Re: The sky has fallen
"Move on, there's nothing to see here."
Really it's very important not to speculate on the details of the security flaw or provide bad information in these situations. You have just given a very wrong impression of the threat. Nearly all Android devices have such remote control software installed, as it is installed by the OEM's. (Nexus devices however are known not to be affected).
The problem has arisen because there is a known Google Certifi-Gate related bug that has had to be worked around by every vendor of supplying mRST (Mobile Remote Support Tool) software. It turns out that several third party rMST vendors workarounds have weaknesses which can be exploited by third party apps running on the device. It is important not to install side loaded apps until your carrier issues an update (if they ever do).
It seems however that any app can exploit the mRST weakness though clearly apps that are side loaded are not vetted so are more of a risk (I've been unable to ascertain if it is only side loaded apps that can exploit this weakness. I think not, but perhaps someone else can comment on this point) and attackers can exploit this flaw to silently gain near complete control of the device. Clearly, that is bad.
BTW, Samsung's response is, as usual and expected of Samsung, unconscionably irresponsible. Let's analyse what they have said:
"At Samsung, we understand that our success depends on consumers' trust in us, and the products and services that we provide. We are aware of Check Point's alleged claims, and Samsung has addressed this issue. Samsung encourages users not to execute unsecure apps."
The cynicism of this response is on so many levels it' not funny.
"We are aware of Check Point's alleged claims, and Samsung has addressed this issue"
If they have addressed the issue, then they for sure know the claims are not simply alleged. What are they suggesting their programmers have done, speculated about what the vulnerability might be and kind-of fixed a theoretical speculative issue just for the hell of it? Of course not. This is spin pure and simple.
Also, by saying "we have addressed the issue" it very much seems they are trying to suggest the issue is no longer a problem. Except of course, until as a user, you receive an update it is, and you are left vulnerable and the carriers are required to issue a firmware update. It they don't, then the bad mRST software remains available and executable for exploitation. Most El Reg readers will understand that, but most non techie readers most certainly will not. By not spelling it out, it is difficult to conclude otherwise than that Samsung are more concerned to minimise negative PR than inform and protect their customers.
And finally by saying "Samsung encourages users not to execute unsecure apps." it rather seems they are attempting to suggest users will be to blame for executing apps that take advantage of their security flaw. Really this is just a sign-off to try to make themselves sound like they are saying the responsible thing, when by not having spelt out their customers remain vulnerable, they are being anything but responsible. Here I'm speculating a bit, but I feel it's warranted (and I'm not speculating about the flaw itself but Samsung's motives). It seems to me these words are carefully selected to suggest the issue is limited to side loaded apps, when it is anything but clear this is the case (for an issue such as this, every word of a press release will have been very carefully considered by a senior executive backed by extremely capable team of techies, so I think it highly unlikely the ambiguity would be anything but deliberate and cynical - if they could have said "side-loaded" rather than the more ambiguous "unsecure apps" I think it likely they would have done). I could be wrong on this last point, but somehow I think not. But still, irrespective of that last point: Wankers.
Biting the hand that feeds IT
