Your Android phone may be passing your texts to China

Security firm Kryptowire discovered that at least hundreds of thousands of Android phones in the US are configured to automatically send all text messages, call logs, location information, contact lists and more to servers in China every 72 hours. This is all invisible to the end user.

In the US, the dangerous software, made by Adups, is known to be on 120,000 phones made by BLU Products. The software appears to have been designed primarily for the Chinese market and impacts in the US may have been unintentional. Adups provides the software to ZTE and Huawei, two of the largest phone makers in the world.

This is not a bug but an intentional feature of the software. It is not yet clear whether this is abusive data collection for marketing or usage data, or whether this is part of a major surveillance activity by the Chinese government. An attorney for Adups says that the software helped identify junk texts and calls and that the information (at least for BLU customers) was deleted.

Read more in this NYTimes article.

Security lessons from Pokemon Go - Catch them all!

When anything big happens on the Internet, the criminals and snoops are not far behind. This time the event is Pokemon Go, and there are all kinds of different threats developing in its wake, from malware to tracking to physical danger. If you are not familiar with this game yet, just look around next time you step outside; it is everywhere.

Criminals have jumped quickly on the piecemeal global rollout of the game. Players unwilling to wait for the official release in their countries have been looking for the game on unofficial app stores. A version with the Android trojan DroidJack has been seen which allows the attacker to take complete control of the victim’s phone and access any files or information. The vast majority of users should absolutely avoid any third party app stores. Only get your software from known and reputable sources and don’t do anything to bypass the phone’s security. The best practice is to stick with the app store that came with your phone.

Even the official version of the game raises some troubling privacy concerns. By design the application tracks you when you are using it, and you are strongly encouraged to be using it all the time. This is hardly the only application tracking you, but the privacy policy on the game is not great. Also, it is likely to be disproportionately tracking children. Always think about who has access to your information and how it can be used for and against you. The tracking data might be ok in the hands of the current company but if it is sold or stolen, you might be less happy with the people who have it.

Conventional muggers have also discovered the power of Pokemon Go to lure their victims. In the game players need to search out fixed locations called Poke Stops and Gyms. Criminals can add capabilities to these virtual constructs to make them even more interesting and attractive. If the location is dark and somewhat hidden, it becomes the perfect location for an ambush. The divide between virtual and physical keeps getting narrower. Physical attacks are launched from cyberspace, and cyber attacks can start with physical device access. We can’t just focus on the digital risks of tools and attacks, but must also consider how they could impact us in the analog world.

Finally, this game is causing people to walk into the street, down dark alleys, and into rough neighborhoods without paying attention or taking appropriate care. Like distracted driving, this is another example of our immersion in the electronic realm causing us to neglect the basics of staying safe in the here and now.

I find it fascinating that one program, and a game at that, can have so many and varied security implications. Now, I am off to catch me some Pokemon, I think there are some down my driveway!

The Privacy Blog Podcast - Ep. 20: Censorship, passwords, NSLs and cash

In episode 20 of our podcast for May I talk about:

  • The need to target your privacy efforts
  • Why your secrets may not be safe with secrecy apps
  • The possibility of more light shining on National Security Letters
  • Conflicted feelings about censorship in the Russian government
  • Google and the right to be forgotten
  • What you need to do to deal with all these password breaches
  • A demonstration of a stealthy camera snooping app for Android
  • and a quick announcement about Anonymizer

Is your Android watching you?

Your smartphone's camera might be spying on you. Researcher Szymon Sidor has created an app that will stealthily activate the camera on an Android phone. The trick is bypassing the requirement in Android to have a preview window open any time the camera is active. Szymon’s solution was to make the preview window only a single pixel.

From there, one can use the typical methods to hide the application and have it run in the background. Of course, the attacker still needs to get the app on the phone. Hiding this functionality in some useful app on the Android app store is probably the most likely course.

This would be a good argument for keeping your phone in your pocket or purse, rather than sitting on a table with an interesting view.

Lance Cottrell is the Founder and Chief Scientist of Anonymizer. Follow me on Facebook, Twitter, and Google+.

The Privacy Blog Podcast - Ep. 14: Mobile device privacy and the anti-surveillance tent.

This is episode 14 of the Privacy Blog Podcast for November 2013. In this episode I talk about:

  • How your phone might be tracked, even if it is off
  • The hidden second operating system in your phone
  • Advertising privacy settings in Android KitKat
  • How Google is using your profile in caller ID
  • The lengths to which Obama has to go to avoid surveillance when traveling

Easy bypass to Android App signing discovered

Infosec Institute published an article showing in detail how application signing on Android devices can be defeated.

This trick allows the attacker to modify a signed application without causing the application to fail its signature check.

The attack works by exploiting a flaw in the way signed files in the .apk zip file are installed and verified. Most zip tools don't allow duplicate file names, but the zip standard does support them. The problem is that, when confronted with such a situation, the signature verification system and the installer do different things.

The signature verifier checks the first copy of a duplicated file, but the installer actually installs the last one.

So, if the first version of a file in the archive is the real one, the package will check as valid, but the evil second version is what actually gets installed and run.
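The verifier/installer mismatch described above, as an added example that is not the Infosec Institute proof of concept or Android's own code: the script builds a ZIP in memory with two entries named classes.dex (benign copy first), then models a verifier that stops at the first matching central-directory entry and an installer that looks entries up by name, and finally runs the check that closes the gap, namely rejecting any archive whose entry names are not unique. Python's zipfile module stands in for both components, the entry names and contents are constructed, and the function names are the example's own.

```python
"""Duplicate-entry ZIP check (constructed example).

Models the APK signing bypass: a verifier that reads the first copy of
a repeated entry disagrees with an installer that reads the last copy.
The defensive check is to refuse archives with duplicate entry names.
"""
import hashlib
import io
import warnings
import zipfile
from collections import Counter


def build_apk(entries: list[tuple[str, bytes]]) -> bytes:
    """Return ZIP bytes holding the given (name, data) entries in order.

    zipfile only warns about a repeated name, so it can build the same
    archive a hand-crafted tool would; the warning is silenced here.
    """
    buf = io.BytesIO()
    with warnings.catch_warnings():
        warnings.simplefilter("ignore")  # 'Duplicate name' warning
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            for name, data in entries:
                zf.writestr(name, data)
    return buf.getvalue()


def build_apk_with_duplicate(benign: bytes, malicious: bytes) -> bytes:
    """Constructed archive: classes.dex twice, the benign copy first."""
    return build_apk([
        ("AndroidManifest.xml", b"<manifest/>"),  # constructed placeholder
        ("classes.dex", benign),
        ("classes.dex", malicious),
    ])


def verifier_view(apk: bytes, name: str) -> bytes:
    """Bytes a verifier sees when it walks the central directory and
    stops at the FIRST entry with the requested name."""
    with zipfile.ZipFile(io.BytesIO(apk)) as zf:
        for info in zf.infolist():           # central-directory order
            if info.filename == name:
                # open() by ZipInfo reads exactly this entry
                with zf.open(info) as fh:
                    return fh.read()
    raise KeyError(name)


def installer_view(apk: bytes, name: str) -> bytes:
    """Bytes an installer sees when it looks entries up by name.
    zipfile's name index keeps the LAST entry for a repeated name,
    which mirrors the installer behaviour described in the post."""
    with zipfile.ZipFile(io.BytesIO(apk)) as zf:
        return zf.read(name)


def duplicate_entries(apk: bytes) -> list[str]:
    """Names that occur more than once. A verifier that rejects any
    archive where this list is non-empty cannot be split from the
    installer, whichever copy the installer would have chosen."""
    with zipfile.ZipFile(io.BytesIO(apk)) as zf:
        counts = Counter(info.filename for info in zf.infolist())
    return sorted(n for n, c in counts.items() if c > 1)


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


if __name__ == "__main__":
    apk = build_apk_with_duplicate(b"benign dex", b"malicious dex")
    print("verifier checks :", sha256(verifier_view(apk, "classes.dex")))
    print("installer uses  :", sha256(installer_view(apk, "classes.dex")))
    print("duplicate names :", duplicate_entries(apk))
```

Running it prints two different digests for the same entry name, which is the whole bypass in one line of output; the last line shows the check a verifier should run before it even begins hashing, since an archive with a non-unique name has no single meaning to verify.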

This is another example of vulnerabilities hiding in places you least expect.

The Privacy Blog Podcast - Ep. 6: Breaking Privacy News – Facebook “Likes” Predict Personality, Google's Wi-Fi Sniffing, and the Six Strikes Anti-Piracy Policy

In the March episode of The Privacy Blog Podcast, I’ll run down some of the major privacy news events of the last month. Learn how Facebook “Likes” can paint an extremely detailed and eerie picture of your real-life character traits. I’ll provide my take on Google’s Street View Wi-Fi sniffing controversy along with how “Do Not Track” flags are affecting the everyday Internet user. We’ll then touch on the implementation of the “Six Strikes” copyright alert system that was recently adopted by all five major ISPs. Stay tuned until the end of the episode to hear about Anonymizer’s exciting new beta program for Android and iOS devices. Thanks for listening!