Over on ComputerWorld there's a story about a rogue Android app doing the rounds that runs up big texting bills behind users' backs by sending messages to premium-rate numbers. However, when you strip away the hype, Android handset users hit by this only have themselves to blame.
Here's the nasty in question:
The cyber criminals grabbed a copy of Steamy Windows, then added a backdoor Trojan horse - "Android.Pjapps" by Symantec's label -- to the app's code. The reworked app is then placed on unsanctioned third-party "app stores" where unsuspecting or careless Android smartphones find it, download it and install it.
"The Trojan lets them send SMS [short message service] messages to premium rate numbers," said Thakur, for which the hackers are paid commissions.
OK, let's count the ways that users are to blame:
- Configuring their handsets to allow the download and installation of non-Android Market apps. This is the first, and probably biggest, mistake. The restriction is there to protect users from themselves. Most handsets make the implications of lifting this restriction clear. For example, here's the warning that HTC uses: "Warning: Having this option enabled makes your phone and personal data more vulnerable to attack by applications from unknown sources. You agree that you are solely responsible for any damage to your device or loss of data that may result from using these applications." Seems like a pretty clear warning to me. The sort of thing that you ignore at your peril.
- Downloading apps from random third-party app stores. The Internet is a dodgy place, where a lot of stuff is not as it seems. Having the freedom to download and install any and all crap you come across might seem cool, but when things go wrong, you only have yourself to blame. Stick to trusted sources.
- When you install any Android app, it explicitly asks for permissions to perform various categories of activities. This is displayed for a reason. Read it. Understand it. And if in doubt, DON'T give an app permission to do stuff that could backfire on you.
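To make the permission check concrete, here is an added example (not from the ComputerWorld story or from any vendor) that compares the permissions requested by a known-good copy of an app with those requested by a copy from another source, and flags additions that can cost money. Both manifests are constructed samples, assumed to be already decoded from the APK into text XML; the package name and permission sets are illustrative, not those of the real app or Trojan.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Real Android permission names that can run up charges or expose messages.
HIGH_RISK = {
    "android.permission.SEND_SMS",
    "android.permission.CALL_PHONE",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
}

# Constructed sample: manifest of the app as published on the official market.
ORIGINAL_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.wallpaper">
  <uses-permission android:name="android.permission.VIBRATE"/>
  <uses-permission android:name="android.permission.WAKE_LOCK"/>
</manifest>"""

# Constructed sample: same package from a third-party store, with extras added.
REPACKAGED_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.wallpaper">
  <uses-permission android:name="android.permission.VIBRATE"/>
  <uses-permission android:name="android.permission.WAKE_LOCK"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
</manifest>"""

def requested_permissions(manifest_xml):
    """Return the set of permission names declared in a decoded manifest."""
    # Untrusted input: refuse DTDs so entity-expansion tricks never reach the parser.
    if "<!DOCTYPE" in manifest_xml or "<!ENTITY" in manifest_xml:
        raise ValueError("manifest contains a DTD; refusing to parse")
    root = ET.fromstring(manifest_xml)
    names = (el.get(ANDROID_NS + "name") for el in root.iter("uses-permission"))
    return {n for n in names if n}

def review(original_xml, candidate_xml):
    """Diff a candidate's permissions against the known-good original."""
    original = requested_permissions(original_xml)
    candidate = requested_permissions(candidate_xml)
    added = candidate - original
    return {"added": sorted(added),
            "high_risk": sorted(candidate & HIGH_RISK),
            "added_high_risk": sorted(added & HIGH_RISK)}

if __name__ == "__main__":
    print(review(ORIGINAL_MANIFEST, REPACKAGED_MANIFEST))
```

A wallpaper-style app that suddenly asks for `SEND_SMS` is exactly the mismatch the install-time permission screen is there to surface.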
As much as some elements of the media (along with security firms) want to portray this as a big deal for Android users, it isn't. It only affects people who've taken the foolhardy step of choosing to lift restrictions put in place to protect them.