back to article 60 per cent of Androids exposed by new attack on mediaserver

Duo Security researcher Kyle Lady says attackers can compromise more than half of enterprise Android phones by chaining two operating system and chip vulnerabilities. The flaws affect scores of phones on the market from the most popular Lollipop version 5 Android system, second-placed KitKat version 4.4, and the barely-used …

  1. Adam 52 Silver badge

    "Yet again, the fix would be proper vetting of code in Google Play and other app stores"

    Why? The fix would surely be to patch the bug, that way you fix the hole wherever the exploit comes from, including direct download. Lock the door, don't rely on a security guard on the front gate whilst leaving the back open.

    "About one in 200 phones contain an unwanted or malicious application in what could be an indication of the potential effectiveness of Beniamini's attack"

    Somebody really needs to go on a stats or deductive reasoning for beginners course.

    1. dajames Silver badge

      It's not one or the other ...

      "Yet again, the fix would be proper vetting of code in Google Play and other app stores"

      Why? The fix would surely be to patch the bug, that way you fix the hole wherever the exploit comes from, including direct download. Lock the door, don't rely on a security guard on the front gate whilst leaving the back open.

      You need to do both.

      You lock the door if it has a lock, but you keep the security guard for doors that don't have locks. You employ a security guard but you still lock the doors because the guard can't see everything that goes on.

      In this case, the unlockable doors are lots of older Android devices running e.g. KitKat that are never going to get an upgrade to Marshmallow (much though we may wish that that were not so) so we -- or rather Google -- do still need to improve the filtering of apps in Play Store.

      That filtering is never going to be perfect, though, so Google do also need to issue patches and improve the security model of the OS.

  2. David Roberts
    WTF?

    enterprise Android?

    Mentioned several times with no explanation.

    Presumably no starships involved.

  3. Charlie Clark Silver badge
    Stop

    That's it

    This

    is the last

    time I read

    one of Mr Pauli's

    articles.

    Poorly researched and poorly written with a one sentence per paragraph style that makes it even harder to find any content, if there is any.

    FWIW enterprise Android usually means locked down with an app whitelist. Or, increasingly, their own "app stores".

    1. J Bourne

      Re: That's it

      "FWIW enterprise Android usually means locked down with an app whitelist. Or, increasingly, their own "app stores".

      So even less likely to be downloading dodgy apps from the Play store or anywhere else...

      Can I have 2 minutes of my life back please?

      feature request to el Reg : please attach author's name to articles in RSS feed.

      1. VinceH

        Re: That's it

        "feature request to el Reg : please attach author's name to articles in RSS feed."

        It does - but whether you see it depends what you are using. Looking at the source feed, for this article it contains <name>Darren Pauli</name>. If I render the feed in my browser, that isn't shown, whereas my normal reader (FeedDemon Pro) does show it.

        1. Fazal Majid

          Re: That's it

          @VinceH

          Thanks for the tip, I had the same issue as @J Bourne. I have been using the ancient feed http://www.theregister.co.uk/excerpts.rss, switching to http://www.theregister.co.uk/headlines.atom gives the author (but no other categories or tags)

  4. Rob Crawford

    Let me get this right

    This is a news story about a "researcher" that is using a bug that was patched by google back in January.

    Bit of a non story, apart from the shite service provided by phone manufacturers and carrier branded phones which we all know about anyway

    1. Anonymous Coward
      Anonymous Coward

      Re: Let me get this right

      Not all manufacturers of course. My Sony has been updated to a patched 6.01. My wifes much older xperia patched to a very recent Android 5.

      Just because you aren't running the latest Android, doesn't mean you aren't getting patched. Google do security patches for 6, 5.1, 5 and 4.4

    2. Anonymous Coward
      Anonymous Coward

      Re: Let me get this right

      A day can't go by without the Register mentioning Android at least once in relation to malware else it's computer/banking/flash malware.

    3. Michael Wojcik Silver badge

      Re: Let me get this right

      It extends to other vulnerabilities. Anything that gets you QSEE access can be leveraged to take over the kernel.

      And "a bug that Google patched" means "a bug that still exists in most Android devices, which will never be updated", of course.

  5. Doctor_Wibble
    Headmaster

    mediaserver service not generic media server...

    Might be an idea to clarify for anyone who's not an Android Anorak that 'mediaserver' here is referring to the 'mediaserver' service in the OS and not an external Media Server or Mediaserver or some other recapitalised variant on the word. Otherwise it just looks like a typo, other products/names are equally guilty of this.

    Confessing my own ignorance, I had thought 'mediaserver' was a Windows thing and from the headline made the assumption this was using an android device as the stepping-stone for an attack.

    I may still have misunderstood except for the bit where my slab is now even more unsupported than it was the last time.

    No dunce's cap icon for me?

  6. Lee D Silver badge

    I have the say, the "smartphone security" fuss for me is quite annoying.

    No other device I have has less apps, that are updated automatically and regularly, that don't install without telling me exactly what they do or don't have access to, and which can be automatically pulled if they turn up on a malicious apps list (which is on by default in almost all Android phones) and where you can't install apps from external sources by default either (even Amazon Apps requires you to untick that box!).

    As the article says 0.5% of Android phones have an unwanted (? You mean, "I don't want that on there any more"?) or malicious app. What's that ratio for your average home desktop PC, not taking into account managed, enterprise, etc. devices? I imagine it's a LOT higher.

    In terms of malicious apps, I think my ancient phone is probably the safest thing I have at the moment and the rest are kept clean by good management, not by the security of the device itself or vendor updates pushing new OS versions all the time.

  7. Leeroy Silver badge

    Av

    I'm hoping that Sophos AV protects my users from most of these attacks. Enforced number checking before dial is on as well as app scanning and link blocking etc.

    Not had a report of anything being blocked yet so either my users are sensible or sophos is missing the mark.

    Fortunately we are due upgrades to new phones from Galaxy S5's in a few months, fingers crossed for an S7 :)

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2020