Android root-kit SDK released



<quote>
Software released for attacking Android phones

Percoco said it took about two weeks to build the malicious software that 
could allow criminals to steal precious information from Android 
smartphones.

"There are people who are much more motivated to do these things than we 
are," he added.

The tool is a so-called root kit that, once installed, allows its developer 
to gain total control of Android devices, which are being activated by 
consumers at a rate of about 160,000 units per day, according to Google.

"We could be doing what we want to do and there is no clue that we are 
there," Percoco said.

</quote>

http://news.yahoo.com/s/nm/20100730/wr_nm/us_hackers_android 

0
Reply Ezekiel 7/31/2010 12:59:00 PM

"Ezekiel" <Me@Not-there.com> writes:

> <quote>
> Software released for attacking Android phones
>
> Percoco said it took about two weeks to build the malicious software that 
> could allow criminals to steal precious information from Android 
> smartphones.
>
> "There are people who are much more motivated to do these things than we 
> are," he added.
>
> The tool is a so-called root kit that, once installed, allows its developer 
> to gain total control of Android devices, which are being activated by 
> consumers at a rate of about 160,000 units per day, according to Google.
>
> "We could be doing what we want to do and there is no clue that we are 
> there," Percoco said.
>
> </quote>
>
> http://news.yahoo.com/s/nm/20100730/wr_nm/us_hackers_android 

The Android loony fringe point out that when you install an app it tells
you what it's going to do. Most people (all) just hit "ok". I mean what
does "access data" mean to you when installing a mail app for instance?
0
Reply Hadron 7/31/2010 1:10:55 PM



"Hadron" <hadronquark@gmail.com> wrote in message 
news:i317d0$gg8$1@news.eternal-september.org...
> "Ezekiel" <Me@Not-there.com> writes:
>
>> <quote>
>> Software released for attacking Android phones
>>
>> Percoco said it took about two weeks to build the malicious software that
>> could allow criminals to steal precious information from Android
>> smartphones.
>>
>> "There are people who are much more motivated to do these things than we
>> are," he added.
>>
>> The tool is a so-called root kit that, once installed, allows its
>> developer to gain total control of Android devices, which are being
>> activated by consumers at a rate of about 160,000 units per day, according
>> to Google.
>>
>> "We could be doing what we want to do and there is no clue that we are
>> there," Percoco said.
>>
>> </quote>
>>
>> http://news.yahoo.com/s/nm/20100730/wr_nm/us_hackers_android
>
> The Android loony fringe point out that when you install an app it tells
> you what its going to do.

And of course if someone is distributing a malware app they'll be honest and 
tell you that the app is going to steal information from you.


> Most people (all) just hit "ok". I mean what
> does "access data" mean to you when installing a mail app for instance.


 

0
Reply Me7904 (305) 7/31/2010 1:14:01 PM

Ezekiel wrote:
> <quote>
> Software released for attacking Android phones
> 
> Percoco said it took about two weeks to build the malicious software that
> could allow criminals to steal precious information from Android
> smartphones.
> 
> "There are people who are much more motivated to do these things than we
> are," he added.
> 
> The tool is a so-called root kit that, once installed, allows its
> developer to gain total control of Android devices, which are being
> activated by consumers at a rate of about 160,000 units per day, according
> to Google.
> 
> "We could be doing what we want to do and there is no clue that we are
> there," Percoco said.
> 
> </quote>
> 
> http://news.yahoo.com/s/nm/20100730/wr_nm/us_hackers_android

From the reports I have read, the root kit is a kernel module and has to be 
intentionally installed as root for it to work. This is not like installing 
and running a normal application with user privileges.

Writing the Linux kernel module root kit is the easy part. It is relatively 
easy to port an existing one or write a new one. Finding and exploiting 
a root escalation vulnerability is much more difficult.

For this root kit to be of any use as malware it needs a trojan application 
that exploits some root escalation vulnerability, either automatically or 
with some user intervention, and installs the root kit with root privileges.

I did a *quick* search about rooting Android (because I'm thinking of an 
Android phone for my next phone, once this one dies, and want root access to 
the device). All examples I read were not of practical use for a trojan 
application.

If someone knows of Android root escalation exploits (either automatic or 
with some user assistance), please post a link to it.

Regards.

0
Reply Lusotec 7/31/2010 2:21:31 PM

Hadron wrote:
> Ezekiel writes:
>> <quote>
>> Software released for attacking Android phones
>>
>> Percoco said it took about two weeks to build the malicious software that
>> could allow criminals to steal precious information from Android
>> smartphones.
>>
>> "There are people who are much more motivated to do these things than we
>> are," he added.
>>
>> The tool is a so-called root kit that, once installed, allows its
>> developer to gain total control of Android devices, which are being
>> activated by consumers at a rate of about 160,000 units per day,
>> according to Google.
>>
>> "We could be doing what we want to do and there is no clue that we are
>> there," Percoco said.
>>
>> </quote>
>>
>> http://news.yahoo.com/s/nm/20100730/wr_nm/us_hackers_android
> 
> The Android loony fringe point out that when you install an app it tells
> you what its going to do. Most people (all) just hit "ok". I mean what
> does "access data" mean to you when installing a mail app for instance.

In Android, each application runs with a user ID exclusive to that 
application. Each application can't normally access other applications' files 
or root files.

Without exploiting some vulnerability to escalate privileges, a mail 
application will not have access to any other data but its own.

Regards.

0
Reply nomail6807 (1570) 7/31/2010 2:26:15 PM
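
The per-application user ID isolation described in the post above, as an added example that is not part of the thread: it parses a constructed `ls -ln /data/data` style listing, applies the standard Unix owner/group/other read check, and flags data directories that weaken the separation. The package names, UIDs and modes are made up, and treating only other-read/other-write as a finding is an assumption of this example.

```python
import stat
from collections import defaultdict
from typing import NamedTuple

FIRST_APP_UID = 10000  # Android hands out per-application UIDs from here up

# Constructed listing in the style of `ls -ln /data/data`; package names,
# UIDs and modes are made up for this example.
SAMPLE_LISTING = """\
drwxr-x--x 4 10021 10021 4096 2010-07-31 12:00 com.example.mail
drwxr-x--x 4 10034 10034 4096 2010-07-31 12:00 com.example.notes
drwxr-xr-x 4 10040 10040 4096 2010-07-31 12:00 com.example.leaky
drwxr-x--x 4 10052 10052 4096 2010-07-31 12:00 com.example.suite.a
drwxr-x--x 4 10052 10052 4096 2010-07-31 12:00 com.example.suite.b
drwxr-x--x 4 1000 1000 4096 2010-07-31 12:00 com.example.sysapp
"""


class Entry(NamedTuple):
    name: str
    uid: int
    gid: int
    mode: int  # permission bits only, e.g. 0o751


def parse_mode(text: str) -> int:
    """Convert a symbolic mode such as 'drwxr-x--x' to rwx permission bits."""
    bits = 0
    for i, ch in enumerate(text[1:10]):
        if ch not in "-ST":  # 'S'/'T' mean a special bit is set without execute
            bits |= 1 << (8 - i)
    return bits


def parse_listing(listing: str) -> list[Entry]:
    """Parse directory lines: mode, links, uid, gid, size, date, time, name."""
    entries = []
    for line in listing.splitlines():
        fields = line.split()
        if len(fields) < 8 or not fields[0].startswith("d"):
            continue
        entries.append(
            Entry(fields[-1], int(fields[2]), int(fields[3]), parse_mode(fields[0]))
        )
    return entries


def can_read(uid: int, gids: set, entry: Entry) -> bool:
    """Unix discretionary check for listing a directory's contents."""
    if uid == 0:  # root bypasses the check: why privilege escalation matters
        return True
    if uid == entry.uid:
        return bool(entry.mode & stat.S_IRUSR)
    if entry.gid in gids:
        return bool(entry.mode & stat.S_IRGRP)
    return bool(entry.mode & stat.S_IROTH)


def audit(entries: list[Entry]) -> dict:
    """Report data directories where the per-app UID separation is weakened."""
    by_uid = defaultdict(list)
    world, non_app = [], []
    for e in entries:
        by_uid[e.uid].append(e.name)
        if e.mode & (stat.S_IROTH | stat.S_IWOTH):
            world.append(e.name)  # any other UID can read or write here
        if e.uid < FIRST_APP_UID:
            non_app.append(e.name)  # owned by a platform UID, not an app UID
    # Packages sharing one UID can read each other's files; Android permits
    # this for same-signer apps (sharedUserId), so it is a review item.
    shared = {uid: names for uid, names in by_uid.items() if len(names) > 1}
    return {"world_accessible": world, "shared_uid": shared, "non_app_owner": non_app}


if __name__ == "__main__":
    entries = parse_listing(SAMPLE_LISTING)
    print(audit(entries))
    mail = entries[0]
    for other in entries[1:]:
        print(mail.name, "can list", other.name, "->",
              can_read(mail.uid, {mail.gid}, other))
```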

Ezekiel wrote:
> Hadron wrote:
>> The Android loony fringe point out that when you install an app it tells
>> you what its going to do.
> 
> And of course if someone is distributing a malware app they'll be honest
> and tell you that the app is going to steal information from you.

Security should not depend on the user's "OK" clicks or the application 
developers' honesty. Restrict both the user and the applications. Otherwise, 
security will be an illusion.

Regards.

0
Reply Lusotec 7/31/2010 2:49:44 PM

Lusotec <nomail@nomail.not> writes:

> Ezekiel wrote:
>> Hadron wrote:
>>> The Android loony fringe point out that when you install an app it tells
>>> you what its going to do.
>> 
>> And of course if someone is distributing a malware app they'll be honest
>> and tell you that the app is going to steal information from you.
>
> Security should not depend on the user's "OK" clicks or the applications' 
> developers honesty. Restrict both the user and the applications. Otherwise, 
> security will be an illusion.
>
> Regards.

"should not".

You are joking right?

0
Reply Hadron 7/31/2010 2:58:26 PM

On 2010-07-31, the following emerged from the brain of Hadron:
> Lusotec <nomail@nomail.not> writes:
>
>> Security should not depend on the user's "OK" clicks or the
>> applications' developers honesty. Restrict both the user and the
>> applications. Otherwise, security will be an illusion.
>>
>> Regards.
>
> "should not".
>
> You are joking right?

Why would he be joking? He's right. It shouldn't. A user should be
able to click all he wants without the risk of having his system
compromised. Give him only enough rope to hang himself.

-- 
BOFH excuse #260:

We're upgrading /dev/null
0
Reply TomB 7/31/2010 3:55:30 PM

TomB <tommy.bongaerts@gmail.com> writes:

> On 2010-07-31, the following emerged from the brain of Hadron:
>> Lusotec <nomail@nomail.not> writes:
>>
>>> Security should not depend on the user's "OK" clicks or the
>>> applications' developers honesty. Restrict both the user and the
>>> applications. Otherwise, security will be an illusion.
>>>
>>> Regards.
>>
>> "should not".
>>
>> You are joking right?
>
> Why would he be joking? He's right. It shouldn't. A user should be
> able to click all he wants without the risk of having his system
> compromised. Give him only enough rope to hang himself.

I despair at your inability to read at times.

"should not" is NOT the same as "does not".

Apps can and DO access private data as a result of being installed and
the user selecting "ok" to seemingly innocuous access prompts.

If you have an Android phone I am amazed you don't know this. If you
don't then I am somewhat baffled as to your contribution.

0
Reply Hadron 7/31/2010 3:58:21 PM


"Lusotec" <nomail@nomail.not> wrote in message 
news:i31bhe$18q$1@news.eternal-september.org...
> Ezekiel wrote:
>> <quote>
>> Software released for attacking Android phones
>>
>> Percoco said it took about two weeks to build the malicious software that
>> could allow criminals to steal precious information from Android
>> smartphones.
>>
>> "There are people who are much more motivated to do these things than we
>> are," he added.
>>
>> The tool is a so-called root kit that, once installed, allows its
>> developer to gain total control of Android devices, which are being
>> activated by consumers at a rate of about 160,000 units per day,
>> according to Google.
>>
>> "We could be doing what we want to do and there is no clue that we are
>> there," Percoco said.
>>
>> </quote>
>>
>> http://news.yahoo.com/s/nm/20100730/wr_nm/us_hackers_android
>
> From the reports I have read, the root kit is a kernel module and has to
> be intentionally installed as root for it to work. This is not like
> installing and running a normal application with user privileges.
>
> Writing the Linux kernel module root kit is the easy part. It is
> relatively easy to port an existing one or write a new one. Finding and
> exploiting a root escalation vulnerability is much more difficult.
>
> For this root kit to be of any use as malware it needs a trojan
> application that exploits some root escalation vulnerability, either
> automatically or with some user intervention, and installs the root kit
> with root privileges.
>
> I did a *quick* search about rooting Android (because I'm thinking of an
> Android phone for my next phone, once this one dies, and want root access
> to the device). All examples I read were not of practical use for a trojan
> application.
>
> If someone knows of Android root escalation exploits (either automatic or
> with some user assistance), please post a link to it.
>
> Regards.
>

Ask someone who went to the conference to give you a copy of theirs.


<quote>
Defcon hackers release Android rootkit, total control of smartphone possible

The annual Defcon conference usually brings with it a handful of surprises 
and cool hacks/devices. We've already seen the best conference badge design, 
but now we're seeing a rather worrying release for anyone owning an Android 
smartphone.

In a bid to highlight a security flaw in the Android OS, two attendees have 
released a rootkit that can be used to infiltrate an Android smartphone. 
Once installed a user will have no idea it is there and can take full 
control of the device. All your data is open to being stolen and your 
handset used for a hacker's gain.

The rootkit is being handed out on DVD to attendees at Defcon. Google has 
yet to respond to the news and the distribution.

</quote>

http://www.geek.com/articles/mobile/defcon-hackers-release-android-rootkit-total-control-of-smartphone-possible-20100730/


 

0
Reply Me7904 (305) 7/31/2010 4:05:19 PM


"Lusotec" <nomail@nomail.not> wrote in message 
news:i31bhe$18q$1@news.eternal-september.org...
> Ezekiel wrote:
>> <quote>
>> Software released for attacking Android phones
>>
>> Percoco said it took about two weeks to build the malicious software that
>> could allow criminals to steal precious information from Android
>> smartphones.
>>
>> "There are people who are much more motivated to do these things than we
>> are," he added.
>>
>> The tool is a so-called root kit that, once installed, allows its
>> developer to gain total control of Android devices, which are being
>> activated by consumers at a rate of about 160,000 units per day,
>> according to Google.
>>
>> "We could be doing what we want to do and there is no clue that we are
>> there," Percoco said.
>>
>> </quote>
>>
>> http://news.yahoo.com/s/nm/20100730/wr_nm/us_hackers_android
>
> From the reports I have read, the root kit is a kernel module and has to
> be intentionally installed as root for it to work. This is not like
> installing and running a normal application with user privileges.
>
> Writing the Linux kernel module root kit is the easy part. It is
> relatively easy to port an existing one or write a new one. Finding and
> exploiting a root escalation vulnerability is much more difficult.
>
> For this root kit to be of any use as malware it needs a trojan
> application that exploits some root escalation vulnerability, either
> automatically or with some user intervention, and installs the root kit
> with root privileges.
>
> I did a *quick* search about rooting Android (because I'm thinking of an
> Android phone for my next phone, once this one dies, and want root access
> to the device). All examples I read were not of practical use for a trojan
> application.
>
> If someone knows of Android root escalation exploits (either automatic or
> with some user assistance), please post a link to it.
>
> Regards.
>

Ask someone who attended the conference to give you a copy of theirs.


<quote>
Defcon hackers release Android rootkit, total control of smartphone possible

The annual Defcon conference usually brings with it a handful of surprises 
and cool hacks/devices. We've already seen the best conference badge design, 
but now we're seeing a rather worrying release for anyone owning an Android 
smartphone.

In a bid to highlight a security flaw in the Android OS, two attendees have 
released a rootkit that can be used to infiltrate an Android smartphone. 
Once installed a user will have no idea it is there and can take full 
control of the device. All your data is open to being stolen and your 
handset used for a hacker's gain.

The rootkit is being handed out on DVD to attendees at Defcon. Google has 
yet to respond to the news and the distribution.

</quote>

http://www.geek.com/articles/mobile/defcon-hackers-release-android-rootkit-total-control-of-smartphone-possible-20100730/

 

0
Reply Me7904 (305) 7/31/2010 4:09:18 PM

Hadron wrote:
> Lusotec writes:
>> Ezekiel wrote:
>>> Hadron wrote:
>>>> The Android loony fringe point out that when you install an app it
>>>> tells you what its going to do.
>>> 
>>> And of course if someone is distributing a malware app they'll be honest
>>> and tell you that the app is going to steal information from you.
>>
>> Security should not depend on the user's "OK" clicks or the applications'
>> developers honesty. Restrict both the user and the applications.
>> Otherwise, security will be an illusion.
> 
> "should not".

Yes, security should not depend on the user's "OK" clicks or the 
application developers' honesty. Restrict both the user and the 
applications. Otherwise, security will be an illusion.
 
> You are joking right?

Why do you think I'm joking? Do you disagree with my statement?

Regards.

0
Reply Lusotec 7/31/2010 4:11:56 PM

TomB stated in post 20100731175101.249@usenet.drumscum.be on 7/31/10 8:55
AM:

> On 2010-07-31, the following emerged from the brain of Hadron:
>> Lusotec <nomail@nomail.not> writes:
>> 
>>> Security should not depend on the user's "OK" clicks or the
>>> applications' developers honesty. Restrict both the user and the
>>> applications. Otherwise, security will be an illusion.
>>> 
>>> Regards.
>> 
>> "should not".
>> 
>> You are joking right?
> 
> Why would he be joking? He's right. It shouldn't. A user should be
> able to click all he wants without the risk of having his system
> compromised. Give him only enough rope to hang himself.

Recent example of where I hung myself... felt like a fool in doing so.  I
was looking for some Flash development tools and downloaded them from some
"safe" sources.  This was on Win 7 where I almost always make a snapshot
before installing software just in case it blows up on me.  Well, in this
case I figured the software was from a source I thought was trustworthy
(though I did not really check it out... mistake number one) and I did not
make a snapshot of the VM (mistake number two).  I then installed the
software and decided I did not like it... so I uninstalled it.  A few minutes
later Win 7 started having ads pop up.  I ran Ad-Aware and AVG.  Ad-Aware
found some malware and suggested I reboot after the cleanup.  Windows did
not reboot... it was dead.

Arg! I used the Win 7 media to try to fix it... but it could not.  And to
re-install the OS means you have to re-install essentially all software.
Which I did.  Luckily I only have a handful of apps on Windows... I am
*very* happy OS X is not built like that.  Even if I killed the OS or had
some malware do it, I would only have to re-install the OS and a few
programs / drivers (Adobe Creative Suite, my third party mouse driver and a
few others).  

Windows not only gives the user enough rope to allow the user to hang
himself, it then makes it so recovery is a pain in the neck.  So to speak.
:)  A good reminder to me of two things: 1) Make snapshots!  2) Windows has
some serious and absurd flaws in its basic design!


-- 
[INSERT .SIG HERE]


0
Reply Snit 7/31/2010 4:18:26 PM

Lusotec <nomail@nomail.not> writes:

> Hadron wrote:
>> Lusotec writes:
>>> Ezekiel wrote:
>>>> Hadron wrote:
>>>>> The Android loony fringe point out that when you install an app it
>>>>> tells you what its going to do.
>>>> 
>>>> And of course if someone is distributing a malware app they'll be honest
>>>> and tell you that the app is going to steal information from you.
>>>
>>> Security should not depend on the user's "OK" clicks or the applications'
>>> developers honesty. Restrict both the user and the applications.
>>> Otherwise, security will be an illusion.
>> 
>> "should not".
>
> Yes, Security should not depend on the user's "OK" clicks or the 
> applications' developers honesty. Restrict both the user and the 
> applications. Otherwise, security will be an illusion.
>
>> You are joking right?
>
> Why do you think I'm joking? Do you disagree why my statement?
>
> Regards.

Of course I don't disagree. I assumed you were joking for stating the
bleeding obvious which is, however, nothing to do with reality. Of
course apps "should not" allow access to private data to naughty
apps. But they do. They need it to be "apps" ... it's my WHOLE point of
the ignored prompts users click through when they install a new app.

0
Reply hadronquark (20912) 7/31/2010 4:35:15 PM

Hadron posted this message in ROT13 encoding:

> TomB <tommy.bongaerts@gmail.com> writes:
>
>> On 2010-07-31, the following emerged from the brain of Hadron:
>>> Lusotec <nomail@nomail.not> writes:
>>>
>>>> Security should not depend on the user's "OK" clicks or the
>>>> applications' developers honesty. Restrict both the user and the
>>>> applications. Otherwise, security will be an illusion.
>>>>
>>>> Regards.
>>>
>>> "should not".
>>>
>>> You are joking right?
>>
>> Why would he be joking? He's right. It shouldn't. A user should be
>> able to click all he wants without the risk of having his system
>> compromised. Give him only enough rope to hang himself.
>
> I despair at your inability to read at times.
>
> "should not" is NOT the same as "does not".
>
> Apps can and DO access private data as a result of being installed and
> the user selecting "ok" to seemingly innocuous access prompts.
>
> If you have an Android phone I am amazed you dont know this. If you
> don't then I am somewhat baffled as to your contribution.

"Hadron" knows it well, since he comes from the Windows world, where
malicious apps are *legion*.

-- 
FORTUNE'S PARTY TIPS		#14

Tired of finding that other people are helping themselves to your good
liquor at BYOB parties?  Take along a candle, which you insert and
light after you've opened the bottle.  No one ever expects anything
drinkable to be in a bottle which has a candle stuck in its neck.
0
Reply Chris 7/31/2010 5:01:11 PM

Hadron posted this message in ROT13 encoding:

> Lusotec <nomail@nomail.not> writes:
>
>> Hadron wrote:
>>> Lusotec writes:
>>>> Ezekiel wrote:
>>>>> Hadron wrote:
>>>>>> The Android loony fringe point out that when you install an app it
>>>>>> tells you what its going to do.
>>>>> 
>>>>> And of course if someone is distributing a malware app they'll be honest
>>>>> and tell you that the app is going to steal information from you.
>>>>
>>>> Security should not depend on the user's "OK" clicks or the applications'
>>>> developers honesty. Restrict both the user and the applications.
>>>> Otherwise, security will be an illusion.
>>> 
>>> "should not".
>>
>> Yes, Security should not depend on the user's "OK" clicks or the 
>> applications' developers honesty. Restrict both the user and the 
>> applications. Otherwise, security will be an illusion.
>>
>>> You are joking right?
>>
>> Why do you think I'm joking? Do you disagree why my statement?
>>
>> Regards.
>
> Of course I dont disagree. I assumed you were joking for stating the
> bleeding obvious which is, however, nothing to do with reality. Of
> course apps "should not" allow access to private data to naughty
> apps. But they do. They need it to be "apps" ... its my WHOLE point of
> the ignored prompts users click through when they install a new app.

Especially on Windows.

-- 
One nice thing about egotists: they don't talk about other people.
0
Reply ahlstromc1 (7599) 7/31/2010 5:01:44 PM

On 7/31/2010 10:49 AM, Lusotec wrote:
> Ezekiel wrote:
>> Hadron wrote:
>>> The Android loony fringe point out that when you install an app it tells
>>> you what its going to do.
>>
>> And of course if someone is distributing a malware app they'll be honest
>> and tell you that the app is going to steal information from you.
>
> Security should not depend on the user's "OK" clicks or the applications'
> developers honesty. Restrict both the user and the applications. Otherwise,
> security will be an illusion.


An Android rootkit will allow attacker's full remote access to do 
anything they want with the phone.

Android == Linux == insecure by design.


0
Reply nospam11 (18352) 7/31/2010 6:46:54 PM

DFS wrote:
> Lusotec wrote:
>> Ezekiel wrote:
>>> Hadron wrote:
>>>> The Android loony fringe point out that when you install an app it
>>>> tells you what its going to do.
>>>
>>> And of course if someone is distributing a malware app they'll be honest
>>> and tell you that the app is going to steal information from you.
>>
>> Security should not depend on the user's "OK" clicks or the applications'
>> developers honesty. Restrict both the user and the applications.
>> Otherwise, security will be an illusion.
> 
> An Android rootkit will allow attacker's full remote access to do
> anything they want with the phone.

*After* it is installed! And by the way, "allow attacker's full remote 
access to do anything they want" is common for root kits, not just this one.

The articles that talk about this root kit have no indication of how the 
root kit is installed on the system.

Is it installed by an application running with normal privileges? Does it 
use some root escalation exploit? Does it require user intervention (other 
than the normal application install)? Does the installer need root access 
from the start?

The existence of the root kit by itself is no indication of insecurity.

> Android == Linux == insecure by design.

Android's kernel is Linux but Android != Linux.

And you still have not shown a single example of "insecure by design" for 
Linux.

Regards.

0
Reply nomail6807 (1570) 7/31/2010 7:16:00 PM

On Sat, 31 Jul 2010 08:59:00 -0400, "Ezekiel" <Me@Not-there.com>
wrote:

>
><quote>
>Software released for attacking Android phones
>
>Percoco said it took about two weeks to build the malicious software that 
>could allow criminals to steal precious information from Android 
>smartphones.
>
>"There are people who are much more motivated to do these things than we 
>are," he added.
>
>The tool is a so-called root kit that, once installed, allows its developer 
>to gain total control of Android devices, which are being activated by 
>consumers at a rate of about 160,000 units per day, according to Google.
>
>"We could be doing what we want to do and there is no clue that we are 
>there," Percoco said.
>
></quote>
>
>http://news.yahoo.com/s/nm/20100730/wr_nm/us_hackers_android 


I guess that confirms the theory that when Linux/Open Source desktops
become popular enough to attack, IOW more than the current 1 percent
of market, the hackers will start the ball rolling.

What happened to the many eyes theory?

I notice the Linux loons are circling the wagons already!

Bwaaaaaaaaaaaaaaaaaaaaa!

P.S. I like the Android, I'm just making a comparison.
0
Reply The 7/31/2010 7:29:41 PM

On 7/31/2010 3:16 PM, Lusotec wrote:
> DFS wrote:
>> Lusotec wrote:
>>> Ezekiel wrote:
>>>> Hadron wrote:
>>>>> The Android loony fringe point out that when you install an app it
>>>>> tells you what its going to do.
>>>>
>>>> And of course if someone is distributing a malware app they'll be honest
>>>> and tell you that the app is going to steal information from you.
>>>
>>> Security should not depend on the user's "OK" clicks or the applications'
>>> developers honesty. Restrict both the user and the applications.
>>> Otherwise, security will be an illusion.
>>
>> An Android rootkit will allow attacker's full remote access to do
>> anything they want with the phone.
>
> *After* it is installed! And by the way, "allow attacker's full remote
> access to do anything they want" is common for root kits, not just this one.
>
> The articles that talk about this root kit have no indication of how the
> root kit is installed on the system.
>
> Is it installed by an application running with normal privileges? Does it
> use some root escalation exploit? Does it require user intervention (other
> than the normal application install)? Does the installer need root access
> from the start?
>
> The existence of the root kit by it self is no indication of insecurity.

The fact that it can be used remotely to destroy the system is.




>> Android == Linux == insecure by design.
>
> Android's kernel is Linux but Android != Linux.

huh?  For months the entire cola "advocacy" group has been claiming 
Android == Linux.




> And you still have not shown a single example of "insecure by design" for
> Linux.

I have several times.


0
Reply nospam11 (18352) 7/31/2010 7:45:21 PM

DFS wrote:
> Lusotec wrote:
>> DFS wrote:
>>> Lusotec wrote:
>>>> Ezekiel wrote:
>>>>> Hadron wrote:
>>>>>> The Android loony fringe point out that when you install an app it
>>>>>> tells you what its going to do.
>>>>>
>>>>> And of course if someone is distributing a malware app they'll be
>>>>> honest and tell you that the app is going to steal information from
>>>>> you.
>>>>
>>>> Security should not depend on the user's "OK" clicks or the
>>>> applications' developers honesty. Restrict both the user and the
>>>> applications. Otherwise, security will be an illusion.
>>>
>>> An Android rootkit will allow attacker's full remote access to do
>>> anything they want with the phone.
>>
>> *After* it is installed! And by the way, "allow attacker's full remote
>> access to do anything they want" is common for root kits, not just this
>> one.
>>
>> The articles that talk about this root kit have no indication of how the
>> root kit is installed on the system.
>>
>> Is it installed by an application running with normal privileges? Does it
>> use some root escalation exploit? Does it require user intervention
>> (other than the normal application install)? Does the installer need root
>> access from the start?
>>
>> The existence of the root kit by it self is no indication of insecurity.
> 
> The fact that it can be used remotely to destroy the system is.

That is nonsense. The fact that a remote terminal "can be used remotely to 
destroy the system" should make it obvious why that is nonsense.

>>> Android == Linux == insecure by design.
>>
>> Android's kernel is Linux but Android != Linux.
> 
> huh?  For months the entire cola "advocacy" group has been claiming
> Android == Linux.

That is obviously false!

>> And you still have not shown a single example of "insecure by design" for
>> Linux.
> 
> I have several times.

Not one single time, not one example!

I have posted a dozen examples of "insecure by design". Can you post just 
*one* that applies to Linux or GNU/Linux?

Regards.

0
Reply nomail6807 (1570) 7/31/2010 8:25:02 PM

Ezekiel wrote:
> Ask someone who attended the conference to give you a copy of theirs.

Unfortunately, I don't know anyone that has attended the conference.

Regards.

0
Reply Lusotec 7/31/2010 8:34:22 PM
