Totally flaming awesome!!!
It's a grand world where amazing things happen. Please keep the wondrous software and firmware coming into our lives for the beauty they bring!
Four Qualcomm vulnerabilities grant malware writers total access to modern Android smartphones. Yes, yes, nine hundred meellion "potential" users, if you're counting. Attackers can write malicious apps that, when installed, exploit the software flaws to gain extra privileges on Android Marshmallow and earlier versions of …
Same thing here.
For 2 seconds I looked for the field where I could input my mobile's model and check if it was vulnerable, before I realized I was on the PlayStore page (yes, I should have known before I clicked, but I expected better from El Reg).
Can't be bothered to install an app for the sole purpose of checking if I'm vulnerable to 1 specific exploit, so thanks, but no thanks.
Not really. Never ever actually seen a exploited Android device in the wild, despite Stagefright, despite this and all the other scare stories.
Not a day goes by where I don't see a malware infested Windows device.
Those two are literally worlds apart. Anyone that claims different is either an idiot, or has an agenda.
Windows didn't suffer any mass attack until years after they were possible, despite all kinds of warnings about how big of a problem they could be. It took the example of multiple such attacks spreading like wildfire to get Microsoft to start taking security seriously. And it wasn't until Windows 7 that the extra attention started having any real effect (not that 7 is 100% secure, but it is significantly better than XP even XPSP3 ever was)
The day is coming where there will be a mass Android attack - which will probably spread itself by sending MMS to your contacts who will send it theirs, and so on. Sure maybe in two years 50% of Android devices won't be vulnerable to the MMS exploits (unless new ones are found, which isn't unlikely) but that would still mean hundreds of millions of devices could be compromised in a day.
Its just a question of whether someone will do it for the notoriety, or if they will have a revenue model in mind (clickjacking, stealing bank info or whatever)
Looks like people at BlackBerry have had a busy weekend - they're now rolling out August 5th patches to their Priv Android phone, or least the factory unlocked SIM free ones.
Fairly smart work. Apart from Nexus and with BlackBerry being hot on Google's heels, who else is keeping their products that up to date?
"even though it was last patched in the mid 90s (I think it was)"
As the S3 was only released in 2012 you're not even close! ;)
It would be wonderful if a user-focused .APK was released that installed SuperSU on vulnerable phones using this exploit, as Towelroot did.
Even better if it managed to get S-OFF, and we could use it to definitively clear this vendor brain damage.
Perhaps Sunshine will be getting an update soon.
"There are ways to hide the root status from individual apps - I've used one with flawless success. Get xposed and you won't regret it!"
How when SafetyNet checks itself with an encrypted connection back to Google AND can upgrade itself through that same connection? We don't know Google's private key. SafetyNet can even detect /system-less root now.
What app would I ever want to run that insisted that I relinquish control of my phone?
NONE!
What sane app would *insist* that we run a flawed /system/lib/libstagefright.so that would allow a system to be cracked like an egg?
What SHOULD happen is banking and finance apps that refuse to run on vulnerable systems. When Citibank and Wells Fargo start blocking Android 4.4 KitKat and lower, Google and the OEMs will probably find a way to get patches out.
As I see it, there are two primary risk categories.
1) Jailbroken phones, the owners of which install stuff from everywhere.
2) Non-jailbroken phones, the owners of which only install from the Play store.
Naturally, all vulnerabilities affect category #1. But I'm frequently unclear on whether category #2 people should shit their pants with worry on a daily basis until their phone is patched, or whether they should just ignore such reports as irrelevant.
Personally, my biggest complaint is all the "Crap Apps" that Android has Baked In from the "Factory" by Google.
As far as I can tell, no matter what I do, there are a whole Bunch of "Services" that I neither Want nor Need nor Use but which will keep right on sucking up my battery power, no matter What I do.
I've tried disabling stuff. The list is so long that it would take me a Week. Then there are all the ones that Can't be disabled because the Phone somehow Needs them to function as a Phone.
And, to cap the futility, Android keeps automagically downloading Updates that turn everything back on just a couple days after I turn them all OFF..
My not-that-old flagship still gets nightlies, but I won't be hold my breath for CM 13/Marshmallow. There are other ROMs (mostly Lollipop-based, or flaky Marshmallow builds) but the logic of which phones stay interesting to devs enough to support eludes me.
"The ecosystem is such that it makes exploitation more difficult because it needs to be designed for [each device],” Dai Zovi said at the time. “[Android] security features like verify apps, and Google Play store application checks makes it a much safer system.”
Spin it baby. Spin it.