McGruffThe FBI's Internet Crime Complaint Center has recently issued a warning about Android malware, citing two new malicious applications and how they can cause all sorts of havoc to the unsuspecting user. From the IC3 page:

Loozfon is an information-stealing piece of malware. Criminals use different variants to lure the victims. One version is a work-at-home opportunity that promises a profitable payday just for sending out e-mail. A link within these advertisements leads to a website that is designed to push Loozfon on the user's device. The malicious application steals contact details from the user’s address book and the infected device's phone number.

FinFisher is a spyware capable of taking over the components of a mobile device. When installed the mobile device can be remotely controlled and monitored no matter where the Target is located. FinFisher can be easily transmitted to a Smartphone when the user visits a specific web link or opens a text message masquerading as a system update.

Loozfon and FinFisher are just two examples of malware used by criminals to lure users into compromising their devices.

While we applaud the intent of the message -- keeping users safe -- the mechanics and facts are sorely lacking. Both the examples involve user "phishing," or tricking someone into clicking something. These aren't just flying around in space looking for your phone. And there's a big difference there.

Case in point -- one of the popular methods of propagation for the Loozfon malware that wasn't mentioned involves a promise of meeting wealthy Japanese men. Presumably, you can meet these men by clicking a link in an unsolicited message or from a web page. Protip -- you won't. Don't click them. The FinFisher malware gets even more tricky, as they mention the user is promised a system update if they click a link. In realty the user gets a variant of a corporate trojan written by professionals with ties to law enforcement

The FBI also gives a lengthy list of precautions to take to keep your phone safe, and we have to agree with them. Common sense items like not clicking unknown links and password protecting your phone are a must. Yet they forgot the most important one:

Applications can not install themselves after they have been downloaded. 

Even if you've clicked and downloaded one of these malicious apps, you still have to ask to install it, agree to the permissions you're given, then OK the entire process. Until that happens, it's just a file that can do no harm. There's two real pieces of advice we can give here -- read what you're installing, and pay attention to what you click. 

Source: IC3


Reader comments

The FBI issues Android malware warning, forgets how apps work


Miss information and lack there of true information is what scares people away from Android, sometimes i think it's a plot to cause hysteria amongst the mass's.

I'm stumbling over "opens a text message masquerading as a system update." Since when are system updates EVER delivered via text message?? You'd have to be pretty stupid and/or uneducated about computers in general to fall for that one...

"You'd have to be pretty stupid and/or uneducated about computers in general to fall for that one..."

I agree, my friend. But the world is full of some pretty idiotic blokes. My school is chock-full of 'em.

but don't most users download apps and give permission to install without looking?

I know I've done this frequently.... on apps downloaded directly from the Google Play store.

I'm sure Apple was behind this. Just wait a week or two and you will see ads that say "FBI investigates Android Viruses".

"When installed the mobile device can be remotely controlled and monitored no matter where the Target is located."
So it doesn't matter that there's a Target a few blocks away from my house? Oh, good, I thought living close to a store would increase my chances of being hacked.