BUSTED! Secret app on millions of phones logs key taps

An Android app developer has published what he says is conclusive proof that millions of smartphones are secretly monitoring the key presses, geographic locations, and received messages of its users.

In a YouTube video posted on Monday, Trevor Eckhart showed how software from a Silicon Valley company known as Carrier IQ recorded in real time the keys he pressed into a stock EVO handset, which he had reset to factory settings just prior to the demonstration. Using a packet sniffer while his device was in airplane mode, he demonstrated how each numeric tap and every received text message is logged by the software.

Ironically, he says, the Carrier IQ software recorded the “hello world” dispatch even before it was displayed on his handset.

Eckhart then connected the device to a Wi-Fi network and pointed his browser at Google. Even though he denied the search giant's request that he share his physical location, the Carrier IQ software recorded it. The secret app then recorded the precise input of his search query – again, “hello world” – even though he typed it into a page that uses the SSL, or secure sockets layer, protocol to encrypt data sent between the device and the servers.

http://www.theregister.co.uk/2011/11/30/smartphone_spying_app/

One problem with iOS is that you can't check it to see if it's keylogging.

"Carrier IQ delivers Mobile Intelligence on the performance of mobile devices and networks to assist operators and device manufacturers in delivering high quality products and services to their customers. We do this by counting and measuring operational information in mobile devices – feature phones, smartphones and tablets. This information is used by our customers as a mission critical tool to improve the quality of the network, understand device issues and ultimately improve the user experience. Our software is embedded by device manufacturers along with other diagnostic tools and software prior to shipment."

From http://www.carrieriq.com/Media_Alert_User_Experience_Matters_11_16_11.pdf

Since the carriers and device manufacturers are the ones embedding the CarrierIQ clients in the handsets, it seems reasonable that the iPhone and iPad would also contain a client.

It may be that the client is easier to detect in Android.

to one where hackers can poke around and find out what is really going on?

Did you pay attention to the scandal with iPhones collecting and logging a users location without consent?

The logs were backed up to the user's computer and that's it. If someone has physical access to your computer, you have much bigger problems to worry about.

Logging such data without user knowledge is always wrong no matter what company does it.

I have lots of sensitive data and information on my computer. I take reasonable precautions against that data falling into the wrong hands: at a minimum, having a strong password on my computer and phone.

There is also a very visible option that appears whenever you plug in an iOS device to encrypt your backups. The option was there when the "issue" of the location data cache being backed up arose.

I have a hacked archos which early on had no access to the google market so I know there are apps out there that go through no oversight process whatsoever. The swype program says it collects keystrokes and that gave me pause also.

this is a system integrated rootkit intentionally built in by the carriers so they can gather info on customers. They will do the same for iPhones if people don't make a stink about this.

This is not a very good Android vs. iPhone hate fest. This is a carriers don't care about your privacy problem.

By carriers you are referring to AT&T and Verizon right?

They purchased this software and roll it into their ROMS and install it on their phones. As far as Nokia using this software that hasn't been fully disclosed yet. They may be using themselves or it may be on the phones at the behest of the carriers they make the phones for.

"Android" didn't do this. A third party company made software for phone companies to spy with. They could just as well port it to the iPhone and most likely have that port developed or in development.

Tracfone

No apps, no contracts, no worries.

does it do messages, email, gps? You have done a packet trace on it to see what it "phones home"? Is it recording your location at all times?

I rarely use it.

No email or GPS, no internet. If it were any less smart, it would have a crank on the side.

http://www.theregister.co.uk/2011/08/24/why_apple_is_phasing_out_unique_device_identifiers/



Bottom line is the average consumer never will actually know what their smartphones are doing or giving away and we should all act accordingly.

:hi:

Not saying it ought to be that way, but that's the way it is.

Most of the comment on this topic are borderline ignorant or just plain numpty, I think
some of you don't understand the impact this type of invasion has on your lives.

Let me put it this way, what if your bank account and other business is being monitored as
we speak? did any of you spend the time to think about that? As long you have disgruntled
employees working for companies such as this there will be the tendencies to take things
a little further just because they can, this does not only effect your privacy but
everything you do with your smart phone, which includes banking, emails, business meetings,
etc.

This is not something to take lightly, but action is needed to prevent this type of invasion
and the way you do this is by showing the perpetrators how vulnerable they are with this
method falling into the wrong hands.