URRGH! Evil app WATCHES YOU WATCHING PORN, snaps your grimace

A new frontier in horror has been breached, as it has emerged that your phone can in some circumstances take a picture of you as you view porn on it, and then use that image of your grimacing face to extort money on pain of exposure. Security outfit Zscaler detected the Android app, which lures victims who assume it is a …

  1. as2003

    It's not really a "vulnerability" in Android if: you have to manually enable installation of unverified 3rd party software, then ignore the blatant red flag that says "this app requires access to your camera".

    1. Teiwaz
      Devil

      Where is the vulnerability

      "It's not really a "vulnerability" in Android"

      Yup, it's a vulnerability in the user (and targets the vooonerables).

    2. Anonymous Coward
      Stop

      This is what I don't get about Fandroids (and many Linux users).

      If a person downloads a dodgy bit of software from some random website, ignores the warning about downloading and running programmes from the internet, clicks the button to approve installation. It's Microsoft's fault for allowing it to happen.

      If someone downloads an app for Android, it's the user's fault.

      1. Roq D. Kasba

        It's the user's fault either way. You can run Windows 10 all day long clean and happy without a security suite if you don't install anything ;-)

        1. Anonymous Coward
          Anonymous Coward

          Re: Roq D. Kasba

          It's the user's fault either way. You can run Windows 10 all day long clean and happy without a security suite if you don't install anything

          Only until the first remote exploit for something like (say) the network stack in W10 shows up. Then someone could passively scan the network you're on to find your W10 PC, exploit it, then voila, you're done.

          Not super likely for home users with IPv4 NAT... but since IPv6 doesn't have NAT and actual end user IPs are exposed... ugh.

        2. Anonymous Coward
          Anonymous Coward

          It's the user's fault either way. You can run Windows 10 all day long clean and happy without a security suite if you don't install and don't connect anything ;-)

          FIFY. I would not want a Windows box near an Internet connection without anti-virus and a certainty that at least its firewall is enabled; over the years I've learned not to invest trust in Windows out-of-the-box defaults.

        3. This post has been deleted by its author

      2. noboard

        Because a lot of the past vulnerabilities didn't require that, it was "go to a website and boom", because MS insisted most things have admin privileges, people had complete control over your machine.

        Hopefully things are getting better, but their track record is terrible.

      3. Anonymous Coward
        Anonymous Coward

        This is what I don't get about Fandroids

        It's only natural, I think. You have installed a billion shite apps on your mobile (because you can and because they enrich your life, lol), and practically ALL of those have flashed a long list of what functionality on your handset they will have to access for YOU to use the app, and you have no clue what it REALLY means (and you do want to use our app, right? Click "no" if you do not not want to not un-use it. Are you sure? Do you want to cancel? Yes? Good boy).

        You read carefully through the first few lists that pop up during installation, nothing bad happens. Nothing happens, nothing happens, nothing happens, you grow complacent, so you just "yeah-yeah-gimme-gimme" the new apps and then - CLICKBAIT!!!! And your willy's on the facebook, OMG, what will my boss say!?

        1. Jagged

          Re: This is what I don't get about Fandroids

          "CLICKBAIT!!!! And your willy's on the facebook, OMG, what will my boss say!?"

          - Time for a rise? ;D

        2. Rick Giles

          Re: This is what I don't get about Fandroids

          And your willy's on the facebook, OMG, what will my boss say!?

          I guess that depends on if it is impressive...

      4. Pascal Monett Silver badge

        @ Lost all faith

        There is a big difference between a Windows platform and Android - on the Android platform the user is not admin.

        In Windows, historically speaking, the user has always had all rights to the OS and hardware access because Microsoft took two decades to start understanding that that was not a good idea. So yeah, on a PC a lot of malware is there because of Microsoft, not always because of the user.

        1. This post has been deleted by its author

      5. Anonymous Coward
        Anonymous Coward

        "If a person downloads a dodgy bit of software from some random website, ignores the warning about downloading and running programmes from the internet, clicks the button to approve installation. It's Microsoft's fault for allowing it to happen."

        That's because Android and Linux have as many security precautions as possible to prevent it.

        Windows encourages users to run as admin, allowing any bad stuff to hose the system instead of just the user environment.

        Linux also creates new files as non-executable and you must manually change the permissions to execute said files, double click/launch from browser WILL NOT WORK until this is done. Windows on the other hand defaults with the execute permission set meaning double clicking and running from the browser will work.

        1. Anonymous Coward
          Anonymous Coward

          To those downvoters who downvoted my post about Linux not creating new files as executable, where Windows does and that is a problem, have an example of why Linux is doing this right and Windows not.

          http://www.theregister.co.uk/2015/09/08/whatsapp_security_flap/

          In short: a bug in WhatsApp allows vCards to be turned into .BAT files. If a user on Windows downloads this, it takes one click of the 'Run' button to hose their system. If it was a .sh file for Linux, users would have to save the file, right-click properties, tick 'Execute' permission and then double click the file to hose their user account.

        2. thosrtanner

          *sigh* Windows does NOT encourage users to run as admin. It throws up a box saying "this software wants to do something to your computer". And on loads and loads of websites, you see advice that tells you to

          1) Switch off the access control

          2) Change the permissions on <something in program files> so you can write to it

          And also

          3) There is still software that is released that more-or-less expects people to grant write access to places they shouldn't have to (Bethesda/Steam - Skyrim immediately comes to mind, but there are others).

          With a mindset like that even with the large developers, let alone the help sites, what do you expect. If people advised you to always run as root in Linux, they'd be howled down. But apparently it's Microsoft's fault that doing the same thing on Windows is considered par for the course.

          There are plenty of criticisms that Microsoft deserves, but encouraging people to run as admin all the time is not one.

      6. Rick Giles
        Linux

        This is what I don't get about Fandroids (and many Linux users).

        If a person downloads a dodgy bit of software from some random website, ignores the warning about downloading and running programmes from the internet, clicks the button to approve installation. It's Microsoft's fault for allowing it to happen.

        If someone downloads an app for Android, it's the user's fault.

        Me thinks you need an editor, or a stream of consciousness filter...

    3. SuccessCase

      I expect, at least as far as the non techie population are involved, landfill Android is about to enjoin quite a few high-end handsets!

    4. This post has been deleted by its author

      1. Anonymous Coward
        Anonymous Coward

        Google's fault

        Correct. The user should be able to prevent the app from accessing things without the app knowing that it is being prevented from accessing them: bogus address book provided to untrusted apps, and so on.

        In the case of the camera you could put a sticker over the lens but that wouldn't handle the case where you have two apps running simultaneously: a trusted one that you want to use the real camera and an untrusted one that you want to receive bogus data instead (a pop video perhaps).

      2. TeeCee Gold badge

        The source of that little issue is that the majority of those permissions that make you go "WTF does it need that for?" aren't actually required by the app at all.

        There's an ever-growing list that are required by the Google crapware baked into 'em all, which is why you ain't going to see them disappearing or you being allowed to stuff them on any official devices.

        I've said it before and I'll say it again. Android could be damned good, if only it were taken away from Google and their cruft was forcibly excised from it.

        1. This post has been deleted by its author

    5. Graham Marsden
      Boffin

      It's not a vulnerability...

      It's a ridiculous short-coming in security!

      A user shouldn't have to "ignore the blatant red flag that says "this app requires access to your camera",", they should be able to say "I don't want ANY apps to have access to MY camera unless *I* say they can!"

      The default should be opt IN, not "you can only opt-OUT by not installing the app in the first place".

      1. Anonymous Coward
        Anonymous Coward

        Re: It's not a vulnerability...

        A user shouldn't have to "ignore the blatant red flag that says "this app requires access to your camera",", they should be able to say "I don't want ANY apps to have access to MY camera unless *I* say they can!"

        The default should be opt IN, not "you can only opt-OUT by not installing the app in the first place".

        I have trouble parsing that statement. Do you mean "users SHOULD ignore red flags" like asking for privileges an app doesn't need, or are you asking for new functionality that locks the camera unless explicitly enabled?

        Knowing how users think (takes quite a lot of alcohol, but bear with me), that would simply yield complaints that the phone is hard to use. It would be better if Android would switch to the iOS model where permission is sought when the first access is attempted (nice, properly timed red flag there and then), and where permission can be withdrawn again for each individual resource.

        If Google would push that into the next release it would fix quite a few problems in one go.

        1. Graham Marsden

          @AC - Re: It's not a vulnerability...

          > are you asking for new functionality that locks the camera unless explicitly enabled?

          I'm saying that that should be the *default* setting for any app. Followed by, as you say, "This app wants to access your camera, do you want to allow it?" to give you the chance to say "hang on, why does a photo slide show viewer want to take pictures right now?"

        2. This post has been deleted by its author

        3. This post has been deleted by its author

      2. This post has been deleted by its author

    6. ponga

      Vulnerability

      To be perfectly fair, if it really can't be uninstalled, *that's* a security flaw. The rest is PEBKAC.

    7. viscount

      It doesn't help that companies like Amazon actually tell you to turn on the third-party app sources so that they can install their app store:

      http://www.amazon.com/gp/help/customer/display.html?nodeId=201482620

      As soon as a user does this they are vulnerable to rogue apps.

  2. This post has been deleted by its author

    1. Anonymous Coward
      Go

      Re: A better headline...

      Dick Turpin App Gets Users To Stand And Deliver

      Any others ?

      1. DavCrav

        Re: A better headline...

        Crims take money shot?

      2. Mutton Jeff

        Re: A better headline...

        "Rank, left flank, skank wank app tanks user rep demands banknotes, much angst"

        1. Billa Bong

          Re: A better headline...

          Mug pic from smut flick, malware takes selfie selfie

      3. Anonymous Coward
        Anonymous Coward

        Re: A better headline...

        These aren't the droid shots you're looking for, move along.

        or

        App trap porn slap over droid snap.

    2. LucreLout

      Re: A better headline...

      P0rn purveyors pernicious program publishes punters private pen1s pumping pictures.

  3. Anonymous Coward
    Anonymous Coward

    signum tempori

    higher than ever number of people lacking common sense who expose themselves, literally and metaphorically, to the rear (here front camera) entry. Fuck me, and the wish comes true.

  4. JasonB
    Meh

    Unchecking?

    "This can be enforced by unchecking the option of "Unknown Sources" under the "Security" settings of your device."

    That's already enforced on my device. (Yes I had to check!) Does that suggest that people have made a deliberate decision to download from potentially dodgy sites?

    1. Vic

      Re: Unchecking?

      Does that suggest that people have made a deliberate decision to download from potentially dodgy sites?

      Yes.

      Vic.

      1. Uplink

        Re: Unchecking?

        Cheap Chinese Spyware Phones come with that enabled by default for some reason.

    2. Anonymous Coward
      Anonymous Coward

      Re: Unchecking?

      Does that suggest that people have made a deliberate decision to download from potentially dodgy sites?

      Of course. Close to a billion people can't possibly be wrong..

  5. Anonymous Coward
    Anonymous Coward

    If this app is on the play store then surely google are complicit

    Personally I think it is high time that all application/OS access rights are required to be justified before they can be published or the distributor is held responsible.

  6. Anonymous Blowhard

    Cue for a song...

    I think I'm turning Japanese

    http://www.youtube.com/watch?v=IWWwM2wwMww

    1. Anonymous Blowhard

      Re: Cue for a song...

      What's with the downvote? Don't you know the origins of the song?

      https://en.wikipedia.org/wiki/Turning_Japanese

  7. Anonymous Coward
    Anonymous Coward

    Front facing camera

    Lucky there isn't a down facing camera!

    But what stops me covering up the front facing camera anyway; I never take selfies.

  8. Uplink

    Draw over other apps

    When I see this permission, I think twice. Anyway, adb remove crap.app, after you find out its ID, should rid you of the ransom request. Or just long-press the power button and choose to obliterate your phone :)

  9. Tromos
    Facepalm

    What's not to trust?

    An executable offering porn? What could possibly go wrong?

    1. Anonymous Coward
      Anonymous Coward

      Re: What's not to trust?

      It'll go down. One way or the other :)

  10. kotaKat

    HAH! It's a new spin on the FBI Moneypak viruses.

    Bravo, malware devs. Bravo.

  11. Zog_but_not_the_first
    IT Angle

    Tip of the iceberg

    I'll bet that loads of apps (in the store and beyond) have this capability. Maybe some apps grab all the permissions through lazy programming, but others want control of your camera etc., for a reason. The endless stream of "free" games must feature high in the "suspicious" category.

    Of course some apps use "spy features" in a good cause, such as the excellent Lockwatch. I use this to demonstrate to unconvinced friends that a phone's camera has a stealth mode.

  12. Anonymous Coward
    Anonymous Coward

    No, really?

    "During the course of our daily malware hunt, we came across a new mobile ransomware variant"

    I do hope they wiped up afterwards.

  13. Anonymous Coward
    Childcatcher

    Rise to the occasion

    I'm thinking anyone with a >= 8" wing-wang will be pretty much OK with their pics being all over the interwebs?

  14. Anonymous Coward
    Linux

    The Microsoft Phone app-gap again!

    Anyone with a Microsoft Windows Phone can't get apps like this! The app-gap is immense, epic fail by Microsoft!!

    1. Anonymous Coward
      Anonymous Coward

      Re: The Microsoft Phone app-gap again!

      No profit - Anyone running windows phone is shamed enough, what would another picture out there with them gripping their handie matter?

  15. regprentice

    In order to run the Amazon Appstore or another source such as Humble Bundle it's necessary to make the permissions change described. Certainly while Amazon were giving away a free app a day I couldn't be bothered to switch this option on and off every morning so left 'allow unknown sources' switched on as I assumed I would not be stupid enough to knowingly download anything else.

    That said I've noticed a significant increase in aggressive popup ads which appear to look like the Google Play store offering the current popular title (that vaguely porny looking one with Kate Upton in the adverts). Presumably these entice you to install a malicious executable.

  16. Anonymous Coward
    Anonymous Coward

    Porn on a phone?

    So it takes a picture of you squinting at a little 5" screen then?

  17. captain_solo

    "Let me see your War Face!" -Gunny Hartman

  18. JimboSmith Silver badge

    BlackBerry PlayBook

    On the PlayBook when you download an application it lists the things that the application wants access to. There is also a checkbox next to each item in the list and you can uncheck permissions you don't want the application to have. Some applications won't work without some permissions, i.e. a camera app and the camera, but I like having the choice. I had assumed that Android had had that built in from the start but when I started using it I realized that was missing and I had minimal control. If I can't see a reason for an app needing permission to use something on Android I don't download that app.

  19. Chairo
    Facepalm

    The real risk

    Is with the watchers of the resulting mugshots. Watching people watching porn. What a waste of time, resources. It's so mindless, they might forget to breathe.

    Really - where are they going to post this? Oh, wait - there might be a suitable channel on 4chan...

    1. Nifty Silver badge
      Joke

      Re: The real risk

      Didn't you mean Gogglebox - Channel 4?

  20. tomturkey101

    Duh! If I wanted to make some easy money by taking money from the rich to give to the poor (usually oneself), and keep a clean conscience, I would set up a sting operation against anyone doing anything questionable. Then call them on it. Highly reminiscent of the Godfather movies. "You don't gotta do anything right this moment, but if at some time in the future I should call on you for a "favor", you cannot refuse me." Advice: Keep your "hands" and your "conscience" clean. You will be much happier.

  21. Richard Scratcher
    Gimp

    Ha!

    As if anyone would recognise me in my gimp mask.

  22. RaymondJWilliams

    Not new

    This kind of ransom is not new. There was already a desktop ransom for some years now. It all depends on you getting secure or bogus apps. I for one use only big-name apps from sites like Fapshows.com or Chaturbate and I never had any problems.
