Feeds

back to article Android update process gives malware a leg-up to evil: Indiana U

Researchers from Indiana University Bloomington have tagged a vulnerability in the way Android handles updates, which they say puts practically every Android device at risk of malicious software. As ThreatPost explains, the vulnerability uses the update process to “ramp up the permissions given to malicious apps once Android is …

COMMENTS

This topic is closed for new posts.

theoretical non-event

Theoretically this might be weakness but there's 2 things stop it being a major problem.

1) the long lamented fact that manufacturers tend not to bother pushing out more than 1 os update if any to old devivces.

2) on the rare occasions that Updates to android have been available for my phone, all apps have had to be reinstalled anyway.

So in effect the only real risk is the standard one that the average user just accepts the permissions requested witout reading/understanding the implications.

8
3
Silver badge

Re: theoretical non-event

Over the past three years, I've had Android updates to an HTC phone and to a Nexus 4. I've never had to reinstall any of my many apps, though a few have insisted on being updated after the update. Is that what you mean by 'reinstall'?

5
0
Silver badge

Re: theoretical non-event

My Desire S went from Gingerbread to ICS, but this wasn't over the air, and it wiped the phone in the process. My wife's Xperia Mini never got off of Gingerbread.

I won't claim that these two phones are representative, but they do balance out your examples.

My Nexus 7 gets all the updates, and I slightly regret letting KitKat on.

1
0
Anonymous Coward

Re: theoretical non-event

So your main line of defence is the crap/non-existing update process?

Pardon me for not being impressed..

0
0

"with help from Rui Wang of Microsoft Research."

Microsoft Research: always keen to help.

Plus this assumes that people take a blind bit of notice of permissions (and therefore would have refused the app based on the new permission) which I am of the believe isn't the case a lot of the time.

16
1
Anonymous Coward

"puts practically every Android device at risk of malicious software"

Oh, dear, that's new. Oh wait, no it isn't.

Android is the Swiss Cheese of mobile OSs

5
16
Bronze badge

@the Anonymous Swiss Cheese connaisseur

You seem to be a knowledgeable Swiss Cheese gourmet. Have you tried the one made in Redmond, WA?

Talking about permissions? How would you call the OSes made by Microsoft over the last 20 some years that had no API to separate both applications and their permissions manifested to the user before the install? Those would qualify as big Swiss Cheese holes without any cheese left at all.

15
1
PM.

Re: @the Anonymous Swiss Cheese connaisseur

We all should face a fact that Android is the new Windows.

It's not the OS's fault (mostly). It's the openness and ubiquity.

All OS-es are exploitable and the ones with >70% market share are a desired target.

Android security is mostly smoke and mirrors.

Most Android phones and tablets are vulnerable from day 1 , because they come with older Android versions for which exploits exist.

It is a fact of life and one should simply acknowledge it and plan accordingly.

Do you _really_ need all those games and bells and whistles ?

Maybe paying 1$ for official version of some app is not that stupid when cracked versions exist ?

Hint: crackers also have to earn money to make ends meet.

Example: I bought a new Samsung Galaxy Chat recently. It comes with Android 4.1 .

Is this a safe Android version ? Don't think so.

Sadly no official upgrade exists and I will not install anything unofficial , so I am stuck.

4
4
Bronze badge

Re: @PM

Agreeing with you on the openness of Android and the unfortunate negative consequences of it that almost every OEM and ARM chip manufacturer to substantially mess things up. Thinking about one Chinese at the moment, Allwinner, that require bloody MS Windows to make their version of Android to upgrade. In general, there's the idiotic proprietary blobs, Linux kernel mess etc. And it's not only the vulnerabilities which are not that many for Android that get on people's nerves...

I would like to yet see or hear someone getting a trojan on a device or someone getting hacked due to the fact that the device was vulnerable. Well, I mean not from Kaspersky or MacAffee or Microsoft, I mean from someone that actually got it.

0
0
Bronze badge
Pint

Re: @the Anonymous Swiss Cheese connaisseur

"Maybe paying 1$ for official version of some app is not that stupid when cracked versions exist ?"

Where's the +100 button when you need one?

If I were wearing my hat right now, I'd take it off to you!

1
0
Bronze badge
Facepalm

Re: @eulampios

The AC wrote: "Android is the Swiss Cheese of mobile OSs"

I see you didn't refute the AC's claim about mobile OSs at all. Why?

0
2
Bronze badge
Facepalm

@Sandtitz Re: @eulampios

"I see you didn't refute the AC's claim about mobile OSs at all. Why?"

How about because an OS is an OS? Its purpose is to provide an interface for applications to the hardware on the device. The distinction between "Mobile" and "Desktop" is getting sillier and sillier everyday. With 8 inch Windows 8 devices and (for the moment, at least) 21 inch Android AiOs, they're all just computers at this point.

3
0
JCB
Happy

Re: @the Anonymous Swiss Cheese connaisseur

"We all should face a fact that Android is the new Windows."

Or perhaps we should view Android as the old Windows. Having now replaced my Android tablet by a Windows tablet, I now have a reliable and regular upgrade process independent of the hardware manufacturer. I now have a tablet PC that works ... like a PC.

Desktop can be a bit fiddly with an 8 inch screen and a fat finger but I've got used to it and my accuracy has improved. ModernUI works like a tablet interface. I use each as the mood takes me. For stuff like Kindle say, I have a choice of "Windows 8" version for Modern and "Windows 7" version for desktop.

0
0
Bronze badge
Facepalm

Re: @Vector

You're right about the mobile and desktop thing. Fully functional x86 Linux distros and Windows can exist in mobile devices - at least in tablets.

But the whole mobile device economy is dominated by mobile phones and tablets, and mobile devices with the x86 Windows are in the minority.

The reality - however - is that there is malware for Android, but the Winphone (and RT) malware stats are still zilch, nada, zip, zero. While eulampios can froth about all the malware Windows has had (and still has), those malware statistics are meaningless in the mobile operating systems Microsoft is flogging, just like the Android malware doesn't concern my laptop with Mint.

2
0
Silver badge

"All OS-es are exploitable"

"...and the ones with >70% market share are a desired target."

I'm pretty sure iOS would be nearly as desirable a target, since it has a much higher share among affluent customers / countries as compared to its overall share.

0
0
Bronze badge

@Sandtitz Re: @Vector

"The reality - however - is that there is malware for Android, but the Winphone (and RT) malware stats are still zilch, nada, zip, zero."

First, I hope that you're prepared to back that statement with facts as I suspect that there is malware out there, you just haven't heard about it yet. Second, if there is malware out there, there will be far more targeting Android since it's a broader target, just as Windows has been the primary target in the desktop world due to its broad deployment.

For years, Apple touted how much more secure the Macintosh OS was over Windows when the reality was, they weren't anymore secure, just that no one really bothered to target Macs. Once their marketshare began to rebound, viruses suddenly started to appear on their vaunted systems.

0
0
Bronze badge
Facepalm

@ Sandtitz

I also prefer Linux Mint, more precisely, LMDE. However, as far as Android is concerned and as many people have said many times before, it would be fair to count the actual number of devices that got trojans installed not the numbers of trojans ready to be installed.

There is very little evidence of anybody ever getting at least a tiny fraction of those nasty trojans advertised by the AV companies. Despite some individual ludicrous report(s) claiming to routinely intercept the traffic these mystical trojans engage in while using some undisclosed magical methods. I myself cannot present these numbers and can only judge by sampling the population available to me and compare it with the results seen with MS Windows malware. This is my statistics. Pretty much, it's a zero vs virtually everyone.

0
1
Bronze badge

Re: @Vector again

"First, I hope that you're prepared to back that statement with facts as I suspect that there is malware out there, you just haven't heard about it yet."

I'm quite sure all the people with vested interests (Antivirus industry, pro Apple/Android users) would make a meal if the aforementioned MS operating systems would get infected. I cannot prove that malware doesn't exist - but I cannot prove that gods don't exist either.

I don't think that even these MS operating systems are 100% secure - nothing is - but so far I haven't heard of anyone even rooting them.

0
1
Bronze badge
Flame

Where's the popcorn? >>

1
0
Linux

I am pulling me pants and rushing over to ios side for the fruit to save me.

0
0
Bronze badge
Coffee/keyboard

While I appreciate you are making a joke, I bet the PR bods at Apple have had a nice start to the week with news like this.

1
0
Anonymous Coward

And for their next trick...

the authors of this report will now list all the devices that were sold with v2.3x of Android and have subsequently been updated to v4.x

I think it will be a very short list

4
2
This topic is closed for new posts.