back to article Bad news, fandroids: He who controls the IPC tool, controls the DROID

A security flaw in a core message-passing mechanism leaves every Android device potentially vulnerable to attack, security researchers warned on Thursday. The newly discovered flaw enables hackers to override in-app security features, leaving critical apps such as mobile banking susceptible to tampering. The same vulnerability …

  1. choleric

    Who?

    Who let the IPCC into my phone? They'll be reducing my minutes in the interests of curtailing hot air emissions.

    (Joke icon not available on El Reg's mobile interface, in fact the coat icon might be a better choice.)

  2. Anonymous Coward
    Anonymous Coward

    How many

    Of the millions of Android Devices will get an update to fix this?

    Think of all those still running Gingerbread...

    Will the carriers even care? Nah.

    My old Nokia is luckily unaffected.

    1. DougS Silver badge

      Re: How many

      Gingerbread? I'll bet the majority of Android phones sold on today, October 16 2014, will never see an update. Too often people think about the big name phones that get a lot of attention like Samsung Galaxy or HTC One, which of course will be updated (at least the more recent models) but those are a pretty small minority of the overall Android sales. Few of the low/mid range phones will ever get an update. This is why El Reg refers to them as "landfill Android".

      People like to claim Apple has "planned obsolesence" to force people to upgrade, but the 3gs, introduced in June 2009, was able to update all the way through iOS 6 released in 2012, and still iOS 6.x is still updated for pressing security issues - the most recent 6.1.6 released early this year. Does anyone think that their shiny new Note 4 will be receiving updates in early 2019?

    2. Anonymoist Cowyard

      Re: How many

      Oh, and there are now BILLIONS of Android devices. Has been for over two years. It's 2million new Android activations every day..

      With that rate adoption, and 90% marketshare, you would think everyone would know someone that's had malware problems on their Android phone (if the press were to be believed). Strangely, I don't know a single person that's ever had a problem, and I suspect everyone else is the same...

      Go figure.... The press and snakeoil companies continue to embarrass themselves in public with this nonsense.

      1. SuccessCase

        Re: How many

        "The press and snakeoil companies continue to embarrass themselves in public with this nonsense."

        and next commenter "JASOVTTSUC"

        Well I would agree that The Registers security issue reporting leaves a lot be desired. They too often dramatise inconsequential issues. As always it's important to read the article carefully and logically evaluate based on what is known and established rather than what is implied.

        Yes also The Register far too often quote vested interest "security experts" (read anti-malware salesmen) without adequate discrimination.

        Having said that, in this case the "security expert" has presented his findings at a black hat conference - a foreboding place if you are acting with no more basis than a "snake oil" salesman and that's somewhat more noteworthy than a mere press release. This article is a bit short on established fact and is too vague, so it will be important to read the details. But on the face of it, this sounds very worrying for Android.

        The Register cry wolf all the time. But then also there are sometimes very real large scale security threats. Heartbleed and then Shellshock have shown complacency is a grave error. Both were exploited in the real world effectively and damagingly extremely quickly.

        You would be a fool not to keep track of this one.

        1. eulampios

          Re: How many, @SuccessCase

          What the previous commenter said about the "ubiquitous" Android malware was :

          >> Strangely, I don't know a single person that's ever had a problem, and I suspect everyone else is the same...

          My question would be: did you or any of the lot now reading or commenting here has ever seen, known or heard about an Android malware victim? Again, personally, not from El Reg, Zdnet or Fox News. The latter media, btw, never found a single specimen either (other than the virtual people existing somewhere out of our sight).

          Why am I asking? Because, apparently, any Windows user I have ever known had some sort of a Windows malware in the past or not so past experience. This very experience has a huge problem extrapolating onto the current press on Android malware, since it doesn't match with the local reality.

          >>Heartbleed and then Shellshock have shown complacency is a grave error.

          Although, I'd agree that complacency is a grave error, Shellshock ? More details please on the "complacency repercussions" and how detrimental this vulnerability was. I mean, do you know if anyone got busted through the dhclient-script when connecting to a wicked wifi router? For a contrast, when the Loveletter hit the world in circa 2000, a lot of people around me got that back then..

          1. Andy Watt

            Re: How many, @SuccessCase

            If nobody is being infected, why does Android malware continue to be found, even in the Play Store? Why bother writing it if nobody is getting the malware?

            Could it perhaps be that a lot of android malware is caught by those who:

            1. Don't run antivirus on their phone

            2. Wouldn't recognise the infection if they knew there was one

            Don't assume that no smoke means no fire where malware is concerned. Windows users had to learn the hard way how to get used to looking after their PCs. Android is still young by comparison as a platform, and an awful lot of landfill android users are just upgrading to keep a phone. They have no idea they're even carrying something which _has_ malware.

            Complacency? I'd say so, that's classic complacency. I don't know anyone who's died of ebola.... yet.

      2. Graham 24

        Re: How many

        "Strangely, I don't know a single person that's ever had a [malware] problem, and I suspect everyone else is the same..."

        Those applications that do things like log your online banking keystrokes tend to keep quiet about it, you know. The whole point of most malware is that you don't realise it's there.

        1. Michael Thibault
          Trollface

          Re: How many

          >The whole point of most malware is that you don't realise it's there.

          Shock! Stop the presses!

          Oh, wait! An-what? Okay, then.

          Nothing to see here. Move along folks. Move along.

    3. Anonymoist Cowyard
      Stop

      Re: How many

      Nothing to fix, JASOVTTSUC.

      (Just Another Snakeoil Vendor Trying To Sell Useless Crap)

      1. P. Lee Silver badge

        Re: How many

        Checkpoint.... Data protection experts?

        Nice firewall GUI but serious users turn off all the other guff because it breaks failover or it just breaks.

  3. John Smith 19 Gold badge
    Coat

    New exploit tool just released.

    "Grinder"

    But seriously. this is where that "no update" policy most mobile operators will bite.

    Or is part of the planned obsolescence? "Oh dear finding a gaping security hole in your phones' OS is our way of saying you need a new phone."

  4. Matt Piechota

    Where is Binder?

    So is Binder part of the base OS (it sounds like it) or part of the various Googly packages? The latter is the only hope that it'll get fixed on any of my devices. It'd be nice if Android went more package-based instead of the monolithic "entire OS in an image", but that doesn't seem to fly with the culture around phones. I guess I'll have to step-up my efforts (aka get around to) to put cyanogen or whatever on my 2+ year old phone; I know Verizon isn't going to help me out there.

    1. Charles 9 Silver badge

      Re: Where is Binder?

      Binder is part of the base OS. It's the thing that handles what Android calls Intents. The Intents are IPC messages that say you want to do such and such. They're also what prompt you to pick a program to handle things like Market links, SMS messages, and so on unless you set a default. What the article is claiming is that something can hijack the intent chain so as to call up system-level functions and use them to hack the device.

      Honest question: Can this hijack occur with just a URI or does it require some kind of app installation to perform?

      PS. It may interest you to know that Binder is an inherited thing. It comes from OpenBinder which was in turn originally developed for BeOS (now that brings back memories).

  5. Mark 85 Silver badge

    Almost

    This almost makes me long for dial-up on the 'putters and a dumb old hardwired phone.

  6. heyrick Silver badge
    Megaphone

    Check Point advocates multi-layered security as a defence against Binder-based exploits.

    They might advocate that.

    Me? I'd advocate a complete rethink of the Android infrastructure to understand that it is an operating system and as such requires updates and patches just like all the other operating systems. This to happen as and when necessary. Without the need for carrier intervention because we know sure as hell that such a thing just won't happen. My phone is running Android 2.3.something. That was "old" when I bought the phone new (but Sony took its merry time making ICS available and Orange France totally ignored that). They still seem to be stuck in the mindset of the feature phone where what is shipped is what you get. Couple this with an insistence on having locked bootloaders and an updater that can't handle running on anything under 2GHz (what, to push some data down a USB link?) and only works on Windows anyway, you have so many fail points it isn't even funny.

    Since rooting the phone and flashing something third-party is outside of the skill set of most users, Android needs to be capable of self-patching.

    1. Marcelo Rodrigues

      Re: Check Point advocates multi-layered security as a defence against Binder-based exploits.

      "Since rooting the phone and flashing something third-party is outside of the skill set of most users, Android needs to be capable of self-patching."

      Not only this, but the whole thing should be like updating a computer. Better still: EXACTLY like we do with our computers.

      I can by a (say) Dell, and it would come with a pre installed OS. OR, I could just by an "empty" mobile, and install some OS. THAT would be great.

      Even if my choice ended up with "your hardware is 36 months old, it is outside the official support time".

  7. sisk Silver badge

    You know, I like Android. I really do. It gives a great user experience in my opinion. But it's starting to look more and more like a security graveyard on par with Windows 2000.

    I'm just shy of hatred in my opinion of iOS. I use the iPad forced on me at work only when there's no other choice, and other choices do include lugging a laptop around. That's how much I dislike iOS. Not saying anything against it other than my personal opinion of it is negative. And Windows Phone? I'm not exactly a Windows fan under the best of circumstances.

    I think it's about time for a new contender in the mobile market to come along.

    1. Anonymous Bullard

      You'd think it's getting as bad as Windows looking at all the reports. As long as you stick to the play store, you should be ok.

      There's a lot of security research going on with Android, due to it's massive popularity and the fact that you can see the source and debug/experiment it. It's just a shame the updates aren't as slick as Linux on the server/desktop.

  8. Steve Knox Silver badge

    Correct me if I'm wrong, but...

    From the whitepaper, they've simply identified an ideal target, in that pretty much all information in an Android system passes through Binder at some point.

    While they've been able to simulate an exploit by hacking their own system compiled from Android code, they haven't actually produced a working attack against a production Android device.

    So this is more to the point of where should smart criminals or defenders focus their efforts in Android, rather than "ZOMG WERE ALL PWND!"

    1. Daggerchild Silver badge

      Re: Correct me if I'm wrong, but...

      Confused. So they've identified that a kernel feature would be an excellent thing to exploit, but can't show it can be? Really? Seriously?

      What was the blackhat *reaction* to this presentation?

    2. John Smith 19 Gold badge
      Unhappy

      To quote the piece. "featured a proof of concept rootkit for the Binder component"

      So yes I'd say if that's what's available in the open literature I think we can take it as read that others have spotted what looks like a rather juicy "watering hole" to allow an attacker to hit any apps data stream within an Android device.

      1. Michael Wojcik Silver badge

        Re: To quote the piece. "featured a proof of concept rootkit for the Binder component"

        "featured a proof of concept rootkit for the Binder component"

        Yes, but from their paper (linked to in the article):

        Most importantly, all the techniques described in this paper require running with root permissions.

        The concept they're proving is that "if you can get access to Binder messages, you can do a lot of stuff". They demonstrate keylogging, form interception, SMS interception, and so on - but all of their exploits require root.

        As others have said above (though I'm not sure any of the people making this claim actually looked at the slides or read the paper), this talk was very much about why the Binder is a juicy target for malware authors, and not about actual vulnerabilities that exist today. While there may well be such vulnerabilities, the authors do not describe any.

        In short, it's "look at this whopping great attack surface!".

  9. Jack of Shadows Silver badge

    Embedded

    Android is being handled the same way that other embedded devices are being handled, which is like to no updates. I thought (sorry, my mistake) that the retirement of Windows XP support and all those POS (translate that TLA whichever way suits) would have resulted in some consciousness raising about mixing between the differing treatments of desktop/server computing and embeds. The former internet connected and updated often, the latter not and not. Usually? Well, hopefully.

    We've been extremely lucky that for all the juiciness of the Android target, it's been pretty much left alone. Why go embed retail when the wholesale returns of their bigger brothers is so much more lucrative. And a phone botnet? Puh-leese. (That'll change.) That the targets are so diverse in addition to being diffuse probably factors in as well. So mark this as "The Gilded Age of Innocence."

    BTW, IPC has been a threat vector only since, maybe, the '80's

    1. P. Lee Silver badge

      Re: Embedded

      The arguments for stability in embedded devices go away with an ever changing and exposed user environment. These are not factory-floor disconnected PLCs.

      The mobile market is maturing. Sorry to the manufacturers but you need to overspec the hardware to cope with updates, run fewer models (so you can test updates), and push the OS updates through quickly.

  10. John Smith 19 Gold badge
    Unhappy

    The problem is what *sort* of device is a smart phone?

    Seriously. is it a microwave oven (when was the last time you saw a software update for a microwave? or a real computer?

    Historically phone companies did not issue SW updates for phones because they did not need to. They were analogue and had no processor.

    Now if you want to offer a computer with built in mobile phone capability they should accept they have to support it like a computer OS.

    And of course you get the issues of 3rd party software.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019