INVASION of the UNDEAD ANDROIDS: Hackers can pwn 'nearly all' devices

A four-year-old Android bug could be used to plant malware on 99 per cent of Android devices on the market, according to security researchers. Bluebox Security CTO Jeff Forristal said the vulnerability in Android’s security model creates a means for hackers to modify an Android app's APK code without breaking its cryptographic …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward
    Anonymous Coward

    I sense...

    Furious typing on keyboards with the @ sign in the wrong place...

    1. ThomH

      Re: I sense...

      What? American keyboards?

  2. aj87
    Thumb Down

    The malicious app still needs to be installed by the user, the user is still warned what privileges are asked for.

    This is so much more effort than just writing malware and calling it "angry birds", hoping someone will download and side load it. It's not like this master key allows malicious apps to replace the genuine ones served up by the Play Store.

    Most normal android users are protected by the default setting that doesn't allow sideloading, those of us that like the freedom to side load apps are I would hope smart enough to notice when an app is asking for odd permissions.

    I've seen this reported many times but congrats on El Reg for the most sensationalist title.

    1. jai

      But the last paragraph suggests they're able to get the dodgy code into apps that are in the Play Store. So it's not a case of replacing genuine ones from the Store, you just need your dodgy app to be in the Store and then the average punter will assume it's safe because it comes from the Store, no?

      Yes, I guess it still asks for permissions, but if you'd disguised your malware as a utility app that would require those kind of permissions, how's the end user supposed to know not to allow it?

      1. aj87

        You'd also have to take over the developer's account, then you could push an APK to the Play store and users will be updated with your new malware.

        If you have access to the play store account I'm pretty sure you could just put anything you liked up there for people to download, regardless of if the master key is compromised.

        It's still easier to list something new on the play store as "Angry birds" and have a few people download the malicious app.

    2. Anonymous Coward
      Anonymous Coward

      It runs what is basically Linux, so Swiss Cheese central. So this isn't exactly a surprise...

      1. adnim
        FAIL

        Mmm

        "it runs what is basically Linux, so Swiss Cheese central. So this isn't exactly a surprise..."

        It runs a Google-developed shell/GUI on top of a modified Linux kernel.

        It is exploitable because it was designed with revenue generation as opposed to security in mind.

        When Android is hacked it is Android that is hacked, not Linux.

        Every application asks for ridiculous permissions on install? No user will notice anything out of the ordinary. Why do they need those permissions? Profiling, tracking, advertising.... revenue generation.

        I'm not defending Android, out of the tin it is not to be trusted. Perhaps it shouldn't be trusted when rooted, and "locked down" I shrug, even when I think I own my Android, I will never trust it with my bank details.

        1. Anonymous Coward
          Anonymous Coward

          Re: Mmm

          I was going to install something yesterday that looked good. I think it was the XBMC remote. But it wanted permission to read my text messages? why on earth would a media remote want to do that?!

          I can only assume it is poor testing, request everything so nothing fails to work.

          1. fix

            Re: Mmm

            For a very neat reason :-)

            The XBMC remote has the facility to put received text messages up as a banner on the XBMC device that your mobile is remotely controlling ..... couldn't do that if it was unable to read them first on the phone.

            1. Anonymous Coward
              Anonymous Coward

              Re: Mmm

              And this is the problem with Android permission.

              This app needs for internet access, read your contacts and modify the SD card.

              Could mean it just needs to log into your XYZ account and sync the info.

              Equally, it could mean it's going to connect to the web and then download a shitload of kiddy porn to your phone before contacting everyone in your address book saying you're a paedo.

              Extreme I know, but this is why the permission info is a waste of time.

            2. Anonymous Coward
              Anonymous Coward

              Re: Mmm

              "The XBMC remote has the facility to put received text messages up as a banner on the XBMC device that your mobile is remotely controlling ..... couldn't do that if it was unable to read them first on the phone."

              Why isn't the grant of permissions controllable by the user [1], on something like a "choose from: permit always/never permit/ask each time app started/ask each time permission requested" basis when the app is installed or updated (or when the user changes their mind)?

              Is that even possible in Android, officially or otherwise?

              How difficult would that be to implement?

              Would it destroy the economics of Google and Android?

              If it did, would that be a bad thing?

              Does Windows Mobile or whatever it's called this week do something like that?

              Does the Applephone OS do something like that?

              [1] The user .ne. the customer. Google's customer is the company buying the data which Google holds on the user.

    3. Anonymous Coward
      Anonymous Coward

      The malicious app still needs to be installed by the user, the user is still warned what privileges are asked for.

      Ahhh Fandroids.... I bet we'd all be hearing a different tune if that was windows 8 in the title

      1. aj87

        In Windows 8 you don't have a thing that prevents you installing from "Unknown sources".

        1. Crazy Operations Guy

          "In Windows 8 you don't have a thing that prevents you installing from "Unknown sources".

          Yes it does. Actual Windows 8 apps have to either come from the Windows App Store or a System Center server configured by the system administrator to side-load company apps. Even then with regular programs you still get the UAC prompt showing who signed the code, etc.

          1. Tom 13

            Re: "In Windows 8 you don't have a thing that prevents you installing from "Unknown sources".

            Ah yes, the UAC meme. MS has never been able to resolve a problem that has existed since at least DOS 3.1 (the first one I used):

            c:> delete *.*

            c:> Are you youre? (y/n)

            c:> Y

            Doh!

            1. Phil101

              Re: "In Windows 8 you don't have a thing that prevents you installing from "Unknown sources".

              @Tom 13: Not sure what your point is - unless you'd already run the command prompt as elevated or had changed the default ACLs this would generate a UAC prompt.

      2. hplasm
        Devil

        " I bet we'd all be hearing a different tune if that was windows 8 in the title..."

        But only 2 people would be affected, so why bother?

      3. fishman

        <<<Ahhh Fandroids.... I bet we'd all be hearing a different tune if that was windows 8 in the title>>>

        It would be a yawn - just another Windows vulnerability.

  3. Pen-y-gors

    Simple solution

    Buy a Sony Xperia Arc, the one that they aren't providing an upgrade to ICS for, and which they load with so much bloatware (which they don't let you uninstall) and hey-presto! Pretty soon your memory is full ('cos you can't move the bloatware to the SD card) and you can't download any more apps, malware-ridden or not.

    Works for me...although I'll never buy another Sony phone.

    (And no, I can't be arsed to go through the hassle of rooting it etc.)

    1. Anonymous Coward
      Anonymous Coward

      Re: Simple solution

      Not much different with Samsung's flagship S4, 9GB free space out of 16GB. A few games, MP3s and video and you're full.

      1. Anonymous Coward
        FAIL

        Re: Simple solution

        Of course, you can just bung an SD card in the slot for the MP3, M4a and other content files, then the 9GB is irrelevant. Samsung are rolling out 4.2 updates that allow apps to be moved to the external SD too.

        1. mmeier

          Re: Simple solution

          Will systems older than three months get an update from Samsung? Maybe even with fixes for the other bugs and security holes?

          Or will we again be told "buy the next generation"?

          1. Danny 14

            Re: Simple solution

            S2 still gets updates

            1. Steve Foster
              Facepalm

              @Danny 14

              Indeed, mine recently upgraded itself to ICS OTA (after asking me if it could).

              Of course, now I can't find a bunch of things as Google have adopted the Microsoft approach to Windows of pointlessly moving stuff around from version to version.

              1. Steve Foster
                Pint

                Re: @Danny 14

                Duh - I meant to say from ICS to JB.

                <--- because I need it --->

                (bi-directional arrows to cope with ElReg designers)

        2. Anonymous Coward
          Anonymous Coward

          Re: Simple solution

          The point is this is a flagship phone. It should be 32GB as standard like the HTC One.

          If you don't have enough space on your phone to download to then you can't move it to the SD card since any applications are downloaded to internal memory first. You can't download straight to SD card.

          This complaint has been on Watchdog for Christ's sake, there are a lot of unhappy S4 owners out there.

        3. Tufty Squirrel
          Paris Hilton

          Re: Simple solution

          >> SD card blah blah apps to SD card

          But you still run out of space. Not space to store applications and documents on the SD card itself, but "internal" memory used by applications and Android itself. My several-hundred-euro tablet running Android has >16GB free on its SD card, but won't check my mail because

          "Out of space ... Free up some space and try again"

          Fuck Android. It's crap. I've tried to like it, but it's crap.

    2. Fred Flintstone Gold badge

      Re: Simple solution

      Pretty soon your memory is full

      Yup. The old Sony, probably patented "security through obesity" method.

      It's platform independent - I've also come across it on Sony laptops...

    3. Alfie
      Unhappy

      Re: Simple solution

      I know where you are coming from! I have an Arc S, which just has a faster CPU, and it took me about a month to download enough apps to fill it.

      I did root it and installed a nice app called Link2SD which gets around the problem by spoofing 'unmoveable' apps into a second partition on your SD card.

      It was my first smartphone, and I knew nothing about rooting until I checked out the XDA forum. Took about an hour to do using their instructions and was surprisingly easy. Bloatware removed no problem. One day I might even put ICS or JB on it, but I don't think the single core processor is really up to it.

      Anyway, back to the original story - chances of Sony ever producing a fix for this when they can't be bothered producing a decent ICS upgrade for it? Zero!

  4. xyz Silver badge

    Ah... they've found the built in NSA backdoor!

    I bow before our superior NSA overlords; Sirs!

  5. S4qFBxkFFg
    Go

    could mean progress...

    Not such a great idea having a three-link chain (Google, manufacturer, network) for getting software to phones, was it?

    Much more of this, and we'll have to change to a system where people get the OS directly from Google.

    (Fringe benefit - no more crapware.)

    1. Anonymous Coward
      Anonymous Coward

      Re: could mean progress...

      Or you could just buy a Nexus that does this already.

      £279 for a Nexus4 and £5 a month for unlimited data, unlimited texts and 100 mins beats any other smartphone deal I have seen.

      I'm not going to tell you the network or the deal, do the research.

      1. mmeier

        Re: could mean progress...

        Assuming that unit does all you want. If not (i.e. I do not use touch-only devices) then the Nexus is not an option.

      2. S4qFBxkFFg

        If it sounds too good to be true...

        "£5 a month for unlimited data"

        Either you're trolling or that deal's about to get slapped with a "fair use" clause (if it doesn't have one already).

  6. Anonymous Coward
    Anonymous Coward

    An OS has a vulnerability SHOCKER!

    Every OS has its vulnerabilities. The fact that google is being targeted (as windows) is because its user base is so large.

    If you play in the garden like iOS users, you should be fine! At least with Google, you can escape if you wish.

    1. Anonymous Coward
      Anonymous Coward

      The fact that google is being targeted (as windows) is because its user base is so large.

      iOS is not exactly underrepresented in the mobile phone market, but they appear to suffer a lot less from these problems.

  7. Anonymous Coward
    Anonymous Coward

    F R A G M E N T A T I O N

    That's the problem with carriers/manufacturers handling OS updates

    You can't expect the average punter to root their handset

    1. Ian Yates

      Re: F R A G M E N T A T I O N

      I thought that Jelly Bean was supposed to reduce all this by allowing UI customisation without modifying the OS so much that patches can't be applied...

      Obviously there'll always be some limitation to that, but being able to supply base security updates without affecting the window manager should be standard.

      Pre-ICS I was always a Sense fan, but I'm happy with AOSP now.

      1. Anonymous Coward
        Anonymous Coward

        Re: F R A G M E N T A T I O N

        "I thought that Jelly Bean was supposed to reduce all this by allowing UI customisation without modifying the OS so much that patches can't be applied.."

        That was the idea. There is no reason Sense or TouchWiz need the OS to be customised, android provides the ability to replace every stock app on a stock build distributed with custom APKs.

        The reason they do customise the OS is to prevent porting Sense onto a Samsung or TouchWiz onto a HTC, without customising the OS, there would be nothing stopping this from being possible and manufacturers would lose their only grip on customers.

  8. Anonymous Coward
    Anonymous Coward

    Yawn

    Only 99% of phones if 100% of phones had the ability to sideload apps from another less reputable location than Google Play enabled.

    Android users should really be fighting back against this bullshit scaremongering reporting, as quite clearly the easy option for Google is to simply remove the ability to sideload apps, it would close the door on Android piracy too. OtherOS all over again. You had it all, but demonstrated you couldn't be trusted with it.

  9. mark l 2 Silver badge

    If this is a fundamental flaw in the Android code, couldn't Google release an update for all Android phones regardless of whether the manufacturer offers a patch or not, or can Google only offer updates for apps via the Play store, not the Android OS?

    1. El Andy

      @mark l 2: Nope. Android fundamentally has absolutely no way of doing this and it's open source nature also means it's highly debatable whether they could ever even provide technology to do so.

      1. Schmuck
        Facepalm

        @El Andy

        "... it's open source nature also means it's highly debatable... "

        Care to hand one of them there 'postrophes back in for recycling'?

        1. Havin_it
          Trollface

          And what's that one at the end of your post about then, mm?

    2. mmeier

      Some manufacturer specific parts of Android are closed source. That is why i.e there is no full support for the Wacom Pen used by the Note-series

  10. Anonymous Coward
    Anonymous Coward

    Good

    Maybe someone can use this to develop an easy way to root my loader-locked Motorola Defy Mini.

    The existing rooting method is a right faff and the pre-installed, undeletable crapware really spoils the phone :-(

  11. Michael Thibault
    Go

    Popcorn

    and Parmesan.

  12. John Smith 19 Gold badge
    FAIL

    So the mechanism that mean to stop unauthorised changes to an app does not *work*

    That will be the one that ensures you can trust that app with your data.

    That will be the things people pay money for.

    And it's existed for four years. So this is the illusion of security without actual security.

    1. Mikel
      Meh

      Re: So the mechanism that mean to stop unauthorised changes to an app does not *work*

      Particularly in the case of forced bloatware apps I personally would never trust one. The very premise that it cannot be removed tells me whose interest it is to serve, and that is not mine.

      1. Danny 14

        Re: So the mechanism that mean to stop unauthorised changes to an app does not *work*

        Buy a contract phone get bloat to subsidise. Don't buy a contract phone then.

      2. Anonymous Coward
        Anonymous Coward

        Re: So the mechanism that mean to stop unauthorised changes to an app does not *work*

        Then buy a sim-free/payg phone.

        Then network can't futz with your phone if they have never touched it.

        Want a subsidised phone rather than forking out 4-600 quid? put up with the bloat.

        Incidentally in my experience where you can't remove stuff you can turn it all off and even remove the icon from your apps list.

        Our Samsungs and HTCs certainly seem to allow this.

  13. This post has been deleted by its author

  14. Charlie Clark Silver badge

    Strict liability

    for which the operators will not release a new version,

    Is the one like where car makers won't pay for recalls while they fix dodgy pedals, tyres, fuel lines, etc? All we need are a few customers ready to say "class action" and updates will be rolled out.

  15. Anonymous Coward
    Anonymous Coward

    Pwning an android is like stealing food from Lidl: one way or another you'll end up with sh*t on your breath.

  16. Anonymous Coward
    Anonymous Coward

    It's hard to keep track of all the problems with Android. It's not surprising given Google doesn't care about protecting users. They're just as interested as the bad guys in tracking you or slurping data off your phone. Android is such a ghetto.

  17. Greg J Preece

    Is it me, or does the Android logo, when given horns, look a lot like one of the imps from Zero Punctuation?

  18. Slx

    There's a major problem with getting Android updates out to end users because both manufacturers and carriers are in the middle of it and they can be ridiculously slow at pushing out updates.

    I have a HTC One and I'm still awaiting a 4.2.2 update that Three Ireland are "testing".

    OS updates need to get out quickly and plug security holes, that sadly isn't often the case with the way things are done in the Android ecosystem and it will inevitably cause some major problems, much like the lazy IT departments that continue to force users to run ancient versions of Internet Explorer because some clapped out piece of software uses it as a front end and then wonder why they got hacked.

  19. Anonymous Coward
    Anonymous Coward

    Not done yet

    After resisting the drive for tablets in the workplace due to;

    A. Not being convinced our use would add any productivity for the extra IT risk

    B. my conviction that there would be a major security issue with Android within the year.

    The jury is out on A and I still believe B, though I don't think this is it; I foresee something bigger and only have about six months to be proven wrong or right.

  20. R3D4C73D

    When will somebody finally sue the carriers for not updating the phones they sold with security flaws?

  21. Anonymous Coward
    Anonymous Coward

    Feet back to the ground

    So, the risk is that a legitimate app would be tampered with? So.. if I'm a villain and I want to take advantage.... hmm... so I somehow get the source code of a legit app. I add my own homemade or previously packaged back door, and then I just take advantage of the signature flaw, so my app still looks legit... cool. OK, now how do I make my victim install my especially seasoned app..? Course, all I have to do is break the Play store security or whatever system the original manufacturer has... and upload my espec... right... Hmm.. What the heck? If I can do that, why do I need a security flaw in the signature algorithm!!? ...OK, k. yes I put my especial seasoned app in my own especially seasoned website... cool!! ... Hmm, If I can convince any moron to download an app from my own especially seasoned website. What the heck!!?

  22. Anonymous Coward
    Anonymous Coward

    NSA_KEY

    Looks too neat to be accidental.

    Chinese flood world with Huawei kit...the Americans respond with the "ANDROID_KEY"

  23. Anonymous Coward
    Anonymous Coward

    Surprise!

    Why is it that when we see the word "exploit" or the phrase "security problems/issues", the article is always about Microsoft.

    People need to give themselves a shake and stop using MS products!

    1. Simulacra75
      Facepalm

      Re: Surprise!

      Crawl back under your bridge, Eadon. There's a good little boy.

  24. Stuart 16
    Facepalm

    The big question is

    How will Eadon blame MS for this...?

    1. John Smith 19 Gold badge
      Unhappy

      Re: The big question is

      "How will Eadon blame MS for this...?"

      I think he just did.

      1. Anonymous Coward
        Anonymous Coward

        Re: The big question is

        Do not feed the trolls.

        Do not even acknowledge the existence of the trolls.

        That is all.

        fnord

  25. RyokuMas

    Yeah, what happened to Eadon while I've been out of things? I saw all his posts got deleted - did he finally get himself banned?

    1. Simulacra75
      Thumb Up

      @RyokuMas

      "Yeah, what happened to Eadon while I've been out of things? I saw all his posts got deleted - did he finally get himself banned?"

      Think he/she/it may have done so. Read an article about a week ago or so and he made some comment that was removed by a Moderator with the parting "you're out of here, have had enough" type message with it.

      1. Anonymous Coward
        Anonymous Coward

        Re: @RyokuMas

        Indeed, he went on another round of accusing people of being shills, accepting bribes etc.

        Straw that broke the camel's back I suspect rather than the single offense in question.

  26. Anonymous Coward
    Anonymous Coward

    You think it's bad *now* ...

    Just wait until someone writes a battery pwning trojan that overrides the built in failsafes (software I might add) and causes the batteries on thousands of phones to overcharge outside their narrow safety envelope.

    Can you say "Epidemic of spontaneous human combustion" ?

    AC

  27. thecapsaicinkid

    This whole scare is completely ridiculous. It's like saying, hosting a malicious .exe on a website could be used to exploit 100% of Windows PCs.
