back to article App permissions? Pah! Rogue Android soft can 'place phone calls at will'

Researchers at German security firm Curesec have identified bugs present in most versions of Android that can allow malicious applications to place phone calls, even when they lack the necessary permissions. By exploiting these vulnerabilities, rogue apps can get up to such mischief as surreptitiously dialing out to expensive …

4.2.1 is SDK >=17 and vulnerable on my Zopo Captain S

My particular version wasn't listed on the website, but the call came up despite no permissions granted to do so.

Of course there is no OS update available from the manufacturer yet - and Cyanogenmod doesn't seem to be available for my phone yet :-(

0
0
Anonymous Coward

Re: 4.2.1 is SDK >=17 and vulnerable on my Zopo Captain S

Linux + Java = insecure?! Hardly like that's a shock. Both are the worst of breed in their respective arena for vulnerabilities.

4
26
Anonymous Coward

So

The fact that I dumped Android and bought into iOS justifies my decision. Barely a week goes by without an hearing about an exploit of some kind.

As to the uptake of they newer Android OS, 12%, how does that compare with the iOS update?

I was a long time fan of a Android, I had 7 phones and pretty much the only way to get a proper upgrade with all features was to buy a new phone.

There might be those that think Apple takes the p*ss but Android handset manufacturers make taking the p*ss an art form.

9
16
Anonymous Coward

Re: So

Surely your decision is justified only if you suffered exploits or were going to.

As it is you're just pleased to be given feedback that makes you feel better about paying a wad of money to jump into a walled garden.

8
3
Anonymous Coward

Re: So

You still have exploits, it's just your buddies with iPhones in the mess don't talk about them. You are just as wide open with iOS as anyone else.

Actually iOS is worse. You have to wait ages for security fixes. Google actively push theirs through Google Play services within hours for many security problems...

https://plus.google.com/110558071969009568835/posts/ajd6TqNLZrZ

1
1
Anonymous Coward

Re: So

Kit Kat 4.4.4 was released before this was announced and was released in days after 4.4.3 so if you were concerned about getting quick updates you could have bought a Nexus device or a GPE device (still lots of choice) or just not downloaded apps from dodgy Warez stores.

The thing is you have plenty of choice with Android, with Apple you only have two (take it or leave it - oh sorry, you can take it or leave it in 'pretty' colours as well).

1
1

I wonder....

If the carrier is responsible for the updates, fails to provide the security updates and then profits from users getting hit by the exploit... what would the law say?

5
2
Silver badge

Re: I wonder....

If, as usual, the exploit is only exploitable by side-loaded apps then users are largely on their own as they have to set the phone to allow installs from other sources themselves.

It's a different matter if it can be exploited by apps from the official store but even then it's not really the carriers who need to worry.

5
0
Silver badge
FAIL

"The fix is to get upgraded to version 4.4.4"

That means throw the phone away and buy a new one.

7
8
Anonymous Coward

Re: "The fix is to get upgraded to version 4.4.4"

How so?

All my devices are on 4.4.4. and I didn't need to buy ANYTHING...

0
0
Silver badge

Re: "The fix is to get upgraded to version 4.4.4"

Then it's less than a year old or you're lucky enough for it to be supported by CyanogenMod.

0
0
Silver badge

They fixed a metric assload of security holes in KitKat 4.4.3 running on my Moto G, including ones that used to let me turn the cell data & GPS on/off via code. It became difficult to tell my Raspberry Pi to open the garage door when I get within 70 meters of home.

That's ok, my phone's rooted so I just made my app a "system" app, but that's now harder to do in KitKat too.

I guess security is now sorta-kinda on Google's radar.

And I hear 4.4.4 is coming to the Moto G in a couple months, so I'm glad I don't have to throw it away and buy a new phone.

3
0
Megaphone

Wait. What? So my phone is using GPS even though I've turned it off in the settings?? Who knew?

0
4

@Gene Cash

'And I hear 4.4.4 is coming to the Moto G in a couple months, so I'm glad I don't have to throw it away and buy a new phone.'

I love your optimism you happy smiley person you. Your depression will be all the greater when they don't deliver.

1
8

Re: @Gene Cash

It's already rolling out to Moto G handsets in some countries, India for example. Past performance would indicate that the UK release is going to be pretty soon.

Most Android OEMs are pretty crap with update schedules but Motorola's newer handsets X, G, E seem to have changed that for the better.

4
0
Silver badge

Runnng 4.4.4 no worries

Well, until next week anyway. The problem here is not Android but the phone companies that insist on modifying everything and then fail to update the OS when a new phone comes out.

Google may be "evil" but at least it's an evil that I know about rather than the friendly phone company that pretends to care but forgets everything once they've got a two year contract.

1
1

Re: Runnng 4.4.4 no worries

Agreed - the problem here isn't Google / Android - they fix the bugs pretty much as soon as found (and all software has bugs, regardless of who makes it).

The problem is Samsung/LG/HTC along with Vodafone/EE/whoever, who require that so much extra crap is added on top of Android, and this all needs to be rewritten and thoroughly tested for a new release. This is what takes the time to roll out, and why they all can't be bothered to upgrade old handsets. Hopefully the Silver programme may change this mindset.

3
2

Re: Runnng 4.4.4 no worries

all software has bugs, regardless of who makes it

True. That said, I took a look at the second bug (since I'm running a phone with Android 2.mumble, though I install almost no apps on it, and certainly not without considerable scrutiny), and it's 1) a dumb mistake on the part of the developer, 2) pretty obvious when you have the source code, 3) part of a general class which is likely to contain other bugs of the same sort, and 4) indicative of a systemic software-security failure on Google's part.

The last is the failure to recognize that security is a cross-cutting aspect, and mechanisms such as Android's "activities" either need security implemented at a lower level (say, using a capability architecture of some sort), or need it automatically injected via some aspect mechanism. Requiring the developer to either review which activities are exported, or to manually implement safeguards against misuse, will inevitably produce privilege-escalation bugs.

Explicitly wrapping security around functionality is good - it reduces the attack surface and increases the depth of defenses - but in itself is not sufficient against reasonable threat models for consumer software that controls anything of value.

1
1

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Forums

Biting the hand that feeds IT © 1998–2017