
I wonder how best to solve this from a software or hardware POV, rather than from a policy standpoint. It seems so easy to take full control of phones these days.


This is a social problem. She was instructed to do xyz over WhatsApp. Any device can be compromised. It’s all about informing people what not to do. Like how very slowly old people are starting to wake up to the idea that you don’t pay the IRS with Google Play gift cards.


Totally agree that it’s a social problem. But it’s getting worse, not better.

There are hard security rules that you should always follow, for example, never click on links from an unknown sender. In the last five years I’ve noticed a trend of bureaucracies in every institution now wanting you to violate generally accepted security rules for their own convenience.

For example, I got a text from a new number saying (sic) “we’re your dentist office and we’ve changed over to a new system, please click this link and provide some sensitive PII for us ahead of your visit.” Although I had a dentist appointment coming up in a week, I called their office to confirm the appointment, no one over the phone asked me to do anything different, so I ignored the text.

When I got into the office, the receptionist politely told me that I did not fill out the patient forms ahead of my visit, and that I should have received a text message, and now they had to print the forms, which is a problem for them because they’re trying to go paperless. It was a very polite interaction, but the subtext was that I violated an implied contract with their office to engage regularly with them.

As members of the public, we’re asked to click on links from places we don’t recognize, to support the functioning of bureaucracies. Everyone engages in this behavior. I’ve found financial and insurance companies to be the worst offenders.

Regardless, institutions in authoritative positions are opening up massive avenues for social engineering by requiring the general public to ignore security best practices to interact with them. It succeeds in reducing administrative costs from them, but introduces systemic risk that the public is paying for in the form of security breaches.


Did you try getting your government to prosecute those scammers? I'm always confused by Americans inventing 100 different software ways to try to lock out people from their devices for "security", but no one wonders why exactly this kind of egregious scammage isn't actually punished and money returned?


Much of it is not punished because many of the scammers are in other countries.


The likelihood you get scammed as you age approaches 1.

Older people start defaulting to trust due to the mental burnout induced by having to overthink every situation.

Insurance companies are trying to figure out right now how to cover scam insurance per your age.


Can't be solved completely, anything can be social engineered. But that's no excuse for not solving as completely as possible. I couldn't discern from the article the extent to which any technical vulnerability was involved -- or if it was pure social engineering, e.g. with the criminals using the info they had gotten out of the user to gain access to their accounts via more social engineering of their bank? Was an Android system exploit involved? Was the malware app able to escalate its privilege and access info from other apps? If either of those, what about Android's security model or implementation needs to be further hardened? (Naive questions, I'm neither a security nor an Android engineer.)


> It seems so easy to take full control of phones these days.

What?

The lady agreed to install and run an app, because someone asked her to do so.

She literally handed over control of her phone with its bank account accesses, essentially.

Also, that's an Android phone, which might or might not matter, but I imagine this social engineering (as if) scam would work in general.

In the words of Laocoön, "quidquid id est, timeo Danaos et dona ferentes" if I remember.


I think the OP implies that she should not be allowed to control her own phone to the point where she can't do that - more corporate control and more corporate babysitting.


Actually I was saying more of, one app can just allow a hacker to take control of your phone completely. It’s quite scary, especially knowing that the public isn't well-educated on this yet.


On the front page of HN right now as you posted this: https://news.ycombinator.com/item?id=37623479


There’s a little bit of alert fatigue on this stuff. Online internet privacy/security folks kick up a fuss about a lot of things that I don’t think cause me any harm, and it’s reducing my ability to detect legitimate threats. I can’t constantly evaluate whether something is Google “spying on my web browsing” or “this guy can steal your money”.

Fortunately, the solution of just sticking to mainstream platforms works. If I’m on a Mac with an iPhone, anything that hits me hits half of Americans. I’ll be in a nice big class-action once the damages are widespread.

Interestingly, this disincentivizes niche platforms.


> Fortunately, the solution of just sticking to mainstream platforms works.

Well, it depends. For widespread non-targeted attacks, like the one mentioned in the parent comment, I think using a niche platform is a form of security through obscurity that can actually work, because it's possible the generic exploit you encounter is not designed to work on your non-standard system (like a virtual machine, a hardened configuration, a non-mainstream OS like OpenBSD...). Although this is more difficult on phones, because it's not possible to use some mainstream services on niche platforms due to attestation requirements.

