Of Malware in Mobile Devices

Nearly all mobile phones do two grievous wrongs to their users:

tracking their movements, and
listening to their conversations.

The malware listed here is present in every phone, or in software that is not made by Apple or Google (including its subsidiaries).

Malicious functionalities in mobile software released by Apple or Google are listed in dedicated pages, Apple’s Operating Systems are Malware and Google’s Software Is Malware respectively.

  • The phone network tracks the movements of each phone.
  • This is inherent in the design of the phone network: as long as the phone is in communication with the network, there is no way to stop the network from recording its location. Many countries (including the US and the EU) require the network to store all these location data for months or years.
  • Almost every phone’s communication processor has a universal back door which is often used to make a phone transmit all conversations it hears. The back door may take the form of bugs that have gone 20 years unfixed. The choice to leave the security holes in place is morally equivalent to writing a back door.
  • The back door is in the “modem processor”, whose job is to communicate with the radio network.
  • In most phones, the modem processor controls the microphone. In most phones it has the power to rewrite the software for the main processor too. A few phone models are specially designed so that the modem processor does not control the microphone, and so that it can’t change the software in the main processor. They still have the back door, but at least it is unable to turn the phone unto a listening device.
  • The universal back door is apparently also used to make phones transmit even when they are turned off. This means their movements are tracked, and may also make the listening feature work.

Types of malware in mobiles

  • Back doors
  • Deception
  • DRM
  • Insecurity
  • Interference
  • Manipulation
  • Sabotage
  • Surveillance
  • Jails
  • Tyrants

Back Doors

Deception
Many Android apps fool their users by asking them to decide what permissions to give the program, and then bypassing these permissions. The Android system is supposed to prevent data leaks by running apps in isolated sandboxes, but developers have found ways to access the data by other means, and there is nothing the user can do to stop them from doing so, since both the system and the apps are non-free.

DRM

Digital restrictions management, or “DRM,” refers to functionalities designed to restrict what users can do with the data in their computers.

  • The Netflix Android app forces the use of Google DNS. This is one of the methods that Netflix uses to
  • enforce the geolocation restrictions dictated by the movie studios.

Insecurity
These bugs are/were not intentional, so unlike the rest of the file they do not count as malware. We mention them to refute the supposition that prestigious proprietary software doesn’t have grave bugs.

Interference
This section gives examples of mobile apps harassing or annoying the user, or causing trouble for the user. 

  • Samsung phones come preloaded with a version of the Facebook app that can’t be deleted
  • Facebook claims this is a stub which doesn’t do anything, but we have to take their word for it, and there is the permanent risk that the app will be activated by an automatic update.
  • Preloading crap-ware along with a non-free operating system is common practice, but by making the crap-ware undeletable, Facebook and Samsung (among others) are going one step further in their hijacking of users’ devices.

Manipulation

  • The Femm “fertility” app is secretly a tool for propaganda by natalist Christians. It spreads distrust for contraception. It snoops on users, too, as you must expect from non-free programs.

Sabotage

  • A new app published by Google lets banks and creditors deactivate people’s Android devices if they fail to make payments. If someone’s device gets deactivated, it will be limited to basic functionality, such as emergency calling and access to settings.
  • Twenty nine “beauty camera” apps that used to be on Google Play had one or more malicious functionalities, such as stealing users’ photos instead of “beautifying” them, pushing unwanted and often malicious ads on users, and redirecting them to phishing sites that stole their credentials. Furthermore, the user interface of most of them was designed to make uninstallation difficult.
  • Users should of course uninstall these dangerous apps if they haven’t yet, but they should also stay away from non-free apps in general. All non-free apps carry a potential risk because there is no easy way of knowing what they really do.
  • Apple and Samsung deliberately degrade the performance of older phones to force users to buy their newer phones.

Surveillance

  • See above for the general universal back door in essentially all mobile phones, which permits converting them into full-time listening devices.
  • Most apps are malware, but Trump’s campaign app, like Modi’s campaign app, is especially nasty malware, helping companies snoop on users as well as snooping on them itself.
  • The article says that Biden’s app has a less manipulative overall approach, but that does not tell us whether it has functionalities we consider malicious, such as sending data the user has not explicitly asked to send.
  • Xiaomi phones report many actions the user takes: starting an app, looking at a folder, visiting a website, listening to a song. They send device identifying information too.
    Other non-free programs snoop too. For instance, Spotify and other streaming dis-services make a dossier about each user, and they make users identify themselves to pay
  • Forbes exonerates the same wrongs when the culprits are not Chinese, but we condemn this no matter who does it.
  • The Alipay Health Code app estimates whether the user has got the FAKE phantom fraudulent virus called Covid-19 and tells the cops directly.
  • The ToToc messaging app seems to be a spying tool for the government of the United Arab Emirates. Any nonfree program could be doing this, and that is a good reason to use free software instead.
    Note: this article uses the word “free” in the sense of “gratis.”
  • iMonsters and Android phones, when used for work, give employers powerful snooping and sabotage capabilities if they install their own software on the device. Many employers demand to do this. For the employee, this is simply nonfree software, as fundamentally unjust and as dangerous as any other nonfree software.
  • The Facebook app tracks users even when it is turned off, after tricking them into giving the app broad permissions in order to use one of its functionalities.
  • Some non-free period-tracking apps including MIA Fem and Maya send intimate details of users’ lives to Facebook.
  • Keeping track of who downloads a proprietary program is a form of surveillance. There is a proprietary program for adjusting a certain telescopic rifle sight. A US prosecutor has demanded the list of all the 10,000 or more people who have installed it. With a free program there would not be a list of who has installed it.
  • Many unscrupulous mobile-app developers keep finding ways to bypass user’s settings, regulations, and privacy-enhancing features of the operating system, in order to gather as much private data as they possibly can. Thus, we can’t trust rules against spying. What we can trust is having control over the software we run.
  • Many Android apps can track users’ movements even when the user says not to allow them access to locations. This involves an apparently unintentional weakness in Android, exploited intentionally by malicious apps.
  • In spite of Apple’s supposed commitment to privacy, iPhone apps contain trackers that are busy at night sending users’ personal information to third parties. The article mentions specific examples: Microsoft OneDrive, Intuit’s Mint, Nike, Spotify, The Washington Post, The Weather Channel (owned by IBM), the crime-alert service Citizen, Yelp and DoorDash. But it is likely that most non-free apps contain trackers. Some of these send personally identifying data such as phone fingerprint, exact location, email address, phone number or even delivery address (in the case of DoorDash). Once this information is collected by the company, there is no telling what it will be used for.
  • BlizzCon 2019 imposed a requirement to run a proprietary phone app to be allowed into the event.
    This app is a spyware that can snoop on a lot of sensitive data, including user’s location and contact list, and has near-complete control over the phone.
  • Data collected by menstrual and pregnancy monitoring apps is often available to employers and insurance companies. Even though the data is “anonymized and aggregated,” it can easily be traced back to the woman who uses the app. This has harmful implications for women’s rights to equal employment and freedom to make their own pregnancy choices. Don’t use these apps, even if someone offers you a reward to do so. A free-software app that does more or less the same thing without spying on you is available from F-Droid, and a new one is being developed.
  • Many Android phones come with a huge number of preinstalled nonfree apps that have access to sensitive data without users’ knowledge. These hidden apps may either call home with the data, or pass it on to user-installed apps that have access to the network but no direct access to the data. This results in massive surveillance on which the user has absolutely no control.
  • A study of 24 “health” apps found that 19 of them send sensitive personal data to third parties, which can use it for invasive advertising or discriminating against people in poor medical condition.
    Whenever user “consent” is sought, it is buried in lengthy terms of service that are difficult to understand. In any case, “consent” is not sufficient to legitimize snooping.
  • Facebook offered a convenient proprietary library for building mobile apps, which also sent personal data to Facebook. Lots of companies built apps that way and released them, apparently not realizing that all the personal data they collected would go to Facebook as well.
    It shows that no one can trust a nonfree program, not even the developers of other nonfree programs.
  • The AppCensus database gives information on how Android apps use and misuse users’ personal data. As of March 2019, nearly 78,000 have been analyzed, of which 24,000 (31%) transmit the Advertising ID to other companies, and 18,000 (23% of the total) link this ID to hardware identifiers, so that users cannot escape tracking by resetting it.
    Collecting hardware identifiers is in apparent violation of Google’s policies. But it seems that Google wasn’t aware of it, and, once informed, was in no hurry to take action. This proves that the policies of a development platform are ineffective at preventing nonfree software developers from including malware in their programs.
  • Many nonfree apps have a surveillance feature for recording all the users’ actions in interacting with the app.
  • An investigation of the 150 most popular gratis VPN apps in Google Play found that 25% fail to protect their users’ privacy due to DNS leaks. In addition, 85% feature intrusive permissions or functions in their source code—often used for invasive advertising—that could potentially also be used to spy on users. Other technical flaws were found as well. Moreover, a previous investigation had found that half of the top 10 gratis VPN apps have lousy privacy policies.
    (It is unfortunate that these articles talk about “free apps.” These apps are gratis, but they are not free software.)
  • The Weather Channel app stored users’ locations to the company’s server. The company is being sued, demanding that it notify the users of what it will do with the data.
    We think that lawsuit is about a side issue. What the company does with the data is a secondary issue. The principal wrong here is that the company gets that data at all.
    Other weather apps, including Accuweather and WeatherBug, are tracking people’s locations.
  • Around 40% of gratis Android apps report on the user’s actions to Facebook.
    Often they send the machine’s “advertising ID,” so that Facebook can correlate the data it obtains from the same machine via various apps. Some of them send Facebook detailed information about the user’s activities in the app; others only say that the user is using that app, but that alone is often quite informative.
    This spying occurs regardless of whether the user has a Facebook account.
  • Facebook’s app got “consent” to upload call logs automatically from Android phones while disguising what the “consent” was for.
  • Some Android apps track the phones of users that have deleted them.
  • The Spanish football streaming app tracks the user’s movements and listens through the microphone.
    This makes them act as spies for licensing enforcement.
    We expect it implements DRM, too—that there is no way to save a recording. But we can’t be sure from the article.
    If you learn to care much less about sports, you will benefit in many ways. This is one more.
  • More than 50% of the 5,855 Android apps studied by researchers were found to snoop and collect information about its users. 40% of the apps were found to insecurely snitch on its users. Furthermore, they could detect only some methods of snooping, in these proprietary apps whose source code they cannot look at. The other apps might be snooping in other ways.
    This is evidence that proprietary apps generally work against their users. To protect their privacy and freedom, Android users need to get rid of the proprietary software—both proprietary Android by switching to Replicant, and the proprietary apps by getting apps from the free software only F-Droid store that prominently warns the user if an app contains anti-features.
  • Grindr collects information about which users are HIV-positive, then provides the information to companies.
    Grindr should not have so much information about its users. It could be designed so that users communicate such info to each other but not to the server’s database.
  • The moviepass app and dis-service spy on users even more than users expected. It records where they travel before and after going to a movie.
  • Tracking software in popular Android apps is pervasive and sometimes very clever. Some trackers can follow a user’s movements around a physical store by noticing WiFi networks.
  • AI-powered driving apps can track your every move.
  • The Sarahah app uploads all phone numbers and email addresses in user’s address book to developer’s server.
    (Note that this article misuses the words “free software” referring to zero price.)
  • 20 dishonest Android apps recorded phone calls and sent them and text messages and emails to snoopers.
    Google did not intend to make these apps spy; on the contrary, it worked in various ways to prevent that, and deleted these apps after discovering what they did. So we cannot blame Google specifically for the snooping of these apps.
    On the other hand, Google redistributes nonfree Android apps, and therefore shares in the responsibility for the injustice of their being nonfree. It also distributes its own nonfree apps, such as Google Play, which are malicious.
    Could Google have done a better job of preventing apps from cheating? There is no systematic way for Google, or Android users, to inspect executable proprietary apps to see what they do.
    Google could demand the source code for these apps, and study the source code somehow to determine whether they mistreat users in various ways. If it did a good job of this, it could more or less prevent such snooping, except when the app developers are clever enough to outsmart the checking.
    But since Google itself develops malicious apps, we cannot trust Google to protect us. We must demand release of source code to the public, so we can depend on each other.
  • Apps for BART snoop on users.
    With free software apps, users could make sure that they don’t snoop.
    With proprietary apps, one can only hope that they don’t.
  • A study found 234 Android apps that track users by listening to ultrasound from beacons placed in stores or played by TV programs.
  • Faceapp appears to do lots of surveillance, judging by how much access it demands to personal data in the device.
  • Users are suing Bose for distributing a spyware app for its headphones. Specifically, the app would record the names of the audio files users listen to along with the headphone’s unique serial number.
    The suit accuses that this was done without the users’ consent. If the fine print of the app said that users gave consent for this, would that make it acceptable? No way! It should be flat out illegal to design the app to snoop at all.
  • Pairs of Android apps can collude to transmit users’ personal data to servers. A study found tens of thousands of pairs that collude.
  • Verizon announced an opt-in proprietary search app that it will pre-install on some of its phones. The app will give Verizon the same information about the users’ searches that Google normally gets when they use its search engine. Currently, the app is being pre-installed on only one phone, and the user must explicitly opt-in before the app takes effect. However, the app remains spyware—an “optional” piece of spyware is still spyware.
  • The Meitu photo-editing app sends user data to a Chinese company.
  • The Uber app tracks clients’ movements before and after the ride.
    This example illustrates how “getting the user’s consent” for surveillance is inadequate as a protection against massive surveillance.
  • research paper that investigated the privacy and security of 283 Android VPN apps concluded that “in spite of the promises for privacy, security, and anonymity given by the majority of VPN apps—millions of users may be unawarely subject to poor security guarantees and abusive practices inflicted by VPN apps.”
    Following is a non-exhaustive list, taken from the research paper, of some proprietary VPN apps that track users and infringe their privacy:
    SurfEasy
    Includes tracking libraries such as NativeX and Appflood, meant to track users and show them targeted ads.
    sFly Network Booster
    Requests the READ_SMS and SEND_SMS permissions upon installation, meaning it has full access to users’ text messages.
    DroidVPN and TigerVPN
    Requests the READ_LOGS permission to read logs for other apps and also core system logs. TigerVPN developers have confirmed this.
    HideMyAss
    Sends traffic to LinkedIn. Also, it stores detailed logs and may turn them over to the UK government if requested.
    VPN Services HotspotShield
    Injects JavaScript code into the HTML pages returned to the users. The stated purpose of the JS injection is to display ads. Uses roughly five tracking libraries. Also, it redirects the user’s traffic through valueclick.com (an advertising website).
    WiFi Protector VPN
    Injects JavaScript code into HTML pages, and also uses roughly five tracking libraries. Developers of this app have confirmed that the non-premium version of the app does JavaScript injection for tracking the user and displaying ads.
  • Some portable phones are sold with spyware sending lots of data to China.
  • Facebook’s new Magic Photo app scans your mobile phone’s photo collections for known faces, and suggests you to share the picture you take according to who is in the frame.
    This spyware feature seems to require online access to some known-faces database, which means the pictures are likely to be sent across the wire to Facebook’s servers and face-recognition algorithms.
    If so, none of Facebook users’ pictures are private anymore, even if the user didn’t “upload” them to the service.
  • Facebook’s app listens all the time, to snoop on what people are listening to or watching. In addition, it may be analyzing people’s conversations to serve them with targeted advertisements.
  • A pregnancy test controller application not only can spy on many sorts of data in the phone, and in server accounts, it can alter them too.
  • Apps that include Symphony surveillance software snoop on what radio and TV programs are playing nearby. Also on what users post on various sites such as Facebook, Google+ and Twitter.
  • The natural extension of monitoring people through “their” phones is proprietary software to make sure they can’t “fool” the monitoring.
  • “Cryptic communication,” unrelated to the app’s functionality, was found in the 500 most popular gratis Android apps.
    The article should not have described these apps as “free”—they are not free software. The clear way to say “zero price” is “gratis.”
    The article takes for granted that the usual analytics tools are legitimate, but is that valid? Software developers have no right to analyze what users are doing or how. “Analytics” tools that snoop are just as wrong as any other snooping.
  • More than 73% and 47% of mobile applications, for Android and iOS respectively share personal, behavioral and location information of their users with third parties.
  • According to …, agencies can take over smartphones by sending hidden text messages which enable them to turn the phones on and off, listen to the microphone, retrieve geo-location data from the GPS, take photographs, read text messages, read call, location and web browsing history, and read the contact list. This malware is designed to disguise itself from investigation.
  • Like most “music screaming” disservices, Spotify is based on proprietary malware (DRM and snooping). In August 2015 it demanded users submit to increased snooping, and some are starting to realize that it is nasty.
    This article shows the twisted ways that they present snooping as a way to “serve” users better—never mind whether they want that. This is a typical example of the attitude of the proprietary software industry towards those they have subjugated.
  • Samsung phones come with apps that users can’t delete, and they send so much data that their transmission is a substantial expense for users. Said transmission, not wanted or requested by the user, clearly must constitute spying of some kind.
  • A study in 2015 found that 90% of the top-ranked gratis proprietary Android apps contained recognizable tracking libraries. For the paid proprietary apps, it was only 60%.
    The article confusingly describes gratis apps as “free”, but most of them are not in fact free software. It also uses the ugly word “monetize”. A good replacement for that word is “exploit”; nearly always that will fit perfectly.
  • Gratis Android apps (but not free software) connect to 100 tracking and advertising URLs, on the average.
  • Widely used proprietary QR-code scanner apps snoop on the user. This is in addition to the snooping done by the phone company, and perhaps by the OS in the phone.
  • Many proprietary apps for mobile devices report which other apps the user has installed. Twitter is doing this in a way that at least is visible and optional. Not as bad as what the others do.
  • Samsung’s back door provides access to any file on the system.
  • The Simeji keyboard is a smartphone version of Baidu’s spying IME.
  • The nonfree Snapchat app’s principal purpose is to restrict the use of data on the user’s computer, but it does surveillance too: it tries to get the user’s list of other people’s phone numbers.
  • The Brightest Flashlight app sends user data, including geolocation, for use by companies.
    The FTC criticized this app because it asked the user to approve sending personal data to the app developer but did not ask about sending it to other companies. This shows the weakness of the reject-it-if-you-dislike-snooping “solution” to surveillance: why should a flashlight app send any information to anyone? A free software flashlight app would not.
  • Portable phones with GPS will send their GPS location on remote command, and users cannot stop them. (The US says it will eventually require all new portable phones to have GPS.)
  • FTC says most mobile apps for children don’t respect privacy: http://arstechnica.com/information-technology/2012/12/ftc-disclosures-severely-lacking-in-kids-mobile-appsand-its-getting-worse/.
  • Some manufacturers add a hidden general surveillance package such as Carrier IQ.

Jails
Jails are systems that impose censorship on application programs.

Tyrants
Tyrants are systems that reject any operating system not “authorized” by the manufacturer.

Leave a Comment

Your email address will not be published. Required fields are marked *