If you recently received a suspicious SMS message inviting you to view pictures, beware. Click through and you might be seeing your FB photos on a hot-or-not ranking site.
The openness of the Android operating system and the slowness of security updates from various manufacturers are opening the door to hackers, malware and other harmful programs that take advantage of the gap in the system. Having been quiet for some time, the issue of Android’s open policy toward its Play Store and its consequent vulnerability is once again attracting attention.
According to Itay Katz and Avi Shulman, security researchers at the information security company Shine, a new malware app called Pixer is trawling for pictures from its users’ social profiles and featuring them in its app. According to Play Store statistics, the app has already misled its way to 1-5 million downloads. Aside from being completely worthless (it does not function in any way as a dating site or social network), the app uses a rather aggressive and misleading method to spread itself, with the sole intention of increasing its user base and ad revenue without offering much in return.
Accessing your info whether you like it or not
“We recently received a number of complaints about a strange SMS with an invitation to view pictures. One can understand the difficulty to resist, especially when the message comes from a close friend,” says Katz. “Our suspicion increased when we clicked on the link and we were sent to install an app called Pixer from Google’s app store. The app as it’s presented on Google Play has the feel of a picture app like Picasa or the like.”
After installing the app, users browse through the photos of people who fell into the trap. If you authorize the application to access your Facebook account, the app actually uploads all your FB pictures to the app. This includes even your friends’ photos that were posted to your page. All this is done without any explicit permission, ostensibly to keep the content fresh with new photos and to attract more users to download the app.
In addition, the application will ask you to send a confirmation SMS to your entire contact list, with a link to install the application. There’s no option to filter your list.
“Few bother to read the Permissions page. A quick look confirmed our suspicion that the application requests permission to send SMS messages on your behalf and to access your personal and social information. Users tend to confirm each message that pops up after the install, especially when it looks like a long and involved process. Add to this a picture of a pretty girl in the background and people are clicking through without giving it much thought. This is the basic operational function of the app. It exists to spread through your contacts – your boss, babysitter, aunt – all of them.”
If you recall, this is not the only case in which such warnings have been raised about malware-style apps delivered through Android’s Play Store. Only last July, the security company Bluebox Security announced that its security researchers had uncovered the “master key” of Android, which could allow hackers to turn any Android app into malware without drawing attention from the operating system or the application’s developer. The malware itself allows hackers to remotely monitor and collect information about the device, such as phone calls and messages.
Similarly, earlier this year security researchers discovered a botnet that infected over one million users in China with a Trojan virus that infiltrated their smartphones via their Android OS. The botnet allowed attackers to manipulate infected smartphones for their own purposes.
Considering the large number of app stores (other than Google Play) that carry Android apps but aren’t held to the standard expected of a Google-run operation, the danger of malware-style Android apps is a significant one. Before accessing and installing any app on an Android smartphone that does not originate from Google’s official Play Store, it is imperative that users check the reliability of the link and the sender. In general, it’s a good idea to avoid opening links that come unannounced through SMS or social networks without verifying them first.