As living in China, it doesn't seem they were crossing a line. Things gone mad here.<p>If you want to type Chinese, you'll need an IME. Most of Chinese people relies on them. It was indeed an exploitable point, that you slip a lot of stuff into it:<p>- News pop-ups of course;
- System information gatherer? Sure;
- Search engine, convenient;
- Anti-Malware software, certainly;
- Anti-Virus software, you'll have it;
- Homepage? Come on, let's make a bolder move
- Browser!
- A PC Manager. It's a combination of AV/AM and a software catalog, and the sweetest feature is to tell you how many seconds it took to boot up to your desktop, and shows a % of population you've beat across the nation, people can be bitchy over this.<p>Not just one major software vendor did this, everyone capable did, and still doing. There's also large internet companies that used by people on daily basis uses 0day exploits to push their desktop software. Like if you browse the Chinese part of the internet for one day, you'll end up with bunch of cute little Anti-Virus/cleanup/tweaking goodies rest in your notification area, some times they fight each other and cause BSoD.
Along the same vein, I highly recommend this read from Aral Balkan[0] on how advertising and analytics data is now really just a fancy word for what we considered <i>spyware</i> back in the older (freer) days of the Internet.<p>[0]: <a href="https://aralbalkan.com/notes/spyware-2.0/" rel="nofollow">https://aralbalkan.com/notes/spyware-2.0/</a>
I can't speak for anyone else, but there's only so far I would be able to go in a job. I once turned down a job because a major client of the company was the RIAA. It reminds me of what LinkedIn did with their iPhone app and Email.. I can't believe that either Android or iOS would allow any of their apps after they did that.<p>I don't have either FB or FB messenger installed, since the split... mostly because they ate my battery life, and breaking apart existing/working functionality sucks. Not to mention they've been gimping their mobile website ever since, I've been avoiding them much more lately. But FB is nowhere near this level of sleaze.
There was a single mention of Paint.NET in the article with no other comment. Is that the company involved in this? It was not clear to me nor do I recognize the name of the author.<p>There are two technical holes in how this was achieved, disregarding the initial drive-by update install:<p>* Unprotected browser cookie storage<p>* Android web-based App Install requires no user interaction past a request to a web endpoint<p>Are these holes still open?
Site’s struggling for me. Google cache: <a href="https://webcache.googleusercontent.com/search?q=cache:http%3A%2F%2Fwww.codeword.xyz%2F2015%2F08%2F09%2Fexploiting-android-users-for-fun-and-profit%2F" rel="nofollow">https://webcache.googleusercontent.com/search?q=cache:http%3...</a>
Its funny the author mentions all the Google Play stuff about installing apps to users phones without them ever even knowing.. I actually found a company exploiting this in the wild using browser extensions, I wrote about it on this blog:<p><a href="http://extensiondefender.com/blog/" rel="nofollow">http://extensiondefender.com/blog/</a><p>I'm not sure if the news I released had any effect, but they rapidly pivoted from a "desktop to mobile" ad network:
<a href="https://web.archive.org/web/20141209085229/http://vulcun.com/" rel="nofollow">https://web.archive.org/web/20141209085229/http://vulcun.com...</a><p>To some kind of e-Sports betting site:
<a href="https://vulcun.com/" rel="nofollow">https://vulcun.com/</a><p>Oddly enough I submitted a bug report to google telling them they should set a content-security-policy on play.google.com, and was basically told "wont-fix" so the vulnerability to play store still exists.
This raises an interesting point I've thought a lot on which is "Developer Moral Responsibility" (Best way I can sum it it). I've started 2-3 blog posts on this subject only to shelve them indefinitely as the "gray" things I've been involved in were minor on the grand scale and the places I worked at when those things occurred were 99% "good" and I wouldn't want to smear their names over things that were minor at best (the "everyone else is doing it argument/excuse"). I would love it if a "Developer Morality Manifesto" or similar were created and accepted at both a developer and company level to cover some of these "dark" practices
Way back when I was young and webvan.com was hot, I also worked on similar stuff. I didn't know then who I was, or even slightly what I wanted in life. Typical early-20s kind of thing. Anyways, I understand exactly what this guy feels like, as I feel the same way about the things I did back then. And these days I have turned down a couple of jobs that I felt were being too aggressive about advertising. One company's product was to give you a kind of GMail search, at the cost of collecting all kinds of information about you and aggregating it on remote servers to use for advertising. The founders were real cool guys, but this was just not something I am willing to contribute to.
But why?<p>Money? You said "thousands" of "users", even if you sell those owned computers/phones at let's say $1 you don't make that much as a company.<p>Fame/street creds? Look how I got those lusers
?<p>Or you don't even care? you could optimise the deadliness of an atomic weapon and you would feel the same: code done ! Awesome !
For those wondering how to protect against a "malware-steals-cookie" attack, see:<p><a href="http://www.browserauth.net/channel-bound-cookies" rel="nofollow">http://www.browserauth.net/channel-bound-cookies</a><p>I believe Google does this now for their auth cookies.
This. This is what pisses me off at the Android and it's ecosystem. I'm an avid android user, and more and more witnessing how it's turning exactly what windows was(is) and how crappy they are in protecting their users.<p>You can submit an app to the play store and get it approved within a day. I mean, come one, phone data are some of the valuable possessions one has in this century and they care less about it being abused. I wish there can be a tightly knit app store similar to iOS with stringent reviews & regulation, but I know it's never going to happen.