back to article Google claims ‘massive’ Stagefright Android bug had 'sod all effect'

Despite shrill wailings by computer security experts over vulnerabilities in Android, Google claims very, very few of people have ever suffered at the hands of its bugs. Speaking at the RSA security conference in San Francisco on Tuesday, Adrian Ludwig, director of Android security, said the Stagefright hole – which prompted …

  1. ratfox

    Another way to read this is that users are so easy to trick, it's not worth coding complicated intrusion techniques...

    1. Anonymous Coward
      Anonymous Coward

      Yet another way to read this is that the really nasty exploits are being used in targeted attacks and haven't made it into the open black market yet.

      1. Charlie Clark Silver badge

        Yet another way to read this is that the really nasty exploits

        Not really. If the easiest way to compromise a phone is to get the user to install something then that's the thing to do.

    2. Anonymous Coward
      Anonymous Coward

      "Google claims ‘massive’ Stagefright Android bug had 'sod all effect'"

      Translation: - between the combination of Java and Linux there are so many other holes Android is already like a sieve and it really didn't make any difference...

      1. wikkity

        "between the combination of Java and Linux"

        And the fact that most android software is implemented in a particular programming language is significant how?

    3. razorfishsl

      Users are stupid and Greedy, that is why they are Easy.....

    4. Anonymous Coward
      Anonymous Coward

      Have you ever heard a pub declaring its beer is not good?

      That's why independent researchers are needed.... oh wait, paying them handsomely may help to keep them quiet?

  2. Tim99 Silver badge
    Big Brother

    MRDA

    "He would, wouldn't he?" (Mandy Rice-Davies Applies).

  3. Mikel

    Finally a sane article on Android security

    As I've been saying for quite some time. Real people with real Android who get their apps from Google Play just don't have this problem. It's shifty third party app stores, apps from websites emails and torrents that do. Or we would know about it. And if you let Google scan your third party apps, seldom even then.

    But now the Microsoft shills will come and shout "secure software is unpossible!" - because they refused to believe they've been using shoddy quality low security poorly engineered software this whole time.

    And again: antivirus and firewalls are snake oil. They are worse than useless. They are completely the wrong answer to security.

    1. Anonymous Coward
      Anonymous Coward

      Re: Finally a sane article on Android security

      "Real people with real Android who get their apps from Google Play just don't have this problem. It's shifty third party app stores, apps from websites emails and torrents that do"

      Oh really?

      A simple search of tech news suggests Google Play has frequently found to be hosting malware of various types:

      http://www.zdnet.com/article/gooligan-android-malware-grabs-a-million-google-accounts-in-huge-google-play-fraud/

      http://www.ibtimes.co.uk/google-removes-13-android-apps-play-store-infected-brain-test-malware-1537049

      https://blog.lookout.com/blog/2016/09/16/embassy-spyware-google-play/

      https://www.grahamcluley.com/advertising-trojan-100-android-apps-google-play-store/

      ...and many others...

    2. Destroy All Monsters Silver badge
      Paris Hilton

      Re: Finally a sane article on Android security

      As I've been saying for quite some time. Real people with real Android ...

      Not sure whether serious or actually a washing powder salesman now working for the Google.

      1. Anonymous Coward
        Anonymous Coward

        Re: Finally a sane article on Android security

        "I'm not a dentist, but I can tell you....."

    3. William 3 Bronze badge

      Re: Finally a sane article on Android security

      As soon as people make unfounded allegations about other people being shills (usually a main competitor) if they dare disagree with them, I know that it's them who is the shill.

      Cast your mind back, and remember them as the kid in class that used to drop farts, make really loud noises about it being someone else.

      The really good ones at doing this end up in corporate PR or politics.

      1. sabroni Silver badge

        Re: As soon as people make unfounded allegations about other people being shills

        It's not unfounded to read someone's post and say "that makes you sound like a shill". It's understandable when all they're saying is "See! I told you so! This product is great!!".

        I very much doubt the OP is paid by Google, but his cheerleading does smack of salesman.

        1. This post has been deleted by its author

    4. Charlie Clark Silver badge

      Re: Finally a sane article on Android security

      Mikel,

      I agree with most of what you say but I think Jason Bloomberg below makes the better point. People harping on about security flaws in Android aren't necessarily Microsoft (or more likely Apple) shills or fanbois. They're more likely to be just excitable users or occasionally journalists writing clickbait. All software companies should take security seriously. In the Android eco-system this is acknowledged to be less Google's problem than the manufacturers and I don't see it improving without regulation.

      Sometimes you have to go outside the Google Play Store – I do it to get stuff that is geo-blocked for some reason – and this should be possible in any market. Google handles this correctly by disabling it by default but allowing the user to disable it.

      Ant-virus products are mainly fig-leaves but can be useful for some users even if they only spot VBA mischief. Firewalls, depending on your definition, can be very useful, but, yes there is also industry that has spotted a niche by scaring rather than educating users.

      1. Mikel

        Re: Finally a sane article on Android security

        ~ Sometimes people go outside the Play Store

        And if you do that, and you haven't disabled Verify Apps, the app will be verified by Google. If it's known to carry nastiness, it is blocked. If other people who install it drop off the system too often, it is blocked. If it contains any known form of nastiness, it is blocked (a rare form of legitimate malware scan, the app is scanned once per version not once per installation or run). If there's anything at all suspicious about it, it's flagged for review. Then you have to give specific permission for it to have access to features and you can decide if you trust the author and publisher with those features only - not the whole device.

        And if you install it anyway, or disable the Verify Apps feature, or give it access to features that it shouldn't need, then you can't say it's a software insecurity that you suffer the consequences of that choice.

        Don't pretend it's just the app store that's protecting people. It's a lot more than that.

    5. David Lawton

      Re: Finally a sane article on Android security

      You do know that Stage Fright was exploited by sending a specially crafted picture message? Did not need a dodgy app installed, the OS was vulnerable to it out the box.

      I am surprised a tool to exploit this did not end up in the wild and made easily accessible. Would have been interesting if it had.

    6. TheVogon

      Re: Finally a sane article on Android security

      "But now the Microsoft shills will come and shout "secure software is unpossible!" - because they refused to believe they've been using shoddy quality low security poorly engineered software this whole time."

      No, it's not "unpossible" - at least to a degree:

      http://news.softpedia.com/news/white-hat-hacker-claims-windows-phone-is-the-most-secure-mobile-platform-495841.shtml

      http://news.softpedia.com/news/Kaspersky-Says-Windows-Phone-Is-the-Most-Secure-Mobile-OS-483901.shtml

      etc.

    7. Planty Bronze badge

      Re: Finally a sane article on Android security

      Indeed, I have never ever seen a single Android device infection, yet deal with malware infested Windows devices day in day out.

      In many people's eyes, Android is the Windows of the mobile world, which frankly ridiculous, and makes them appear like either a rabid fanboy, a nutter, or a pleb.

      I personally blame security researchers, who seem to want to either sell snakeoil software off the back of the myth, or are basically just a paid Apple pen.

  4. Jason Bloomberg Silver badge
    Black Helicopters

    Risk assessment

    What we have seen recently, in terms of software security, the arguably more serious issue of terrorism, and for any matter of concern really, is the propagation of the notion that if there is a risk it will be exploited to the maximum possible extent.

    Exaggerating the risk is simply fearmongering, but it plays well to the audience of paranoiacs who believe that if it could happen it will happen and there's no guarantee it won't.

    People simply need to get a grip. But that's not the nature of the world we live in today.

  5. teknopaul

    I installed an app from play

    It started to put popups in my notification area slowed down browsing and tried to get me to buy pointless stuff from rusia.

    it was called Kapersky something.

    I uninstalled it.

    1. Anonymous Coward
      Coat

      Re: I installed an app from play

      There's your problem right there. You were socially engineered and duped.

      The program you were supposed to download was Kaspersky, but those clever malware people got you with their 1 digit spelling mistake.

      Better be careful, you can get caught just as easily on the web with mistakes like that...

      1. Stevie

        Re: I installed an app from play

        Confucius say: Smart-ass one-liner work best when only one line, grasshopper.

  6. YourNameHere

    Targets?

    "but exploits abusing the security blunder peaked at less than eight infections per million users"

    Its perfectly secure unless your the people trying to make a difference or are pointing out issues by almost any government any more. At which time you and your family will become one of the 8 in a million. If your just some arm chair quarterback sitting in your lounge chair pointing fingers at everyone else, then your safe.

  7. DrXym

    Kind of obvious really

    The main threats to people are downloading warez and dodgy "sexy screensaver" apps that wants permissions to make calls. There are also occasional Chinese OEM phones with malicious apps preinstalled.

    I expect most people running brand devices and using the Google store are completely safe. Of course if they check their brains in at the door and install some APK that promises a free game, movies or whatever then they could be in for a nasty shock. But sometimes freedom also means the freedom to make stupid decisions.

    1. Anonymous Coward
      Anonymous Coward

      Re: Kind of obvious really

      Yeah, the fear mongering is what makes a smashing story, but now we know what really happened; few, very very few handsets were compromised, and those at the hands of their idiot master. I switched off of those wacky sammy phones and got a fruity fone, mostly for security and for knowning first hand the device my child uses day in/out. But I still keep my S4, it's light and runs my android purchased wares, and has not received more than one OS update ever. Pixel or iPhones are the only way to go these days. Like it or not. The other choices seem to be:

      "Chinese and Amazon Android-based gadgets"

      Don't. Just, don't. There is no valid third choice, it's a trick question! :P

      1. Anonymous Coward
        Anonymous Coward

        Re: Kind of obvious really

        Or you could realise that smart phones are not and never will be actually required, other than through artificial end of lifing of older tech.

        There is only one choice - 2G!!

  8. Anonymous Coward
    Anonymous Coward

    Depends on your motivation

    Exploiting a random Android user is pretty pointless. What's the gain that you can't get other methods?

    Exploiting a particular Android phone, like say an orange president who insists on using his personal phone for tweets and carries it with him everywhere, is a different story entirely. That's easily worth the investment to use one of these bugs to develop a silent exploit that lets you e.g. activate the microphone so you can listen in to conversations taking place near it.

  9. Anonymous Coward
    Anonymous Coward

    Source

    "Software nasties tend to be sleazy apps, installed by punters, that do unpleasant things in the background"

    Or as we know them, Apps you find on Googles Play Store.

  10. razorfishsl

    The guy is an idiot, "very few people" he needs to get out of his little ivory spy tower and start looking at Chinese Android, see if he thinks a few million devices are a "few people"

    Or he could try running a corporate network in china factories, and get to see the "shill devices" that have been specifically engineered to hack corporate networks from the inside.

    Perhaps take a look at WIFI.com, a company that specializes in the theft of corporate WIFI network credentials in the attempt to turn a profit by spreading advertising malware inside corporate systems.

    Then maybe he can be qualified to talks about android "security"

    1. oldcoder

      That has nothing to do with the problem.

      What you are talking about is BUILT to invade networks.

      Since the device is doing what it was designed for, it can't be called "malware", and doesn't reflect at all on Android security.

      It does reflect on the activity of the VENDOR of the device.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like