Most active commenters

    ←back to thread

    Taking over 60k spyware user accounts with SQL injection

    (ericdaigle.ca)
    227 points mtlynch | 13 comments | 03 Jul 25 14:56 UTC | HN request time: 1.468s | source | bottom
    1. ryanrasti ◴[08 Jul 25 16:30 UTC] No.44501605[source]
    > Q: Can I monitor a phone without them knowing?

    > A: Yes, you can monitor a phone without them knowing with mobile phone monitoring software. The app is invisible and undetectable on the phone. It works in a hidden and stealth mode.

    How is that even possible on a modern Android? I'd think one of the explicit goals of the security model would be to prevent this.

    replies(2): >>44501617 #>>44504378 #
    2. ridgewell ◴[08 Jul 25 16:32 UTC] No.44501617[source]
    I'm not familiar with this app but based on the read, it sounds like they're essentially relying on someone to sneak into the target's phone, install an apk with a 'Settings' logo, where you grant it all permissions (I assume the installer facilitates the process of manually granting full permissions for each permissions type and disabling battery optimization). Android does allow you to effectively delegate full permissions to an app like that, albeit in a manual way.
    replies(2): >>44501639 #>>44502771 #
    3. afarah1 ◴[08 Jul 25 16:35 UTC] No.44501639[source]
    Camera and microphone usage should be hard-wired to an LED
    replies(1): >>44501782 #
    4. Polizeiposaune ◴[08 Jul 25 16:52 UTC] No.44501782{3}[source]
    and a switch which has a physical air gap when off.
    replies(2): >>44502526 #>>44503753 #
    5. itslennysfault ◴[08 Jul 25 18:10 UTC] No.44502526{4}[source]
    Thanks for your suggestion, but at this time the NSA cannot allow this change.
    replies(2): >>44502879 #>>44506699 #
    6. roland35 ◴[08 Jul 25 18:39 UTC] No.44502771[source]
    I wonder if it would show up in periodic permissions scans done by android. Hopefully!

    But as the TechCrunch author stated, oftentimes alerting the stalker can be dangerous for the victim.

    7. ryanrasti ◴[08 Jul 25 18:51 UTC] No.44502879{5}[source]
    Haha! That gave me a good laugh.
    8. MisterTea ◴[08 Jul 25 20:24 UTC] No.44503753{4}[source]
    "But the switch will compromise its water tightness like the headphone jack does!" - every mobile sycophant.
    replies(2): >>44505317 #>>44505803 #
    9. boznz ◴[08 Jul 25 21:50 UTC] No.44504378[source]
    I think setting up your own evil-proxy or evil-wifi-hotspot and periodically connecting your phone to them may help in the detection of these and many other phone home malware. I am getting closer to the paranoia threshold to almost give it a try.
    replies(1): >>44506581 #
    10. jojobas ◴[09 Jul 25 00:46 UTC] No.44505317{5}[source]
    Magnets and reed switches? Crazy talk!
    11. bigfatkitten ◴[09 Jul 25 02:24 UTC] No.44505803{5}[source]
    Or worse: It might add 15 cents to the BOM!
    12. lyu07282 ◴[09 Jul 25 05:26 UTC] No.44506581[source]
    Then you would've seen some encrypted traffic to firebase which probably includes a bunch of legitimate apps on your phone too.
    13. aitchnyu ◴[09 Jul 25 05:51 UTC] No.44506699{5}[source]
    Mics listen for voice commands all the time and some cameras can be activated without their LEDs.