Feeds

back to article INVASION of the UNDEAD ANDROIDS: Hackers can pwn 'nearly all' devices

A four-year-old Android bug could be used to plant malware on 99 per cent of Android devices on the market, according to security researchers. Bluebox Security CTO Jeff Forristal said the vulnerability in Android’s security model creates a means for hackers to modify an Android app's APK code without breaking its cryptographic …

COMMENTS

This topic is closed for new posts.

Page:

Anonymous Coward

I sense...

Furious typing on keyboards with the @ sign in the wrong place...

5
6
Silver badge

Re: I sense...

What? American keyboards?

7
1
Thumb Down

The malicious app still needs to be installed by the user, the user is still warned what privileges are asked for.

This so much more effort than just writing malware and calling it "angry birds", hoping someone will download and side load it. Its not like this master key allows malicious apps to replace the genuine ones served up by the Play Store.

Most normal android users are protected by the default setting that doesn't allow sideloading, those of us that like the freedom to side load apps are I would hope smart enough to notice when an app is asking for odd permissions.

I've seen this reported many times but congrats on El Reg for the most sensationalist title.

18
9
jai
Silver badge

But the last paragraph suggests they're able to get the dodgy code into apps that are in the Play Store. so it's not a case of replacing genuine ones from the Store, you just need your dodgy app to be in the Store and then the average punter will assume it's safe because it comes from the Store, no?

Yes, i guess it still asks for permissions, but if you'd disguised your malware as a utility app that would require those kind of permissions, how's the end user supposed to know not to allow it?

4
6
Anonymous Coward

It runs what is basically Linux, so Swiss Cheese central. So this isn't exactly a surprise...

2
25
Bronze badge
FAIL

Mmm

"it runs what is basically Linux, so Swiss Cheese central. So this isn't exactly a surprise..."

It runs an Google developed shell/GUI on top of a modified Linux kernel.

It is exploitable because it was designed with revenue generation as opposed to security in mind.

When Android is hacked it is Android that is hacked not Linux

Every application asks for ridiculous permissions on install? No user will notice anything out of the ordinary. Why do they need those permissions? Profiling, tracking, advertising.... revenue generation.

I'm not defending Android, out of the tin it is not to be trusted. Perhaps it shouldn't be trusted when rooted, and "locked down" I shrug, even when I think I own my Android, I will never trust it with my bank details.

14
4
Anonymous Coward

The malicious app still needs to be installed by the user, the user is still warned what privileges are asked for.

Ahhh Fandroids.... I bet we'd all be hearing a different tune if that was windows 8 in the title

15
18

You'd also have to take over the developers account, then you could push an APK to the Play store and users will be updated with your new malware.

If you have access to the play store account I'm pretty sure you could just put anything you liked up there for people to download, regardless of if the master key is compromised.

Its still easier to list something new on the play store as "Angry birds" and have a few people download the malicious app.

4
2

In Windows 8 you don't have a thing that prevents you installing from "Unknown sources".

3
3
Bronze badge

"In Windows 8 you don't have a thing that prevents you installing from "Unknown sources".

Yes it does, Actual Windows 8 apps have to either come from the Windows App Store or a System Center server configured by the system Administrator to side-load company apps. Even then with regular programs you still get the UAC prompt showing who signed the code, etc.

5
3
Anonymous Coward

Re: Mmm

I was going to install something yesterday that looked good. I think it was the XBMC remote. But it wanted permission to read my text messages? why on earth would a media remote want to do that?!

I can only assume it is poor testing, request everything so nothing fails to work.

5
3
fix

Re: Mmm

For a very neat reason :-)

The XBMC remote has the facility to put received text messages up as a banner on the XBMC device that your mobile is remotely controlling ..... couldn't do that if it was unable to read them first on the phone.

5
0
Anonymous Coward

Re: Mmm

And this is the problem with Android permission.

This app needs for internet access, read your contacts and modify the SD card.

Could mean it just needs to log into your XYZ account and sync the info.

Equally, it could mean it's going to connect to the web and then download shitload of kiddy porn to your phone before contacting everyone in your address book saying your a peado.

Extreme I know, but this is why the permission info is a waste of time.

4
3
Anonymous Coward

Re: Mmm

"The XBMC remote has the facility to put received text messages up as a banner on the XBMC device that your mobile is remotely controlling ..... couldn't do that if it was unable to read them first on the phone."

Why isn't the grant of permissions controllable by the user [1], on something like a "choose from: permit always/never permit/ask each time app started/ask each time permission requested" basis when the app is installed or updated (or when the user changes their mind)?

Is that even possible in Android, officially or otherwise?

How difficult would that be to implement?

Would it destroy the economics of Google and Android?

If it did, would that be a bad thing?

Does Windows Mobile or whatever its called this week do something like that?

Does the Applephone OS do something like that?

[1] The user .ne. the customer. Google's customer is the company buying the data which Google holds on the user.

6
1
Silver badge
Devil

" I bet we'd all be hearing a different tune if that was windows 8 in the title..."

But only 2 people would be affected, so why bother?

11
2

<<<Ahhh Fandroids.... I bet we'd all be hearing a different tune if that was windows 8 in the title>>>

It would be a yawn - just another Windows vulnerability.

2
1
Silver badge

Re: "In Windows 8 you don't have a thing that prevents you installing from "Unknown sources".

Ah yes, the UAC meme. MS has never been able to resolve a problem that has existed since at least DOS 3.1 (the first one I used):

c:> delete *.*

c:> Are you youre? (y/n)

c:> Y

Doh!

1
0

Re: "In Windows 8 you don't have a thing that prevents you installing from "Unknown sources".

@Tom 13: Not sure what your point is - unless you'd already run the command prompt as elevated or had changed the default ACLs this would generate a UAC prompt.

0
0
Silver badge

Simple solution

Buy a Sony Experia Arc, the one that they aren't providing an upgrade to ICS for, and which they load with so much bloatware (which they don't let you uninstall) and hey-presto! Pretty soon your memory is full ('cos you can't move the bloatware to the SD card) and you can't download any more apps, malware-ridden or not.

Works for me...although I'll never buy another Sony phone.

(And no, I can't be arsed to go through the hassle of rooting it etc.)

4
0
Anonymous Coward

Re: Simple solution

Not much different with Samsung's flagship S4, 9GB free space out of 16GB. A few games, MP3s and video and you're full.

3
10
Bronze badge
FAIL

Re: Simple solution

Of course, you can just bung an SD card in the slot for the MP3, M4a and other content files, then the 9GB is irrelevant. Samsung are rolling out 4.2 updates that allow apps to be moved to the external SD too.

7
2
Bronze badge

Re: Simple solution

Will systems older that three month get an update from Samsung? Maybe even with fixes for the other bugs and security holes?

Or will we again be told "buy the next generation"?

3
5
Gold badge

Re: Simple solution

Pretty soon your memory is full

Yup. The old Sony, probably patented "security through obesity" method.

It's platform independent - I've also come across it on Sony laptops...

2
0
Silver badge

Re: Simple solution

S2 still gets updates

5
1
Anonymous Coward

Re: Simple solution

The point is this is a flagship phone. It should be 32GB as standard like the HTC One.

If you don't have enough space on your phone to download to then you can't move it to the SD card since any applications are downloaded to internal memory first. You can't download straight to SD card.

This complaint has been on Watchdog for christs sake, there are a lot of unhappy S4 owners out there.

0
5
Paris Hilton

Re: Simple solution

>> SD card blah blah apps to SD card

But you still run out of space. Not space to store applications and documents on the SD card itself, but "internal" memory used by applications and Android itself. My several-hundred-euro tablet running Android has >16GB free on its SD card, but won't check my mail because

"Out of space ... Free up some space and try again"

Fuck Android. It's crap. I've tried to like it, but it's crap.

0
9
Unhappy

Re: Simple solution

I know where you are coming from! I have an Arc S, which just has a faster CPU, and it took me about a month to download enough apps to fill it.

I did root it and installed a nice app called Link2SD which gets around the problem by spoofing 'unmoveable' apps into a second partition on your SD card.

It was my first smartphone, and I knew nothing about rooting until I checked out the XDA forum. Took about an hour to do using their instructions and was surprisingly easy. Bloatware removed no problem. One day I might even put ICS or JB on it, but I dont think the single core processor is really up to it.

Anyway, back to the original story - chances of Sony ever producing a fix for this when they cant be bothered producing a decent ICS upgrade for it? Zero!

0
0
Bronze badge
Facepalm

@Danny 14

Indeed, mine recently upgraded itself to ICS OTA (after asking me if it could).

Of course, now I can't find a bunch of things as Google have adopted the Microsoft approach to Windows of pointlessly moving stuff around from version to version.

0
0
Bronze badge
Pint

Re: @Danny 14

Duh - I meant to say from ICS to JB.

<--- because I need it --->

(bi-directional arrows to cope with ElReg designers)

1
0
xyz
Bronze badge

Ah... they've found the built in NSA backdoor!

I bow before our superior NSA overlords; Sirs!

7
1
Bronze badge
Go

could mean progress...

Not such a great idea having a three-link chain (Google, manufacturer, network) for getting software to phones, was it?

Much more of this, and we'll have to change to a system where people get the OS directly from Google.

(Fringe benefit - no more crapware.)

6
1
Anonymous Coward

Re: could mean progress...

Or you could just buy a Nexus that does this already.

£279 for a Nexus4 and £5 a month for unlimited data, unlimited texts and 100 mins beats any other smartphone deal I have seen.

I'm not going to tell you the network or the deal, do the research.

5
7
Bronze badge

Re: could mean progress...

Assuming that unit does all you want. If not (i.e I do not use touch-only devices) than the Nexus is not an option.

0
1
Bronze badge

If it sounds too good to be true...

"£5 a month for unlimited data"

Either you're trolling or that deal's about to get slapped with a "fair use" clause (if it doesn't have one already).

1
0
Anonymous Coward

An OS has a vulnerability SHOCKER!

Every OS has its vulnerabilities. The fact that google is being targeted (as windows) is because its user base is so large.

If you play in the garden like iOS users, you should be fine! At least with Google, you can escape if you wish.

7
3
Anonymous Coward

The fact that google is being targeted (as windows) is because its user base is so large.

iOS is not exactly underrepresented in the mobile phone market, but they appear to suffer a lot less from these problems.

5
4
Anonymous Coward

F R A G M E N T A T I O N

That's the problem with carriers/manufacturers handling OS updates

You can't expect the average punter to root their handset

4
7
Bronze badge

Re: F R A G M E N T A T I O N

I thought that Jelly Bean was supposed to reduce all this by allowing UI customisation without modifying the OS so much that patches can't be applied...

Obviously there'll always be some limitation to that, but being able to supply base security updates without affecting the window manager should be standard.

Pre-ICS I was always a Sense fan, but I'm happy with AOSP now.

0
0
Anonymous Coward

Re: F R A G M E N T A T I O N

"I thought that Jelly Bean was supposed to reduce all this by allowing UI customisation without modifying the OS so much that patches can't be applied.."

That was the idea. There is no reason Sense or TouchWiz need the OS to be customised, android provides the ability to replace every stock app on a stock build distributed with custom APKs.

The reason they do customise the OS is to prevent porting Sense onto a Samsung or TouchWiz onto a HTC, without customising the OS, there would be nothing stopping this from being possible and manufacturers would lose their only grip on customers.

1
0
Anonymous Coward

Yawn

Only 99% of phones if 100% of phones had the ability to sideload apps from another less reputable location than Google Play enabled.

Android users should really be fighting back against this bullshit scaremongering reporting, as quite clearly the easy option for Google is to simply remove the ability to sideload apps, it would close the door on Android piracy too. OtherOS all over again. You had it all, but demonstrated you couldn't be trusted with it.

5
8
Bronze badge

If this a fundamental flaw in the Android code couldn't Google release an update for all android phones regardless of whether the manufacturer offers a patch or not or can Google only offer update for apps via the play store not the Android OS?

2
1
Bronze badge

@mark l 2: Nope. Android fundamentally has absolutely no way of doing this and it's open source nature also means it's highly debatable whether they could ever even provide technology to do so.

2
3
Bronze badge

Some manufacturer specific parts of Android are closed source. That is why i.e there is no full support for the Wacom Pen used by the Note-series

0
1
Facepalm

@El Andy

"... it's open source nature also means it's highly debatable... "

Care to hand one of them there 'postrophes back in for recycling'?

14
0
Bronze badge
Trollface

And what's that one at the end of your post about then, mm?

0
0
Anonymous Coward

Good

Maybe someone can use this to develop an easy way to root my loader-locked Motorola Defy Mini.

The existing rooting method is a right faff and the pre-installed, undeletable crapware really spoils the phone :-(

1
0
Bronze badge
Go

Popcorn

and Parmesan.

0
0
Gold badge
FAIL

So the mechanism that mean to stop unauthorised changes to an app does not *work*

That will be the one that ensures you can trust that app with your data.

That will the things people pay money for.

And it's existed for four years. so this is the illusion of security without actual security.

4
3
Silver badge
Meh

Re: So the mechanism that mean to stop unauthorised changes to an app does not *work*

Particularly in the case of forced bloatware apps I personally would never trust one. The very premise that it cannot be removed tells me whose interest it is to serve, and that is not mine.

2
0
Silver badge

Re: So the mechanism that mean to stop unauthorised changes to an app does not *work*

Buy a contract phone get bloat to subsidise. Dont buy a contract phone then.

2
0

Page:

This topic is closed for new posts.