Backdoors in Millions of Smartphones

[FrgMstr]

I was at the bank the other day, yeah, physically at the bank, and the banker-dude asked me if I had installed its banking application on my smartphone. I looked at him and asked, "Do I really look that stupid?" Wired has an article up today that outlines my paranoia about smartphones and security. Banking apps? No. Pay with my phone? No. Naked selfies? Maybe. The gist of this is that there are a bunch of apps that leave insecure ports on your smartphone.

To determine the full scope of the port problem, the Michigan researchers built a software tool they call OPAnalyzer (for Open Port Analyzer) that they used to scan the code of around 100,000 popular apps in the Google Play app store.

They found that 1,632 applications created open ports on smartphones, mostly intended to allow users to connect to them from PCs to send text messages, transfer files, or use the phone as a proxy to connect to the rest of the internet.

If you have the Wifi File Transfer, Virtual USB, or PhonePal apps on your phone, you might want to reevaluate your installation. If you want to read up on the paper yourself, the PDF is right here.

In this paper, we develop a tool called OPAnalyzer, which can systematically characterize open port usage in Android apps and effectively detect exploitable vulnerabilities. Using this tool on 24K popular Android apps, we are able to classify 99% of the mobile usage into 5 families, and identify some unique usage scenarios on mobile platform. From the vulnerability analysis performed, we find that such usage is generally unprotected. We are able to discover a bunch of new exploits causing vulnerabilities such as information leakage, denial of service, and privileged execution. We also propose countermeasures and improved practices to mitigate these problems in different usage scenarios. As a potential future work, we want to apply OPAnalyzer to analyze Android system applications to discover more critical vulnerabilities.

 

[Bandalo]

So as long as you avoid the apps connecting your PC to your phone, you avoid almost all of these problems. Easy day.

I think Android Pay (and probably Apple Pay) are far more secure than any other payment method available these days. I've been pretty impressed with the USAA Banking App for what I've used it for, deposing checks from my phone, adjusting my car insurance, etc.

It's no different from a PC IMO, you can't just install every app you see. Do your homework and only install programs you trust from developers you trust.

 

[Deleted member 245375]

I'll say it again: there is no real privacy or security anymore, and with each passing moment as each new app on any platform comes out or gets some update it really just creates entirely new vectors of attack for any number of "entities" out there looking to wreak havoc on all of us for whatever reasons they wish.

To paraphrase a very old adage: cave hominum.

(yes, I used Google Translate since I don't use Latin as a second language, roughly translated cave hominum means "human beware" ala caveat emptor aka "buyer beware")

 

[Sonicks]

I was not even remotely surprised that apps on the Google Play store were in question.

Open ports are meaningless unless the application itself gives access to specifics of the system. In the article it mentioned two of the worst offending apps: A file transfer tool and a remote control tool. Both of those need explicit access to your files and system functions and with an open port those files and functions are fair game. Outside of what the apps have access to, however, those open ports are meaningless. Also even more meaningless if there are basic user log ins on the device. So basically an open port, theoretically, can only work if the user has said app in question, unlocks their phone, and has the application running. Outside of that scenario a port scanner won't turn up anything or it would but wouldn't do anything past a simple ping.

The article didn't go into detail what open ports really do and, again, used those worst case apps to detail a doomsday scenario of an attacker gaining access to sensitive data. If you download an app that doesn't request any additional access to your files and it leaves ports open to the internet, there is no threat.

With full file system encryption and user log ins (such as on an iPhone), open ports would only let the user 'ping' your device but it will not allow any access whatsoever. I'm not worried about the data on my phone. I do mobile banking and such but I also only have about 5 additional apps on my phone that aren't the stock iPhone apps. Not to mention I do have full blind faith in Apple's strict store guidelines to prevent these types of amateur development mistakes.

 

[rezerekted]

To paraphrase a very old adage: cave hominum.

Yes, humans once lived in caves.

I trust no apps and use my, hopefully secure, browser for banking over https.

 

[viscountalpha]

I had kik mine my phone for information. Visiting facebook can also trigger mining. If you are playing to use a service you are the product.

 

[NeghVar]

yep, doing banking the old fashion is perfectly secure. No worries. Then...
https://www.rt.com/usa/192708-jpmorgan-bank-accounts-hacked/

 

[Spidey329]

yep, doing banking the old fashion is perfectly secure. No worries. Then...
https://www.rt.com/usa/192708-jpmorgan-bank-accounts-hacked/

Yeah, but it seems as if it's only going to get more expensive to do banking the old fashioned way. Everything teller based seems to have a fee these days. I'm surprised making a deposit/withdrawal with a teller doesn't have a fee yet. Quite a few of my local branches have converted half their teller windows to ATM machines - just what I want, to pay you a bunch of non-sense fees so I can do the work for you.

Kinda funny, if you look at some of the more hated companies/industries, it's the ones that have adopted the "nickel and dime" business model as standard practice - banking, airlines, and ISP's [edit - and the gaming industry].

 

[Stimpy88]

Those stupid Sheeple!