Pakistan Cyber Force: Android Phones spying on users - How to Tame & Disarm this electronic spy before using

Pakistan Cyber Force [Official] Networked Blog

Top stories

Pakistan Cyber Force [Official]

Sunday, November 20, 2011

Android Phones spying on users - How to Tame & Disarm this electronic spy before using

Print Friendly and PDF


Have you got an Android Phone and installed apps from the Android Market? Well guess what, you just blew your cover to Google which is CIA's information gathering tool on the cyber world, and its information stealing partners. Most of the mainstream Android Apps as well as the operating system itself are spying on you. Most of the stock apps installed in your new Android phone silently talk on the web without you even knowing about it and all of them have full access to your private data including your location, text messages, contacts and even the data you have stored on your external storage including the SD card of the phone.

For example, take a look at the permissions granted by default to these apparently innocent and helpful looking stock apps which include the stock Youtube app, the Dialer app, and the My Files (the stock file browser) app.

Youtube App(left), Phone(middle), My Files(right)
This clearly shows that when you connect to internet, these apps can automatically upload all the data that they want to Google's servers. Why on earth would a File Browser require details of your contacts, google mail as well as the phone state and identity? And above everything, when it doesn't have the functionality to connect to remote machines, why on earth does it require full internet access?

Let me bring to your notice another beautiful trap laid by the information thieves behind Android. Just like Apple's popular app Siri (the talking assistant), many promising looking apps have started popping up on the android market and most of them use Google's own Text To Speech (TTS) service. This service takes a sample of your voice, uploads it to the internet to Google's servers, and brings back the text which was said in that voice message. How safe is that? And let me ask you a question, how wise is it to let such services run wildly and freely on your phone when you are having a personal discussion with a group of your old friends after a late night dinner? But its there, and its running without your knowing in the background.

Let me give you a bigger shock. These are the visible apps, whereas being a powerful multi-threaded environment, your Android phone has dozens of daemons (processes with no user interface, in other words ghost processes) running in the background which you don't even know or care about. And all those hidden thieves are talking on the web sending whatever data they want, anonymously to remote servers without your consent. For example, the Kernel of your phone.

On my test phones running Android, in Pakistan, this little thief was found talking to the following IP addresses secretly. I was not able to log the packets for a detailed dissection however you can try it on your own if you want to.
  • 173.192.219.151
  • 119.73.37.46
  • 50.19.53.41
For those of you who are interested in digging deeper into it, you can visit this website to backtrace these IP addresses, and others that you find out on your phone after you go through this tutorial, to find out exactly who is listening to you secretly over the web.

This is not all, I have not found anywhere on internet exactly how could one disarm this dirty little spy i.e., your Android phone that resides in your pocket, around your workplace and near your family all the time, informing Google, the CIA's partner in information stealth crime. And what's worse, there are thousands of free apps available in the Android Market whose developers have given shady details about their technological and corporate background, which are having complete access to absolutely every feature of your phone without your consent. At the end of this article, we shall use brute force method to disarm your pocket spy ensuring your personal information safety. Let us first share a brief study done by Duke University, Penn State and Intel Research Labs regarding this matter here.

Quote from PC World Website:

<-------------------------- Quote --------------------------->
Even if you never use services like Foursquare or Facebook Places or Google Latitude to announce your physical location to the world, the apps you have installed may be capturing this information and sharing it with advertisers -- without your knowledge or consent.

A study by researchers at Duke University, Penn State, and Intel Research Labs has revealed that Android apps are collecting location information from users' GPS phones and sharing them without notifying users or asking for permission.
The researchers looked at 30 popular Android apps, including The Weather Channel, MySpace, Evernote, BBC News Live Stream, Yellow Pages, and Spongebob Slide. They used a home-made tool called TaintDroid to track what data was being shared and with whom. The skinny:
  • Two thirds of these apps violated user privacy by sharing location data or information that could identify individual handsets.
  • Half of them sent user location information to advertising networks like Admob or analytics companies like Flurry without user consent.
  • Seven of the apps sent the unique device identification numbers of the GSM user and the handsets' SIM card to its servers.
  • Two of the apps captured the users' cell phone number along with the ID number and the users' geographical coordinates.
Nice.
Mind you, if the police wanted this information, they'd need a court order. These apps are doling it out like candy to advertising firms and storing it on their own servers. Per the study [PDF]:
This finding demonstrates that Android's coarse-grained access control provides insufficient protection against third-party applications seeking to collect sensitive data. Moreover, we found that one application transmits the phone information every time the phone boots. While this application displays a terms of use on first use, the terms of use does not specify collection of this highly sensitive data.
The study did not name which applications shared each kind of information -- a shame, really, because the ones that did not are tarred with the same brush as the guilty ones. Me, I'd uninstall all of them, just to be safe.
Here's the full list of apps tested, both guilty and innocent:
The Weather Channel, Cestos, Solitaire, Movies, Babble, Manga Browser, Bump, Wertago, Antivirus, ABC Animals, Traffic Jam, Hearts, Blackjack, Horoscope, 3001 Wisdom Quotes Live, Yellow Pages, Dastelefonbuch, Astrid, BBC News Live Stream, Ringtones, Layer, Knocking, Barcode Scanner, Coupons, Trapster, Spongebob Slide, ProBasketBall, MySpace, ixMAT, and Evernote.
I've written before about why location privacy is important and how your location data is mostly up for grabs. But the reality is proving far worse than even I imagined. Simply by installing an app, you could be transmitting a stream of data indicating where you are 24/7 that isn't protected by any law yet on the books.
While this study was limited to Android apps, the problem is not. I expect to hear a lot more about other apps slurping up GPS and handset information, either accidentally or deliberately, on other handset platforms. The reason we're hearing about Android first is that Android is open source and easier for researchers to access.
It seems the location chickens are coming home to roost. Let's hope you don't end up with egg all over you.
<------------------------- Unquote -------------------------->

Don't be deceived by the sleak looks of these electronic spies. Make sure to clean them before you plan to use one of these!

Let's do some cleaning!
Nobody likes being spied upon. So here we present to you a brute force method of kicking out the apps that a normal phone user never actually needs on his phone in the first place. We shall proceed step-by-step. However, before we start, you need a few apps installed on your Android phone before proceeding further.
1: First of all, you have to root your phone. Ignore all the hype that it voids warranty because it doesn't, and even if it does, you can flash your phone with clean firmware before you plan to sale it forward, so it really doesn't matter in the first place. There are several methods available for rooting dozens of Android phones which are available, so you will just have to dig into this part yourself. Once rooted, a little app named SuperUser will be installed on your phone granting you explore the prohibited areas of your device.

2: After successful root, you need to install Root Explorer, or any other good file browser that lets you explore through the root directory ( /System ) on your phone.
3: There are a whole lot of system stock apps which come pre-installed and you normally don't need them on your phone. Most of them are severe spies which not only spy on you but also sync your personal information including contacts, messages and more on a completely untrustworthy Google server under the pretext of "sync with your mail account". The test phone which we examined is the most widely sold Android device in Pakistan, the Samsung Galaxy Ace. After you have rooted the phone and have access to /system/app, all you need to do is to rename these apps so that the OS can no longer access them and you can rename them back to original just in case you run into any operational problems.
  • AccountAndSyncSettings.apk
  • AccountAndSyncSettings.odex
  • ApplicationsProvider.apk
  • ApplicationsProvider.odex
  • BadgeProvider.apk
  • BadgeProvider.odex
  • DataCreate.apk
  • DataCreate.odex
  • Dlna.apk
  • Dlna.odex
  • Email.apk
  • Email.odex
  • GenieWidget.apk
  • Gmail.apk
  • GoogleBackupTransport.apk
  • GoogleCalendarSyncAdapter.apk
  • GoogleContactsSyncAdapter.apk
  • GoogleFeedback.apk
  • GooglePartnerSetup.apk
  • GoogleQuickSearchBox.apk
  • MediaUploader.apk
  • MusicHub_U1.apk
  • PicoTts.apk
  • PicoTts.odex
  • SamsungApps.apk
  • SamsungAppsUNA3.apk
  • SecDownloadProvider.apk
  • SecDownloadProvider.odex
  • SerialNumberLabelIndicator.apk
  • SerialNumberLabelIndicator.odex
  • signin.apk
  • signin.odex
  • SisoDrmProvider.apk
  • SisoDrmProvider.odex
  • SnsAccount.apk
  • SnsAccount.odex
  • SnsProvider.apk
  • SnsProvider.odex
  • syncmldm.apk
  • syncmldm.odex
  • Talk.apk
  • Talkback.apk
  • TtsService.apk
  • TtsService.odex
  • UnifiedInbox.apk
  • UnifiedInbox.odex
  • VoiceSearch.apk
  • wssomacp.apk
  • wssomacp.odex
  • wssyncmlnps.apk
  • wssyncmlnps.odex
4: These are those stock apps which a normal phone user seldom uses. For checking e-mail, there are several browsers and credible third party open-source apps available for checking mail remotely. Now, all you have to do is add .bak at the end of the file names of each and everyone of these apk and odex files using Root Explorer on your rooted phone(make sure to hit the Read/Write privilege button at the top right in case of Root Explorer). Your phone could momentarily hang up as these processes crash in the memory, and in some cases it can even reboot. But don't worry, this is normal.
After getting done with it, turn off your phone. Then hold its home button + Power button to bring it to debug mode. Once there, you should select "Clear Cache Partition" option and then reboot for a clean startup. If you, however intend to rename any other apps besides the list mentioned above, and upon reboot your phone is not functioning properly, you can go back to /system/app and rename those apps back to normal one by one to trace the problem and reboot. It's a hit-and-trial procedure on various phones. Just get rid of everything that you don't require as long as your phone is working fine. Even if your phone doesn't start up properly after making changes to apps that you just discarded, in the worst case all you could have to do is to reprogram your phone's firmware but with smart phones, its extremely easy to do it. I flash my phone's firmware every couple of weeks, no big deal really. Dozens of guides are available for almost all main Android cellphones online, so you'll have to do a bit of digging for that.

5: After you have done this and more if you see fit, test your phone for a few hours to ensure that it is functioning properly. Once you are sure, note down the names of all the apps you renamed, and now you can safely delete them permanently from your phone. However if your phone has enough internal memory, leaving them intact is a good decision so that you can bring an app back just in case, something goes wrong and you know due to which app it happened.

6: There is a free app available named AutoStarts (download apk here) which once installed on a rooted phone, gives you access to disable automatic startup events for individual applications, both stock as well as third party apps. Once you clean your phone from useless services and spies, this application is useful for keeping services from auto-starting which automatically start and start their spying, for example, the stock Google Maps application. I found it permanently running on a brand new phone and no matter what one would do, this app would simply not stay killed even after a FORCE SHUTDOWN from settings app. But using this app Autostarts, I was able to disable its autostart events. You will find this app really handy not only in keeping the obvious spies asleep unless you badly need them, but also it will help you in speeding up your phone manifold since useless apps will be prevented from starting up automatically in the background when you don't need them.

7: Install an app named DroidWall which is a full featured firewall for your phone, or any other firewall app of your choice and trust. DroidWall is available for free download in Android Market. Once installed, use this app to deny internet access to all apps whom you DO NOT WANT to access the internet in the first place. Especially, the GPS service. I don't know about you but I don't want my GPS coordinates to be reported on the internet because I don't trust what information GPS service is sending over the internet. As you can see in the screenshot on the right, I have blocked internet access to each and everyone of these process and more, that are listed with grey check-boxes on the right left side of app names. You can use this app to fully control as well as log your phone's internet traffic activities.

8: Now onto a more serious issue. Do you know that Android Market app itself is spying upon you? Yes it is, and perhaps more seriously than any other apps because it records absolutely all app records which you are using. What's even worse, the initial agreement which you sign by pressing "Accept" button before using the Android Market states that Google possesses the right to remotely uninstall any app it wants from your phone, without your consent. Surprised? It needs your gmail account to be linked to your market so if you use your gmail address for e-mail purpose, you are trapped. But unfortunately you have to use it everytime you need an app. Don't worry, we can take care of this as well. All you have to do is to make a fake gmail account, and link it to your android mobile phone, so that your e-mails cannot be linked to your cyber activities. A better way to avoid this nuisance is to cut all the android market files from your phone when you are not using market, and paste them in a separate folder on your SD card. You can just move them back momentarily to /System/App whenever you need to access the market. Here is a list of all those apps in /System/App that are basically making up the Android Market app.
  1. DownloadProvider.apk
  2. DownloadProvider.odex
  3. DownloadProviderUi.apk
  4. DownloadProviderUi.odex
  5. DrmProvider.apk
  6. DrmProvider.odex
  7. DrmUA.apk
  8. DrmUA.odex
  9. GoogleServicesFramework.apk
  10. MarketUpdater.apk
  11. Vending.apk
Do your research about the apps you want, using your computer's internet, note them down and install them in one go. After getting done, simply cut all the above mentioned files from /System/app of your phone and paste them somewhere on your SD card or in a .zip file. Now Android Market is temporarily gone from your phone and it can no longer keep track of your apps. Whenever in future, you want it back momentarily, you can put all these files back, sign into your fake gmail account using from market and you're good to go again. However, a reboot will be required every time you move these files in most cases.

General safety precautions: 
  1. Never use any Text-To-Speech related apps as long as they are using Google's TTS service at their back-end (it is always mentioned in the app description on Android Market that what stock apps it makes use of). We don't want anyone sitting thousands of miles away from us, to listen to our conversations just for the sake of sending us back its text.
  2. Don't ever allow GPS service and all other apps that have no business on internet, to access the web. Always have a firewall in place and running BEFORE you connect to the internet.
  3. Don't let the market and other stock apps access internet freely all the time when you are actually not doing any internet activity. Make use of the firewall or brute force method as explained above, to take care of your privacy business with your own hands.
  4. Always check and investigate the trustworthiness of the developer of a particular app which your phone is running, before you allow it to have complete internet access. Usually contact e-mail addresses of the developers are mentioned in the Android Market, so its a good idea to contact the developer directly.
  5. Try to use as many trustworthy third party apps as you can, replacing the stock apps.
  6. High end users, it's always a good idea to place a packet logger in place too, which can sniff all the internet traffic so that you can monitor which crooked little thief is stealing what. Andro Shark is a good app out there in the market however there are many that do the job. It's upto you to make your own choice.
With this, I can say that your phone is comparatively much more secure than it was when you bought it brand new from the market. Let your friends know about this information too who you know are using Android phones / tablets. Even Apple and other mainstream products are doing pretty much the same with your privacy, but we shall target others at a later time.

Please send your suggestions, questions and additional queries in the comments below. (Related: What is Traitorware? Technology that spies on you)

Comments
0 Comments

0 comments:

Post a Comment

Related Posts Plugin for WordPress, Blogger...