![[Section contents]](/graphics/icons/side-menu.png "Section contents"){kind=icon}
/
Malware /
By product /
/
Malware /
By product /
Nonfree (proprietary) software is very often malware (designed to mistreat the user). Nonfree software is controlled by its developers, which puts them in a position of power over the users; that is the basic injustice. The developers and manufacturers often exercise that power to the detriment of the users they ought to serve.
This typically takes the form of malicious functionalities.
Nearly all mobile phones do two grievous wrongs to their users: tracking their movements, and listening to their conversations. This is why we call them “Stalin's dream”.
The malware we list here is present in every phone, or in software that is not made by Apple or Google (including its subsidiaries). Malicious functionalities in mobile software released by Apple or Google are listed in dedicated pages, Apple's Operating Systems are Malware and Google's Software Is Malware respectively.
If you know of an example that ought to be in this page but isn't here, please write to <webmasters@gnu.org> to inform us. Please include the URL of a trustworthy reference or two to serve as specific substantiation.
This section describes one other malicious characteristic of mobile phones, location tracking which is caused by the underlying radio system rather than by the specific software in them.
The authorities in Venice track the movements of all tourists using their portable phones. The article says that at present the system is configured to report only aggregated information. But that could be changed. What will that system do 10 years from now? What will a similar system in another country do? Those are the questions this raises.
The phone network tracks the movements of each phone.
This is inherent in the design of the phone network: as long as the phone is in communication with the network, there is no way to stop the network from recording its location. Many countries (including the US and the EU) require the network to store all these location data for months or years.
Many popular mobile games include a random-reward system called gacha which is especially effective on children. One variant of gacha was declared illegal in Japan in 2012, but the other variants are still luring players into compulsively spending inordinate amounts of money on virtual toys.
Almost every phone's communication processor has a universal back door which is often used to make a phone transmit all conversations it hears.
The back door may take the form of bugs that have gone 20 years unfixed. The choice to leave the security holes in place is morally equivalent to writing a back door.
The back door is in the “modem processor”, whose job is to communicate with the radio network. In most phones, the modem processor controls the microphone. In most phones it has the power to rewrite the software for the main processor too.
A few phone models are specially designed so that the modem processor does not control the microphone, and so that it can't change the software in the main processor. They still have the back door, but at least it is unable to turn the phone unto a listening device.
The universal back door is apparently also used to make phones transmit even when they are turned off. This means their movements are tracked, and may also make the listening feature work.
Android phones subsidized by the US government come with preinstalled adware and a back door for forcing installation of apps.
The adware is in a modified version of an essential system configuration app. The back door is a surreptitious addition to a program whose stated purpose is to be a universal back door for firmware.
In other words, a program whose raison d'ĂȘtre is malicious has a secret secondary malicious purpose. All this is in addition to the malware of Android itself.
A very popular app found in the Google Play store contained a module that was designed to secretly install malware on the user's computer. The app developers regularly used it to make the computer download and execute any code they wanted.
This is a concrete example of what users are exposed to when they run nonfree apps. They can never be completely sure that a nonfree app is safe.
Xiaomi phones come with a universal back door in the application processor, for Xiaomi's use.
This is separate from the universal back door in the modem processor that the local phone company can use.
Baidu's proprietary Android library, Moplus, has a back door that can “upload files” as well as forcibly install apps.
It is used by 14,000 Android applications.
A Chinese version of Android has a universal back door. Nearly all models of mobile phones have a universal back door in the modem chip. So why did Coolpad bother to introduce another? Because this one is controlled by Coolpad.
Samsung Galaxy devices running proprietary Android versions come with a back door that provides remote access to the files stored on the device.
Many Android apps fool their users by asking them to decide what permissions to give the program, and then bypassing these permissions.
The Android system is supposed to prevent data leaks by running apps in isolated sandboxes, but developers have found ways to access the data by other means, and there is nothing the user can do to stop them from doing so, since both the system and the apps are nonfree.
Digital restrictions management, or “DRM,” refers to functionalities designed to restrict what users can do with the data in their computers.
The Netflix Android app forces the use of Google DNS. This is one of the methods that Netflix uses to enforce the geolocation restrictions dictated by the movie studios.
These bugs are/were not intentional, so unlike the rest of the file they do not count as malware. We mention them to refute the supposition that prestigious proprietary software doesn't have grave bugs.
Out of 21 gratis Android antivirus apps that were tested by security researchers, eight failed to detect a test virus. All of them asked for dangerous permissions or contained advertising trackers, with seven being more risky than the average of the 100 most popular Android apps.
(Note that the article refers to these proprietary apps as “free”. It should have said “gratis” instead.)
Siri, Alexa, and all the other voice-control systems can be hijacked by programs that play commands in ultrasound that humans can't hear.
Some Samsung phones randomly send photos to people in the owner's contact list.
Many Android devices can be hijacked through their Wi-Fi chips because of a bug in Broadcom's non-free firmware.
The CIA exploited existing vulnerabilities in “smart” TVs and phones to design a malware that spies through their microphones and cameras while making them appear to be turned off. Since the spyware sniffs signals, it bypasses encryption.
The mobile apps for communicating with a smart but foolish car have very bad security.
This is in addition to the fact that the car contains a cellular modem that tells big brother all the time where it is. If you own such a car, it would be wise to disconnect the modem so as to turn off the tracking.
Samsung phones have a security hole that allows an SMS message to install ransomware.
WhatsApp has a feature that has been described as a “back door” because it would enable governments to nullify its encryption.
The developers say that it wasn't intended as a back door, and that may well be true. But that leaves the crucial question of whether it functions as one. Because the program is nonfree, we cannot check by studying it.
“Deleted” WhatsApp messages are not entirely deleted. They can be recovered in various ways.
A half-blind security critique of a tracking app: it found that blatant flaws allowed anyone to snoop on a user's personal data. The critique fails entirely to express concern that the app sends the personal data to a server, where the developer gets it all. This “service” is for suckers!
The server surely has a “privacy policy,” and surely it is worthless since nearly all of them are.
A bug in a proprietary ASN.1 library, used in cell phone towers as well as cell phones and routers, allows taking control of those systems.
Many proprietary payment apps transmit personal data in an insecure way. However, the worse aspect of these apps is that payment is not anonymous.
Many smartphone apps use insecure authentication methods when storing your personal data on remote servers. This leaves personal information like email addresses, passwords, and health information vulnerable. Because many of these apps are proprietary it makes it hard to impossible to know which apps are at risk.
An app to prevent “identity theft” (access to personal data) by storing users' data on a special server was deactivated by its developer which had discovered a security flaw.
That developer seems to be conscientious about protecting personal data from third parties in general, but it can't protect that data from the state. Quite the contrary: confiding your data to someone else's server, if not first encrypted by you with free software, undermines your rights.
The insecurity of WhatsApp makes eavesdropping a snap.
The NSA can tap data in smart phones, including iPhones, Android, and BlackBerry. While there is not much detail here, it seems that this does not operate via the universal back door that we know nearly all portable phones have. It may involve exploiting various bugs. There are lots of bugs in the phones' radio software.
This section gives examples of mobile apps harassing or annoying the user, or causing trouble for the user. These actions are like sabotage but the word “sabotage” is too strong for them.
The WeddingWire app saves people's wedding photos forever and hands over data to others, giving users no control over their personal information/data. The app also sometimes shows old photos and memories to users, without giving them any control over this either.
Samsung phones come preloaded with a version of the Facebook app that can't be deleted. Facebook claims this is a stub which doesn't do anything, but we have to take their word for it, and there is the permanent risk that the app will be activated by an automatic update.
Preloading crapware along with a nonfree operating system is common practice, but by making the crapware undeletable, Facebook and Samsung (among others) are going one step further in their hijacking of users' devices.
The Femm “fertility” app is secretly a tool for propaganda by natalist Christians. It spreads distrust for contraception.
It snoops on users, too, as you must expect from nonfree programs.
A new app published by Google lets banks and creditors deactivate people's Android devices if they fail to make payments. If someone's device gets deactivated, it will be limited to basic functionality, such as emergency calling and access to settings.
Samsung is forcing its smartphone users in Hong Kong (and Macau) to use a public DNS in Mainland China, using software update released in September 2020, which causes many unease and privacy concerns.
Twenty nine “beauty camera” apps that used to be on Google Play had one or more malicious functionalities, such as stealing users' photos instead of “beautifying” them, pushing unwanted and often malicious ads on users, and redirecting them to phishing sites that stole their credentials. Furthermore, the user interface of most of them was designed to make uninstallation difficult.
Users should of course uninstall these dangerous apps if they haven't yet, but they should also stay away from nonfree apps in general. All nonfree apps carry a potential risk because there is no easy way of knowing what they really do.
Apple and Samsung deliberately degrade the performance of older phones to force users to buy their newer phones.
See above for the general universal back door in essentially all mobile phones, which permits converting them into full-time listening devices.
Almost all proprietary health apps harvest users' data, including sensitive health information, tracking identifiers, and cookies to track user activities. Some of these applications are tracking users across different platforms.
TikTok apps collect biometric identifiers and biometric information from users' smartphones. The company behind it does whatever it wants and collects whatever data it can.
Many cr…apps, developed by various companies for various organizations, do location tracking unknown to those companies and those organizations. It's actually some widely used libraries that do the tracking.
What's unusual here is that proprietary software developer A tricks proprietary software developers B1 … B50 into making platforms for A to mistreat the end user.
Baidu apps were caught collecting sensitive personal data that can be used for lifetime tracking of users, and putting them in danger. More than 1.4 billion people worldwide are affected by these proprietary apps, and users' privacy is jeopardized by this surveillance tool. Data collected by Baidu may be handed over to the Chinese government, possibly putting Chinese people in danger.
Most apps are malware, but Trump's campaign app, like Modi's campaign app, is especially nasty malware, helping companies snoop on users as well as snooping on them itself.
The article says that Biden's app has a less manipulative overall approach, but that does not tell us whether it has functionalities we consider malicious, such as sending data the user has not explicitly asked to send.
Xiaomi phones report many actions the user takes: starting an app, looking at a folder, visiting a website, listening to a song. They send device identifying information too.
Other nonfree programs snoop too. For instance, Spotify and other streaming dis-services make a dossier about each user, and they make users identify themselves to pay. Out, out, damned Spotify!
Forbes exonerates the same wrongs when the culprits are not Chinese, but we condemn this no matter who does it.
Google, Apple, and Microsoft (and probably some other companies) are collecting people's access points and GPS coordinates (which can identify people's precise location) even if their GPS is turned off, without the person's consent, using proprietary software implemented in person's smartphone. Though merely asking for permission would not necessarily legitimize this.
The Alipay Health Code app estimates whether the user has Covid-19 and tells the cops directly.
The ToToc messaging app seems to be a spying tool for the government of the United Arab Emirates. Any nonfree program could be doing this, and that is a good reason to use free software instead.
Note: this article uses the word “free” in the sense of “gratis.”
iMonsters and Android phones, when used for work, give employers powerful snooping and sabotage capabilities if they install their own software on the device. Many employers demand to do this. For the employee, this is simply nonfree software, as fundamentally unjust and as dangerous as any other nonfree software.
The Facebook app tracks users even when it is turned off, after tricking them into giving the app broad permissions in order to use one of its functionalities.
Some nonfree period-tracking apps including MIA Fem and Maya send intimate details of users' lives to Facebook.
Keeping track of who downloads a proprietary program is a form of surveillance. There is a proprietary program for adjusting a certain telescopic rifle sight. A US prosecutor has demanded the list of all the 10,000 or more people who have installed it.
With a free program there would not be a list of who has installed it.
Many unscrupulous mobile-app developers keep finding ways to bypass user's settings, regulations, and privacy-enhancing features of the operating system, in order to gather as much private data as they possibly can.
Thus, we can't trust rules against spying. What we can trust is having control over the software we run.
Many Android apps can track users' movements even when the user says not to allow them access to locations.
This involves an apparently unintentional weakness in Android, exploited intentionally by malicious apps.
In spite of Apple's supposed commitment to privacy, iPhone apps contain trackers that are busy at night sending users' personal information to third parties.
The article mentions specific examples: Microsoft OneDrive, Intuit's Mint, Nike, Spotify, The Washington Post, The Weather Channel (owned by IBM), the crime-alert service Citizen, Yelp and DoorDash. But it is likely that most nonfree apps contain trackers. Some of these send personally identifying data such as phone fingerprint, exact location, email address, phone number or even delivery address (in the case of DoorDash). Once this information is collected by the company, there is no telling what it will be used for.
BlizzCon 2019 imposed a requirement to run a proprietary phone app to be allowed into the event.
This app is a spyware that can snoop on a lot of sensitive data, including user's location and contact list, and has near-complete control over the phone.
Data collected by menstrual and pregnancy monitoring apps is often available to employers and insurance companies. Even though the data is “anonymized and aggregated,” it can easily be traced back to the woman who uses the app.
This has harmful implications for women's rights to equal employment and freedom to make their own pregnancy choices. Don't use these apps, even if someone offers you a reward to do so. A free-software app that does more or less the same thing without spying on you is available from F-Droid, and a new one is being developed.
Many Android phones come with a huge number of preinstalled nonfree apps that have access to sensitive data without users' knowledge. These hidden apps may either call home with the data, or pass it on to user-installed apps that have access to the network but no direct access to the data. This results in massive surveillance on which the user has absolutely no control.
A study of 24 “health” apps found that 19 of them send sensitive personal data to third parties, which can use it for invasive advertising or discriminating against people in poor medical condition.
Whenever user “consent” is sought, it is buried in lengthy terms of service that are difficult to understand. In any case, “consent” is not sufficient to legitimize snooping.
Facebook offered a convenient proprietary library for building mobile apps, which also sent personal data to Facebook. Lots of companies built apps that way and released them, apparently not realizing that all the personal data they collected would go to Facebook as well.
It shows that no one can trust a nonfree program, not even the developers of other nonfree programs.
The AppCensus database gives information on how Android apps use and misuse users' personal data. As of March 2019, nearly 78,000 have been analyzed, of which 24,000 (31%) transmit the Advertising ID to other companies, and 18,000 (23% of the total) link this ID to hardware identifiers, so that users cannot escape tracking by resetting it.
Collecting hardware identifiers is in apparent violation of Google's policies. But it seems that Google wasn't aware of it, and, once informed, was in no hurry to take action. This proves that the policies of a development platform are ineffective at preventing nonfree software developers from including malware in their programs.
Many nonfree apps have a surveillance feature for recording all the users' actions in interacting with the app.
An investigation of the 150 most popular gratis VPN apps in Google Play found that 25% fail to protect their users' privacy due to DNS leaks. In addition, 85% feature intrusive permissions or functions in their source code—often used for invasive advertising—that could potentially also be used to spy on users. Other technical flaws were found as well.
Moreover, a previous investigation had found that half of the top 10 gratis VPN apps have lousy privacy policies.
(It is unfortunate that these articles talk about “free apps.” These apps are gratis, but they are not free software.)
The Weather Channel app stored users' locations to the company's server. The company is being sued, demanding that it notify the users of what it will do with the data.
We think that lawsuit is about a side issue. What the company does with the data is a secondary issue. The principal wrong here is that the company gets that data at all.
Other weather apps, including Accuweather and WeatherBug, are tracking people's locations.
Around 40% of gratis Android apps report on the user's actions to Facebook.
Often they send the machine's “advertising ID,” so that Facebook can correlate the data it obtains from the same machine via various apps. Some of them send Facebook detailed information about the user's activities in the app; others only say that the user is using that app, but that alone is often quite informative.
This spying occurs regardless of whether the user has a Facebook account.
Facebook's app got “consent” to upload call logs automatically from Android phones while disguising what the “consent” was for.
Some Android apps track the phones of users that have deleted them.
The Spanish football streaming app tracks the user's movements and listens through the microphone.
This makes them act as spies for licensing enforcement.
We expect it implements DRM, too—that there is no way to save a recording. But we can't be sure from the article.
If you learn to care much less about sports, you will benefit in many ways. This is one more.
More than 50% of the 5,855 Android apps studied by researchers were found to snoop and collect information about its users. 40% of the apps were found to insecurely snitch on its users. Furthermore, they could detect only some methods of snooping, in these proprietary apps whose source code they cannot look at. The other apps might be snooping in other ways.
This is evidence that proprietary apps generally work against their users. To protect their privacy and freedom, Android users need to get rid of the proprietary software—both proprietary Android by switching to Replicant, and the proprietary apps by getting apps from the free software only F-Droid store that prominently warns the user if an app contains anti-features.
Grindr collects information about which users are HIV-positive, then provides the information to companies.
Grindr should not have so much information about its users. It could be designed so that users communicate such info to each other but not to the server's database.
The moviepass app and dis-service spy on users even more than users expected. It records where they travel before and after going to a movie.
Don't be tracked—pay cash!
Tracking software in popular Android apps is pervasive and sometimes very clever. Some trackers can follow a user's movements around a physical store by noticing WiFi networks.
AI-powered driving apps can track your every move.
The Sarahah app uploads all phone numbers and email addresses in user's address book to developer's server.
(Note that this article misuses the words “free software” referring to zero price.)
20 dishonest Android apps recorded phone calls and sent them and text messages and emails to snoopers.
Google did not intend to make these apps spy; on the contrary, it worked in various ways to prevent that, and deleted these apps after discovering what they did. So we cannot blame Google specifically for the snooping of these apps.
On the other hand, Google redistributes nonfree Android apps, and therefore shares in the responsibility for the injustice of their being nonfree. It also distributes its own nonfree apps, such as Google Play, which are malicious.
Could Google have done a better job of preventing apps from cheating? There is no systematic way for Google, or Android users, to inspect executable proprietary apps to see what they do.
Google could demand the source code for these apps, and study the source code somehow to determine whether they mistreat users in various ways. If it did a good job of this, it could more or less prevent such snooping, except when the app developers are clever enough to outsmart the checking.
But since Google itself develops malicious apps, we cannot trust Google to protect us. We must demand release of source code to the public, so we can depend on each other.
Apps for BART snoop on users.
With free software apps, users could make sure that they don't snoop.
With proprietary apps, one can only hope that they don't.
A study found 234 Android apps that track users by listening to ultrasound from beacons placed in stores or played by TV programs.
Faceapp appears to do lots of surveillance, judging by how much access it demands to personal data in the device.
Users are suing Bose for distributing a spyware app for its headphones. Specifically, the app would record the names of the audio files users listen to along with the headphone's unique serial number.
The suit accuses that this was done without the users' consent. If the fine print of the app said that users gave consent for this, would that make it acceptable? No way! It should be flat out illegal to design the app to snoop at all.
Pairs of Android apps can collude to transmit users' personal data to servers. A study found tens of thousands of pairs that collude.
Verizon announced an opt-in proprietary search app that it will pre-install on some of its phones. The app will give Verizon the same information about the users' searches that Google normally gets when they use its search engine.
Currently, the app is being pre-installed on only one phone, and the user must explicitly opt-in before the app takes effect. However, the app remains spyware—an “optional” piece of spyware is still spyware.
The Meitu photo-editing app sends user data to a Chinese company.
The Uber app tracks clients' movements before and after the ride.
This example illustrates how “getting the user's consent” for surveillance is inadequate as a protection against massive surveillance.
A research paper that investigated the privacy and security of 283 Android VPN apps concluded that “in spite of the promises for privacy, security, and anonymity given by the majority of VPN apps—millions of users may be unawarely subject to poor security guarantees and abusive practices inflicted by VPN apps.”
Following is a non-exhaustive list, taken from the research paper, of some proprietary VPN apps that track users and infringe their privacy:
READ_SMS and SEND_SMS
permissions upon installation, meaning it has full access to users'
text messages.READ_LOGS permission to read logs
for other apps and also core system logs. TigerVPN developers have
confirmed this.Some portable phones are sold with spyware sending lots of data to China.
Facebook's new Magic Photo app scans your mobile phone's photo collections for known faces, and suggests you circulate the picture you take according to who is in the frame.
This spyware feature seems to require online access to some known-faces database, which means the pictures are likely to be sent across the wire to Facebook's servers and face-recognition algorithms.
If so, none of Facebook users' pictures are private anymore, even if the user didn't “upload” them to the service.
Facebook's app listens all the time, to snoop on what people are listening to or watching. In addition, it may be analyzing people's conversations to serve them with targeted advertisements.
A pregnancy test controller application not only can spy on many sorts of data in the phone, and in server accounts, it can alter them too.
Apps that include Symphony surveillance software snoop on what radio and TV programs are playing nearby. Also on what users post on various sites such as Facebook, Google+ and Twitter.
The natural extension of monitoring people through “their” phones is proprietary software to make sure they can't “fool” the monitoring.
“Cryptic communication,” unrelated to the app's functionality, was found in the 500 most popular gratis Android apps.
The article should not have described these apps as “free”—they are not free software. The clear way to say “zero price” is “gratis.”
The article takes for granted that the usual analytics tools are legitimate, but is that valid? Software developers have no right to analyze what users are doing or how. “Analytics” tools that snoop are just as wrong as any other snooping.
More than 73% and 47% of mobile applications, for Android and iOS respectively hand over personal, behavioral and location information of their users to third parties.
According to Edward Snowden, agencies can take over smartphones by sending hidden text messages which enable them to turn the phones on and off, listen to the microphone, retrieve geo-location data from the GPS, take photographs, read text messages, read call, location and web browsing history, and read the contact list. This malware is designed to disguise itself from investigation.
Like most “music screaming” disservices, Spotify is based on proprietary malware (DRM and snooping). In August 2015 it demanded users submit to increased snooping, and some are starting to realize that it is nasty.
This article shows the twisted ways that they present snooping as a way to “serve” users better—never mind whether they want that. This is a typical example of the attitude of the proprietary software industry towards those they have subjugated.
Out, out, damned Spotify!
Samsung phones come with apps that users can't delete, and they send so much data that their transmission is a substantial expense for users. Said transmission, not wanted or requested by the user, clearly must constitute spying of some kind.
A study in 2015 found that 90% of the top-ranked gratis proprietary Android apps contained recognizable tracking libraries. For the paid proprietary apps, it was only 60%.
The article confusingly describes gratis apps as “free”, but most of them are not in fact free software. It also uses the ugly word “monetize”. A good replacement for that word is “exploit”; nearly always that will fit perfectly.
Gratis Android apps (but not free software) connect to 100 tracking and advertising URLs, on the average.
Widely used proprietary QR-code scanner apps snoop on the user. This is in addition to the snooping done by the phone company, and perhaps by the OS in the phone.
Don't be distracted by the question of whether the app developers get users to say “I agree”. That is no excuse for malware.
Many proprietary apps for mobile devices report which other apps the user has installed. Twitter is doing this in a way that at least is visible and optional. Not as bad as what the others do.
Samsung's back door provides access to any file on the system.
The Simeji keyboard is a smartphone version of Baidu's spying IME.
The nonfree Snapchat app's principal purpose is to restrict the use of data on the user's computer, but it does surveillance too: it tries to get the user's list of other people's phone numbers.
The Brightest Flashlight app sends user data, including geolocation, for use by companies.
The FTC criticized this app because it asked the user to approve sending personal data to the app developer but did not ask about sending it to other companies. This shows the weakness of the reject-it-if-you-dislike-snooping “solution” to surveillance: why should a flashlight app send any information to anyone? A free software flashlight app would not.
Portable phones with GPS will send their GPS location on remote command, and users cannot stop them. (The US says it will eventually require all new portable phones to have GPS.)
FTC says most mobile apps for children don't respect privacy: http://arstechnica.com/information-technology/2012/12/ftc-disclosures-severely-lacking-in-kids-mobile-appsand-its-getting-worse/.
Some manufacturers add a hidden general surveillance package such as Carrier IQ.
Jails are systems that impose censorship on application programs.
Tyrants are systems that reject any operating system not “authorized” by the manufacturer.