platform offers all that then..
Why you bought an android phone in the first place? Just curious
Sent from my Nexus 4 using Tapatalk 2
You can try downloading or side loading the app "contacts+" then sign out of your dummy gmail account. You can get a sim to USB hub online and plug your sim into the hub and into PC to add contacts directly to sim. I don't know if there's a way to export contacts to sim anymore unless I'm guessing developers somehow add that feature. So look into CM or another well built ROM and ask some questions.
Good luck
Sent from my SCH-I605 using xda premium
MachinTrucChose said:
The Phone app is not a part of gapps. It came on the stock ROM before I flashed gapps on it. I didn't try it before adding gapps, are you saying it will change behavior and no longer prompt me to sync when I try to add a contact?
I gotta go to sleep, I'll do more tests tomorrow evening to test this (and wait for your reply to the above question in case you misread my posts).
If the answer to the above question is yes, this would immediately beg another question: how do I install 3rd party apps from Play without flashing gapps?
Click to expand...
Click to collapse
Stock rom comes with gapps already loaded.
Most custom roms come without them and they must be flashed separately. If you choose not to flash them you aren't even given an option to sign into your Google account at first boot, so there will obviously be no option to sync your contacts.
Your phone will be crippled and you'll have to find workarounds for many things. I don't think you'll be able to use Maps for example. To install apps you'll have to download and install the apks or use an alternative app market like SlideMe or Amazon
What's there to hide? They're just contacts
Sent from my Nexus 4
Google doesn't care what your Aunt Bertie's phone number is. All they use the data for is to customize ads for you, and if you're going to be seeing ads anyways they might as well be relevant to you.
Sent from my Nexus 4 using xda app-developers app
It's disappointing that the thread is taking the direction of Google advocacy rather than finding a technical solution to my problem, hopefully this post answers your questions and we can stop arguing about this.
Drakkula4 said:
You can try downloading or side loading the app "contacts+" then sign out of your dummy gmail account.
Click to expand...
Click to collapse
How do I sign out of my dummy gmail account?
Vangelis13 said:
A similar thread from the galaxy nexus forums: http://forum.xda-developers.com/showthread.php?t=1589367
However, I'd also be interested in a deeper insight on why you're trying to do this. Fear of the big brother? Or just proving a point?
We know before buying an android phone that everything is tied to that Gmail address; now you want to cut that tie but maintain full functionality. Well, that probably doesn't work. And if it at the end does, why going through all that trouble? If a different platform offers all that then..
Click to expand...
Click to collapse
Nope, not full functionality. I can avoid using all gapps. The only required Google service is the Play store, which is the primary gateway to non-Google apps. I would use Email over Gmail, Navfree over Maps, etc.
The next paragraph is meant as a reply to the 5 posts essentially saying "tinfoil hat, trust Google!".
This is supposed to be an open phone, allowing the user to do what they want, compared to the big bad iOS. That's why I bought it. Now I find out Google is insisting on taking something extremely private (my social graph) even when I don't want to give it to them. I respect my friends' privacy, and I don't want an intersection of my online and offline lives being made by some 3rd party with intentions I don't trust. The insistence is starting to creep me out. You can provide convenience and still respect basic privacy, look at Mozilla with Firefox Sync: even they don't see the data you sync. I'm not even asking for that much, just respect my wish to draw the line at real-life stuff. I guess I shouldn't be surprised, this is the company banning people using pseudonyms on Google+.
The most disappointing thing in all this, is that you have 5000 custom ROMs being developed, which mainly differ in pointless GUI BS like scroll animation speed. Not a single one of those projects thought to provide a way to make the phone usable without giving up extremely private data. AFAIK only 3 guys are working on privacy stuff, and even those guys' patches and apps don't protect you from the Eye of Google.
chrisrozon said:
Google doesn't care what your Aunt Bertie's phone number is. All they use the data for is to customize ads for you, and if you're going to be seeing ads anyways they might as well be relevant to you.
Sent from my Nexus 4 using xda app-developers app
Click to expand...
Click to collapse
What if I don't want tailored ads? Or what if I only want tailored ads by tracking the online activity I'm willing to submit to them, and I feel it should be my my right to draw a line? Many people are not comfortable seeing an intersection of online and real life activity. I am one of those people.
MachinTrucChose said:
Didn't think my post lacked clarity, so hopefully this will be clearer:
My ONLY problem right now (we'll leave the rest for later) is that the Phone app, an essential app if I want to use my phone for making calls, an app that isn't even part of Gapps, doesn't let me add a local contact without sharing it with Google. That's it. Forget everything else in my post.
So my simple question is, how do I add my friend Bob to my contact list, locally in phone memory or on the SIM card or whatever, without telling Google I'm friends with Bob and giving them his phone number?
Click to expand...
Click to collapse
Simple question deserves simple answer, only thing I can think of, go to settings > accounts > google > tap your account email address > and uncheck the things you don't want synced with google.
Hopefully it works and you will just have a local copy of everything then.
Again just flash like cyanogen mod since you have to flash gapps separate. Then don't flash gapps and your phone will have nothing to do with google.
Sent from my Nexus 4 using Tapatalk 2

[Q] Textsecure integration?

https://whispersystems.org/blog/cyanogen-integration/
The client logic is contained in a CyanogenMod system app called WhisperPush, which the system hands outgoing SMS messages to for optional delivery. The Cyanogen team runs their own TextSecure server for WhisperPush clients, which federates with the Open WhisperSystems TextSecure server, so that both clients can exchange messages with each-other seamlessly. All of the code involved throughout the entire stack is fully Open Source.
"All of the code involved throughout the entire stack is fully Open Source."
So any possibility of seeing this in omnirom?
SHAWDAH said:
https://whispersystems.org/blog/cyanogen-integration/
The client logic is contained in a CyanogenMod system app called WhisperPush, which the system hands outgoing SMS messages to for optional delivery. The Cyanogen team runs their own TextSecure server for WhisperPush clients, which federates with the Open WhisperSystems TextSecure server, so that both clients can exchange messages with each-other seamlessly. All of the code involved throughout the entire stack is fully Open Source.
"All of the code involved throughout the entire stack is fully Open Source."
So any possibility of seeing this in omnirom?
Click to expand...
Click to collapse
Hmm.
1) All of it would have to get reviewed for security. I know pulser has looked at some of CM's other solutions and found vulnerabilities.
2) Since it sounds like it needs some server infrastructure, it would take some time and planning before we could get it up and running.
TextSecure definitely looked interesting until seeing that it requires gapps.
wkwkwk said:
TextSecure definitely looked interesting until seeing that it requires gapps.
Click to expand...
Click to collapse
Yea its stupid, he partially justifies it here https://github.com/WhisperSystems/TextSecure/issues/127
He also said this
"If you want alternatives to things like GCM, you have to either build them or help the people that are. I would love to use a different push service, but they don't exist.
Likewise, if we want an alternative to Play, we have to build it. What exists now (f-droid) has a centralized trust model, so we're building something else."
Entropy512 said:
2) Since it sounds like it needs some server infrastructure, it would take some time and planning before we could get it up and running.
Click to expand...
Click to collapse
For whatever it is worth, Moxie Marlinspike has said that Open WhisperSystems has a TextSecure server that they will let other ROMs use. Sadly I am unable to link, but /r/Android/comments/1shejv/as_of_today_cyanogenmod_is_integrating/cdxlnck should give you the info and context you're after. I hope that helps alleviate some concerns, or at least makes this somewhat more doable--I would love to see this adopted much more widely!
I just wish they could add return receipt functionality, and fall back to SMS if data delivery doesn't provide one in a reasonable time frame.
palpitations said:
For whatever it is worth, Moxie Marlinspike has said that Open WhisperSystems has a TextSecure server that they will let other ROMs use. Sadly I am unable to link, but /r/Android/comments/1shejv/as_of_today_cyanogenmod_is_integrating/cdxlnck should give you the info and context you're after. I hope that helps alleviate some concerns, or at least makes this somewhat more doable--I would love to see this adopted much more widely!
I just wish they could add return receipt functionality, and fall back to SMS if data delivery doesn't provide one in a reasonable time frame.
Click to expand...
Click to collapse
Ok, that's useful.
I'll let pulser do final judgement on this. He's our resident tinfoilhatter.
I got myself a tinfoil wide-brim to match my duster...
I'll have to get a 4.4 capable phone in the future so I can get OMni.
Entropy512 said:
Ok, that's useful.
I'll let pulser do final judgement on this. He's our resident tinfoilhatter.
Click to expand...
Click to collapse
Resident tinfoil hat responding to duty...
The issue I've seen with this system (and I must say, it is good that work is done on this, and I commend that it has been done) is the implementation.
Once again, a solution has been made, which is smart, has good features, but is crippled in the security area, due to making things "easy to use".
The specific issue is that, from what I can see, at least right now, there is no way to tell if a message is going to be sent encrypted or unencrypted. It's no good knowing AFTER the fact - you need to know before it is sent how it will be sent.
Additionally, if you are using encryption, from what I can see, the message is actually sent over the internet. This means there is a central repository of users stored on a server somewhere. That is centralisation, centralisation is bad... As I raised back at the time, there are side-information risks.
While the new implementation may well eliminate some of these, I am not convinced this system provides the level of anonymity that some may desire. My worry is that since the original idea was conceived, where a user's phone number being available to CM was not seen as a concern, that any solution has been architected without considering every aspect of security.
Securing correspondence via SMS would be very nice to have done properly. But this is simply a "hook", that takes what you *think* is an SMS, and sends it over the internet. There are plenty of people in the world (particularly developing nations), where they have poor, or limited, access to the internet. SMS can be a lifeline for them.
There are also many places (some incredibly large), which regularly and routinely block internet services they disagree with (not at all looking at China here...) - it is important that any system works worldwide, and is resistent to easy "blocking".
I would personally prefer to see the actual messages sent over SMS... That means if you have no internet connection, you can still send the SMS. And you can do so ENCRYPTED, rather than unencrypted.
At the end of the day though, until you can tell 100% whether something will be sent encrypted or unencrypted, you can't trust a system. The server operator may also gain useful metadata in this case (though not ideal, your carrier already gets metadata for SMS).
Tl;dr, it looks nice, but we need to look at everything here, and consider that not everyone has internet access all the time. After key-exchange is complete (I would like offline key exchange via NFC and QRcode (on the screen) as well, for in-person identity verification), we need to ensure that a user can securely communicate without internet connectivity.
Until then, this is just a smaller rival to iMessage. And hey, maybe that's a good thing... But for my money, it's not a secure SMS system...
Thoughts welcomed.
pulser_g2 said:
Resident tinfoil hat responding to duty...
The issue I've seen with this system (and I must say, it is good that work is done on this, and I commend that it has been done) is the implementation.
Click to expand...
Click to collapse
Great criticism Pulser but surely this system (even with its flaws) is better than traditional SMS, where everything you send and receive is logged by your carrier?
slashslashslash said:
Great criticism Pulser but surely this system (even with its flaws) is better than traditional SMS, where everything you send and receive is logged by your carrier?
Click to expand...
Click to collapse
The thing is, since everything is sent via the Internet, there are plenty of other existing ways to send encrypted messages over the Internet where *you can be sure the message is encrypted*.
Pulser touched on my initial concern (which I held off on voicing until he chipped in) - To determine whether to send a cleartext SMS or send the SMS via an Internet message, the app needs to know whether the recipient is "enabled" with this service. There are two ways to do this:
1) The sender explicitly configures the app to say that recipient Y is capable of receiving encrypted SMS
2) The app does some form of peer-to-peer negotiation
3) The app sends data associating your phone number with an account on another service to a centralized server. This appears to be what CM's solution is doing. Which is kind of silly - This is an app for extremely privacy-conscious people, that is enabling widespread data collection of mappings between a users' phone number and other accounts.
Stay away from this app and developer, who in my view, has been compromised. In the latest release (which I compiled about an hour ago), he removed the ability of the user to regenerate identity key. In the last couple of releases, the app would crash unless you allow it to use the internet. He also introduced Google Cloud Pushing services, which means that everyone who is using textsecure will be recorded in centralized Google/Nsa database. That is if you compiled the app from the source. If you download the app from the store, you wouldn't be able to use it at all without Google account and GSF. Having GSF defeats any encryption as every keystroke is recorded and regularly submitted Home (Google/NSA). Stay away and look for alternatives. I am checking Tinfoil sms app.
optimumpro said:
Stay away from this app and developer, who in my view, has been compromised. In the latest release (which I compiled about an hour ago), he removed the ability of the user to regenerate identity key. In the last couple of releases, the app would crash unless you allow it to use the internet. He also introduced Google Cloud Pushing services, which means that everyone who is using textsecure will be recorded in centralized Google/Nsa database. That is if you compiled the app from the source. If you download the app from the store, you wouldn't be able to use it at all without Google account and GSF. Having GSF defeats any encryption as every keystroke is recorded and regularly submitted Home (Google/NSA). Stay away and look for alternatives. I am checking Tinfoil sms app.
Click to expand...
Click to collapse
Stop spreading this your uninformed opinion everywhere.
I answered each and every one of your "arguments" in your original thread:
http://forum.xda-developers.com/showpost.php?p=51818980&postcount=10

Categories

Resources