back to article URRGH! Evil app WATCHES YOU WATCHING PORN, snaps your grimace

A new frontier in horror has been breached, as it has emerged that your phone can in some circumstances take a picture of you as you view porn on it, and then use that image of your grimacing face to extort money on pain of exposure. Security outfit Zscaler detected the Android app, which lures victims who assume it is a …

Page:

  1. as2003

    It's not really a "vulnerability" in Android if: you have to manually enable installation of unverified 3rd party software, then ignore the blatant red flag that says "this app requires access to your camera".

    1. Teiwaz
      Devil

      Where is the vulnerability

      "It's not really a "vulnerability" in Android"

      Yup, it's a vulnerability in the user (and targets the vooonerables).

    2. Anonymous Coward
      Stop

      This is what I don't get about Fandroids (and many Linux users).

      If a person downloads a dodgy bit of software from some random website, ignores the warning about downloading and running programmes from the internet, click the button to approve instalation. It Microsofts fault for allowing it to happen.

      If someone downloads an app for Android, it's the users fault.

      1. Roq D. Kasba

        It's the users fault either way. You can run Windows 10 all day long clean and happy without a security suite if you don't install anything ;-)

        1. Anonymous Coward
          Anonymous Coward

          Re: Roq D. Kasba

          It's the users fault either way. You can run Windows 10 all day long clean and happy without a security suite if you don't install anything

          Only until the first remote exploit for something like (say) the network stack in W10 shows up. Then someone could passively scan the network you're on to find your W10 PC, exploit it, then voila, you're done.

          Not super likely for home users with with IPv4 NAT... but since IPv6 doesn't have NAT and actual end user IP's are exposed... ugh.

        2. Anonymous Coward
          Anonymous Coward

          It's the users fault either way. You can run Windows 10 all day long clean and happy without a security suite if you don't install and don't connect anything ;-)

          FIFY. I would not want a Windows box near an Internet connection without anti-virus and a certainty that at least its firewall is enabled, over the years I've learned not to invest trust in Windows out of the box defaults..

        3. This post has been deleted by its author

      2. noboard

        because a lot of the past vulnrabilities didn't require that, it was "go to a website and boom", because MS insisted most things have admin privilages, people had complete control over your machine.

        Hopefully things are getting better, but their track record is terrible.

      3. Anonymous Coward
        Anonymous Coward

        This is what I don't get about Fandroids

        It's only natural, I think. You have installed a billion shite apps on your mobile (because you can and because they enrich your life, lol), and practically ALL of those have flash a long list of what functionality on your handset they will have to access for YOU to use the app, and you have no clue what it REALLY means (and you do want to use our app, right? Click "no" if you do not not want to not un-use it. Are you sure? Do you want to cancel? Yes? Good boy).

        You read carefully through the first few lists that pop up during installation, nothing bad happens. Nothing happens, nothing happens, nothing happens, you grow complacent, so you just "yeah-yeah-gimme-gimme" the new apps and then - CLICKBAIT!!!! And your willy's on the facebook, OMG, what will my boss say!?

        1. Jagged

          Re: This is what I don't get about Fandroids

          "CLICKBAIT!!!! And your willy's on the facebook, OMG, what will my boss say!?"

          - Time for a rise? ;D

        2. Rick Giles

          Re: This is what I don't get about Fandroids

          And your willy's on the facebook, OMG, what will my boss say!?

          I guess that depends on if it is impressive...

      4. Pascal Monett Silver badge

        @ Lost all faith

        There is a big difference between a Windows platform and Android - on the Android platform the user is not admin.

        In Windows, historically speaking, the user has always had all rights to the OS and hardware access because Microsoft took two decades to start understanding that that was not a good idea. So yeah, on a PC a lot of malware is there because of Microsoft, not always because of the user.

        1. This post has been deleted by its author

      5. Anonymous Coward
        Anonymous Coward

        "If a person downloads a dodgy bit of software from some random website, ignores the warning about downloading and running programmes from the internet, click the button to approve instalation. It Microsofts fault for allowing it to happen."

        That's because Android and Linux have as much security precautions as possible to prevent it.

        Windows encourages users to run as admin, allowing any bad stuff to hose the system instead of just the user environment.

        Linux also creates new files as non-executable and you must manually change the permissions to execute said files, double click/launch from browser WILL NOT WORK until this is done. Windows on the other hand defaults with the execute permission set meaning double clicking and running from the browser will work.

        1. Anonymous Coward
          Anonymous Coward

          To those downvoters who downvoted my post about Linux not creating new files as executable, where Windows does and that is a problem, have an example of why Linux is doing this right and Windows not.

          http://www.theregister.co.uk/2015/09/08/whatsapp_security_flap/

          In short: a bug in WhatsApp allows vCards to be turned into .BAT files. If a user on Windows downloads this, it takes one click of the 'Run' button to hose their system. If it was a .sh file for Linux, users would have to save the file, right-click properties, tick 'Execute' permission and then double click the file to hose their user account.

        2. thosrtanner

          *sigh* Windows does NOT encourage users to run as admin. It throws up a box saying "this software wants to do something to your computer". And on loads and loads of websites, you see advice that tells you to

          1) Switch off the access control

          2) Change the permissions on <something in program files> so you can write to it

          And also

          3) There is still software that is released that more-or-less expects people to grant write access to places they shouldn't have to (Bethesda/Steam - Skyrim immediately comes to mind, but there are others).

          With a mindset like that even with the large developers, let alone the help sites, what do you expect. If people advised you to always run as root in linux, they'd be howled down. But apparently it's Microsoft's fault that doing the same thing on windows is considered par for the course.

          There are plenty of criticisms that microsoft deserves, but encouraging people to run as admin all the time is not one.

      6. Rick Giles
        Linux

        This is what I don't get about Fandroids (and many Linux users).

        If a person downloads a dodgy bit of software from some random website, ignores the warning about downloading and running programmes from the internet, click the button to approve instalation. It Microsofts fault for allowing it to happen.

        If someone downloads an app for Android, it's the users fault.

        Me thinks you need an editor, or a stream of consciousness filter...

    3. SuccessCase

      I expect, at least as far as the non techie population are involved, landfill Android is about to enjoin quite a few high-end handsets!

    4. This post has been deleted by its author

      1. Anonymous Coward
        Anonymous Coward

        Google's fault

        Correct. The user should be able to prevent the app from accessing things without the app knowing that it is being prevented from accessing them: bogus address book provided to untrusted apps, and so on.

        In the case of the camera you could put a sticker over the lens but that wouldn't handle the case where you have two apps running simultaneously: a trusted one that you want to use the real camera and an untrusted one that you want to receive bogus data instead (a pop video perhaps).

      2. TeeCee Gold badge

        The source of that little issue is that the majority of those permissions that make you go "WTF does it need that for?" aren't actually required by the app at all.

        There's an ever-growing list that are required by the Google crapware baked into 'em all, which is why you ain't going to see them disappearing or you being allowed to stuff them on any official devices.

        I've said it before and I'll say it again. Android could be damned good, if only it were taken away from Google and their cruft was forcibly excised from it.

        1. This post has been deleted by its author

    5. Graham Marsden
      Boffin

      It's not a vulnerabilty...

      It's a ridiculous short-coming in security!

      A user shouldn't have to "ignore the blatant red flag that says "this app requires access to your camera",", they should be able to say "I don't want ANY apps to have access to MY camera unless *I* say they can!"

      The default should be opt IN, not "you can only opt-OUT by not installing the app in the first place".

      1. Anonymous Coward
        Anonymous Coward

        Re: It's not a vulnerabilty...

        A user shouldn't have to "ignore the blatant red flag that says "this app requires access to your camera",", they should be able to say "I don't want ANY apps to have access to MY camera unless *I* say they can!"

        The default should be opt IN, not "you can only opt-OUT by not installing the app in the first place".

        I have trouble parsing that statement. Do you mean "users SHOULD ignore red flags" like asking for privileges an app doesn't need, or are you asking for new functionality that locks the camera unless explicitly enabled?

        Knowing how users think (takes quite a lot of alcohol, but bear with me), that would simply yield complaints that the phone is hard to use. It would be better if Android would switch to the iOS model where permission is sought when the first access is attempted (nice, properly timed red flag there and then), and where permission can be withdrawn again for each individual resource.

        If Google would push that into the next release it would fix quite a few problems in one go.

        1. Graham Marsden

          @AC - Re: It's not a vulnerabilty...

          > are you asking for new functionality that locks the camera unless explicitly enabled?

          I'm saying that that should be the *default* setting for any app. Followed by, as you say, "This app wants to access your camera, do you want to allow it?" to give you the chance to say "hang on, why does a photo slide show viewer want to take pictures right now?"

        2. This post has been deleted by its author

        3. This post has been deleted by its author

      2. This post has been deleted by its author

    6. ponga

      Vulnerability

      To be perfectly fair, if it really can't be uninstalled, *that's* a security flaw. The rest is PEBKAC.

    7. viscount

      It doesn't help that companies like Amazon actually tell you to turn on the the third party app sources so that they can install their app store:

      http://www.amazon.com/gp/help/customer/display.html?nodeId=201482620

      As soon as a user does this they are vulnerable to rogue apps.

  2. This post has been deleted by its author

    1. Anonymous Coward
      Go

      Re: A better headline...

      Dick Turpin App Gets Users To Stand And Deliver

      Any others ?

      1. DavCrav

        Re: A better headline...

        Crims take money shot?

      2. Mutton Jeff

        Re: A better headline...

        "Rank, left flank, skank wank app tanks user rep demands banknotes, much angst"

        1. Billa Bong

          Re: A better headline...

          Mug pic from smut flick, malware takes selfie selfie

      3. Anonymous Coward
        Anonymous Coward

        Re: A better headline...

        These aren't the droid shots you're looking for, move along.

        or

        App trap porn slap over droid snap.

    2. LucreLout

      Re: A better headline...

      P0rn purveyors pernicious program publishes punters private pen1s pumping pictures.

  3. Anonymous Coward
    Anonymous Coward

    signum tempori

    higher than ever number of people lacking common sense who expose themselves, literally and metaphorically, to the rear (here front camera) entry. Fuck me, and the wish comes true.

  4. JasonB
    Meh

    Unchecking?

    "This can be enforced by unchecking the option of "Unknown Sources" under the "Security" settings of your device."

    That's already enforced on my device. (Yes I had to check!) Does that suggest that people have made a deliberate decision to download from potentially dodgy sites?

    1. Vic

      Re: Unchecking?

      Does that suggest that people have made a deliberate decision to download from potentially dodgy sites?

      Yes.

      Vic.

      1. Uplink

        Re: Unchecking?

        Cheap Chinese Spyware Phones come with that enabled by default for some reason.

    2. Anonymous Coward
      Anonymous Coward

      Re: Unchecking?

      Does that suggest that people have made a deliberate decision to download from potentially dodgy sites?

      Of course. Close to a billion people can't possibly be wrong..

  5. Anonymous Coward
    Anonymous Coward

    If this app is on the play store then surely google are complicit

    Personally I think it is high time that all application/OS access rights are required to be justified before they can be published or the distributer is held responsible.

  6. Anonymous Blowhard

    Cue for a song...

    I think I'm turning Japanese

    http://www.youtube.com/watch?v=IWWwM2wwMww

    1. Anonymous Blowhard

      Re: Cue for a song...

      What's with the downvote? Don't you know the origins of the song?

      https://en.wikipedia.org/wiki/Turning_Japanese

  7. Anonymous Coward
    Anonymous Coward

    Front facing camera

    Lucky there isn't a down facing camera!

    But what stops me covering up the front facing camera anyway; I never take selfies.

  8. Uplink

    Draw over other apps

    When I see this permission, I think twice. Anyway, adb remove crap.app, after you find out its ID, should rid you of the ransom request. Or just long-press the power button and choose to obliterate your phone :)

  9. Tromos
    Facepalm

    What's not to trust?

    An executable offering porn? What could possibly go wrong?

    1. Anonymous Coward
      Anonymous Coward

      Re: What's not to trust?

      It'll go down. One way or the other :)

  10. kotaKat

    HAH! It's a new spin on the FBI Moneypak viruses.

    Bravo, malware devs. Bravo.

Page:

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like