Malware in Mobile Devices
Malware means software designed to function in ways that mistreat or harm the user. (This does not include accidental errors.)
Malware and nonfree software are two different issues. The difference between free software and nonfree software is in whether the users have control of the program or vice versa. It's not directly a question of what the program does when it runs. However, in practice nonfree software is often malware, because the developer's awareness that the users would be powerless to fix any malicious functionalities tempts the developer to impose some.
Here are examples of malware in mobile devices. See also the the Apple malware page for malicious functionalities specific to the Apple iThings.
Type of malware
- Back doors
- Digital restrictions management or “DRM” means functionalities designed to restrict what users can do with the data in their computers.
- Jails—systems that impose censorship on application programs.
- Tyrants—systems that reject any operating system not “authorized” by the manufacturer.
Mobile Back Doors
The universal back door in portable phones is employed to listen through their microphones.
Most mobile phones have a universal back door, which has been used to turn them malicious.
Samsung Galaxy devices running proprietary Android versions come with a back door that provides remote access to the data stored on the device.
Samsung's back door provides access to any file on the system.
In Android, Google has a back door to remotely delete apps. (It is in a program called GTalkService).
Google can also forcibly and remotely install apps through GTalkService (which seems, since that article, to have been merged into Google Play). This adds up to a universal back door.
Although Google's exercise of this power has not been malicious so far, the point is that nobody should have such power, which could also be used maliciously. You might well decide to let a security service remotely deactivate programs that it considers malicious. But there is no excuse for allowing it to delete the programs, and you should have the right to decide who (if anyone) to trust in this way.
Many Android devices can be hijacked through their Wi-Fi chips because of a bug in Broadcom's non-free firmware.
The NSA can tap data in smart phones, including iPhones, Android, and BlackBerry. While there is not much detail here, it seems that this does not operate via the universal back door that we know nearly all portable phones have. It may involve exploiting various bugs. There are lots of bugs in the phones' radio software.
Faceapp appears to do lots of surveillance, judging by how much access it demands to personal data in the device.
Pairs of Android apps can collude to transmit users' personal data to servers. A study found tens of thousands of pairs that collude.
Google Play intentionally sends app developers the personal details of users that install the app.
Merely asking the “consent” of users is not enough to legitimize actions like this. At this point, most users have stopped reading the “Terms and Conditions” that spell out what they are “consenting” to. Google should clearly and honestly identify the information it collects on users, instead of hiding it in an obscurely worded EULA.
However, to truly protect people's privacy, we must prevent Google and other companies from getting this personal information in the first place!
Google Play (a component of Android) tracks the users' movements without their permission.
Even if you disable Google Maps and location tracking, you must disable Google Play itself to completely stop the tracking. This is yet another example of nonfree software pretending to obey the user, when it's actually doing something else. Such a thing would be almost unthinkable with free software.
Verizon announced an opt-in proprietary search app that it will pre-install on some of its phones. The app will give Verizon the same information about the users' searches that Google normally gets when they use its search engine.
Currently, the app is being pre-installed on only one phone, and the user must explicitly opt-in before the app takes effect. However, the app remains spyware—an “optional” piece of spyware is still spyware.
The Meitu photo-editing app sends user data to a Chinese company.
A half-blind security critique of a tracking app: it found that blatant flaws allowed anyone to snoop on a user's personal data. The critique fails entirely to express concern that the app sends the personal data to a server, where the developer gets it all. This “service” is for suckers!
Apps that include Symphony surveillance software snoop on what radio and TV programs are playing nearby. Also on what users post on various sites such as Facebook, Google+ and Twitter.
More than 73% and 47% of mobile applications, both from Android and iOS respectively share personal, behavioral and location information of their users with third parties.
“Cryptic communication,” unrelated to the app's functionality, was found in the 500 most popular gratis Android apps.
The article should not have described these apps as “free”—they are not free software. The clear way to say “zero price” is “gratis.”
The article takes for granted that the usual analytics tools are legitimate, but is that valid? Software developers have no right to analyze what users are doing or how. “Analytics” tools that snoop are just as wrong as any other snooping.
Many proprietary apps for mobile devices report which other apps the user has installed. Twitter is doing this in a way that at least is visible and optional. Not as bad as what the others do.
Portable phones with GPS will send their GPS location on remote command and users cannot stop them: http://www.aclu.org/government-location-tracking-cell-phones-gps-devices-and-license-plate-readers. (The US says it will eventually require all new portable phones to have GPS.)
Spyware in Cisco TNP IP phones: http://boingboing.net/2012/12/29/your-cisco-phone-is-listening.html.
Spyware in Android phones (and Windows? laptops): The Wall Street Journal (in an article blocked from us by a paywall) reports that the FBI can remotely activate the GPS and microphone in Android phones and laptops. (I suspect this means Windows laptops.) Here is more info.
Some Motorola phones modify Android to send personal data to Motorola.
Some manufacturers add a hidden general surveillance package such as Carrier IQ.
Widely used proprietary QR-code scanner apps snoop on the user. This is in addition to the snooping done by the phone company, and perhaps by the OS in the phone.
Don't be distracted by the question of whether the app developers get users to say “I agree”. That is no excuse for malware.
The iPhone 7 contains DRM specifically designed to brick it if an “unauthorized” repair shop fixes it. “Unauthorized” essentially means anyone besides Apple.
The article uses the term “lock” to describe the DRM, but we prefer to use the term digital handcuffs.
Some Android phones are tyrants (though someone found a way to crack the restriction). Fortunately, most Android devices are not tyrants.