New “Snowden Phone” likely not quite up to Snowden-level standards

The easiest way to not be tracked via your phone is to not have a phone. Of course, that means you won’t have a phone. So you can’t call or text, much less check your e-mail or play Angry Birds while on the bus.

Even if you do have a phone, setting it up with privacy-minded tools—Tor, OTR chat, secure texting, and calling—is cumbersome, and of course requires that your calling or texting partner on the other end of the line has all of that installed as well.

On Wednesday FreedomPop, a Los Angeles-based mobile data startup, announced what it’s nicknamed the “Snowden Phone” after the notorious whistleblower. Officially called the Freedom Privacy Phone, it's actually a three-year-old Samsung Galaxy II Android with a modified bootloader, which means you can’t easily upgrade the Android firmware without, say, breaking the entire VOIP setup.


“World’s most secure smartphone” looks like snake oil, experts say

No one will ever hack this phone. Just trust us.

Do you want a phone that secures all of your data and communications, and can't be hacked by even the savviest of criminals and governments? Of course you do. But if you're a realist, you'd probably say that while strong security can be achieved with discipline, perfect security doesn't exist.

Yet, perfect security was the promise of a company called QSAlpha when it recently sent me an e-mail titled "Un-hackable Superphone to be Unveiled via Kickstarter." QSAlpha is seeking $2.1 million to build a phone it dubs the Quasar IV. Pledges starting at $395 would reserve backers a phone estimated for an April 2014 delivery.

A draft of the Kickstarter page and an accompanying video shared with Ars call it the "world's most secure smartphone," featuring "unprecedented security with a military-grade encryption." Those kinds of claims—coupled with a lack of technical detail—make security experts who reviewed the Kickstarter page suspicious.



Japanese One-Click Fraud Campaign Comes to Google Play

One-click fraud refers to a scam that attempts to lure users interested in adult-related video to a site that attempts to trick them into registering for a paid service. For many years, it has been common to see this type of fraud on computers. As smartphone usage has increased, so has the number of these types of scams on smartphone devices. People typically come across these scam sites by searching for things that they are interested in or by clicking on links contained in spam messages. We also witnessed the advent of one-click fraud Android apps just over a year ago and those apps can now be found on Google Play.


Figure 1. One of the developers hosting the apps


Figure 2. Two examples of one-click fraud apps

The apps can easily be found on Google Play through keyword searches in the same manner as an Internet search. For example, entering Japanese words related to pornographic video results in one of these apps being at the top of the search results at the time of writing. Typically, the apps only require the user to accept the “Network communication” permission, although some variants do not require the user to accept any permissions. This is because the app is simply used as a vehicle to lure users to the scam by opening fraudulent porn sites. The app itself has no other functionality. This may fool users into feeling safe about the app and catch them off guard when launching the app.


Figure 3. Typical permissions requested by the apps

The first variant of this type of app that we have seen appeared in late January, although it is possible that apps were released earlier than this. From then on, the apps were published by different developers each time, and the number of apps grew steadily, though many were removed from Google Play at one point for unconfirmed reasons. We are now seeing multiple developers aggressively publishing apps in bulk on a daily basis. We have so far confirmed over 200 of these fraudulent apps published by over 50 developers, although it is likely that more exist. These apps have been downloaded at least 5,000 times in the last two months. As far as victims go, we are not aware of how many of these users actually paid money to the scammers; the “service” costs about 99,000 yen (approximately US$1,000). It certainly must be worth the time and effort for the scammers, as they have continued doing business for over two months.


Figure 4. Examples of sites that the apps open


Figure 5. Registration page that is displayed when attempting to view a video

Interestingly, it appears that the scammers are not only interested in one-click fraud. A couple of the developers we have come across also publish dating service apps. It is not surprising to see scammers involved with both one-click fraud apps and dating service apps because these types of dating services are typically considered dodgy in Japan.


Figure 6. Scammer publishing both a one-click fraud app (far right) and dating service apps

Symantec detects the apps discussed in this blog as Android.Oneclickfraud. When looking for apps, we recommend downloading them from trusted sources regardless of where the apps are hosted or found. Installing a security app, such as Norton Mobile Security or Symantec Mobile Security, on your device is a good idea to keep your device protected as well. For general safety tips for smartphones and tablets, please visit our Mobile Security website.