Everybody without Android Oreo vulnerable to overlay attack

Any unpatched Android phone running a version older than Oreo is going to need patching fairly soon, with researchers turning up a class of vulnerability that lets malware draw fake dialogs so users “okay” their own pwnage. The risk, according to Palo Alto Networks' researchers, comes from what's known as an overlay attack. …

Anonymous Coward

"will need updating"

I am of the opinion that millions of Android users (i.e. the majority) who are not running OREO will be waiting and waiting and waiting for patches let alone the opportunity to upgrade to OREO.

Makers and carriers in the main can't be bovvered to support the handsets they sell once they have gone out the door or if they do then it is only until the model is replaced by another one.

There are some exceptions to this and if you have one of these devices then you are one of the lucky ones.

Updates or rather the lack of them is IMHO Android's Achilles heel. I know that Google want to change things but it seems like a snail will reach the top of Everest before anything worthwhile is done.

Never mind, all the techy press will be salivating about the latest iPhone tomorrow so this will quickly be forgotten or pushed under the carpet.

Shiny-shiny rulez ok!

55
2
Anonymous Coward

Re: "will need updating"

This was the agenda here. It's as if this is an apple sponsored propaganda story against android, just when they have something to promote.

There is nothing to suggest that pre Oreo devices couldn't be patched, and despite what people think they know about android updates, most major brands DO get patches, not every month like Nexus and pixel, but they do get catch-up patch sets.

There is also no proof of concept, and no real way to work out how easy this is to actually abuse, if it's anything like pretty much every other android security non story, then real world exploits will be pretty much zero, and android security is all noise and never any real action...

7
29
Silver badge

Re: "will need updating"

Except that when the story first broke earlier this year, Google said it wasn't a bug and it was working as intended on Nougat.

Now that Oreo is there, suddenly it is fixed and Nougat and earlier are at risk?

22
0

Re: "will need updating"

On my third android phone now - an HTC, a Motorola and a Lenovo. Not one has received an update more than 18 months after the handset was released. Each time, there's been stories that "In this year's update, google have solved updating without needing handset manufacturers/carriers" - it's like the year of the linux desktop.

19
2
Silver badge

Re: "will need updating"

"There is nothing to suggest that pre Oreo devices couldn't be patched"

No one is saying that it's impossible to patch, in fact, that's part of the problem, we know from experience that most Android phones don't get updates for more than a year or so after they're first released.

Personally I'm willing to put up with the occasional flakiness of a custom ROM (Lineage), and so will probably receive a patch for this in the next week or two, but the majority of Android devices out there will never get patched. Despite the fact, as you point out, it's possible to patch older versions of Android.

Oh, and why? Because there's no money in updating an old phone, when you could be selling people new phones.

17
0
Anonymous Coward

Re: "will need updating"

Then don't buy cheap shite? Factor in support and spend more. You certainly don't have to spend apple type stupid money to get good android support, Sony offer, LG too, but don't expect some £99 phone to get patches at all.. you need to lower your expectations, or stop being a cheapskate.

2
33

Re: "will need updating"

AC lol just lol, I have an LG G3 which was a flagship, it received one update in its entire life (to Marshmallow)

1) it was an LG flagship

2) it's not cheap shite

Last update post 6.0 was dated 2016-08-01 for 1 security fix patch.

Sorry to burst your bubble.

This kind of issue is the biggest flaw in android, the more popular and fragmented it becomes, the bigger the issue.

21
2
Silver badge
Childcatcher

Re: "will need updating"

This kind of issue is the biggest flaw in android...

The flaw is not with Android, but with the service providers. If a patch has been created by Google and the phone companies will not push it out, it is not a flaw with the OS but with the service model that it is implemented under. Small pleasure in knowing this if you are affected, but pressure should be placed on those responsible for the lack of updates, not on those who actually created them and made them available.

14
2

This post has been deleted by a moderator

Silver badge
Meh

Re: "will need updating" @Aodhhan

"I have an older Android phone"

That's nice. So which phone model is it?

I'd like to buy a new phone. Can you provide a list of Android phones that will receive updates for at least the next 3 years, based on past mfgr performance or a mfgr pledge?

I don't like my iPhone very much, but the service model is way better than any Android phone.

11
1

Re: "will need updating"

I'm full of crap? Wooah nice attitude you have there.

It got released with Lollipop, upgraded to MM and then in August 2016 it received the August security update.

It's stock, hasn't been rooted or jailbroken, smartarse, minimal apps installed from the app store also.

LG have only ever released an upgrade to 6.0 for it, then the August 2016 security patch. Since then nothing.....FACT there were noises about Android 7 on the G3 but it has never materialised, now it's a 3yr old device and while it's more than capable, it won't see 7, never mind 8.

Perhaps YOU should do some research on the actual handset from the makers before assuming every Android handset works the same as yours, not all handsets are equal, thanks to vendors and carriers.

8
0
Silver badge

Re: "will need updating"

Same here. Bought an LG G4 six months after release and the last update it got was August 2016. Absolute zip since then. I'm now two versions behind on Android on a phone that's barely two years old. Way to go LG!

Unless you now buy the 'now expensive' Google phones you are up shit creek after 6 months.

The whole Android update scene is total bullshit. But I now treat it as such and just shrug when such articles like this appear.

Let's put this into perspective. Just how many people actually get hit by these 'killer' vulnerabilities?

It's enough to make you buy an iPhone next time...

10
0

Re: "will need updating"

Always buy SIM-free, unlocked, and try to buy as directly from the manufacturer as is practical. The fewer middle men adding their own software and their own indifference to security, the better.

6
1
Anonymous Coward

Re: "will need updating"

My Huawei P9Lite (+/- 1yr old, simlock free) got three updates already.

The snooping gets better and better and the battery life about halves with each update.

Selling new phones? I think you're not far off the mark.

0
0
Silver badge

Re: "will need updating"

"Always buy SIM-free, unlocked, and try to buy as directly from the manufacturer as is practical. The fewer middle men adding their own software and their own indifference to security, the better."

Makes no difference. Most manufacturers just give up after 8-12 months from release.

5
0
Anonymous Coward

Re: "will need updating"

@Aodhhan, could you please explain why did you feel the need to be so vulgar and disrespectful when replying to someone else's post? How was that desirable or necessary and for what benefit?

3
2
Anonymous Coward

Re: "will need updating"

"@Aodhhan, could you please explain why did you feel the need to be so vulgar and disrespectful when replying to someone else's post? How was that desirable or necessary and for what benefit?"

You must be new here.

7
1
Bronze badge
Megaphone

Just how many people actually get hit by these 'killer' vulnerabilities? It's enough to make you buy an iPhone next time...

In a recent interview ( https://www.youtube.com/watch?v=UVVjlYz-YeM ) John McAfee says (wrt phones)

"there is no security whatsoever", "the OS is designed to watch you", they are the "ultimate spy device", "the anti-virus paradigm is no longer functional", "by the time malware is found it's too late", "hackers spend weeks, months, some times even years sniffing around your device".

(31:45) "BTW, what is the least secure phone?"

"The Samsung S7 is the most secure ... All iPhones can be remotely rooted ... The most hackable phone in the world is the iPhone"

0
1
Silver badge

The most hackable phone in the world is the iPhone

McAfee is full of crap.

If iPhones are so wide open, then why do exploit brokers offer as much as $1.5 million for an iOS zero-day, vs $200K for Android?

If iPhones are so wide open, why did one of the most advanced intelligence agencies in the world pay $1 million to get into one iPhone?

If iPhones are the most hackable phones in the world, why does Android have more than 3x as many CVEs?

Anything can be hacked given enough time and money, of course. But given the security track record -- and the fact that iOS devices are far more likely to receive updates than Android devices -- McAfee's statement does not hold up.

3
0

Re: "will need updating"

Hmm. My jolly old original HTC One has only recently received a bundle of updates to Android. Apps still update regularly.

And with "power saving" switched on, I'm still getting a full day's use, sometimes two if I'm frugal.

0
0

Re: "will need updating"

Am I just lucky? My Note 4 gets full updates (300MB+) every month or so. Takes 30-40 min. Maybe this is only for the Note. Anyone else noticed?

1
1

Re: "will need updating" @Aodhhan

See my post above. My Samsung Note 4 gets very frequent updates. I chose a 4, not a 5, because you can still change the battery. I tend to use phones till they die of old age.

HTH

0
1
Anonymous Coward

Re: "will need updating"

LG G3 is a phone from 2014, and the latest security update is android 6.01 (D85130g) and includes July 2017 patches. #fail. Your issue is clearly with your network and their reluctance to distribute patches, and nothing to do with LG, Google or android at all....

0
0
Silver badge

Re: "will need updating"

Sometimes, it's the only language SOME snowflake millennials understand.

0
1

Re: "will need updating"

Apologies Robert, you are correct,

it's LG's fault, not Android itself mate :)

0
0

Re: "will need updating"

Do you have links to the files from LG by any chance mate? I can't find any post August 2016 for my 32GB European model.

0
0

Re: "will need updating"

snowflake millennial?

I'm 45 ffs :P

1
0
Silver badge

Re: "will need updating"

Congratulations, Anonymous. You are blinded by your arrogance and pomposity.

Have you considered that even without updates, it can work out cheaper to buy a new "non-label" phone more often, with even faster capabilities.

Sure, there are dodgy things out there, but we are El Reg readers. We can sort the chaff out from the good stuff, right?

There are many reasons to buy a more expensive branded phone. "not being a cheapskate" isn't one of them. It's a tech device, not a bloody fashion accessory.

1
1
Anonymous Coward

Re: "will need updating"

> You must be new here.

No Andy, I recall reading this rag regularly back in 2001, possibly earlier. But even if I was, how does that excuse rude behaviour?

I just don't understand what benefit anyone could possibly get from it.

0
0
Holmes

Re: "will need updating"

I was not trying to excuse rude behavior. I've just simply come to expect it. In fact, I found it refreshing that you would bother to speak up about it.

0
0

Re: "will need updating"

Hello I am new to chat. To comment I think my phone is older than a lollipop android version... I don't think this vulnerability exists

0
0
Silver badge

Sick of new

versions of android every 12-18 months.

It's forced obsolescence and it seems to be getting worse.

14
4
Anonymous Coward

Re: Sick of new

What press feature are you desperate for precisely? Or don't you know?? Essentially your version of android doesn't really matter, as unlike iOS, Google can update most stuff via Google play (iOS system apps need system updates, android doesn't)

1
21
Silver badge

Re: Sick of new

Google was forced to do that hack to try to get some parts of its OS updated without the OEMs and carriers getting in the way, but that's only a halfway measure that doesn't fix the real issue with the Android update model.

Perhaps this is why Google is rumored to be buying HTC's phone business, so they can fix it on the OEM end and start applying pressure to the carriers.

17
0
Anonymous Coward

Re: Sick of new

The world won't stop. We have to live with a constant evolution of products. What consumers OTOH should ask for is to have the hardware and software for their gizmos supplied separately, and regulatory authorities should back them up. No manufacturer or network operator should be allowed to lock a device to prevent it from running "unauthorized" software. Manufacturers may not offer adequate support for their products, but this would open the market for 3rd-parties to offer independent subscription-based firmware updates. I'd be happy to pay a little extra for a bare-bones android-subscription to keep my mobile devices updated and safer.

10
0

Re: Sick of new

Google owned Motorola. Kept the patents, ditched the company off to Lenovo, and did nothing about fixing the OEM end, so I'm not sure why you think buying HTC would be any different.

16
0
Anonymous Coward

Re: Sick of new

"Google was forced to do that hack"

Nope, it's been this way since android 1.0 #tryharder

0
10
Silver badge

Re: Sick of new

" Google can update most stuff via Google play (iOS system apps need system updates, android doesn't)"

So why can't my 3 year old phone run some apps then? They don't require any more hardware features.

2
0
Silver badge

Re: Sick of new

And every version is hyped as a major fix over the previous version but when (and if hahaaa) you get it, the reaction?

Meh!

Meet the new Android...same as the old Android.

3
0
Silver badge

Re: Sick of new

iOS system apps need system updates, android doesn't

iOS system apps need receive system updates, android usually doesn't

FTFY

3
0

Re: Sick of new

The carriers do have responsibility for the integrity of their network.

Phones, hardware and software, need to certified to be on the network. Certification involves serious testing. This is a good thing for network reliability.

Adding bloatware that cannot be removed, is just the telcoms being the a'holes they have always been since Ma Bell.

Slurping your data is Google's business model. Search, Maps, Android, Chrome, etc. are just means to that end.

0
0

Re: Sick of new

"Slurping your data is Google's business model. Search, Maps, Android, Chrome, etc. are just means to that end."

And slurping money from your wallet is Apple's.

0
0
Anonymous Coward

Re: Sick of new

Apple slurp data exactly the same as Google, Microsoft too. Go read their privacy statements from all 3 and discover there is literally no difference at all. If you think buying an iPhone gives you some privacy that Android doesn't, you need a reality check, you paid a £300 surcharge for absolutely nothing at all...

0
0
Silver badge
Facepalm

...simply by being installed on the device."

I'm safe then! For ages my Android has been refusing to install any software. Ever since Google Play said it needs to move to a current version in order to function and at the same time refused to update because my Android build is too old.

12
0
Silver badge

...simply by being installed on the device."

A thin sliver of hope...

Which means you should be OK if you only install kosher apps from the supposedly kosher Play store... oh wait...

7
0
Silver badge

Not a bug...

When this was first raised in February / March this year, Google said it wasn't a bug and it was working as expected...

1
0

android vs android

it would be great if manufacturers didn't mess with android and bundle their own unmaintained versions. fine if they want to bundle apps on top, feel free, but let users receive patches direct from google as soon as they are released. just like you do with every other operating system out there

5
0

Watch this space...

This looks like a Good Thing: https://www.xda-developers.com/project-treble-custom-rom-development/

1
1
Anonymous Coward

Lineage ?

...just saying.

Of course this is only the tip of the iceberg. Isn't Google's strategy to have Android (in some form or other) in *everything* eventually ???

2
1
Silver badge
Joke

Everybody without Android Oreo vulnerable...

So is my iPhone OK then?

3
1


Biting the hand that feeds IT © 1998–2017