Pwn all the Androids, part II: Flaw in Java, hidden Trojan

Security researchers in China claim to have uncovered a second Android vulnerability that might be abused to modify smartphone apps without breaking their digital signatures. The flaw, discovered by the "Android Security Squad", stems from a Java-based issue (explained on a Chinese language blog here, Google translation here …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward
    Anonymous Coward

    Again? Oh no, not again!

    Android has more holes in it than a string vest.

    1. Homer 1
      Paris Hilton

      It must be milking time in the "Screw Google" shed

      Them anonymous cow herds sure is busy today.

      1. Anonymous Coward
        Anonymous Coward

        Re: It must be milking time in the "Screw Google" shed

        So you're OK with your yet-again-unsafe platform then?

        It's probably the best indicator that Android <> Linux.

        1. JDX Gold badge

          Re: It must be milking time in the "Screw Google" shed

          It's probably the best indicator that Android is far more popular than Linux.

          1. eulampios

            @JDX

            It's probably the best indicator that Android is far more popular than Linux.

            It seems to be even more popular than MS Windows; however, please remind us when any of the following malware infections ever happened to an Android user:

            -- by inserting a media

            -- by clicking on a web link, visiting a webpage

            -- when opening a document or email attachment

            -- through the (MS) Remote Procedure Call

            1. Anonymous Coward
              Anonymous Coward

              Re: @JDX

              My company has recently just added our first apps to both the Windows Store and Google Play.

              For the Windows Store, we had to provide company docs and basically verify our identity. Then when we submitted apps, Microsoft tests them. They reject them if they lack a privacy policy, clear instructions what the app does, cause crashes or contain potential security issues (at least ones they suspect/find). I understand Apple does a similar process on its app store.

              With Android, we just pay our 25 bucks, set up an account, upload our app and we're in business.

              The biggest problem with Android is the app store, and the assumption by most users that if it's on Google's official play store, it's ok. Not sure this is necessarily an issue with Android technically, but in practice it is... because that is probably the biggest route to malware getting onto Android phones.

        2. Homer 1
          Linux

          Re: It must be milking time in the "Screw Google" shed

          "So you're OK with your yet-again-unsafe platform then?"

          I wouldn't be if that were the case, which it isn't; it's blatant FUD spread by the Screw Googlers.

          First of all, this latest "vulnerability" isn't new at all, it's the same one as last time, so repeating the same story, whilst intimating that it's actually a new "vulnerability", just because someone new is talking about exploiting the old one in a new way, is clearly propaganda.

          Secondly, this "vulnerability" has precisely zero to do with Android security, or even software at all. It's the same "vulnerability" one would have by downloading Photoshop from The Pirate Bay instead of buying it from Adobe. The fact of it being Android or Windows or Mac, Free or proprietary, is utterly irrelevant, except in the sense that, if it's Free and you actually have (and understand) the sources, then you'll discover whether or not it's malicious in advance, thus preventing the problem from ever manifesting in the first place.

          IOW software's integrity is only as secure as its source.

          But if idiots choose to download, install and run mysterious binary blobs from dodgy sources, what exactly do you expect Google to do about that? You may as well claim that 'su -c "rm -fr /"' is a "vulnerability" too, or that smashing your own head in with a hammer is a "vulnerability".

          Freedom necessarily incurs risk. I'd rather have that freedom and take that risk, than be a slave in Apple's prison.

          1. Anonymous Coward
            Anonymous Coward

            Re: It must be milking time in the "Screw Google" shed

            I'd rather have that freedom and take that risk, than be a slave in Apple's prison.

            Weird definition of freedom you have. I either choose (yes, choose, nobody forces me) to use an iOS device and thus have less worries about what I install so I can spend my time simply using the device for which I bought it (read: it does in no way stop me from what I want to do, YMMV). Alternatively I choose Android which means I have the immense "freedom" to be forced to sign up to the "tell us the color of your underpants" Google terms of service if I want to use the native platform, and agree to something that can only be jokingly described as a "privacy" policy. And it's designed by an outfit whose main product is the output of continuously spying on us. Mwah. Hard choice.

            I'm actually very happy that iPhones are no longer "fashionable", I like the platform but I hate the associated cult garbage.

  2. graeme leggett Silver badge

    less than 64K in size

    how much code can you fit in 64K? how much code is needed to write something nasty?

    I know the Amiga demo scene used to get away with less than 64K but they were working in machine code and lots of other targeted methods to avoid bulky code

    1. auburnman

      Re: how much code is needed to write something nasty?

      DELETE * FROM * ;

      1. John Brown (no body) Silver badge
        Thumb Up

        Re: how much code is needed to write something nasty?

        "DELETE * FROM * ;"

        MSDOS

        DEL *.*

        *nix

        rm -r *

        1. eulampios

          @John Brown

          You probably want the "rm -rf *" to force it. Yeah, in order to apply it to an android app, make sure you have the write permissions for the app in question.

      2. Jon Massey
        FAIL

        Re: how much code is needed to write something nasty?

        Msg 102, Level 15, State 1, Line 1

        Incorrect syntax near '*'.

    2. AndrueC Silver badge
      Joke

      Re: less than 64K in size

      how much code can you fit in 64K? how much code is needed to write something nasty?

      Lol, when I first started programming 64kB was the entire memory address space :)

      1. Version 1.0 Silver badge
        Happy

        Re: less than 64K in size

        You rich sods - a whole 64k? I had to start with 8k and that included the operating system.

        The fact is that most programmers these days are lazy and if you give them a GB of memory then they will use it and cry for more - but there are a lot of folks out here who cut their teeth on programming multitasking real time operating systems supporting multiple users in 32 KB ... and doing real science too.

        1. AndrueC Silver badge
          Joke

          Re: less than 64K in size

          You rich sods - a whole 64k? I had to start with 8k and that included the operating system.

          We thought people with operating systems were royalty. Every time we wanted to check for a key press or update the screen we had to write our own routines.

        2. annodomini2

          Re: less than 64K in size

          Dons thick Yorkshire accent "When I were a lad..."

          Yadda, yadda, yadda.

      2. Captain DaFt

        Re: less than 64K in size

        My first computer was a used Commodore 128, got it about the time Win 3.11 was getting its legs on PCs.

        It came with several 64 and 128 floppy drives, one of which was a 3.5 floppy (1581, if I recall correctly).

        Anyway, it formatted to 1.8 Meg, and at the time, held all my software and data on one disc!

        These days, it wouldn't even hold one decent mp3 or png.

    3. Homer 1
      Terminator

      Re: less than 64K in size

      64K? Pfft, luxury.

      Try 512 bytes.

    4. gcla72
      Joke

      Re: less than 64K in size

      Dunno but the world's biggest virus was only 640K, which "ought to be enough for anybody"...

    5. AbelSoul

      Re: 64K Amiga demo scene

      I'm still amazed by what those guys could do with outdated Motorola 68k hardware and 64k.

      This one from 2005 is pretty cool:

      http://thedemoscene.tumblr.com/post/10892719876/a-dream-2-by-scoopex-winner-of-the-amiga-64k

    6. Homer 1
      Boffin

      Re: Amiga's "targeted methods"

      You mean the blitter and copper.

  3. Destroy All Monsters Silver badge
    Headmaster

    Not Java then, more like Dalvik VM.

    Although .jar files are also .zip files, so there may be some as yet undiscovered side effects on a JVM, too.

    1. Shades

      Not a problem with Java or the Dalvik VM. Subheading is classic El Reg click bait.

  4. tomban
    Stop

    Stay away from those third-party apps

    As above.

    1. Craigness

      Re: Stay away from those third-party apps

      Unzip them and check for duplicate file names, then install if you must.
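      One way to run the duplicate-name check suggested above (it applies equally to .jar files, which are ZIPs too, as noted further up the thread), as an added example that is not code from any comment on this page: it walks the ZIP central directory directly instead of trusting a library's name-to-entry lookup, which typically keeps only the last entry for a name, and reports every name that appears more than once. The sample archives are constructed inside the script; the check covers only the duplicate-entry case the comment describes.

```python
import io
import struct
import warnings
import zipfile
from collections import Counter

# Record signatures from the ZIP specification (APPNOTE).
EOCD_SIG = b"PK\x05\x06"   # end of central directory record
CEN_SIG = b"PK\x01\x02"    # central directory file header


def central_directory_names(data: bytes) -> list:
    """Walk the central directory of a ZIP/APK/JAR and return every entry name, duplicates included."""
    # The EOCD record is 22 bytes and may be followed by a comment of up to 65535 bytes.
    idx = data.rfind(EOCD_SIG, max(0, len(data) - 65557))
    if idx < 0:
        raise ValueError("no end-of-central-directory record")
    # EOCD: sig, this disk, CD disk, entries on disk, entries total, CD size, CD offset, comment len
    _, _, _, _, n_total, cd_size, cd_offset, _ = struct.unpack("<4sHHHHIIH", data[idx:idx + 22])
    names, pos, end = [], cd_offset, cd_offset + cd_size
    while pos < end:
        if data[pos:pos + 4] != CEN_SIG:
            raise ValueError("corrupt central directory at offset %d" % pos)
        # 46-byte fixed header; fields 10..12 are the name, extra and comment lengths
        fields = struct.unpack("<4sHHHHHHIIIHHHHHII", data[pos:pos + 46])
        name_len, extra_len, comment_len = fields[10], fields[11], fields[12]
        names.append(data[pos + 46:pos + 46 + name_len].decode("utf-8", "replace"))
        pos += 46 + name_len + extra_len + comment_len
    if len(names) != n_total:
        raise ValueError("entry count mismatch: EOCD says %d, walked %d" % (n_total, len(names)))
    return names


def duplicate_entries(data: bytes) -> dict:
    """Entry names that occur more than once, mapped to their count; an empty dict means the check passes."""
    counts = Counter(central_directory_names(data))
    return {name: n for name, n in counts.items() if n > 1}


def build_sample(duplicate: bool) -> bytes:
    """Constructed APK-like archive for the demo; with duplicate=True, classes.dex is packed twice."""
    buf = io.BytesIO()
    with warnings.catch_warnings():
        warnings.simplefilter("ignore")  # zipfile only warns on a duplicate name; it still writes it
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr("AndroidManifest.xml", b"<manifest/>")
            zf.writestr("classes.dex", b"dex\n035\x00first copy")
            if duplicate:
                zf.writestr("classes.dex", b"dex\n035\x00second copy")
    return buf.getvalue()


if __name__ == "__main__":
    for dup in (False, True):
        print("duplicate=%s -> %s" % (dup, duplicate_entries(build_sample(dup))))
```

To check a real APK, read the file into bytes and pass it to duplicate_entries(); a non-empty result means two entries claim the same path and the archive should not be installed.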

    2. Anonymous Coward
      Anonymous Coward

      Re: Stay away from those third-party apps

      Should have bought a Windows Phone. It's the only current uncracked major mobile OS...

      1. chr0m4t1c

        Re: Stay away from those third-party apps

        Yeah, but that's only 'cos it's not popular enough yet.

        ...

        <Falls off chair laughing>

        Yet.

        Man, I crease me up sometimes.

      2. Homer 1
        Linux

        Re: "Windows Phone is the only current uncracked mobile OS"

        That's because nobody uses it.

        And Android hasn't been "cracked", simply because there's nothing to crack. How exactly does one "crack" something that's already open by design?

  5. Jess

    So why didn't google make the play store push out system updates?

    If they had designed the system right, they could update everything except the drivers for the hardware, themselves (and the drivers with the help of the manufacturers)

    1. Craigness

      Re: So why didn't google make the play store push out system updates?

      They weren't seeking control, so they made it open. It was designed right for what its intended use was, and it's up to the OEMs to patch their versions of Android.

      1. John Lilburne

        Re: So why didn't google make the play store push out system updates?

        "It was designed right for what its intended use was"

        The distribution of malware to add to Google's coffers?

    2. Anonymous Coward
      Anonymous Coward

      Re: So why didn't google make the play store push out system updates?

      Would you expect "GNU" to be pushing out updates to Red Hat, Ubuntu, Mint etc every time there is a bug/security flaw, or would you expect Red Hat et al. to be doing it?

      What would happen if one of the OEMs had modified that bit of Android code to provide different functionality and Google went and changed it?

      Should all manufacturers be stopped from making their own changes to the Android code to suit their own devices? Is it non open-source software that you think Android should be? You could always choose a Nexus or Google Edition phone.

      The device manufacturers can take this code, test quickly and roll out the patch within a couple of weeks, it's easy for them to do and with a small team and some registered Beta users patches like this could be rolled out for all their devices (including ancient 3/4 year old ones) within a month.

      1. FrankAlphaXII

        Re: So why didn't google make the play store push out system updates?

        That's great in theory. But will they in reality? I doubt it for most of them. That's what sucks about Android, your manufacturer may or may not push out updates like that.

        1. sabroni Silver badge
          Thumb Down

          Re: Hooray for the crappy update system!

          Hey, it was designed to suck and it certainly works!

          1. silent_count

            Re: Hooray for the crappy update system!

            It's not so much the system which is broken - *if* the OEMs/phone carriers push updates, they'll get to people's phones just fine. The problem is that all of the OEMs fork the OS to shovel their brand of crapware upon their victims... err.. provide added value to their valued customers... and then have no financial interest in updating anything but their current models.

            The obvious solution is for everyone to immediately root their phone and install stock android or CyanogenMod. Then they'll get updates as soon as they're released, and Google *does* have a financial interest in updating the OS which feeds them user info and funnels customers through their store.

            However, rooting a phone (usually) voids the warranty and, even if it didn't, is beyond the technical ability of most users. I wish there were an easy solution but there isn't.

        2. tom dial Silver badge

          Re: So why didn't google make the play store push out system updates?

          No, that's what sucks about {CellPhoneVendor}, who don't push out updates in a timely way.

      2. Ru

        Re: So why didn't google make the play store push out system updates?

        Would you expect "GNU" to be pushing out updates to Red Hat, Ubuntu, Mint etc every time there is a bug/security flaw, or would you expect the Red Hat et al to be doing it?

        What's in it for the phone manufacturers? If the average customer hasn't heard of this security issue, and even if they have they might not care, and the problem isn't unique to them, there's very little incentive for them to do any work. Google don't make them push updates, and the manufacturers would much rather just concentrate on getting their next batch of devices working and sold and encourage their customers to upgrade.

        Even a small team of devs won't come cheap, and the work they do does not directly generate revenue. Unless Google's own Ts&Cs for their licensees include patching timescales and product support lifetime requirements, I don't see many manufacturers doing this out of the goodness of their hearts. I don't see Google making their Ts&Cs more onerous either, because they don't want to lose their customers, who do care about such things.

        TL;DR: the manufacturers don't care, because customers don't care and aren't willing to pay a premium.

      3. Ambivalous Crowboard

        Re: So why didn't google make the play store push out system updates?

        "The device manufacturers can take this code, test quickly and roll out the patch within a couple of weeks,"

        Yes, but they don't. Not if you're using a not-the-latest handset (e.g. Samsung S2).

        And the carriers are even slower to react. Try going to the "Android Firmware Download" page on Vodafone or T-Mobile. Isn't one? Oh right.

        I appreciate there are OTA updates but, again, why not just let Google update that bit of code on your phone if it hasn't been touched by the vendor or carrier?

  6. Anonymous Coward
    Anonymous Coward

    The cynic

    that resides within, wonders if, sometimes, these exploits are written by the chocolate factory et al. to attempt to kill 3rd party app sites...

    Not all the time, just sometimes...

  7. Anonymous Coward
    Anonymous Coward

    Cyanogenmod 10.1.x fixes both vulns...

    Rolled out within a few HOURS, HTC One X International.

    Impressive.

    1. Anonymous Coward
      Anonymous Coward

      Re: Cyanogenmod 10.1.x fixes both vulns...

      Cool, that's 3 users protected! Hurrah for Android!

      1. Anonymous Coward
        Anonymous Coward

        Re: Cyanogenmod 10.1.x fixes both vulns...

        And they've all logged in to upvote you!!! Aww bless!

        1. phuzz Silver badge
          Thumb Up

          Re: Cyanogenmod 10.1.x fixes both vulns...

          Make that four...

          And I'm running CM10 on my tablet as well, do I count twice?

  8. heyrick Silver badge

    and the whole process might take weeks, if not months

    ...if at all.

    I notice Google frequently update the Google Play Services (over 3G too, when I've told Play not to update anything when not on WiFi - bastards); yet this highlights a stunning flaw in the Google system which is unable to differentiate between system specific stuff (up to the manufacturer) and generic operating system stuff. It is no good saying that it is up to the OEMs and not Google for they entered into this knowing full well what the market is like, the many phones on sale with Android 2.3.x and the lack of "official ICS" for numerous devices because manufacturer and operator have your money and no longer give a f....

    Quite simply, it should never have been set up in such a way as to require the cooperation of this many indifferent organisations just to patch a flaw in the operating system.

    1. Anonymous Coward
      Anonymous Coward

      Re: and the whole process might take weeks, if not months

      it should never have been set up in such a way as to require the cooperation of this many indifferent organisations just to patch a flaw in the operating system.

      What, by making Google actually RESPONSIBLE for something? Not going to happen. Their model of "all the profits, none of the responsibilities" is working well so far, as long as they can keep pesky people away that ask about rights and privacy and actually following laws. Or paying tax.

  9. mark l 2 Silver badge

    If the OEM ships the device with the option to install from 3rd party app stores turned off then they will probably not bother sending an update to fix it, as 99% of the users will just be getting their apps from Google Play and Google should be scanning the Play Store to find any dodgy apps. And those that do turn it on will probably invalidate their warranty under some part of their T&Cs, so the OEMs aren't bothered about those users anyway.

  10. Wzrd1 Silver badge

    I'm trying to wrap my head around one thing.

    Android security. In the same sentence?!

    That's an oxymoron. Like government economy, military intelligence or reasonable person.
