Credit: John Hering, Jon Oberheide, Adam Laurie, et al.
Engadget described a particularly hand-wavy demo thusly:
At the beginning of this contrived little drama, Alfonsi is using an iPhone. You know how everyone and everything these days is telling you not to click links, download files or install applications you don’t expect to receive? Well, he told her to do exactly that — click, download, install his app — with a text message he sent her. To do this in real life, she’d receive warnings, and she’d have to disable the security features on her iPhone. But in the next shot, suddenly our reporter is being spied on by Hering through an Android phone propped up on her desk.
So, let’s make sure that we got this straight:
- Turn on “Unknown sources” to allow your device to install whatever malicious app the horrible mobile porn sites you frequent decide that you need installed.
- Turn off “Verify Apps” so that Google can’t scan those drive-by installed apps and inform you that they’re all sorts of bad.
- When you receive a text message from an unknown number with a link to install an app, tap that link like you know you’re supposed to with all suspicious links in unsolicited messages from unknown senders.
- When Android tells you that the app requires all sorts of ridiculous permissions to run, you tap “Yes, I am an adult and know what all of that meant” (even though you didn’t).
- Now that you’ve given a total Internet Stranger (who tends to be stranger than IRL Strangers) complete access to your phone, act totally surprised when they use that access to your phone to access your phone.