I've seen a few articles about how "stolen" or ripped apps will secretly send SMS to all your friends, the developer and so on about how you're a thief, etc. Now I want to be clear: I'm not looking for a way to get around consequences of stealing paid apps (as a general rule I only use "paid" apps if they are "donation" apps like XDA anyways), or spreading FUD (fear, uncertainty and doubt).
What I am interested in is really finding out what my phone might be doing behind my back, who knows, like sending a list of my contacts to my provider, or sending them SMS or some other kind of "ping". Obviously if I download an app like "Homer Simpson Soundboard" and it asks for SMS permissions it doesn't last long on my phone But is there a way I can monitor such behaviour? Are there non-obvious precautions I can take, or apps which might log this stuff?
You're in luck. A dev here at XDA has made LBE Privacy Guard. It'll run in the background checking permissions of other apps. For example if Facebook wants to read your contacts, a pop-up will alert you and ask you if you want to give Facebook the permission to read them, and so on.
Btw, you'll need to be rooted.
LBE!
Another thumbs up for LBE. Locks any app you want from snooping around and phoning the mother ship.
By blocking network access, on apps that really don't need it, it also blocks those annoying ads that are usually at the top or bottom of an app.
Awesome, thanks so much guys!
Last week I noticed a device under my Google Play account (My Devices) that is not mine, a phone on a Romanian cell phone company network. I also noticed that someone from Russia had accessed my Gmail account. I changed my Gmail password (the old one was alpha-numerica,random, with symbols) and turned on two step authentication.
The Gmail account seems to be ok. The contacts all there and no messages removed or messages sent by people other than me.
The only sign of the intrusion is about a dozen "free" apps ordered by that device. It included sketchy gambling apps, a child's game that from comments I read has adult advertisements, and ringtones. After I changed the password there are new "free" media on the account - books and various video. These appear to be from a different user - all in English as opposed to Russian and nothing sketchy.
My guess on how this started - I downloaded an app with about 100 reviews. The next day the "free" apps started to appear, and the unauthorized device also was added the next day.
My SGS 3 isn't rooted. For Jellybean it seems that I have to wait for a stable root, should be another few days.
I contacted the Play Store support and they were of no help. They referred me to Gmail support but Gmail doesn't offer phone support. I think only support on a Google Group forum.
Any idea how this could have happened and how to get this device off of my account? My PC's are secure and my primary PC is Linux.
starfcker69 said:
Last week I noticed a device under my Google Play account (My Devices) that is not mine, a phone on a Romanian cell phone company network. I also noticed that someone from Russia had accessed my Gmail account. I changed my Gmail password (the old one was alpha-numerica,random, with symbols) and turned on two step authentication.
The Gmail account seems to be ok. The contacts all there and no messages removed or messages sent by people other than me.
The only sign of the intrusion is about a dozen "free" apps ordered by that device. It included sketchy gambling apps, a child's game that from comments I read has adult advertisements, and ringtones. After I changed the password there are new "free" media on the account - books and various video. These appear to be from a different user - all in English as opposed to Russian and nothing sketchy.
My guess on how this started - I downloaded an app with about 100 reviews. The next day the "free" apps started to appear, and the unauthorized device also was added the next day.
My SGS 3 isn't rooted. For Jellybean it seems that I have to wait for a stable root, should be another few days.
I contacted the Play Store support and they were of no help. They referred me to Gmail support but Gmail doesn't offer phone support. I think only support on a Google Group forum.
Any idea how this could have happened and how to get this device off of my account? My PC's are secure and my primary PC is Linux.
Click to expand...
Click to collapse
I have the IMEI # of the phone added to my account, also the model number (registered in Russian Federation). Could the IMEI be useful? I can PM if interested.
Imeis are quite useful to many people...Just don't pursue this on xda.
Sent from my Galaxy Nexus using xda premium
My account too was almost hacked.
I signed into youtube and a notice was shown that someone from ip in china tried to log into my google account and it denied them and i changed my password. No weird apps nothing.
The thing is probably the app you downloaded.
Just because it has 100 downloads doesn't mean its malware but you need to check permissions always.
Even big games like "Paper Toss" has been know to sell peoples info to companies.
When you read permissions. There should be a list of all the options the app requests.
Be Smart. If you download a calculator, It shouldn't have access to your personal identy, messages and the big key is internet access.
If you download a calender it may need access to contacts but it it also needs internet access, its probably is storing your contacts and sending them out to a site that then sells to a company and lastly, your grandparents receive phone calls asking if they want to buy a service and use your name as who referred them.
Also. rooting is a good option. With an app on here called pdroid or droidwall you can download those apps but it will alert yyou when the app wants to use a permission (like internet) and gives you the option to allow or deny.
good luck
I have one update. I think that after I changed my password and went to two step verification, the purchases of "free" apps and media stopped. It's been four days and nothing new added. So far so good. Thanks for the replies. BTW, Google of no help.
I'd still like to know how the Gmail account was compromised - I may never know.
similar thing just happened to me (Galaxy Note) appeared on my account from no where. When I contacted google if they can help or if they are interested in tracking him down, all they said was we cant help you. And change the pw. Obviously I know that I need to change the pw. I know Apple would have tracked it down somehow if it was an iphone. My pw has 22 characters number letter symbols yet it was hacked.
Since google is not helping me I installed Android Lost app on this NOTE and waiting to get a location update via email. I know it wont do anything much and I cant do anything against him or her since no paid apps were downloaded. Still I would like to do something to crooks like this. He only had 6 apps installed (facebook,viber candy rush) and terminal emulator (which worried me).
I really hope that Android close their unlimited backdoors in the OS.
Was going to download and try this app from the Google store but have issues with privacy concerns:
This app has access to these permissions:
Your accounts
read Google service configuration
find accounts on the device
use accounts on the device
Your location
approximate location (network-based)
precise location (GPS and network-based)
Your messages
read your text messages (SMS or MMS)
receive text messages (SMS)
access mail information
Network communication
full network access
view network connections
view Wi-Fi connections
Your personal information
read calendar events plus confidential information
Phone calls
directly call phone numbers
read phone status and identity
Storage
modify or delete the contents of your USB storage
Your applications information
retrieve running apps
Your social information
read your contacts
read call log
System tools
read Home settings and shortcuts
write Home settings and shortcuts
test access to protected storage
Affects battery
control vibration
Status bar
expand/collapse status bar
Wallpaper
set wallpaper
adjust your wallpaper size
Click to expand...
Click to collapse
Why does this app need to access so much of my personal information?
Yearoftherat said:
Was going to download and try this app from the Google store but have issues with privacy concerns:
Why does this app need to access so much of my personal information?
Click to expand...
Click to collapse
Hi,
As you know, Themer helps increase the user experience by providing valuable information straight onto your homescreen.
This includes:
1. Displaying how many unread emails/SMS/missed calls you have. (Your messages
read your text messages (SMS or MMS)
receive text messages (SMS)
access mail information))
2. Displaying your map coordinates on a map image. (Your location
approximate location (network-based)
precise location (GPS and network-based))
3. A built-in dialer app that can display your recent contact as well as allow you to call a number directly from your homescreen. (Phone calls
directly call phone numbers
read phone status and identity) (Your social information
read your contacts
read call log)
4. Display agenda information. (Your personal information
read calendar events plus confidential information)
As you can see, it's all for display purposes. If you look at other widgets on the Play Store that perform the same activities, they will also require these permissions. It just so happens that Themer has all of these features built into one app. Hope this helps clarify the matter.
Thanks for the clarification. Looking forward to trying out the app!
I have the same concerns, beginning with the need to login before using any themes. (The explanation given in the faq seems too lame for me). Looks like a terrific app but possibly not for those who worry about privacy. I'm personally too scared to try it.
One option to explore is using this app with xprivacy installed which allows one to restrict unneeded permissions. Maybe a firewall might help?
Anderson2 said:
I have the same concerns, beginning with the need to login before using any themes. (The explanation given in the faq seems too lame for me). Looks like a terrific app but possibly not for those who worry about privacy. I'm personally too scared to try it.
One option to explore is using this app with xprivacy installed which allows one to restrict unneeded permissions. Maybe a firewall might help?
Click to expand...
Click to collapse
Hi Anderson2,
That FAQ actually sums it up quite well. The login feature creates a security barrier for us, which even though is not the most advanced way of preventing intrusions into our theming servers, it does a good job in finding people who are trying to tamper with our systems. That and of course sending users email updates of new features if they request it.
When exactly do you need login? Just to download themes? After the download can one log out? I don't like the idea that you have access to my emails, texts, and any files your widgets access. That is what concerns me.
I don't know enough about themer because I'm afraid to use it, but I believe your zooper widget doesn't require login. (Does it?) Can you explain how they differ in the need for protection?
I have to say that I share those concerns. Why do you force users to login with their Google or Facebook accounts? I do not understand why this should be a better securitry barrier than the login data from mycolorscreen.com? I would not even give away my login data to someone I know, so why should I give away this data to someone I do not know at all???
Well said.
+1
shibadoo said:
I have to say that I share those concerns. Why do you force users to login with their Google or Facebook accounts? I do not understand why this should be a better securitry barrier than the login data from mycolorscreen.com? I would not even give away my login data to someone I know, so why should I give away this data to someone I do not know at all???
Click to expand...
Click to collapse
Yet you log in to this forum and use it.
The explanations have been given. It's to ensure you are who you say you are when you access their servers to download the themes.
As for all the other access, Themer provides a lot of different information as explained (you DID read what he posted, correct?) GPS position, weather, etc. All of this is based on location, etc, as well as if you want unread email counts, etc. It's all there in Themer given you everything all rolled into one app, rather than having to download each piece separately. If you don't like it, don't use it. Thousands upon thousands of users are using it without any issues. I definitely like to protect my privacy, but this app is the least of your worries about privacy.
There are many other problems that could result if they didn't want you to verify who you say you are. Do you want someone to hack their servers and then you download a hacked theme that could result in even more privacy issues for you?
In the end, if you don't want to use it, don't. Nobody is forcing you to use it and they have every right to protect their investments as well. There are plenty of other apps out there you can use that can provide the same type of experience. Usually, the themes are not housed in a server so you can download them from elsewhere, but unless you're getting them from Google Play, then who is to say how safe those are? Many 3rd-party app stores are NOT the safest as they do not follow Google's security policy. At least with Themer, it's in the Google Play market and has had to go through Google's scrutiny.
A few weeks ago, the app was erroneously flagged as something that could steal your information. Google came back later and stated it was an error on their part and verified that the app is safe and it will not steal your information.
I've used it for months and nothing bad has happened to me.
There are many other ways for hackers to get your PI and this is the least of your worries.
vulcanvillalta said:
As an American, and therefore afraid of everything, I personally vote to not give out so much information. But on the other hand, IF someone wanted to get all of your information, they could probably do it without your consent. I would probably stay away from it, though. Just to "try" to be safe.
Click to expand...
Click to collapse
Once Facebook introduces its anonymous login feature, our developers will implement the feature into Themer
iBolski said:
Yet you log in to this forum and use it.
Click to expand...
Click to collapse
Yes, I do use this forum, but of course I do not log in with my Google account. There would be no reason to do so - same goes for Themer. I would have no problem if Themer would ask for my login data from mycolorscreen.
iBolski said:
The explanations have been given. It's to ensure you are who you say you are when you access their servers to download the themes.
Click to expand...
Click to collapse
You think you know who I am because I enter some data that nobody ever controls? I could simply enter some Google account data I created only for Themer. But honestly, this is too much effort for me only the check if I like an app.
iBolski said:
As for all the other access, Themer provides a lot of different information as explained (you DID read what he posted, correct?) GPS position, weather, etc. All of this is based on location, etc, as well as if you want unread email counts, etc. It's all there in Themer given you everything all rolled into one app, rather than having to download each piece separately. If you don't like it, don't use it. Thousands upon thousands of users are using it without any issues. I definitely like to protect my privacy, but this app is the least of your worries about privacy.
Click to expand...
Click to collapse
What exactly has GPS and weather to do with my Google Account data? I do not share GPS data with Google, so I would not with Themer as well. And for a weather forecast I would simply type in 5 numbers - my zip code. This is exactly what I do right now.
iBolski said:
There are many other problems that could result if they didn't want you to verify who you say you are. Do you want someone to hack their servers and then you download a hacked theme that could result in even more privacy issues for you?
Click to expand...
Click to collapse
And because the people at Themer have may account data, nobody can hack their servers? So the solution to all hacked servers worldwide is so simple? Just giving them Google account data?
iBolski said:
In the end, if you don't want to use it, don't. Nobody is forcing you to use it and they have every right to protect their investments as well. There are plenty of other apps out there you can use that can provide the same type of experience. Usually, the themes are not housed in a server so you can download them from elsewhere, but unless you're getting them from Google Play, then who is to say how safe those are? Many 3rd-party app stores are NOT the safest as they do not follow Google's security policy. At least with Themer, it's in the Google Play market and has had to go through Google's scrutiny.
Click to expand...
Click to collapse
Yes, I do not use it. This is the consequence.
iBolski said:
There are many other ways for hackers to get your PI and this is the least of your worries.
Click to expand...
Click to collapse
So what should be my worries if it is not giving away voluntarily my Google account data to someone I do not know???
And you forgot something: I know at least 5 people that use their Android phones without a Google account, and they also do not use Facebook. Believe it or not: these people do really exist, and they even survive without a Google and a Facebook account.
So for me there is no credible information why the people at themer need my Google account data, and why this should protect them from being hacked. Or why my Google Account data should be safer than my mycolorscreen account data. This is why I will not use themer and would not recommend it to others.
shibadoo said:
Yes, I do use this forum, but of course I do not log in with my Google account. There would be no reason to do so - same goes for Themer. I would have no problem if Themer would ask for my login data from mycolorscreen.
You think you know who I am because I enter some data that nobody ever controls? I could simply enter some Google account data I created only for Themer. But honestly, this is too much effort for me only the check if I like an app.
What exactly has GPS and weather to do with my Google Account data? I do not share GPS data with Google, so I would not with Themer as well. And for a weather forecast I would simply type in 5 numbers - my zip code. This is exactly what I do right now.
And because the people at Themer have may account data, nobody can hack their servers? So the solution to all hacked servers worldwide is so simple? Just giving them Google account data?
Yes, I do not use it. This is the consequence.
So what should be my worries if it is not giving away voluntarily my Google account data to someone I do not know???
And you forgot something: I know at least 5 people that use their Android phones without a Google account, and they also do not use Facebook. Believe it or not: these people do really exist, and they even survive without a Google and a Facebook account.
So for me there is no credible information why the people at themer need my Google account data, and why this should protect them from being hacked. Or why my Google Account data should be safer than my mycolorscreen account data. This is why I will not use themer and would not recommend it to others.
Click to expand...
Click to collapse
You describe me exactly. I don't use my Google account to login anywhere, don't use Facebook, have phone GPS and location turned off, only enter zip code for weather, turn off sync everywhere, use a firewall, xprivacy, etc. - - and Google only thinks it has my info.
Everyone I know who is not a teenager or addicted to Facebook does the same.
vulcanvillalta said:
If you use fake names etc and are vague about your location, no, google doesnt have your name. But what about your IP address. They can tell that your pseudonym is performing functions from the specific location you are in. You might not GIVE them your name or address, but with the IP address linking you to a specific internet connection, they certainly can figure out who you are and where you are, if they want to.
Click to expand...
Click to collapse
Which is why I don't want to help other sites identify me by giving them my Google login. Not everyone has Google capabilities.
The points made in defense of keeping your personal information private (and not using your Google login for Themer) are valid and understood.
However, Themer is not designed for that type of mindset.
Themer is designed for the overall market - the vast majority if you will - not for privacy advocates.
It's simply a tool that allows the general Android user base (the FB'ers, Google +'ers, i.e. Socialites) to easily login to an app designed to make their phones look cool. Most of the functionality of the Themes are far more invasive than your Google login anyway (GPS coordinates, access to text/email notifications, call logs, etc) so I really don't see the point of wildly waving your arms around saying "privacy breach! privacy breach!"
Don't use it. Cool. I'm OK with that. I'm sure they are too. But why complain about it? What is the goal? Surely you cannot think they will redesign the app for you.
So really, you're just posting on XDA to aggravate the devs. I mean, what launcher doesn't have access to all of your info? It's like complaining that a specific model of car has a license plate that can be used to identify you. Guess what? All cars do. Take the bus bro
Anderson2 said:
Which is why I don't want to help other sites identify me by giving them my Google login. Not everyone has Google capabilities.
Click to expand...
Click to collapse
But your phone can still identify you. You are still logged into the internet via your carrier's internet and they can definitely get who you are on the phone.
You might as well just stay off the internet completely then.
And, if you're going to stay off the internet, then why have a smart phone? You're already identified out there through your carrier. If they breach your carrier account, they have all sorts of information right then and there, more so than Google would have. Think about it. Your billing address, etc.
Don't think for a minute that your carrier is completely safe. Even Verizon has had breaches.
vulcanvillalta said:
Like I said above, IF PEOPLE WANT YOUR INFORMATION, THEY CAN GET IT. There are nasty identity thieves out there that can find all of your information SOOOO easily. So easily. So whether or not you use an app or make a phonecall or whatever, you can still be traced and you can still be monitored and your information can still be acquired. I'm not trying to be a downer, but you can either accept that you are at the mercy of whoever wants to stalk you, or you can spend the rest of your life worrying and trying to protect yourself from something you literally have no control of.
IMHO, if you can use the app and it would benefit you, you might as well enjoy it.
Click to expand...
Click to collapse
Not sure why you quoted me bro, I'm on the same page you are.
IT need to display some information about your phone