Android's accessibility service grants god-mode p0wn power

Michael Bentley of security-through-analytics outfit Lookout has found Android malware that does not require user permission to install. Bentley, Lookout's head of response, says the Shedun malware accomplishes the feat using Android's accessibility features. When installed, the malware will use the accessibility service …

  1. Shadow Systems

    Just. Frelling. Great.

    The one thing I *have* to make sure is activated & functioning flawlessly is the very same attack vector they'll use to fuck me over?

    *FacePalmGroan*

    Fuck it. As badly as it sucks, I guess I'll have to stick with a Basic (not "Smart") Phone, just so I can have some chance in hell of remaining secure.

    Apple is too expensive, Android is waiting to violate me for needing it to be Accessible, BlackBerry *might* be an option *IF* Verizon decides to release the Priv, Windows phones are pointless, and none of the other OS' out there give any mention whatsoever wrt Accessibility.

    *HeadDeskHeadDeskHeadDesk*

    Damn it, this blows goats.

    1. MacroRodent
      Unhappy

      Re: Just. Frelling. Great.

      > Windows phones are pointless,

      I don't think so. News like this (which seems to be pouring in daily) makes me happier and happier that I have an old Lumia 710 - never mind lack of apps, it also means malware writers are not interested, and it does what I need it to do, so far. The only problem is the browser is getting so old it is starting to have problems with some web sites. In a year or so I will probably have to replace it for that reason. (But with what? None of the alternatives look appealing right now - with Microsoft looking like it wants to destroy what was good in Windows Phone, Android looking like a plague ship, and Apple overpriced, as you note).

    2. Pascal Monett Silver badge

      Re: Just. Frelling. Great.

      I hate all smartphones equally.

      Now I hate them more.

      I can't wait to retire and chuck all that shit out the door.

      1. Anonymous Coward

        Re: Just. Frelling. Great.

        "I can't wait to retire and chuck all that shit out the door."

        Amen brother. And I used to love this business. Now every day feels like swimming in an ever-rising cesspool.

    3. Anonymous Coward

      Re: Just. Frelling. Great.

      If this were true, it would be really easy for users to root phones, one click root apps. The reality is, it's not easy (which is why many users buy Nexus with unlockable bootloader and root via recovery).

      This is just another stagefright theoretical thing, billions of phones technically vulnerable, but everyone with an agenda to hide the reality, that nobody is actually affected.

      1. Anonymous Coward

        Re: Just. Frelling. Great.

        All it takes is someone who wants to mount a large scale attack to make it go from theoretical to "giant pain in the ass that gets the issue discussed on the evening news" like back when all of Windows' continual vulnerabilities to a large scale attack left the theoretical realm with stuff like I.Love.You, CodeRed and so forth 15 years ago.

  2. DainB Bronze badge

    These families root the victim’s device after being installed

    What?

    1. Dave 126 Silver badge

      Re: These families root the victim’s device after being installed

      "The following exploits are used by ShiftyBug and Shuanet of the mentioned families:

      Memexploit

      Framaroot

      ExynosAbuse

      These are not new exploits, in fact, many of them are used in popular root enablers."

      From: Lookout discovers new trojanized adware; 20K popular apps caught in the crossfire https://blog.lookout.com/blog/2015/11/04/trojanized-adware/

      Basically, don't use third party app stores that you don't trust.

  3. Andrew Jones 2

    Sigh, first you are warned when enabling an app that requires accessibility exactly what it could allow a malicious app to do and second - it's not just a case of accepting a permission on the Play Store or a runtime permission with Android 6 - you have to actually enable the specific app that wants access to the accessibility service - by ticking the box next to the name of the app. If an app can't legitimately justify why it wants access, you simply don't allow it - and let's not stop there, the same goes for any app that wants to be a "device administrator" without legitimate reason.
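A defender-side check for the per-app accessibility toggle described in the comment above, as an added example that is not part of the original post: it lists packages that currently hold an enabled accessibility service and are not on an allowlist. The sample value, the `com.example.flashlight` package, the allowlist contents and the function name are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the article or thread): flag apps that hold an
# enabled accessibility service but are not on a known-good list.
# On a device attached over adb, the raw value comes from:
#   adb shell settings get secure enabled_accessibility_services
# It is a colon-separated list of package/class names, or "null" when unset.

# Constructed sample value; com.example.flashlight is a made-up package.
SAMPLE='com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:com.example.flashlight/.HelperService'

# Assumption: packages the device owner enabled on purpose (space-separated).
ALLOWLIST='com.google.android.marvin.talkback'

# unexpected_a11y_packages VALUE ALLOWLIST  (hypothetical helper name)
# Prints each package in VALUE that is missing from ALLOWLIST, one per line.
unexpected_a11y_packages() {
    value=$(printf '%s' "$1" | tr -d '\r')   # adb output can carry CRs
    allow=" $2 "
    if [ -z "$value" ] || [ "$value" = "null" ]; then
        return 0                             # no service enabled at all
    fi
    printf '%s\n' "$value" | tr ':' '\n' | while IFS= read -r comp; do
        pkg=${comp%%/*}                      # keep the part before the "/"
        if [ -n "$pkg" ]; then
            case "$allow" in
                *" $pkg "*) ;;               # knowingly enabled, skip
                *) printf '%s\n' "$pkg" ;;   # enabled but not expected
            esac
        fi
    done | sort -u
}

unexpected_a11y_packages "$SAMPLE" "$ALLOWLIST"
```

Any package this prints is one whose box was ticked in the accessibility settings without being on the owner's list, which is the condition the comment says to refuse.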

    1. arkhangelsk

      Unrealistic

      Most people, when they install an app, they feel the need for it. When a stupid dialog box coming up tells them to chug the rights over ... let's face it, they're probably ready to nod yes to anything, just to see the app in action.

      Not very smart perhaps but very human.

    2. Pascal Monett Silver badge

      Sigh

      The article states that the app installs itself using the accessibility features. You're not even necessarily aware that something is happening if your eyes are not on the screen when it happens.

      1. sabroni Silver badge

        Re: Sigh

        The article is pretty vague and the video isn't much help either. It seems like first a user installs the app, then it says it wants you to enable the accessibility features. If you do, it starts to install adware and other crap without your permission. So the user has to install the app and give it permission, then it starts installing stuff on its own.

        It's not a virus.

    3. iwishiwasahacker
      Thumb Up

      Sigh, came here to say this

      I couldn't agree more. If you watch the video, the amount of manual interaction doesn't quite match the "vulnerability". I HATE using this term but, this is exactly a FEATURE not a vulnerability. And the fact you have to explicitly grant these overreaching privileges means this is not exactly a proper attack vector.

    4. F0rdPrefect

      Re: Sigh

      You may be warned, but for the less technical, it is not always clear exactly what the app is asking for as the categories are so broad.

      As for Android 6, how am I supposed to upgrade my Moto G 2 to that?

  4. Anonymous Coward

    Back Orifice

    by design.

    1. Dave 126 Silver badge

      Re: Back Orifice

      What does that even mean?

      1. Test Man

        Re: Back Orifice

        Multiple levels:

        Back Orifice was a set of malware that infected users of Back Office systems back in the 90s - so called because it was specifically for Back Office and it fucked them over.

        Back Office was a Microsoft product.

        "by design" is a typical Microsoft statement, regarding perceived flaws or bugs, usually seen in their KB articles.

        This reported malware, which causes issues similar to Back Orifice, requires the user to actually agree for its installation, before it fucked people over.

        Therefore... Back Orifice... by design.

        1. Swarthy
          Pirate

          Re: Back Orifice

          Back Orifice didn't require Back Office to work, I think it was actually designed to emulate MSBO in terms of remote administration (RA) of machines. BO just did it on the sly; there were extensions like Silk Rope that would bundle the BO Server into other executables, so that it would install when the victim ran the tainted .exe.

          If properly configured it was a great RA tool, using strong (for the 90's) encryption and could be set to use authentication. I used it as a free RA tool for several machines.

          Admittedly, I did use it on some machines that were not mine, as well.

  5. abedarts

    Apple too expensive

    It's true, the downside of Apple toys is price - the upside is they control their ecosystem and for many people that's a price worth paying. If you feel like a walk on the wild side you can jailbreak. Google should get serious about the quality of the apps on the Play store and throw out most of them, do we really need umpty-million apps when most of us use the same few dozen?

    This might score a personal best of down votes...

    1. dotdavid

      Re: Apple too expensive

      I suspect the malware apps in question aren't on the Play store.

      And why are you so keen to make Google choose the best app for doing something on our behalf? I'd rather make that choice myself thanks.

    2. sabroni Silver badge
      Happy

      Re: This might score a personal best of down votes...

      Not when you ask for them. We're nothing if not contrary!!

      Moaning about downvotes, that's the way to get loads! Or mentioning God.....

  6. Anonymous Coward

    Feature not a bug?

    I see this as a feature not a bug.

    With great responsibility comes great... wait, I think I got that back to front.

    But it would be really helpful if I could go "OK Google/Siri, please install this app" or "Ok [other branded voice app] please add a title and upload my latest video to youtube" etc. But most functions beyond the weather and messaging give a "I cannot do that" or "press this button to continue" which negate the entire point of voice commands.

  7. Anonymous South African Coward Bronze badge

    Sounds great. Just great.

    I don't want to go to Apple, as they're too expensive, and Windows mobile doesn't have a lot of apps and support yet.

    I installed "warez" only once, and never again, it dumped something on my phone which made it run hot and useless. A factory reset sorted that out, luckily.

    Still waiting for the promised Android updates for my devices, but I have to assume that these will never come.

    Then the time is right for an alternative to Android to take over... just not Windows or Apple, thanks.

  8. Anonymous South African Coward Bronze badge

    Another alternative is, as the first commentard said, to go back to basic phones - but the problem is that most of us BOFHs are reliant on emails, IM and the such... most especially when we *must* know where the CFO is at the precise moment...

  9. Anonymous Coward
    Windows

    MSFT to rise phoenix-like from the ashes of Windows Phone 8.1?

    The robust security of Windows 10 Mobile makes it very attractive for enterprise deployment with the InTune MDM.

  10. Anonymous Coward

    "When installed..."

    How is it installed? That never seems to matter much in these android malware reports. Security is preventing bad things from carrying out their bad behaviour.

    "when the bank is robbed, the robbers will have caused major financial hardship for those whose accounts were affected, OMG!". Yes, we know there are lots of robbers-to-be out there. Do banks have a "robber problem"?

    Obviously, the whole point is preventing it. Mainstream Android is doing a darn good job overall.
