These thingies are called "smart phones" ...
... why, exactly?
They sure don't seem to increase the intelligence of the folks who flock to them. Sheeple, go figure ...
Computer scientists have identified a weakness in the Android mobile operating system that allows users to be tricked into silently installing hidden malware. A research team led by Xuxian Jiang at North Carolina State University discovered that they could redirect a fandroid's touchscreen taps - a technique known as …
So if someone had been educated without computers, had a PhD in mathematics and had never used a smartphone, used one for the first time but ran a trojan then you would call them stupid?
This is nothing to do with intelligence, this is all about trust levels and experience of the device you are using. The person who has never used a device before won't know what is a normal prompt and what is a dubious one. If anything, Android's differing GUI front ends make this a little more likely as there isn't one uniform interface.
@AC - I think Jake's point is that a lot of people go for the shiny-shiny without thinking. They then run the risk of discovering the drawback of not having thought properly about security, and get stung one way or another.
Whereas a smart guy might stop and think about it in the first place, realise that the shiny-shiny is just low grade unimaginative zero-intellect artificial pseudo-cool of the sort that anyone with a few hundred bucks can buy (how un-cool is that?), and choose something else with a better underlying pedigree.
The trick that Samsung and Apple have pulled is to realise that they don't care how cool / uncool their customers actually are just so long as they can fluff their egos for long enough to actually go and buy one. MS are trying the same trick but are inherently uncool (after all there's very little about Steve Ballmer that anyone would find appealing). Whereas RIM are stubbornly sticking to what they do best (security, enterprise, messaging) with a thin veneer of shiny-shiny on top. Admirable, but currently not very profitable.
"Now that we’ve identified the problem, we can begin working on ways to protect against attacks like these," he [Xuxian] added.
Now can one begin to invisibly exploit the opportunity, Mr Xuxian.
You know it makes perfect sense. Such is the nature of the beast that feeds the greedy follies of mankind. And IT is a Super MkUltraSensitive Weapon, is IT not, which does not allow fools and their tools at the helm or really active controls, or in the engine bay.
Hence the spooky black helicopter icon, for it is bound to be a bug of interest to the likes of a DARPA/IARPA/Station X.
It's a FAIL to use your smartphone to enter banking details, credit card numbers etc.
Any data which could potentially be used to defraud you - whether via rootkit, or losing your phone (or having it nicked) - should *never* be there in the first place.
Small transactions - sure, fine. Login to an App store, coupla quid, no information about your banking details should ever change hands in these transactions - unless you're signing up - which shouldn't be done on your phone :)
Yes, I'm paranoid - it's *real* easy to lose a phone. It's also *real* easy for people to wijack you, unless you're aware.
If the manufacturers were doing a proper job there would be no greater risk in ebanking on a mobile than there is on a PC or a MAC.
The fact that Android has no really effective defences against malware just illustrates how bad an OS it is. Google really made a mess of it. Taking Linux as a starting point should have led to a reasonably secure Android, but somehow all the goodness leaked away. What were they thinking?
I take issue with your dismissal of the entire smartphone genre. For example the security model in Blackberries is well thought out and seemingly well respected. That's why it is/was the phone of choice for corporate users. With its enforced data separation, strict software signing, remote wiping, etc. one could argue that ebanking on a Blackberry is safer than it is on a PC or MAC. WinPhone and iOS have similar pretensions, and may or may not be as successful in this regard as RIM.
there would be no greater risk in ebanking on a mobile than there is on a PC or a MAC.
If that is supposed to reassure people using PCs and Macs for online banking then it shouldn't. They are just as vulnerable to clickjacking as this attack.
100% safe isn't possible with online banking but using hardware encryption like HBCI, which separates authentication entirely from the OS, is reasonable.
From a quick look at the Android API a year or two ago, I remember that there was an API that allows you to read whatever is typed on a keyboard.
I was looking into this thinking that sometime I might get time to write my own keyboard.
Did the guy use the API? If so, it does not look like a hack to me...
Another thought - Samsung in its *wisdom* decided that people in the US are speaking either American English or Spanish, hence my SGS II on Sprint does not have any other language installed, hence I am using the Go keyboard.
As soon as I installed a 3rd party app with access to the keyboard - no banking for me.
Sense of humour failure from the Linux fanbois...
Now I know that Linux is merely a kernel that when packaged up with a bunch of other stuff can become a fairly secure operating system with a lot of good features that is very commonly called 'Linux', but a large majority of the other 6 billion people on the planet don't. Given this unavoidable misattribution of the name one has to consider the damage slack outfits such as Google with their crummy frameworks do to the 'Linux' brand and what can be done about it. Regrettably the answer to that is nothing, unless Linus and chums decide to take the kernel code out of GPL and make it purely proprietary thus enabling them to prevent cowboy outfits such as Google using the damn thing in the first place in their poorly thought out attempts to profit from the hard work that has been put into the kernel source code by the splendid and highly skilled volunteers that are the kernel devs.
Parsed that OK?