The Largest Car Forum in the Philippines

  1. Join Date
    Oct 2009
    Posts
    473
    #1
    Could this be true?!?

    Mobile security company Bluebox said today that it recently discovered a vulnerability in Android that makes any Android device released in the last four years vulnerable to hackers who can read your data, get your passwords, and control any function of your phone, including sending texts, making phone calls, or turning on the camera.

    That’s almost 900 million Android devices globally.

    “A Trojan application … has the ability to read arbitrary application data on the device (email, SMS messages, documents, etc.), retrieve all stored account & service passwords,” Bluebox CTO Jeff Forristal posted. “It can essentially take over the normal functioning of the phone and control any function.”

    Bluebox modified an Android device manufacturer’s application to obtain access to all permissions on the device.
    The vulnerability is due to “discrepancies” in how Android apps are approved and verified, Bluebox says, allowing hackers to tamper with application code without changing the app’s cryptographic signatures. That means that an app — any app — which looks perfectly safe and legitimate to an app store, a device, an engineer, or a user could actually have malicious code embedded within it.

    Forristal said that the details of the bug have already been disclosed to Google back in February, and that Google has “notified their device partners.”
    The problem, however, is that because of Android’s fragmented nature and the fact that device manufacturers and mobile carriers release Android updates sporadically if at all, many Android devices are not running the latest software, and cannot be user-updated.

    Forristal puts it diplomatically:
    “The availability of these updates will widely vary depending upon the manufacturer and model in question.”
    If an attacker successfully gains control of an Android device — and Bluebox will be revealing technical details of the vulnerability at hacker conference Black Hat USA 2013 in late July — the hacker essentially gains control of all permissions on the phone or tablet.
    That’s a disaster for users, particularly because many Android users, particularly those in Asian and Eastern countries, use the 500+ independent Android app stores that have little or no authentication or verification procedures to ensure that apps that pass through their services are legit, forming a perfect opportunity for unscrupulous and technically-inclined thieves and spies to gain control of your phone.

    I’ve asked Google for a comment, and received a very simple, terse response from a Google representative:
    We aren’t commenting.

    I’m not sure exactly how to interpret that, but I suspect that Google wants this to get as little press as possible while the company scrambles to get as many Android devices updated as possible before the end of July.

    That’s a challenge, because many carriers have installed franken-versions of Android on devices sold two or three years ago with custom user interfaces and crapware pre-installed apps, and may not be able to turn out new, updated versions of their customized Android version quickly … or have a way to distribute them economically.

    Users who are unsure of their phone’s update status or who are unable to update should be extremely cautious when installing apps, Bluebox says, and be sure to identify the publisher of the app before installing it. In addition, it’s a good idea to only install apps from Google Play, where Google has at least some ability to verify and validate apps — although that does not provide for perfect safety, Forristal said.
    “People should look to upgrade their Android devices and inquire with their device manufacturer to see if they are tackling this issue,” Forristal told me via email. “Enterprises need to invest in comprehensive mobile security solutions that protect the integrity of their data against these kind of vulnerabilities.”
    Read more at Massive Android flaw allows hackers to “take over” and “control” 99% of Android devices (updated) | VentureBeat

  2. Join Date
    Oct 2002
    Posts
    15,528
    #2
    it may, it may not..... IT security is all about awareness, preparation, prevention and remediation.
    as far as i know, the risks in android are the apps, which are used to transport malware....because android app development is different from iOS where in iOS, it gets quality tested first by Apple prior to allowing it for deployment.

    15 year IT security practitioner here.... ;)

  3. Join Date
    Oct 2002
    Posts
    2,286
    #3
    Quote Originally Posted by 1D4LV View Post
    it may, it may not..... IT security is all about awareness, preparation, prevention and remediation.
    as far as i know, the risks in android are the apps, which are used to transport malware....because android app development is different from iOS where in iOS, it gets quality tested first by Apple prior to allowing it for deployment.

    15 year IT security practitioner here.... ;)

    so does it mean that IOS/Apple has a better implementation / support of their software and their 3rd party software developer over Android / Google?

  4. Join Date
    Oct 2002
    Posts
    21,433
    #4
    Quote Originally Posted by 5Speed View Post
    so does it mean that IOS/Apple has a better implementation / support of their software and their 3rd party software developer over Android / Google?
    Yes, if you download apps from the App Store.

    Not sure if you're jailbroken and you get your apps from Cydia or App Cake.

  5. Join Date
    Oct 2002
    Posts
    15,528
    #5
    Quote Originally Posted by 5Speed View Post
    so does it mean that IOS/Apple has a better implementation / support of their software and their 3rd party software developer over Android / Google?
    boybi's correct.... from the official apple store, it is safe.
    from cydia....nope..... not guaranteed.

  6. Join Date
    Feb 2008
    Posts
    12,683
    #6
    Quote Originally Posted by 1D4LV View Post
    it may, it may not..... IT security is all about awareness, preparation, prevention and remediation.
    as far as i know, the risks in android are the apps, which are used to transport malware....because android app development is different from iOS where in iOS, it gets quality tested first by Apple prior to allowing it for deployment.

    15 year IT security practitioner here.... ;)
    I thought google tests their apps that are available on play unless you allow your droid to accept unknown sources or root it.

    Sent from my GT-N7100 using Tapatalk 4 Beta

  7. Join Date
    Oct 2002
    Posts
    2,286
    #7
    there are many mobile companies using android and I think it is one of the reason why there's a proliferation of this issue.

    Each mobile company has their own customization of the Android version (samsung, htc, sony, etc..) on their device and even on different models as well...

    Maybe this is the root of the problem... (not an IT expert here though )

    IOS is only for Apple...


    Anyway I have both platform... I like both of them... hehehe

  8. Join Date
    Nov 2005
    Posts
    2,372
    #8
    Quote Originally Posted by dreamur View Post
    I thought google tests their apps that are available on play unless you allow your droid to accept unknown sources or root it.

    Sent from my GT-N7100 using Tapatalk 4 Beta
    then why is it even i downloaded from play store some of my apps require to check to install from unknown sources.

  9. Join Date
    Oct 2002
    Posts
    15,528
    #9
    Quote Originally Posted by dreamur View Post
    I thought google tests their apps that are available on play unless you allow your droid to accept unknown sources or root it.

    Sent from my GT-N7100 using Tapatalk 4 Beta
    they don't have the proper testing capability as iOS does, otherwise, it contradicts the open sourceness of android.
    and the fact that even in google play, apps that are deemed as legit and still being used by malicious developers.
    going back to my previous statement, IT security is a matter of proactiveness. even though your house has a security lock, you still feel the need to have your home secured, right? same as with your car? it goes the same in computing. the process never ends.

  10. Join Date
    Feb 2008
    Posts
    12,683
    #10
    Agree on this. Are available anti virus that you can download for free good enough to provide protection? I am using AVG and Avast.

    Sent from my GT-N7100 using Tapatalk 4 Beta

  11. Join Date
    Jul 2011
    Posts
    1,181
    #11
    Quote Originally Posted by 1D4LV View Post
    they don't have the proper testing capability as iOS does, otherwise, it contradicts the open sourceness of android.
    and the fact that even in google play, apps that are deemed as legit and still being used by malicious developers.
    going back to my previous statement, IT security is a matter of proactiveness. even though your house has a security lock, you still feel the need to have your home secured, right? same as with your car? it goes the same in computing. the process never ends.
    sir, i'm just curious. what does proper testing have to do with the open sourceness of android?

  12. Join Date
    Oct 2011
    Posts
    26,781
    #12
    Those who always download or watch **** are most vulnerable.

  13. Join Date
    Sep 2003
    Posts
    25,189
    #13
    Most vulnerable are the rooted phones as well, because there's no way to check those modded OS for frankenware.

  14. Join Date
    Sep 2010
    Posts
    1,818
    #14
    a rooted phone isn't always on custom firmware.

    btt: bluebox only provided a screenshot, and details are still to be released at blackhat conf end of july.
    hopefully it is just FUD.

  15. Join Date
    Oct 2002
    Posts
    15,528
    #15
    Quote Originally Posted by s10pao View Post
    sir, i'm just curious. what does proper testing have to do with the open sourceness of android?
    if Google tests everything, the scenario gets closed and controlled, which is not the way open source works.
    people always see opensource as free....not always the case....

  16. Join Date
    Oct 2002
    Posts
    15,528
    #16
    Quote Originally Posted by s10pao View Post
    sir, i'm just curious. what does proper testing have to do with the open sourceness of android?
    if Google tests everything, the scenario gets closed and controlled, which is not the way open source works.
    people always see opensource as free....not always the case....

    in opensource, code should always be available for everyone for manipulation.
    this is where the security issues start.

    btw..... the problem with open source is not on viruses but on malware.

  17. Join Date
    May 2011
    Posts
    1,120
    #17
    If a bad guy can persuade/trick you to run his program on your phone, it's not your phone anymore

  18. Join Date
    Oct 2002
    Posts
    15,528
    #18
    Quote Originally Posted by xninjax View Post
    If a bad guy can persuade/trick you to run his program on your phone, it's not your phone anymore
    true..... and how to do that? by inserting malwares that open your phone, install keyloggers in legit applications.

  19. Join Date
    Aug 2003
    Posts
    3,273
    #19
    Quote Originally Posted by 1D4LV View Post
    if Google tests everything, the scenario gets closed and controlled, which is not the way open source works.
    people always see opensource as free....not always the case....

    in opensource, code should always be available for everyone for manipulation.
    this is where the security issues start.

    btw..... the problem with open source is not on viruses but on malware.
    i think you have the wrong idea about the nature of the issue, open source, and testing.

    every major software company does extensive testing but they can't test EVERYTHING. they make tests for each use case they can think of but they can't cover everything. that's why there are regular patches and updates from Google, MS, and, yes, even Apple. some bugs are serious, some are not. it just turns out this current Android bug is a serious security flaw.

    whether closed source or open source if software companies can test absolutely everything then we would live in a perfect world and there would be no software bugs and security issues that require patching.

    finally, the issue has nothing to do with open source at all. it has to do with hacking and security protocols. bluebox tampered with an application to grant it all permissions (to do anything) on the device. hackers don't have to have your source code to make trojan applications. the problem with android is its security protocols but the hack is in the apps which are mostly closed source.
    Last edited by roninblade; July 8th, 2013 at 01:41 PM.

  20. Join Date
    Oct 2011
    Posts
    26,781
    #20
    I think no one is safe in our times now. We are now vulnerable to hacking / phishing.
