Here we go again: Software nasties slip into Google Play, exploit make-me-root Android flaw for maximum pwnage

At least three malicious apps with device-hijacking exploits have made it onto the Google Play Store in recent weeks. This is according to eggheads at Trend Micro, who found that the since-removed applications were all abusing a use-after-free() flaw in the operating system to elevate their privileges, and pull down and run …

  1. RyokuMas Silver badge
    Joke

    No, no, no!

    "Here we go again..."

    Surely this article should be titled "It's 2020 and you can pwn Android by [blah blah blah]"???

    1. yoganmahew

      Re: No, no, no!

      To be followed by "if your phone is more than six months old, bin it, you'll never get a fix for this and many other security holes".

      1. Anonymous Coward

        Re: No, no, no!

        This is true for every manufacturer-pushed update, who typically stop any support past not 6 months, but typically 3 in my experience. Samsung excluded.

        But Google started Android One, which I have on my Nokia 7.1. Bought it in March and I had a pack of updates last week since it is Google-pushed and managed. I think everyone in need of a new Android phone should look at Android One if no other, for security reasons.

        1. Anonymous Coward

          Re: I think everyone in need of a new Android phone should

          think before they tap. But then, thinking BEFORE is so hard! While thinking hard AFTER is so easy...

          1. Anonymous Coward

            Re: I think everyone in need of a new Android phone should

            > "think before they tap. But then, thinking BEFORE is so hard! While thinking hard AFTER is so easy..."

            FTFY

        2. Anonymous Coward

          Re: No, no, no!

          You exclude Samsung but my experience puts them in with the rest of the walkaway Android crowd.

          1. Lord Elpuss Silver badge

            Re: No, no, no!

            "You exclude Samsung but my experience puts them in with the rest of the walkaway Android crowd"

            I'm not a fan of Android in any form, but in Samsung's favour they are at least going for a simpler business model where they make more money up front and then make an effort to safeguard their customers with the goal of getting some loyalty and repeat business. Knox isn't too bad, biometrics are modern and Smart Anti-Tracking tries to deal with some of the more pond-scum end of the advertising spectrum. They're also going down the innovation route; DeX is genuinely useful and although the Galaxy Fold was a non-starter, they are at least trying.

            Generally speaking the more premium you go, the more companies value you as a customer and the more effort they make to retain you. If you're at the bargain basement end, they think purely transactionally and couldn't care less about you once they've offloaded their latest tat.

      2. Jaap Aap

        Re: No, no, no!

        Switch to LineageOS!

  2. JimmyPage Silver badge

    One reason why I prefer websites to apps.

    Although there are 999 others too.

  3. ThatOne Silver badge
    Facepalm

    Programmed Obsolescence

    Or, how to make sure people will throw away perfectly good computers any university would have dreamed of having 50 years ago...

    Nowadays manufacturers (and not only phones) don't compete on features, they just make sure their product won't last more than a year or two, for some stupid reason (lack of updates, no means to change a failing battery, new, incompatible vanity standards, and so on).

    The best investments of 2020 are in the waste management sector: Their best years are ahead...

    1. Lord Elpuss Silver badge

      Re: Programmed Obsolescence

      My iPhone X is fine. My kids' iPhone 7 and iPhone SE, both from 2016, are fine. My dad's iPhone 6s from 2015 is fine. All are fully supported and running the latest iOS.

      The only maintenance ANY of these phones have needed is the iPhone SE, which needed a new screen when my son dropped it; €70 from the local repair shop.

      Current second hand values; €550 for the X, €250 for the 7, €175 for the SE, and even the 6s is still worth €150. Phenomenal value over the years.

      1. ThatOne Silver badge

        Re: Programmed Obsolescence

        > The only maintenance ANY of these phones have needed

        Irrelevant; My Android phone is from 2008, and besides the battery being a little weak, it works just fine too. The problem is it runs an outdated and unpatched version of the OS, and while Apple phones do indeed get updates a little longer, I'm pretty sure no iPhone from 2008 is still supported and running a fully patched OS.

        Please compare it to computers: My laptop, an expensive high-end Toshiba from 2007, is still running strong (CPU beefy enough for office work and older games, Nvidia graphics card, 2 HDs, it does everything I need to do), obviously I had to upgrade the OS at some point, but it was possible. Can't do the same with my phone, which is still more than adequate for what I do with it (pretty little).

        1. Lord Elpuss Silver badge

          Re: Programmed Obsolescence

          “Irrelevant; My Android phone is from 2008, and besides the battery being a little weak, it works just fine too. The problem is it runs an outdated and unpatched version of the OS”

          So not irrelevant then; your 2008 Android is now a security nightmare, and if (as I’m sure you’ll claim) you don’t use it for anything ‘smart’, then why put up with the abysmal battery life and performance when you could just use a dumb phone instead?

          You stated manufacturers “...just make sure their product won't last more than a year or two”; my comment was to illustrate that Apple engineer their devices to last MUCH longer than this, citing 4 examples.

          1. ThatOne Silver badge

            Re: Programmed Obsolescence

            > why put up with the abysmal battery life and performance when you could just use a dumb phone instead?

            That's a different, also irrelevant issue*; What bothers me is the fact I can't just upgrade/change the OS of my phone, like on a "normal" computer; On a phone you depend on the generosity of the manufacturer, and the fact Apple is more generous than Google doesn't change much. Can you install the latest iOS on a 2008 iPhone (that would be the original one)? AFAIK not, so it's the same problem.

            * Obviously I've got a cheap replacement, but I still miss the old phone, because it had features I would need to pay well over $1000 to get nowadays. And it still works just fine, so the commercially dictated OS lock-in is the only reason to bin it.

            1. Lord Elpuss Silver badge

              Re: Programmed Obsolescence

              Ok since you seem determined to keep railroading 'relevance' to whatever your argument is, let me make this simple to avoid going round in yet more circles.

              Your original post stated: "Nowadays manufacturers (and not only phones) don't compete on features, they just make sure their product won't last more than a year or two."

              My post rebutted this by giving an example of four phones from one manufacturer that have clearly been designed to last far longer than 'a year or two' - in terms of both software (still fully supported) and hardware (zero maintenance except that required by user error). It doesn't get more 'relevant' to your post than that. End of story.

              Moving on to the rest of your post - firstly if you had an Android phone in 2008, it was an HTC Dream/T-Mobile G1. There's nothing this phone does that can't be done better by a modern Android landfill device costing $100 or less, except the keyboard and trackball. If you want that, you need to look at a BlackBerry PRIV or similar, which these days can still be picked up for less than $200. Secondly, if despite this you are particularly attached to the G1 you can root it and install Linux, CyanogenMod or any number of custom Android builds; or even put Windows 95 on it if you want to torture yourself. It still won't be good, but you're not as locked-in as you think you are.

  4. Anonymous Coward

    Give me money

    Hi I'm Goo Gle, I sell software other people make. I tell you it's safe, but we don't bother to check it that well, because it's more important to make money than have security. Besides, it's not our security, why should we care.

    Yes we have your contact data, but don't expect us to tell you when we remove an app you downloaded from us for malware, 'cause we really don't care. And we don't want you asking for a refund (wouldn't that be extra work).

    Thanks for the kaching, good luck getting your bank account back after we let hackers take your passwords lol

    (end accurate sarcasm)

  5. Lord Elpuss Silver badge

    Apple.

    Seriously people, if you're a Reg reader running consumer Android, you need your head seeing to.

    Neither Google nor Android manufacturers give a rat's arse about protecting your data, except to prepare it for sale. It's not part of their business model. Consumer Android is not safe, it's not private, and updates are lousy. Chumps get sucked in by some pretty hardware then realise (if they're lucky) that it was the bait in the trap, they're the product and it was cheap for a reason. The smart ones get out while they still can; the dumb ones get on forums and fire broadsides at Apple users for paying too much without realising that any difference in price is the price you pay to dance with the Devil. And when you dance with the Devil, you stay until the music stops.

Biting the hand that feeds IT © 1998–2020