Related
http://www.tgdaily.com/security-brief/50862-as-many-as-4-million-people-downloaded-data-stealing-android-app
Mike Luttrell | Thu 29th Jul 2010, 08:30 am
A seemingly innocuous Android app that let users change their phone's wallpaper has actually been stealing private user information and may have been downloaded millions of times.
Users should be concerned if they downloaded an app from "Jackeey Wallpaper." While it does perform the functions described in the app download page, it also ends up taking the phone's Internet browser history, mobile phone number, every single text message, and voicemail password. That information is then sent to a website based in Shenzhen, China.
Click to expand...
Click to collapse
http://phandroid.com/2010/07/29/another-app-stealing-data/
[Update]: MyLookout chimed in with us to clarify some details that other outlets have been reporting. Specifically, the app does collect data from your phone, but only the device’s phone number, subscriber identifier, and voicemail number fields are retrieved. SMS and browsing history are not touched by any of the apps they analyzed throughout their Blackhat conference. Your voicemail’s password is also not transmitted unless you included the password in your phone’s voicemail number field.
We’re not yet certain on what the developer’s intentions are for using the pieces of data it does send to China – so we can’t outright call it malicious – but it is collecting and sending data nevertheless. Hopefully that clears up some of the confusion everyone’s been faced with regarding the read-only property READ_PHONE_STATE that the application uses to access certain pieces of data.
Click to expand...
Click to collapse
So no SMS, browsing history or voice mail password taken.
FOR REAL?!?!
All your data belongs to somebody else
jp_macaroni said:
http://www.tgdaily.com/security-brief/50862-as-many-as-4-million-people-downloaded-data-stealing-android-app
Click to expand...
Click to collapse
Free isn't free: http://www.androidpolice.com/2010/0...t-all-your-data-are-belong-to…-somebody-else/
Same happened to me with an app posted here for movies
Flixster for android
http://www.flixster.com/
I did find out ON TIME , that someone was messing with my gmail account , had to change my password inmediatly
I received an altert from an IP ( from their site ) trying to change my password !
You've been warned , happened to me !
It's not like it doesn't show you the stuff when you install apps.. And this "Genome Project" thing is out of context nonsense.... 14% of free apps have access to your contacts. You realize that includes IM programs, SMS programs, Email programs, etc....
If you install a wallpaper app that requests access to your Accounts and Contacts, well....
http://www.cyrket.com/search?q=Jackeey+Wallpaper
I don't see such permissions on the 2-3 I looked through, but maybe specific ones did.
Another thing about this "lookout" app and Genome Project.. Look at the permissions on their app on the market:
Permissions: ACCESS_COARSE_LOCATION , ACCESS_FINE_LOCATION , ACCESS_NETWORK_STATE , CLEAR_APP_CACHE , DISABLE_KEYGUARD , GET_ACCOUNTS , INTERNET , MANAGE_ACCOUNTS , MODIFY_AUDIO_SETTINGS , PERSISTENT_ACTIVITY , READ_CONTACTS , READ_LOGS , READ_OWNER_DATA , READ_PHONE_STATE , READ_SMS , READ_SYNC_SETTINGS , READ_USER_DICTIONARY , RECEIVE_BOOT_COMPLETED , RECEIVE_SMS , VIBRATE , WAKE_LOCK , WRITE_CALENDAR , WRITE_CONTACTS , WRITE_SETTINGS , WRITE_SMS , WRITE_SYNC_SETTINGS , WRITE_USER_DICTIONARY , com.android.browser.permission.READ_HISTORY_BOOKMARKS , com.android.browser.permission.WRITE_HISTORY_BOOKMARKS
What if the 'AV' software itself turns out to be the one stealing data? If anything could, it could.
we get that all apps ask for permission to allow access to our location, contacts, emails etc....but to gather our private info and sell them to China.....thats messed up.
time to sue.
That information is then sent to a website based in Shenzhen, China.
Click to expand...
Click to collapse
question:
if this app was downloaded and used by US government....would it be considered as a SPY? lol
It's a big deal, but it illustrates very well that android users are in a ffa environment without someone looking over their shoulder to protect them.
It's good and bad. Some people will call bad on google for not protecting them, but others will see it for the truth of it and know they have to cover their own ass.
Wouldnt a functional firewall app work for this?
cutting off apps access to non essential portions of data...but also from data transmitting?
Flixster is malicious??
pvillasuso said:
Same happened to me with an app posted here for movies
Flixster for android
http://www.flixster.com/
I did find out ON TIME , that someone was messing with my gmail account , had to change my password inmediatly
I received an altert from an IP ( from their site ) trying to change my password !
You've been warned , happened to me !
Click to expand...
Click to collapse
Woaaah now... I have used this app on almost ever ROM I flash - downloaded straight from the market each time. I've never had an indication that my information was compromised in any way... Are you 100% sure that Flixster was the culprit? That's a pretty heavy claim for what I think is a very widely used (and recommended) app.
and what about all the gmail notifiers?
More fears:
I will preface this by saying I don't know much about Android security, but to me, it's as secure as any PC.
So: what about gmail notifier apps and apps that ask for access to your gmail account?
Do they have access to your gmail password? Seems like it. So what's to stop malicious gmail notifier developers from stealing your gmail passwords and having their way with your google account, for example, grepping your mailbox for banking information.
Also think about keyboard apps, what's to top malicious keyboard developers from writing a keyboard which logs all your keystrokes to a zipfile then uploads it to a russian server for analysis of B-A-N-K and P-A-S-S-W-O-R-D and then the next keystrokes which follow that?
It doesn't end there. Picture apps which can steal your pictures. Apps which can record your phone conversations and upload the audio to servers a few hours later so you don't notice that data going on.
bwolmarans said:
More fears:
I will preface this by saying I don't know much about Android security, but to me, it's as secure as any PC.
So: what about gmail notifier apps and apps that ask for access to your gmail account?
Do they have access to your gmail password? Seems like it. So what's to stop malicious gmail notifier developers from stealing your gmail passwords and having their way with your google account, for example, grepping your mailbox for banking information.
Also think about keyboard apps, what's to top malicious keyboard developers from writing a keyboard which logs all your keystrokes to a zipfile then uploads it to a russian server for analysis of B-A-N-K and P-A-S-S-W-O-R-D and then the next keystrokes which follow that?
It doesn't end there. Picture apps which can steal your pictures. Apps which can record your phone conversations and upload the audio to servers a few hours later so you don't notice that data going on.
Click to expand...
Click to collapse
The same things are possible for a regular computer as well. You can connect to a site and it could execute a download that then snoops your keystrokes and uploads them somewhere.
The difference (so far) is that on android you have to install an app to do that.
The takehome message is to excersize caution and install apps you can verify where they come from and what they do.
This will happen more and more. Mobile is where people are doing most of there communication and beginning alot of banking.
Not just Android all mobile OS.
Like I said a zonealarm/lilsnitch like app would be of great use. Even if logging or reading they still need to communicate out. An easy low mem/bat/cpu usage app that monitors this behaviour would go along way.
This is becomming a bigger issue and we do need some type of security alert monitor!
http://www.newsfactor.com/story.xhtml?story_id=13100EVAC2WI
"Mobile apps on Android-powered smartphones and Apple's iPhone can disclose more personal data than most users realize, security vendor Lookout revealed Wednesday at the Black Hat USA 2010 conference in Las Vegas. Rather than being malicious, users often give the apps permission to access data when they are installed...."
jp_macaroni said:
http://www.tgdaily.com/security-brief/50862-as-many-as-4-million-people-downloaded-data-stealing-android-app
Click to expand...
Click to collapse
Opps missed this post prior to posting my thread...
http://forum.xda-developers.com/showthread.php?t=739446
Arcarsenal said:
Woaaah now... I have used this app on almost ever ROM I flash - downloaded straight from the market each time. I've never had an indication that my information was compromised in any way... Are you 100% sure that Flixster was the culprit? That's a pretty heavy claim for what I think is a very widely used (and recommended) app.
Click to expand...
Click to collapse
100% sure , I checked out the IP involved , and it pointed directly to their website !!!
pvillasuso said:
Same happened to me with an app posted here for movies
Flixster for android
http://www.flixster.com/
I did find out ON TIME , that someone was messing with my gmail account , had to change my password inmediatly
I received an altert from an IP ( from their site ) trying to change my password !
You've been warned , happened to me !
Click to expand...
Click to collapse
Don't be stupid. Flixster is a 100% legitimate app. Don't bad mouth it because you fell for a phishing scam some place else.
GldRush98 said:
Don't be stupid. Flixster is a 100% legitimate app. Don't bad mouth it because you fell for a phishing scam some place else.
Click to expand...
Click to collapse
Use it then, who cares anyway ..!
Hope u get your gmail account hacked ...
samagon said:
The takehome message is to excersize caution and install apps you can verify where they come from and what they do.
Click to expand...
Click to collapse
Easy to say, but how do you 'verify where they come from and what they do'?
Since I know most of us tend to do A LOT or reading on tech sites and Android-focused blogs, you are all likely aware of the new security problem that has recently been headline news (especially on Apple sites).
In a nutshell, it is possible for malicious unsecured WiFi APs and HotSpots to steal the AuthToken from your phone when your WiFi contacts it. This AuthToken then can be used for two weeks to gain access to your Google account, which in turn may make other accounts you have vulnerable. They do this by using very common SSIDs, such as Default or Linksys, to encourage passing Android phones and/or tablets to try an connect with them. Though the connection doesn't complete, just the sniffing that takes place in advance is enough for the theft to take place.
Fortunately Android phones don't automatically try and connect to every cheap, streetcorner HotSpot they see...but they do automatically connect to WiFi APs they have been connected to before. Since these malicious APs are using very common SSIDs, it is likely your phone has connected to an AP with the same name in the past, and it will therefore query the AP, allowing the Token to be swiped.
How do we prevent this? Well, there are a few precautions that can be taken to make it less likely your poor phone gets grifted for being too trusting.
Make sure your home AP and other APs you control do not have common names. If your home AP has the SSID default, or Wireless....change it.
Keep your WiFi OFF when not using it.
Do NOT log into APs when you do not know their origin, and certainly not ones you scan for with names like Free Public WiFi. SSIDs like Evil Hacker Out to Fleece You are right out too.
If you DO log into a legit public AP (especially one with a common SSID), but it isn't one you commonly use, after you are done go into your WiFi settings and have your phone forget it.
Lastly, keep an eye on your Google account for suspicious activity. Did someone just your Google account to pay for $5000 worth of Skype calling to the Canary Islands? If so, report it (unless you got a girlfriend in the Canary Islands). Also use the security features in your gmail account to keep track of what IP numbers are logging into your mail. If someone on the other side of the country suddenly accesses your inbox, change your account details and report it to Google.
Forewarned is forearmed..and the sooner we make this scam unprofitable, the sooner it will go away and the sooner iPhone users will shut up about it.
source?
10char
kepke said:
source?
10char
Click to expand...
Click to collapse
Background on the security problem? All over the interwebs. HERE for example, or HERE.
The suggestions and commentary are my own.
In 2.3.4 this problem is fixed. Is there any chance to use the fixed files in older android versions?
Sent from my GT-I9000 using Tapatalk
HiQ123 said:
In 2.3.4 this problem is fixed. Is there any chance to use the fixed files in older android versions?
Sent from my GT-I9000 using Tapatalk
Click to expand...
Click to collapse
Might be something for the devs to consider adding to their custom ROMS.
Google on the case
In an official statement, Google has said it is already rolling-out a fix for the security flaw, which could affect all Android users, except those already running Gingerbread.
"Today we're starting to roll out a fix which addresses a potential security flaw that could, under certain circumstances, allow a third party access to data available in calendar and contacts.
"This fix requires no action from users and will roll out globally over the next few days."
Read more: http://www.techradar.com/news/phone...-security-flaw-fixing-it-957143#ixzz1N5zq1K7S
HiQ123 said:
In 2.3.4 this problem is fixed. Is there any chance to use the fixed files in older android versions?
Sent from my GT-I9000 using Tapatalk
Click to expand...
Click to collapse
So is 2.3.3 still at risk ?
google already fixed it on their servers. danger averted
Sent from my GT-I9000M
I got my N4 a couple of days ago. It's my first foray in the Android world.
The requirements that I am hoping to meet are pretty simple:
1) I want to be able to call contacts and send text messages
2) I don't want Google tracking my contact list
3) I don't want Google tracking my location
4) I don't want Google tracking my browsing history
5) I want to be able to use the Play store to download 3rd party apps. I didn't buy an N4 to use it it like a dumbphone. Logically, the Play store shouldn't require constant access to my contacts, location or browsing history.
I am making this post to get help meeting the above requirements. Despite seeming really basic, I'm running into trouble, and I think I will need frequent help. This thread can act as a journal that hopefully other people can follow.
What I did so far is immediately flashed the N4 to AOKP, and applied the OpenPDroid patches (though I've yet to use OPD). From a blank slate start, I declined to create an account, disabled location access, etc, during the startup wizard.
Adding a contact round 1
I was able to create a local, unsynced contact.
Using the Play store
I was forced to sign up for a gmail account, which is normal. I declined to "keep this phone backed up with my Google Account". I then went in Settings > Account and disabled sync for everything, including Contacts. I also disabled background sync in the power controls.
Adding a contact round 2
I am now unable to add a contact without being forced to sync it with my BS gmail account. When I click "Add Contact" in the phone app, a dialog says "Your contact will be synced with [email protected]" and my choices are either "OK", "Add other account", or to cancel out by clicking Back.
So I'm already stuck. Once a Play account is created, I am now unable to do something as basic as adding a contact without sending it to Google. Can someone tell me how to get past this obstacle?
That's how Google makes their money! Your only options are to either start using the amazon app store only or side loading apps if you don't want Google involvement. Good luck.
Sent from my Nexus 7 using xda premium
Why? Like they don't have all your information already? You freely give your information to everyone when you use the internet. Congratulations. You are not that special.
Sent from my Nexus 4 using xda app-developers app
Eurotrash: always in this sort of discussions there's people like you who essentially advocate shutting up and taking it. "That's how things are" is not an acceptable solution to my problem, or I would not have made this post. There IS a way around the creeping, and someone knows it. My last resort is blocking every Google service from accessing the Internet except Play. I'm asking here because I'm hoping there's a less extreme solution that other people can use.
Gotzadroid: I will hold out for a better solution. Amazon appstore will likely be limited. Sideloading is not possible because many devs don't provide APKs
I know you can get an app to block individual permissions of other apps: https://play.google.com/store/apps/details?id=com.stericson.permissions
It requires root. Not sure about the contacts and other stuff you wanted to block, im assuming you've disabled location services.
Why not try flashing like cm10 and not flashing gapps so no Google apps? Then just manually downloading the apps apks and sideload the ones you need?
Sent from my Nexus 4 using Tapatalk 2
Didn't think my post lacked clarity, so hopefully this will be clearer:
My ONLY problem right now (we'll leave the rest for later) is that the Phone app, an essential app if I want to use my phone for making calls, an app that isn't even part of Gapps, doesn't let me add a local contact without sharing it with Google. That's it. Forget everything else in my post.
So my simple question is, how do I add my friend Bob to my contact list, locally in phone memory or on the SIM card or whatever, without telling Google I'm friends with Bob and giving them his phone number?
MachinTrucChose said:
Didn't think my post lacked clarity, so hopefully this will be clearer:
My ONLY problem right now (we'll leave the rest for later) is that the Phone app, an essential app if I want to use my phone for making calls, an app that isn't even part of Gapps, doesn't let me add a local contact without sharing it with Google. That's it. Forget everything else in my post.
So my simple question is, how do I add my friend Bob to my contact list, locally in phone memory or on the SIM card or whatever, without telling Google I'm friends with Bob and giving them his phone number?
Click to expand...
Click to collapse
As previously mentioned, try flashing a rom without gapps
OK, try this. Make a dummy gmail account for the play store only. Get all the apps you want and then sign out of gmail. Only sign back in when you want another app. That should keep Google from syncing all your info.
Sent from my Nexus 7 using xda premium
Michealtbh said:
As previously mentioned, try flashing a rom without gapps
Click to expand...
Click to collapse
The Phone app is not a part of gapps. It came on the stock ROM before I flashed gapps on it. I didn't try it before adding gapps, are you saying it will change behavior and no longer prompt me to sync when I try to add a contact?
I gotta go to sleep, I'll do more tests tomorrow evening to test this (and wait for your reply to the above question in case you misread my posts).
If the answer to the above question is yes, this would immediately beg another question: how do I install 3rd party apps from Play without flashing gapps?
gotzaDroid said:
OK, try this. Make a dummy gmail account for the play store only. Get all the apps you want and then sign out of gmail. Only sign back in when you want another app. That should keep Google from syncing all your info.
Sent from my Nexus 7 using xda premium
Click to expand...
Click to collapse
That's what I did in the OP (2nd bolded step). I created a dummy account cause Play requires it. That became my main Google account on this phone (since I declined to set up an account prior to that). That's the account Google tries to sync my contacts to when I try to add a contact.
I looked in the Gmail app, there's no way for me to sign out. All I can do is add more accounts.
A similar thread from the galaxy nexus forums: http://forum.xda-developers.com/showthread.php?t=1589367
However, I'd also be interested in a deeper insight on why you're trying to do this. Fear of the big brother? Or just proving a point?
We know before buying an android phone that everything is tied to that Gmail address; now you want to cut that tie but maintain full functionality. Well, that probably doesn't work. And if it at the end does, why going through all that trouble? If a different platform offers all that then..
Why you bought an android phone in the first place? Just curious
Sent from my Nexus 4 using Tapatalk 2
You can try downloading or side loading the app "contacts+" then sign out of your dummy gmail account. You can get a sim to USB hub online and plug your sim into the hub and into PC to add contacts directly to sim. I don't know if there's a way to export contacts to sim anymore unless I'm guessing developers somehow add that feature. So look into CM or another well built ROM and ask some questions.
Good luck
Sent from my SCH-I605 using xda premium
MachinTrucChose said:
The Phone app is not a part of gapps. It came on the stock ROM before I flashed gapps on it. I didn't try it before adding gapps, are you saying it will change behavior and no longer prompt me to sync when I try to add a contact?
I gotta go to sleep, I'll do more tests tomorrow evening to test this (and wait for your reply to the above question in case you misread my posts).
If the answer to the above question is yes, this would immediately beg another question: how do I install 3rd party apps from Play without flashing gapps?
Click to expand...
Click to collapse
Stock rom comes with gapps already loaded.
Most custom roms come without them and they must be flashed separately. If you choose not to flash them you aren't even given an option to sign into your Google account at first boot, so there will obviously be no option to sync your contacts.
Your phone will be crippled and you'll have to find workarounds for many things. I don't think you'll be able to use Maps for example. To install apps you'll have to download and install the apks or use an alternative app market like SlideMe or Amazon
What's there to hide? They're just contacts
Sent from my Nexus 4
Google doesn't care what your Aunt Bertie's phone number is. All they use the data for is to customize ads for you, and if you're going to be seeing ads anyways they might as well be relevant to you.
Sent from my Nexus 4 using xda app-developers app
It's disappointing that the thread is taking the direction of Google advocacy rather than finding a technical solution to my problem, hopefully this post answers your questions and we can stop arguing about this.
Drakkula4 said:
You can try downloading or side loading the app "contacts+" then sign out of your dummy gmail account.
Click to expand...
Click to collapse
How do I sign out of my dummy gmail account?
Vangelis13 said:
A similar thread from the galaxy nexus forums: http://forum.xda-developers.com/showthread.php?t=1589367
However, I'd also be interested in a deeper insight on why you're trying to do this. Fear of the big brother? Or just proving a point?
We know before buying an android phone that everything is tied to that Gmail address; now you want to cut that tie but maintain full functionality. Well, that probably doesn't work. And if it at the end does, why going through all that trouble? If a different platform offers all that then..
Click to expand...
Click to collapse
Nope, not full functionality. I can avoid using all gapps. The only required Google service is the Play store, which is the primary gateway to non-Google apps. I would use Email over Gmail, Navfree over Maps, etc.
The next paragraph is meant as a reply to the 5 posts essentially saying "tinfoil hat, trust Google!".
This is supposed to be an open phone, allowing the user to do what they want, compared to the big bad iOS. That's why I bought it. Now I find out Google is insisting on taking something extremely private (my social graph) even when I don't want to give it to them. I respect my friends' privacy, and I don't want an intersection of my online and offline lives being made by some 3rd party with intentions I don't trust. The insistence is starting to creep me out. You can provide convenience and still respect basic privacy, look at Mozilla with Firefox Sync: even they don't see the data you sync. I'm not even asking for that much, just respect my wish to draw the line at real-life stuff. I guess I shouldn't be surprised, this is the company banning people using pseudonyms on Google+.
The most disappointing thing in all this, is that you have 5000 custom ROMs being developed, which mainly differ in pointless GUI BS like scroll animation speed. Not a single one of those projects thought to provide a way to make the phone usable without giving up extremely private data. AFAIK only 3 guys are working on privacy stuff, and even those guys' patches and apps don't protect you from the Eye of Google.
chrisrozon said:
Google doesn't care what your Aunt Bertie's phone number is. All they use the data for is to customize ads for you, and if you're going to be seeing ads anyways they might as well be relevant to you.
Sent from my Nexus 4 using xda app-developers app
Click to expand...
Click to collapse
What if I don't want tailored ads? Or what if I only want tailored ads by tracking the online activity I'm willing to submit to them, and I feel it should be my my right to draw a line? Many people are not comfortable seeing an intersection of online and real life activity. I am one of those people.
MachinTrucChose said:
Didn't think my post lacked clarity, so hopefully this will be clearer:
My ONLY problem right now (we'll leave the rest for later) is that the Phone app, an essential app if I want to use my phone for making calls, an app that isn't even part of Gapps, doesn't let me add a local contact without sharing it with Google. That's it. Forget everything else in my post.
So my simple question is, how do I add my friend Bob to my contact list, locally in phone memory or on the SIM card or whatever, without telling Google I'm friends with Bob and giving them his phone number?
Click to expand...
Click to collapse
Simple question deserves simple answer, only thing I can think of, go to settings > accounts > google > tap your account email address > and uncheck the things you don't want synced with google.
Hopefully it works and you will just have a local copy of everything then.
Again just flash like cyanogen mod since you have to flash gapps separate. Then don't flash gapps and your phone will have nothing to do with google.
Sent from my Nexus 4 using Tapatalk 2
I had the Google account login issues that many had in here, after contacting Joying they sent me a link to two changed files to copy onto their original firmware update. I updated with this new "firmware" and my Google account worked.
Then 2 days later (March 16th 2021) my Google account was compromised for the first time in 15 years. I only use this password for my Google account so I don't know how it was hacked but the Google Admin audit logs say the hacker just input my password.
They opened up a Google Adwords account and started selling fortnight ads, then attempted to get into my brokerage account, then logged into a dormant Etsy account and tried to do something with Square before I caught on (40min total in my account). They were quickly deleting any account change emails that came in so I wouldn't receive notices of changes.
I am highly suspicious of this new update to my head unit. The timing is spot on, and I haven't used my Google account anywhere other than my Pixel phones, Nvidia Shield, Laptop and this Joying unit.
I am very concerned now about the security of this device. I also don't understand the claim by Joying that "Google updated their servers" and that's why their firmware wasn't working with Google accounts. Smells very fishy to me, and I hope somebody that knows more about device security can help figure this out. I still have copies of the update that they sent me, but I will not be using this brand new head unit anymore with my Google Account.
I posted this thread because I have seen other comments about Google accounts being hacked and concerns about third party device security and thought it would be best to consolidate them here in one thread rather to take other threads on a tangent.
Just be aware that Joying in particular didn't have anything to do with it, they are just resellers and pass on software given to them by the actual manufacturer of the hardware, FYT. Also be aware, that data breaches are happening very often nowadays so that is also a possibility. I'm not defending the manufacturer in any way, but there's too many variables in order to single out the headunit itself. You did mention that you use this google account on your phone as well. It could be that you installed an app on your phone that stole your account information as well. Also a new "virus" has been discovered that disguises itself as a system update that can steal your info. Info here: https://www.androidpolice.com/2021/...retends-to-be-a-system-update-for-your-phone/
Only way to know for sure if it was the headunit itself is to use a new dummy Google account on it and see if it gets taken over as well. Also, I don't see the purpose of needing to login to Google on these devices anyways since we're not using them like phones and, me in particular, I don't consume streaming media on it so i don't give it network access at all. These new units have spotty GPS reception at best and sometimes i find myself forced to use Android Auto anyways so the only streaming media consumed is straight from my phone.
What I can recommend you do is install a firewall app on your headunit and monitor where it tries to connect and determine if it needs to access it or not. To put yourself at ease, I would change your password and enable 2 step authentication on your account.
Let us know if you decide to sideload a firewall app and post your results. With that info, we can take this concern up to Joying/Teyes/etc and have them press their supplier for information. I can assure you that with the proper evidence, the resellers will put some effort into fixing this wrongdoing, since they wouldn't want to tarnish their reputation and possibly lose out on some sales.
I was also hacked in mid March soon after installing a joying unit and connecting to my google account. The hacker opened a google ads account and used a credit card associated with my google account to charge 260 dollars to my visa. They would have charged more but my limit on the card is low for just this reason. Visa had to cancel my card and send me a new one. I never even connected the hack in my mind to the joying head unit until explorer_200 happened to post his experience, but this seems like far to much of a coincidence given that we both have had the same experience at the same time and all we have in common is the joying unit.
I agree that it may not be something joying knows about, but its probably a good idea to see how many have been affected by this hack. For now I will be setting up a locked down google account just for the joying box and my head unit will only be connected to apps that are no real risk to my passwords and personal data.
I need to login to google to use voice commands and google assistant as well.
explorer_200 said:
I posted this thread because I have seen other comments about Google accounts being hacked and thought it would be best to consolidate them in one thread.
Click to expand...
Click to collapse
Could you please link to these other comments. Right now there is just your say so which is a sample size of one. Not doubting what you are saying, but correlation is not necessarily causation.
6KayZee9 said:
I never even connected the hack in my mind to the joying head unit until explorer_200 happened to post his experience, but this seems like far to much of a coincidence given that we both have had the same experience at the same time and all we have in common is the joying unit.
Click to expand...
Click to collapse
That is flawed logic.
Allow me to use similar thinking in another way.
I notice that everytime I go outside when it is raining, there are people with umbrellas. I deduct that it is too much of a coincidence to see people with umbrellas when it is raining to think they are not linked. I don't see these same people carrying umbrellas when it is not raining. I can only conclude that the umbrellas are causing the rain.
You say that you and one other have the same head unit and have been hacked therefore it is the headunit's fault. DO a survey on how many people with Samsung phones were hacked yesterday and get back to me to let me know if the number was greater than two.
We can then move on from there.
Once bitten, twice shy... learn or get burned.
If you had a secure password that you managed well until 2 days ago that should narrow down your list of suspects substantially.
Time to take out the trash...
Results are all that matter; take out anything that might have been involved. The napalm method.
Overkill yes, but it's effective.
Breaching your Google account is completely unacceptable and I go nuts on anything/one that was potentially involved.
explorer_200 said:
I had the Google account login issues that many had in here, after contacting Joying they sent me a link to two changed files to copy onto their original firmware update. I updated with this new "firmware" and my Google account worked.
Then 2 days later (March 16th 2021) my Google account was compromised for the first time in 15 years. I only use this password for my Google account so I don't know how it was hacked but the Google Admin audit logs say the hacker just input my password.
They opened up a Google Adwords account and started selling fortnight ads, then attempted to get into my brokerage account, then logged into a dormant Etsy account and tried to do something with Square before I caught on (40min total in my account). They were quickly deleting any account change emails that came in so I wouldn't receive notices of changes.
I am highly suspicious of this new update to my head unit. The timing is spot on, and I haven't used my Google account anywhere other than my phone and this Joying unit.
I am very concerned now about the security of this device. I also don't understand the claim by Joying that "Google updated their servers" and that's why their firmware wasn't working with Google accounts. Smells very fishy to me, and I hope somebody that knows more about device security can help figure this out. I still have copies of the update that they sent me, but I will not be using this brand new head unit anymore with my Google Account.
I posted this thread because I have seen other comments about Google accounts being hacked and thought it would be best to consolidate them in one thread.
Click to expand...
Click to collapse
If you're not using MFA/2FA on your account(s) expect it be a matter of time until your account(s) be compromised again.
The joying update is what I would call purely coincidence and post hoc (Post hoc ergo propter hoc.)
Exactly this, without hard evidence that the Joying/Teyes/etc update is the cause of your Google account getting hacked, this is all pure coincidence. So far I'm aware of only 2 reports of accounts getting hacked, @explorer_200 and @6KayZee9. I've been lurking "the other" forum and i haven't seen any reports there either. Get some evidence to back up your claims and then start pointing fingers and have fyt (the software comes from them) be held accountable.
gamer765 said:
Exactly this, without hard evidence that the Joying/Teyes/etc update is the cause of your Google account getting hacked, this is all pure coincidence. So far I'm aware of only 2 reports of accounts getting hacked, @explorer_200 and @6KayZee9. I've been lurking "the other" forum and i haven't seen any reports there either. Get some evidence to back up your claims and then start pointing fingers and have fyt (the software comes from them) be held accountable.
Click to expand...
Click to collapse
It's not so much as proving anything as it is plugging the most probably source(s) of the leak to prevent it from ever happening again for the user.
If that means never using the software even the hardware, it's a small price to pay.
An OS reload may also be good idea at this point on all potentially infected devices and another password reset. Go nuts... this could get real messy if it's in the data drive and gets into the backups.
The perp may only target high value targets and leave the smaller fish be giving the illusion the site, software or whatever is safe.
blackhawk said:
Once bitten, twice shy... learn or get burned.
If you had a secure password that you managed well until 2 days ago that should narrow down your list of suspects substantially.
Time to take out the trash...
Results are all that matter; take out anything that might have been involved. The napalm method.
Overkill yes, but it's effective.
Breaching your Google account is completely unacceptable and I go nuts on anything/one that was potentially involved.
Click to expand...
Click to collapse
Have you considered aliens? Or ghosts? They both fit in with your assumptions thus far.
I guess you failed statistics 101. Your conclusion is flawed. You have failed to take into account the number of hackers in the world that were active 2 days ago and you have failed to take into account all the other apps you have attached to your account / sideloaded onto other devices that have access to that account.
Do that and then you are starting to get somewhere.
By all means change your password. But don't attempt to pass off your unsubstantiated claim as fact or anywhere in the realms of probability without some data to back it up.
ludditefornow said:
I guess you failed statistics 101. Your conclusion is flawed.
By all means change your password. But don't attempt to pass off your unsubstantiated claim as fact or anywhere in the realms of probability without some data to back it up.
Click to expand...
Click to collapse
If every 1 in 1k accounts gets hacked by an unscrupulous site or device and you're that one, you're still statistically 100% boned
The OP should suspect the use of their Google password; it's probably the most recent sites it was used on or the device.
I'd purged both, no remorse...
blackhawk said:
If every 1 in 1k accounts gets hacked by an unscrupulous site or device and you're that one, you're still statistically 100% boned
Click to expand...
Click to collapse
What does that have to do with the subject at hand? The ramification from being hacked has nothing to do with how one was hacked based on the OP.
And besides, the OP wasn't 100% boned as you put it. It was less than an hour before they realised and steps were taken to counter the hack. They had a couple of hundred dollars put on a card that will be reversed no doubt.
So that is another statistic failure. Friendly advice. Stop posting about stats in anyway until you get the fundamentals of them right
ludditefornow said:
What does that have to do with the subject at hand? The ramification from being hacked has nothing to do with how one was hacked based on the OP.
And besides, the OP wasn't 100% boned as you put it. It was less than an hour before they realised and steps were taken to counter the hack. They had a couple of hundred dollars put on a card that will be reversed no doubt.
So that is another statistic failure. Friendly advice. Stop posting about stats in anyway until you get the fundamentals of them right
Click to expand...
Click to collapse
You're the one that wanted a go at me.
Is that all you got?
All my data is redundantly* backed up without Google but some use it to back up everything.
Some have a lot to lose in just a couple minutes with a hacked Google account.
Don't trivialize it... on my account
Boy you guys are grumpy, neither of us are saying anything is definitively joyings fault, however its a much bigger coincidence when you consider that neither of us ever had a problem til now and ive had gmail since soon after it came online. Here is an alternate hypothesis I have carwebguru on my head unit as well. Maybe both explorer_200 and I have it on our head units and that code is the true culprit. Other than that all my apps ive had for a long time. Im not really sure that I believe this is all that sophisticated unless its on a huge scale since they only got a few hundred from visa and or google. And for that they have some pretty powerful entities who may now be taking an interest. We are just sending all this up the flag pole to see how many salute...
blackhawk said:
You're the one that wanted a go at me.
Is that all you got?
All my data is redundantly* backed up without Google but some use it to back up everything.
Some have a lot to lose in just a couple minutes with a hacked Google account.
Don't trivialize it... on my account
Click to expand...
Click to collapse
I'm not trivalizing being hacked at all. I think you need to reread my posts. Because your response tells me you haven't understood them.
Wow. I didn't expect this to be a controversial thread. I've seen a few posts in here from people who have gone through the code on these units and found Chinese URL's that don't appear to have any uses. I am not definitively saying anything here, but Reddit is full of people wary of running Android on these devices because they have such huge potential to be compromised.
I am VERY careful with my Google account information online. I am highly aware of phishing schemes, and haven't used an external device other than my Pixel2, Pixel4, Laptop, Nvidia Shield, to log into Google in over 5 years.
The attack was similar in both of our cases, and happened within a few days of us logging into Google with a new Joying head unit (that had verified Google Login issues from a 2021 firmware update)
Anyways... I've changed my Google password 3 times since this happened, and am monitoring my Google audit log multiple times per day. So far so good, but unfortunately I won't be using this head unit with my Google account going forward
After activating my Google account on the new Navifly headunit, I received a notification from Google that I need to change all passwords (about 350 pieces). In addition, all contacts from the phonebook (on the mobile phone) and automatic backup have disappeared. I deactivated the account on headunit, but it didn't help. I plan to contact Google to see if they can help me.
nenadhebiv said:
After activating my Google account on the new Navifly headunit, I received a notification from Google that I need to change all passwords (about 350 pieces). In addition, all contacts from the phonebook (on the mobile phone) and automatic backup have disappeared. I deactivated the account on headunit, but it didn't help. I plan to contact Google to see if they can help me.
Click to expand...
Click to collapse
This doesn't make any sense.
I'll say it again; enable 2fa/mfa on your Google account.
If not using multifactor authentication or doing questionable things like accepting apps access to your Google account, expect to be compromised.
nenadhebiv said:
After activating my Google account on the new Navifly headunit, I received a notification from Google that I need to change all passwords (about 350 pieces). In addition, all contacts from the phonebook (on the mobile phone) and automatic backup have disappeared. I deactivated the account on headunit, but it didn't help. I plan to contact Google to see if they can help me.
Click to expand...
Click to collapse
Actually I lost all my Google contacts as well with the Joying unit, but I found out it had to do with the bluetooth syncing from my phone to the head unit. You've gotta disable it.
Search for "head unit deleted all my Google Contacts" and you'll see lots of threads.
Hi all,
Redmi Note 7 MIUI 12. 5.1.0 Stable Global
Account 1 primary
Account 2 secondary
Problem :
When I go to Playstore I see an update for Android System webview, and when I go to the app, I see a message that this app is associated with my secomdary account, not the primary I use with Playstore.
I can't find any way to change this, and looking on the net many other people have the same. problem. The solutions offered will not work with Android 10, because (new in 9-10) if the primary google account is removed then all apps and settings for that account will also be removed, not what I want.
Is there a safe solution to this problem, that does not involve removing my account(s)?
I tried contacting Google support at
[email protected] which is the email offered by Playstore for developer contact, only to get a reply that I have written an email address no longer monitored.
And in all the post on support.google.com Google never answers any of the people with this problem.
Thank you in advance
Jan
Give WebView Magisk module a try. I don't whether it can fix it to be honest.