Add to del.icio.us    Digg this    Get a great Ubuntu Linux dedicated server for less than $3 a day!

Tweet Share on Twitter

December 8, 2011

Some anti-virus firms have already begun releasing Carrier IQ detection apps for the Android operating system, but only after the controversial software became a talking point on Capitol Hill, and more than a month after a security researcher first discovered it while working on a HTC EVO smartphone.

For its part, BitDefender has released Carrier IQ Finder, an app that identifies the presence of the controversial mobile diagnostic tool, following Lookout's earlier release of a similar tool called Carrier IQ Detector.

Both applications allow mobile phone users to detect if they have Carrier IQ running on their Android phone without actually removing it. Each has been available at no charge via the official Android Market since December 1st.

In a statement, BitDefender said that Carrier IQ's mobile network diagnostic tool is "so deeply integrated with the device’s firmware that Carrier IQ Finder cannot remove it".

Catalin Cosoi, global research director at Bitdefender says "The Carrier IQ package can't be removed by the users themselves if they don't have root access on the device. They can, however, take the issue with the carrier and ask that the package be removed from the system, but that's impossible to do unless they already know it's presence."

However, all of this still leaves us with the question of why do these anti-virus firms needed an extra app to detect Carrier IQ in the first place? Shouldn't this application have been detected as potentially unwanted, at least, some time ago?

In a blog post, Lookout explained why signature detection for Carrier IQ was not added to its stand-alone Android security applications.

"Based on what we know so far, it doesn’t appear that Carrier IQ’s software is malware, and for that reason it’s not flagged as such by Lookout, but that still doesn't mean it's 100 percent harmless" it said.

Kevin Mahaffey, co-founder and CTO of Lookout says his company released its tool in response to several requests from users. He added that even though Carrier IQ wasn't malware, it did raise transparency and privacy issues, however, especially with Congress.

Mahaffey suggested that anti-malware protection ought to be all-in-one in mobile phones. After all, anti-spyware software started off as a separate utility package in the Windows PC world some years back, but didn't rule out the possibility of releasing other stand-alone tools in future. And smartphones are a perfect example of that.

Kaspersky Lab said it too had decided Carrier IQ wasn't malware but said that, unlike Lookout, not to release a stand-alone tool.

Ram Herkanaidu, education manager at Kaspersky Lab, explained "Kaspersky Lab does not currently detect Carrier IQ on Android devices because leaving aside the question of whether wireless service providers need to collect this level of information, it is not strictly speaking malicious software. Currently there are no plans for Kaspersky to create a separate tool to detect Carrier IQ on mobile devices. That said, our global security researchers are investigating this and if any developments occur, we will take action appropriately."

Lookout's product line is just that, although technically speaking, savvy users might be able to find out if Carrier IQ is running on their devices, its tool is needed because it allows less technically sophisticated users to do the same thing.

The whole issue leaves us wondering about the ability of Lookout or other Android anti-virus firms to flag up something potentially unwanted on devices, especially if it happens to be made by a commercial developer who might sue. We put this point to Lookout but weren't able to get a specific answer on whether or not it was up for contesting such actions.

Anti-virus firms have been stung with lawsuits before over the detection of user-installed bundled spyware on Windows machines, something that might easily be repeated in the Android arena. Notorious, defunct crapware vendor Zango unsuccessfully sued security software maker Kaspersky Lab for calling its product "spyware".

Kaspersky manned up and fought the action, defending an important principle in the process. Carrier IQ's initial response to the discovery of its software by security researcher Trevor Eckhart in the middle of last month was to issue a cease and desist letter, though in fairness, the firm has since tried to explain what it's all about and how its technology operates in a way that has defused many but not all of the original concerns.

Smartphone manufacturers and network providers confirmed that devices using Carrier IQ tracking software include Apple, AT&T, Sprint, HTC, and Samsung, so it doesn't just affect Android devices but most mobile phones.

And although iPhone users are also affected, the issue of whether anti-malware software can protect them doesn't arise because on-board anti-virus scanners for iOS are against the Jobsian faith. Users of Android devices who take the trouble to apply security software are entitled to feel more protected, but the Carrier IQ affair raises doubts about this since it's almost impossible to tell with 100 percent accuracy.

It's notable that Android anti-virus firms weren't saying "Wow-- this app is weird and it has all these privileges" and the fact that they weren't asking any questions about Carrier IQ until the same day Senator Al Franken sent a letter to Carrier IQ.

This further raises the question of whether these mobile security apps have the ability to detect something clearly malign-– a future Android rootkit, for example. Recent tests by AV-Test.org that revealed the inadequacies of some Android freebie scanner products (Lookout wasn't tested) hardly inspire confidence on this point either.

To be sure, computer researchers at Rutgers University in the U.S. developed a proof-of-concept rootkit back in March 2010. Security firms including Fortify Software and Imperva have since expressly warned of this risk. Lessons from history suggest not every security vendor will respond promptly to the risk if and when it arrives.

In 2004, when the Sony BMG CD copy-protection rootkit scandal broke, security researcher Mark Russinovich and F-Secure independently discovered the software at about the same time. F-Secure quickly and decisively stood up and condemned Sony's illegal use of the same tactics used by virus writers in its copyright protection software.

However, it was only after Sony admitted it had erred that other anti-virus vendors belatedly added detection, as explained in a good historical overview of the whole affair by Bruce Schneier.

But for its part, Lookout totally disagrees that this analogy was appropriate. The Sony rootlet involved third-party modifying software, it said. Carrier IQ supplied a diagnostic tool built into phones and was more akin to Microsoft Software Update.

In other mobile news

AT&T finds itself at the very bottom of Consumer Reports' annual survey that measures consumer satisfaction with wireless carriers. This is the second year in a row that AT&T makes this list to the bottom. And while all of this happening, a relatively little-known wireless provider called Consumer Cellular topped the ratings, as strange as it might seem.

Of the four major wireless carriers in the United States, Verizon Wireless again scored the highest in this year's overall ratings, followed very closely by Sprint.

Survey respondents gave good scores to Verizon for its texting service and data service satisfaction, as well as for general staff knowledge in its call centers.

For its part, T-Mobile USA was below Verizon and Sprint but nevertheless continued to rate significantly better than the higher-priced AT&T Mobility.

Paul Reynolds, electronics editor for Consumer Reports says "Our survey indicates that subscribers to prepaid and smaller service providers are happiest overall with their cell phone service."

And while subscribers of smaller wireless carriers might be a bit happier, Reynolds stressed that regional and prepaid carriers tend to offer a smaller selection of smartphones. "The major carriers are still leading options for many consumers, and we found they ranged widely in how well they satisfied their customers. And pretty much the same goes for most rural carriers as well," Reynolds noted.

Consumer Reports surveyed about 66,250 of its subscribers about their service and customer-support experience with both standard and no-contract providers.

The full report has carrier ratings for twenty-two metropolitan markets, and can be found in the January 2012 issue of Consumer Reports and at Consumer Reports Online.

In other mobile news

Carrier IQ is still working hard to mitigate serious security and privacy concerns over its snooping software, which is preloaded on most smartphones and used to log information about dead zones, glitchy applications and network congestion. And now the company is having a lot more issues than what it bargained for.

On Friday, two separate class action lawsuits were filed against the company alleging it violated federal laws on wiretaps and consumer privacy.

An Android mobile application developer has wrote about what he thinks could be a conclusive proof that millions of smartphones all over the globe are secretly monitoring key presses, geographic locations, and received messages of its users. If true, this is a serious security risk, and one that needs to be rapidly addressed and corrected by all phone makers.

Trevor Eckhart demonstrated last week how software from a Silicon Valley company known as Carrier IQ recorded in real time the keys he pressed into a stock HTC EVO mobile handset, which he had reset to factory settings just prior to the demonstration.

Numerous questions over how the company tracks and uses data arose two weeks ago when more security researchers accused the company of tracking the location and usage history of wireless customers without their knowledge.

Carrier IQ could not be immediately reached for comment on these 2 lawsuits, but has been battling to protect its image against a flood of accusations that it records user's keystrokes and sends them to wireless providers – known in technical jargon as a rootkit keylogger.

The company denied that it captures, records or transmits keystrokes, but its statements failed to damp down allegations from some tech blogs, which vilified Carrier IQ's technology as "the rootkit of all evil" and "Carrier IQ creeps out everyone."

Carrier IQ says the accusations are completely unfounded – it only collects information mobile operators need to figure out problems with devices and network performance.

Andrew Coward, Carrier IQ's vice president of marketing, said that the company did not track keystrokes or users' location. But most wireless industry observers we spoke to disagree.

Add to del.icio.us    Digg this    Get a great Ubuntu Linux dedicated server for less than $3 a day!

Tweet Share on Twitter

Source: BitDefender & Kapersky Labs.

    This article was featured on Business 5.0 and on Tech Blog.