Tag Archives: Android

Amazonian Trojans and Marketing Fear-Mongering

Hello there, welcome back to our scheduled programming on how to drum up clicks and views on your website “Powered by Fear Uncertainty and Doubt”.

As most marketing organizations know, sometimes you need to be a little creative when coming up with news and research. You draw a target for your security researchers to hit, and hope they come back with meaningful data that’ll make it to the next news cycle. And sometimes it actually works.

This time it didn’t. Recently, when reviewing my Twitter/Facebook feeds, I ran across “news” stating that Amazon (OMG – our trusted Amazon) is selling rooted Android tablets, preinstalled with Trojans. Most of the public probably goes: “Hide your Nexus and shoot your Kindles!” in response. How dare Amazon sell us trojaned tablets?

But worry not: once you actually read the details of the article (http://www.net-security.org/malware_news.php?id=3152) and the original research report (http://www.cmcm.com/blog/en/security/2015-11-09/842.html), you’ll understand that:

  1. Amazon has nothing to do with this. Just like you and I can set up shop on Amazon and start selling backdoored laptops, Amazon wouldn’t have anything to do with said backdoored laptops.
  2. It’s not about your usual tablet. So you can pull back your Nexus, brush up your Kindle, and keep using your Asus/Samsung/LG/[brand] Android tablet.
  3. It’s not even really an Android issue. One could have jailbroken an iPad, installed a backdoor/trojan on it, and sold it online. The Android part relates more to the price point and the ability to sell really cheap tablets.
  4. I dare you to recognize any of the “brands” of tablets sold with these trojans. Funny, the top “brand” is actually, wait for it, “NO BRAND”. I kid you not.


So after sorting out the FUD, we are left with not much of a scare. Suspiciously cheap tablets, marketed mostly as “no brand” (or other brands which at least I’ve never heard of), are filled with questionable software. Kind’a reminds me of even “big name” manufacturers who load their phones/tablets/laptops with assorted unwanted software (officially dubbed “bloatware”). Wow. How did this not make headline news across the nation?

Bottom line – it’s pretty sad that we end up running research on the fringe areas of consumer devices and shopping behaviors. Yes, there’s technical merit to analyzing a Chinese backdoor, but marketing it as “OMGWTFBBQ!” by sprinkling Amazon and Android into the headline is pure marketing alchemy. Let’s get back to two things:

  1. Educating that when the deal seems too good, it probably is.
  2. Focusing our research efforts on more meaningful things. Yes, this also applies to stunt hacking, or junk hacking of sorts. There’s a lot of brainpower that could be diverted to solving problems that we have been dealing with for ages, yet would probably yield less media buzz.

Mail Encryption for Android?

So, now that the saga with having a decent GPG mail client for Mac has been finally resolved (huge kudos to the guys at gpgtools!), it’s time to get some encryption love on an Android device.

I don’t know if you ever ended up searching for any decent GPG/PGP/SMIME (not that anyone uses SMIME) mail client for your Android, but the selection in the past couple of years has been pretty slim. Aside from the old K-9 (and the paid-for Kaiten), there isn’t really much out there. And these clients aren’t up to speed. Lacking PGP/MIME support means you can’t read most emails sent from a desktop machine (gpgtools uses the OpenPGP MIME format). Add the fact that there isn’t much Exchange server support (no ActiveSync), and you are left wanting more (it was actually easier to download the encrypted message .asc, save it locally, fire up APG, decrypt it, save the plaintext locally, open it in a text editor, and delete all the clutter you just left on your sdcard. Ugh.).

So, when I found _another_ mail app that claims to be able to do GPG, and Exchange, and isn’t a UI disaster, I had to give it a go.

Enter R2Mail2 (yeah, I know… marketing isn’t their strong suit). So far I have to say that installation has been a breeze (don’t forget to go through the weird process of managing the certificate store in the app, then adding your GPG keypair). And it works as advertised (!). OpenPGP MIME support, encryption, decryption, signing, and yes – even Exchange (!!).

For what it’s worth – I’m giving it a try (meaning – the paid-for version). Just giving my extra 2c to help you get on the PRISM “gotta-see-what-he’s-emailing-about” list 🙂