Silent but violent: Foul Google Play flaw lets hackers emit smelly apps

A couple of related vulnerabilities on the Google Play Store have left Android users vulnerable to malware-slingers. Security watchers warn that an X-Frame-Options flaw – when combined with a recent Android WebView (Jelly Bean) bug – creates a means for hackers to silently install any app from the Google Play store. Tod …

Are they going to wait 90 days and then publish demo code?

15
4
Devil

Say what you want about Apple's walled garden...

...and you'd be right -- but it's crap like this that makes me glad I own an iPhone.

I've certainly got issues with the iOS App Store, but at least I don't have to worry too much about this kind of skankiness.

7
13
Anonymous Coward

Re: Say what you want about Apple's walled garden...

"and you'd be right -- but it's crap like this that makes me glad I own an iPhone."

And the recent iPhone malware makes me glad I own a Windows Phone!

12
3

Re: Say what you want about Apple's walled garden...

Really? Not a dig at iOS or the Apple AppStore, but these sorts of vulnerabilities aren't just Android specific.

http://www.theregister.co.uk/2014/11/14/apple_masque_ios_security_response/

I suspect in the case of this particular Android flaw, the issue is likely to be fairly limited since it states that it silently downloads apps from Google Play. Given these are scanned for malware (although I'm not suggesting it has 100% efficacy), it should really limit the exposure to malware.

4
1
Facepalm

Re: Say what you want about Apple's walled garden...

"And the recent iPhone malware makes me glad I own a Windows Phone!"

Quote of the day

4
1

Microsoft, PLEASE fork Android!

The difference here is that, unlike Apple updates, Google has no intention of ever patching this vulnerability, and has flatly refused to do so.

If you want to fix this flaw, Google thinks that you should buy a new phone.

Microsoft tried this stance a decade ago, and finally came to Patch Tuesday after great reluctance.

I wish that we had Patch Tuesday for Android. I think Microsoft could give it to us. Google hasn't suffered enough to redesign Android to make this possible. I would trust Microsoft's capabilities in this area far more than any other (potential) Android player.

And I would love to run Microsoft Cyanogenmod. I think that would work, and I'm glad they're putting money into it.

1
6

This post has been deleted by its author

Silver badge

Re: Microsoft, PLEASE fork Android!

"Microsoft" Android would have to be mostly open source just like AOSP which is why there will be no Microsoft Android.

3
0
Silver badge
Stop

Re: Microsoft, PLEASE fork Android!

"Google thinks that you should buy a new phone."

Isn't it the carriers that ultimately determine when/if you get an updated version of Android on your phone?

Also, patch Tuesday works for Windows because Microsoft have total control over it - hardware vendors can install their own skins and applications, but it's still the same Windows underneath. Given that vanilla Android is open source, and even Google-droid still gives the hardware manufacturers a lot of room to maneuver, I don't think that an equivalent would be feasible for Android - not without turning it into another walled garden, which even Google doubts would be successful.

1
0
Silver badge

Cyanogenmod ftw

More reinforcement that my experiment to run Cyanogenmod without Gapps was the way to go. You can get virtually everything you would ever need (at least I was able to) with F-Droid and, if need be, the Amazon app store. I did it mostly to avoid Google's 24/7 spying, but security is just an extra bonus. It is nice to go under settings>account and not see one single account.

3
0

Re: Cyanogenmod ftw

Right. Avoid Google spying by using the Amazon app store..

You do realize that any Amazon purchased Android app will stop working in a month if it can't report back to the mothership, right?

Amazon wraps the app in its DRM which requires frequent checking in unless Amazon has changed their software model.

I'm also guessing that Amazon collects usage statistics as they do so because.. big data. Why not.

Yes. Amazon cares much more for your privacy than Google (anybody) does..

6
0
Silver badge

Re: Cyanogenmod ftw

The difference is, as you mention, you can actually turn off (not open) the Amazon store, unlike Google's always-on services/frameworks. I don't have any purchased apps on that phone so DRM is not a problem (and you are going to open the app occasionally anyway to check for app updates). You can also easily control the data the app collects because, unlike Google's stuff, it's just another non-root, non-system app. Not saying Amazon is not evil, just their app is not allowed to bury itself anywhere near as deep into the OS and can be controlled with existing tools much easier.

0
0
Silver badge

Re: Cyanogenmod ftw

Also to be perfectly honest I am probably going to go F-Droid only anyway as I think I used Amazon for only like one app which I don't need.

0
0
WTF?

Another case of the Pot calling the Kettle Black

"Google Threatens to Air Microsoft and Apple's Dirty Code"

http://www.bloomberg.com/news/articles/2015-02-11/google-riles-silicon-valley-by-exposing-others-security-flaws

Really Google? Well it sure is a good thing that you don't have any "dirty code" in any of your products.

3
0

Re: Another case of the Pot calling the Kettle Black

Well it sure is a good thing that you don't have any "dirty code" in any of your products.

I am sure they have, however, they would appreciate (not rage at, for certain) if anyone finds some little dirtiness in their code and products, including Microsoft, and most probably would fix it within 90 days, unlike that big, old-fashioned, unwieldy colossus, our ... you know who :)

0
3
