[Security Information] 3·15 Exposure | The more you clean your phone, the more junk it has? Don't download these apps...

  • Authors|Yu Zhenni, Yin Ming
  • Information Collection|Yu Zhenni, Yin Ming

This year's CCTV "3·15" evening gala exposed widespread information security problems in the Internet industry. Among them, "mobile phone cleaning" apps such as "Memory Optimization Master", "Super Clean Master", "Smart Clean Master" and "Mobile Manager PRO" were found to contain security traps.

It is reported that when Ms. Li, who is in her 70s, uses her smartphone to read news and novels, "safety reminders" often pop up automatically, warning of "insufficient memory", "mobile phone trash is full", "cleaning virus files" and so on.

Various "safety tips"|@央视金融

When Ms. Li followed the prompts and used the software to complete the cleanup, another "safety prompt" popped up on the phone, inducing her to download yet another cleaning app. After repeating this over and over, Ms. Li found that the more she cleaned, the more "safety tips" appeared; her phone began to freeze frequently, and the battery drained faster. The puzzle is: if junk cleaning software is used every day, why does the phone get slower and slower?

In response to this phenomenon, experts from the Cybersecurity Center of the China Electronics Standardization Institute ran experiments on several of these apps and monitored their behavior. During the experiments, the researchers discovered that these so-called "mobile phone cleaning" apps exhibit serious "nesting doll" behavior: the path of "remind, download, clean" repeats from one app to the next.

"Mobile phone cleaning software" shows serious "nesting doll" behavior|好看视频@央视经济

But are these "cleaning masters" really cleaning up the junk on the phone? They are not.

First, a brief introduction to the principle of "cleaning up system junk". System junk refers to leftover files that will never be used again, such as the files a program leaves behind after it is uninstalled. In practice, cleaning generally also means "killing" applications' background processes and deleting some non-junk files, such as system log files, image caches, browser caches and history records, in order to speed the phone up and free memory. When cleaning these files on an Android phone, a cleaner usually looks for common markers first, then classifies the files into a library and deletes them to free up storage space.

In fact, many apps come with a built-in cache cleaning function, so third-party cleaning software is not necessary.

The clear-cache interface in WeChat settings

So what do these so-called "clean master" apps actually do?

The testers examined one of the apps, "Mobile Manager PRO", and found that it had essentially no cleaning effect. Worse, it secretly collected a large amount of information from the phone. In just 8.75 seconds, the App read the application list 890 times, the IMSI (mobile subscriber ID) more than 1,300 times, the IMEI (mobile device ID) more than 900 times, and GPS (Global Positioning System) location information more than 50 times. The permissions required for these behaviors are defined by Google as "dangerous permissions" because they cover areas where the application wants data or resources involving the user's private information.

App reads phone information nearly a thousand times in a short period|@央视金融

According to He Yanzhe, deputy director of the Evaluation Laboratory of the China Institute of Electronic Technology Standardization, the app collects personal information at such a high frequency, and uploads it at high frequency, for two main purposes. The first is to occupy a large amount of phone memory and deliberately make the phone lag, which pushes users to download and use cleaning software. The second is to build user profiles, so as to continuously push all kinds of vulgar and even deceptive advertisements and content to groups who are "easily misled and induced".

Dressed up as "junk cleaning" and "security protection", these apps mainly target the elderly, using exaggerated, enticing wording and images to mislead them into clicking, downloading and using the software. While making phones slower and slower, these apps may also leak personal information, increase the risk of fraud and cause financial losses for users. The advertising subsequently pushed in the apps also contained a great deal of false and excessive marketing content, seriously harming users' rights and interests.

Misleading advertising|@央视金融

After the mobile phone cleaning software problem was exposed at the CCTV "3·15" gala, the Shanghai Communications Administration immediately investigated Shanghai Supa Technology Co., Ltd., the company behind the software. At the same time, the Administration launched a plan to organize technical support units to investigate and test other mobile phone cleaning software of the same type, and to require rectification of similar problems.

Shanghai Municipal Administration of Communications Launches Investigation of Mobile Phone Cleaning Software Issues|@上海通信圈

Smartphones and mobile applications were originally intended to bring convenience and happiness to people, but they are now being exploited by people with bad intentions who try to make money by obtaining personal information and private data. According to data from the professional version of Tianyancha, there are currently more than 790,000 smart communication-related companies in China; 6.2% of them have been involved in legal proceedings, more than 85,000 have experienced operational abnormalities, more than 10,000 have been subject to administrative penalties, and more than 2,500 have committed serious violations. How to further strengthen industry supervision, control false marketing, supervise and deal with Internet companies' illegal collection and use of users' personal information, and effectively safeguard users' legitimate rights and interests is the next issue for industry regulators to consider.

List of Risk Information of Intelligent Communication Enterprises|@天眼查

In response to Apps abusing permissions and illegally collecting and using users' personal information, the Technical Research Department of the Security Engineering Research Center of China Academy of Telecommunications provides a solution for regulators: a mobile application full life cycle management platform built in accordance with national and industry standards (https://appsec.anquanbang.net). The platform can detect the permissions an App uses and the App's behavior through a combination of dynamic and static analysis. In addition, the platform provides mobile application security testing, channel monitoring, security reinforcement, personal privacy compliance assessment, application traceability, asset management, situational awareness and other services, covering every stage of mobile application development, testing, launch, release and operation.

Application behavior detection
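
The two kinds of check described above, static inspection of declared permissions and dynamic monitoring of how often sensitive data is read, sketched as an added Python example that is not the platform's or the testers' code. The manifest, the `<seconds> <category>` trace format, the 1-second window and the threshold of 3 reads are all assumptions made for illustration.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict
ANDROID = "{http://schemas.android.com/apk/res/android}"
# Subset of Android "dangerous" permissions that guard the data named above.
DANGEROUS = {
    "android.permission.READ_PHONE_STATE",        # device / subscriber IDs
    "android.permission.ACCESS_FINE_LOCATION",    # GPS
    "android.permission.ACCESS_COARSE_LOCATION",
}

def dangerous_permissions(manifest_xml):
    """Static check: dangerous permissions declared in AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    declared = {e.get(ANDROID + "name") for e in root.iter("uses-permission")}
    return sorted(declared & DANGEROUS)

def burst_reads(trace_lines, window=1.0, threshold=3):
    """Dynamic check: categories read more than `threshold` times within any
    `window` seconds. Returns {category: peak reads per window}."""
    times = defaultdict(list)
    for line in trace_lines:
        stamp, category = line.split()
        times[category].append(float(stamp))
    peaks = {}
    for category, ts in times.items():
        ts.sort()
        start = peak = 0
        for end, t in enumerate(ts):          # sliding window over sorted times
            while t - ts[start] >= window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            peaks[category] = peak
    return peaks

# Constructed sample inputs (not taken from the tested app).
MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.cleaner">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
</manifest>"""
# Lower-bound read counts from the article, spread evenly over its 8.75 s.
COUNTS = {"APP_LIST": 890, "IMSI": 1300, "IMEI": 900, "GPS": 50}
TRACE = [f"{i * 8.75 / n:.4f} {c}" for c, n in COUNTS.items() for i in range(n)]
BENIGN = ["0.2000 IMEI", "1.0000 GPS", "6.0000 GPS"]   # occasional reads only

if __name__ == "__main__":
    print(dangerous_permissions(MANIFEST), burst_reads(TRACE), burst_reads(BENIGN))
```

Declaring a dangerous permission is not proof of abuse on its own; the read rate is what separates the constructed cleaner trace, where every category is flagged, from the benign one, where none is.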

For developers, it is recommended to build encryption into the mobile phone system so that data is protected at its source. An authoritative third party can also be brought in to build a sound data environment, using data security technology and auditing methods to establish a data monitoring system that ensures data storage, data transmission and big data computation are legally compliant.

Ordinary users need to improve their knowledge of network security and mobile application security: do not trust exaggerated advertisements, do not click on links of unknown origin, and do not disclose personal information. In addition, users need to learn to manage mobile phone permissions, improve their ability to discern rumors in Moments, and cultivate healthy surfing habits. Only by strengthening our own security awareness can we better avoid these "safety traps".


Part of the information source: CCTV Finance

Origin blog.csdn.net/YiAnSociety/article/details/114982450