Is it just me?
Why would one install banking software on a mobile device easily misplaced on the train or down the pub in the first place?
A new Trojan banker for Android is capable of wiping compromised smartphones as well as stealing online banking credentials, security researchers warn. The Mazar BOT Android malware is spread using booby-trapped multi-media messages. If installed, the malware gains admin rights that give it the ability to do almost anything …
I previously used smaller, local institutions because I liked their low fees.
However, after I had moved to a larger bank, I scanned my old bank, and several other local (smaller) banks, with the Qualys TLS scanner at ssllabs.com.
Surprisingly, my old bank scored an "F" as did several smaller peers.
I do like using the ssllabs.com scanner before I put in a credit card or otherwise exchange sensitive information. Smaller firms often fail badly with security.
Ever considered this is a Stagefright-based exploit, meaning the Install dialogue never appears? Instead, the malware rides the MMS straight through to System, gains root permissions, and goes from there, all without your knowledge? Remember, many phones are prone to Stagefright AND at EOL, meaning they'll never be patched to fix the exploit.
Quote from the article:
"The Mazar BOT Android malware is spread using booby-trapped multi-media messages. If installed, the malware gains admin rights that give it the ability to do almost anything with a victim's phone." (Emphasis mine)
Multimedia messages means MMS, and an Android exploit using MMS at this point probably means it's a Stagefright exploit, unless you can point where it says otherwise.
One could read the text and think that one could be infected just by receiving/opening an MMS.
Is that "completely impossible" or "not yet"?
I'm sticking to using my desktop along with a completely non-networked code-generating gizmo that my bank sent me. Also to shopping only with credit cards, where the legal onus is on the credit provider to prove that it was I who spent the money, in a court of law if I insist that I did not.
"...where the legal onus is on the credit provider to prove that it was I who spent the money, in a court of law if I insist that I did not."
Or, in America, a completely biased arbitration proceeding, likely located as far as possible geographically from where ever you live. Yes, they do keep the paperwork you signed off on to get that bit of plastic.
"...Darwin is calling
all those who are stupid enough to click on a link from some random SMS and then click "install" when prompted if they want to proceed with an MMS messaging APK from an unknown source..."
Have to agree here. The only times I've ever turned on unknown sources was to install the Amazon app (apparently Google don't allow alternative Play-type stores by default) and to install a diving app my own dive buddy wrote, to test it for him.
In both cases, it was immediately disabled again.
My bank do send me SMS messages. To date they have never, ever, sent me an SMS with a link to install anything and frankly if I received one, I'd be very highly suspicious of it but I guess the kind of people these target don't fall into the tech savvy/above average intelligence/overly cynical and suspicious group(s) as found here.
I have a feeling anyone who does fall for such a ruse will subsequently become members of the overly cynical and suspicious group. I am a card carrying member.
DevOps.
Because it's bleeding edge. The hottest buzzword. Gotta keep saying it so it sounds like I'm aligned with latest technology. Plus it hasn't been mentioned in the past hour.
DevOps.
Time to set up a long, drawn-out meeting to discuss how great it is and bill by the hour for it.
<quote>... I'd be very highly suspicious of it but I guess the kind of people these target don't fall into the tech savvy/above average intelligence/overly cynical and suspicious group(s) as found here fall into the lowest 25 percentile of the intelligence scale.</quote>
There!!
FTFY!
"The only times I've ever turned on unknown sources was to install the Amazon app"
The official National Lottery app also requires 'unknown sources' to be enabled, because apparently Google 'doesn't allow any real money lottery apps in its store' (https://www.national-lottery.co.uk/android/installation)
Or so I'm told. By a friend. Obviously. Ahem...
Well, in the lot, you will find heart surgeons, car mechanics, university professors, if the MMS looks legit. Now, if you think they are stupid, how good are you at heart surgery or motor car mechanics?
We all have our specialities ...
Hey, I could say: I am sure you run internet explorer/edge, so your opinion does not count. Worst is, you ARE supposed to be an expert in that field .... you are like a heart surgeon performing life-threatening operations with a sharp piece of plastic found in a bin outside the hospital ... STFU!
I have good chances, because according to Gartner, 95% of "computer-literate users" (whatever that means) are useless at just that.
"Well, in the lot, you will find heart surgeons, car mechanics, university professors, if the MMS looks legit. Now, if you think they are stupid, how good are you at heart surgery or motor car mechanics?"
Not stupid, just ignorant. There's no excuse for a certain level of ignorance about technology if you have a smartphone you carry around with you all the time, interact with daily, use to plan your social life and even your financial affairs on. You damn well better learn to treat such a device as intimately as you do your own home and not simply hope to excuse yourself if you leave all the doors unlocked because you never bothered to read the lock manual.
For what it's worth, I do know every intimate detail about my personal vehicle as I do use it and depend on it daily. I don't know how the esoteric control systems in a flash luxury car work, but as the very label implies it's not a necessity and so I don't feel any inclination to spend vast sums of money on such a vehicle. Smartphones are another such luxury. Nobody seemed to need a smartphone when they were called PDAs and marketed at businessmen. Are we responsible, self-aware individuals or are we just specialized consumers with an ever-narrowing scope of knowledge and wisdom?
This seems to target those who are just smart enough to be able to root their phone and allow installs from untrusted sources, but dumb enough to follow any link they're given.
It is unfortunate that these people seem to be in the majority. I, for one, like to keep my phone security turned on and would always recommend that others do too.
Rooting seems trendy, but for the majority of people it's really not a good idea. (see Just smart enough)
MMS Messaging
Do you want to install this application? It will get access to:
Allow this app to:
* Your messages: edit your text messages (SMS or MMS), read your text messages (SMS or MMS), receive text messages (SMS)
* Network communication: full network access
* Services that cost you money: directly call phone numbers, send SMS messages
* Phone calls: read phone status and identity
* System tools: draw over other apps, prevent phone from sleeping, retrieve running apps
Not that having your bank account robbed isn't bad enough (probably worse) but it sounds like "gains administration permission to do stuff including erase your phone" has been distorted into "ZOMG it will erase your phone!!!1". Neither external link seems to say it actually does erase your phone. And I'm not sure why they would want to do that. In general I would expect the authors to prefer you keep using a compromised phone for as long as possible.
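The install dialog quoted above (SMS read/receive/send, full network access, draw over other apps, plus the "admin rights" the article mentions) is the kind of permission mix a practitioner would flag before a user ever taps "Install". The following is an added example, not code from the page or the article, and the AndroidManifest.xml it parses is constructed for illustration (a hypothetical "MMS Messaging" package), not Mazar BOT's real manifest. It maps the requested `uses-permission` entries to the dialog's categories and checks for a device-admin receiver, which is what lets an app call `DevicePolicyManager.wipeData()` or `lockNow()` once the user activates it.

```python
"""Static triage of an Android manifest for the permission mix shown in the
"MMS Messaging" install prompt (SMS read/receive/send, INTERNET,
SYSTEM_ALERT_WINDOW) plus a BIND_DEVICE_ADMIN receiver.  Added example with
a constructed manifest; not the real Mazar BOT manifest."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
ANDROID = "{%s}" % ANDROID_NS  # ElementTree's Clark notation for the android: prefix

# Constructed sample manifest (hypothetical package name), not taken from the page.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.mmsmessaging">
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.WRITE_SMS"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.CALL_PHONE"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
    <uses-permission android:name="android.permission.WAKE_LOCK"/>
    <uses-permission android:name="android.permission.GET_TASKS"/>
    <application android:label="MMS Messaging">
        <receiver android:name=".AdminReceiver"
                  android:permission="android.permission.BIND_DEVICE_ADMIN">
            <intent-filter>
                <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>
"""

# Permission sets that matter for an SMS-borne banking trojan.
SMS_INTERCEPT = {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"}
SMS_SEND = {"android.permission.SEND_SMS"}
OVERLAY = {"android.permission.SYSTEM_ALERT_WINDOW"}
NETWORK = {"android.permission.INTERNET"}


def requested_permissions(manifest_xml):
    """Return the set of android:name values on <uses-permission> elements."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID + "name") for el in root.iter("uses-permission")}


def requests_device_admin(manifest_xml):
    """True if any <receiver> is guarded by BIND_DEVICE_ADMIN, i.e. the app
    can be activated as a device administrator (lock, wipe, password policy)."""
    root = ET.fromstring(manifest_xml)
    return any(r.get(ANDROID + "permission") == "android.permission.BIND_DEVICE_ADMIN"
               for r in root.iter("receiver"))


def triage(manifest_xml):
    """Combine the permission groups into human-readable findings and a verdict."""
    perms = requested_permissions(manifest_xml)
    findings = []
    if perms & SMS_INTERCEPT and perms & NETWORK:
        findings.append("reads incoming SMS (e.g. bank one-time codes) and has network access to exfiltrate them")
    if perms & SMS_SEND:
        findings.append("can send SMS (premium-rate fraud or spreading its own install link)")
    if perms & OVERLAY:
        findings.append("can draw over other apps (overlay phishing on top of a banking app)")
    if requests_device_admin(manifest_xml):
        findings.append("registers a device-admin receiver (can lock or wipe the device once activated)")
    verdict = "high risk" if len(findings) >= 3 else "review"
    return {"permissions": sorted(perms), "findings": findings, "verdict": verdict}


if __name__ == "__main__":
    result = triage(SAMPLE_MANIFEST)
    print(result["verdict"])
    for f in result["findings"]:
        print(" -", f)
```

On a real sample you would obtain the manifest with `aapt dump xmltree app.apk AndroidManifest.xml` or `apktool d app.apk` first, since the manifest inside an APK is binary XML rather than the plain text parsed here. The device-admin check is the part that explains the article's "wipe" claim: the permission list in the dialog alone does not grant a wipe, but a `BIND_DEVICE_ADMIN` receiver plus a second prompt the user also accepts does.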