Android bug lets attackers install malware without warning

It's been more than a month since researchers reported two serious security vulnerabilities in Android, but so far there's no indication when they will be purged from the Google-spawned operating system that's the world's most popular smartphone platform. The first flaw allows apps to be installed without prompting users for …

COMMENTS

This topic is closed for new posts.
  1. Paul Crawford Silver badge

    Time for liability?

    There really should be a consumer protection law that would punish suppliers who fail to fix vulnerabilities in a reasonable time scale and for, say, 5 years after official "end of life" for buying a product.

    Something like liability for all damages, irrespective of the license T&C, if they fail to patch within 1 month of disclosure perhaps?

    I'm not just talking about Android, the "new windows" of security, but for ALL software and hardware. And no wiggle room.

    Yes it would cost a little, but it would also focus suppliers on releasing decent designs, and not a "ship the crap then forget" model that seems to be today's norm.

    1. nyelvmark

      @Paul Crawford

      Uh huh. Now go find the box your phone came in, and read the warranty / licence agreement. Be assured that these were written by highly-competent (and highly-paid) lawyers. If you don't like what they say, you have 3 options:

      1 - Ask your MP to introduce retroactive legislation modifying the law of contracts. This is unlikely to happen, as it would probably fall foul of European law;

      2 - Assemble a small army of lawyers and challenge Google. This might work, if you have enough money.

      3 - Wipe the phone, give the silly toy to your kids and go buy a sensible phone for a tenner.

      1. Dazed and Confused

        @nyelvmark

        Well he did say irrespective of the Ts&Cs.

        But your license might well not be worth the paper it isn't printed on. If a Judge decides that the terms are not reasonable then they don't stand.

        Companies cannot write contracts, at least over here they can't, that exempt them from their legal responsibilities.

        Now the licences may well say "tough luck son, you have no rights whatsoever except to bend over and take what's coming to you coz we pay mega-buck lawyers - so shut up and pay up", which is what the average licence agreement says.

        But if a judge feels differently...

        Occasionally judges do.

        Then the big companies get the sort of kick up the arse they normally reserve for their customers.

      2. Paul Crawford Silver badge

        @nyelvmark

        What I am suggesting is a new/change to the law so all new products, irrespective of their type and T&C, must be "adequately secure" and maintained that way free of charge by the supplier for 5 years after sale. Otherwise the supplier bears all costs of failure.

        It would get rid of the T&C you refer to and make sure that suppliers of ANY goods such as a car, TV, phone, laptop, etc, are all bound to the same standard for dealing with security fixes in a 'reasonable timescale'.

        After all, it's not that hard to do: you start with a decent design that has security as a core part of the requirements, and then keep the design team (or part of them) fixing things as they come up, and have the systems in place to allow patches to be deployed automatically to the consumers.

        Hell, even MS, the original master of incompetent security, now mostly manages that (though not always the 1 month fix time, unless it's made public and they *have to* speed things along).

        That is perfectly within reason for a consumer protection law, and ideally it would be an EU-wide one. Just what is wrong with that suggestion?

      3. 2cent

        Google's Fault for supporting Homo-Sapiens

        "2 - Assemble a small army of lawyers and challenge Google. This might work, if you have enough money."

        Unless I am mistaken, it is the manufacturers that are not updating the software.

        Why would they? As Homo sapiens using their quick wits, hardware manufacturers can carry the ball, drop it just before the hard hit and move on to the next goal (next product). The rule is "a new ball may be given to a player who dropped the ball, or players may accept a new ball at any time".

        Note: the field is circular with goals constantly changing according to lights mounted above the goal, with dollar signs colour coded to your team jersey. Different teams may come and go as they please.

        The game is pretty tough on Cro-Magnon.

    2. Ken Hagan Gold badge

      Re: There should be a law

      Why does there have to be a law? If you don't like insecure, closed source products, take your business elsewhere. Buy a dumb phone.

      And if you introduce a law, what's "vulnerable"? What's "reasonable"? What's "fixed"? I'm sure the lawyers will have a gay old time trying to argue that one out and I'm sure the manufacturers will have more expensive lawyers than you will, so what have you actually achieved?

    3. Vic

      Re: Time for liability?

      > Something like liability for all damages

      No.

      It's a really appealing notion when you've just been hit by faulty software, but it would be a bad thing in the long run.

      High-reliability code is realistic - but *extremely* expensive to develop. That means you pay more for anything that uses it. So new products are no longer priced in the hundreds of pounds, but in the thousands. And nobody buys them.

      The practical upshot of such legislation would be to kill off any new products *and* any updates for old products. So you get a worse situation all round...

      Vic.

    4. Neil C Smith

      Phone Companies should be liable too!

      It's time to make phone companies partly responsible for security. For the large number of people on contract phones (not me anymore - fed up with it!) then if the phone companies want to lock down these phones they should also be made to provide timely updates. If the phones aren't made secure in a timely fashion then that should be reason to void the contract. In fact, if they're knowingly not providing security fixes, that's probably breaking some law or other already - maybe it's time for a test legal case?!

  2. Wize

    Apple does have the plus that they only have one hardware platform...

    ...but that's also a minus as we like to have a range of devices. I like that I'm typing this on my phone's slide out keyboard. It's always the choice you have. Stick with 'one size fits all' or get one that fits you snugly but wait for the software to be made to measure.

    At least we aren't being forced to take Vodafone's 360

  3. Anonymous Coward

    Bring it on!

    I still can't get root on my HTC Wildfire (running Android 2.2)

    Apparently no-one's found a usable vulnerability yet :-/

    1. This post has been deleted by its author

      1. thasaleni

        android

        No you can't, I tried that Cyanogen and it says I've got new firmware and can't root

    2. twunt

      Rooting the Wildfire

      Yes you can - idiot

      http://forum.xda-developers.com/showthread.php?t=788776

      1. thasaleni

        No you can't, you IDIOT. Read the comments on that post and you'll see all Wildfire users are complaining. Tried it too and it didn't work.

  4. ozmark

    Without warning?

    Whatever happened to the good old days when malware would install WITH warning. I tell you, civility has gone completely out of the window.

    1. DanW

      Polite malware

      I take it you are referring to malware like this...

      http://www.symantec.com/security_response/writeup.jsp?docid=2000-121813-2851-99&tabid=2

      Before attempting to infect the document, it displays this message:

      Shall I infect the file ?

  5. Anonymous Coward

    This is why I don't use a smartphone...

    ...no matter what brand or type. I'm happy with my Samsung Jet.

    I just want a phone which helps me to do "phoney" things ;-)

    Yes, it's very handy that I can also surf the Net, retrieve my e-mail, listen to mp3s, use GPS, and even jot down memos. But that's all I need.

    At least I don't have to worry about malware and other crap finding its way onto my phone one way or the other, simply because it's pretty much locked down. About the only extensions available are through Java ME and those Samsung plugin thingies (whose name I forgot).

  6. Anonymous Coward

    Android is Number ONE!!!!

    errrrrm in security flaws! in longest unpatched security flaws! in largest user base of officially software-abandoned devices! in not so crash hot quality numbers of apps! of errrr damn how embarrassing for something so promising!

    1. Darren 12

      I agree. It's also number one for innovation, number one for customizability, and number one for openness (not completely open but much more so than iOS or WP7, eg. custom ROMs). Given all that, it's the number one OS for me.

    2. gisabsr

      scratches neckbeard and waves hands

      but, but, it's Ooooooopen!

      1. Ken Hagan Gold badge

        You might want to ask RMS about that. Have you tried fixing this latest vulnerability yourself and recompiling from source?

        For all practical purposes, Android is closed source and proprietary.

  7. Jolyon Smith

    What a load of fuss about nothing

    So he created some malware and managed to get it into Marketplace. Big deal. The problem isn't with Android it's with the verification procedures (if any) in the *Marketplace*.

    Fix that and the only people who could be affected by such apps are those who have already chosen to take software from *unverified* sources and put them on their device.

    This is like saying that creating a form of petrol which causes cars to explode and managing to sneak it into the storage tanks of a filling station is a "vulnerability in the internal combustion engine". It's not, it's a problem with the security of the filling station.

    The same applies to the second so-called vulnerability also... the software still has to somehow make it onto your phone in order to "attack" it. Address the channels by which software gets on the phone and the vulnerability disappears.

    The comparison with iPhone/iOS concentrates on differences/similarities in the hardware/OS but neglects to address differences in the way the marketplace for apps for the two platforms are administered.

    1. Rob Daglish

      I thought he'd made an app, which installed more apps without permission? Ok, it posed as a wanted app, people agreed to give it permissions, then it snuck some other apps in without telling anyone?

      Once he'd got the Trojan on, it didn't matter where it came from, as it presumably went off to its own headend to get the software rather than from the marketplace.

      I completely agree that it's down to proper vetting of apps before they are released - with iOS, you never really had to worry about apps on the AppStore, but I do find myself being much more careful on Marketplace. But if any hacker would care to write some malware to stop my phone randomly rebooting, I'll take it!

  8. Patrick 8

    forget all smartphones, I'm off this roller-coaster

    I bought my wife a first generation iPod touch when I got my smartphone. I have since used and gone through all the majors from Blackberry, iPhone, Android. I've noticed that these "very expensive" and therefore "very profit making" devices are not long-lived with all the carrying, dropping and general day-to-day abuse they must maintain. Talk about turn-over profit cash cow business model. And here I look at the wife, whose iPod is still in great nick with only scratches showing on the rear metal case and it runs just as well and fast as the day I bought it for her, is thin as no smartphone has ever been and has what appears to be as strong a battery as when new. Since going through many XP to Windows 7 update woes I've had no end of syncing issues of one type or another, from crashing DLL hell to desktop software that decides to strip out all phone numbers and details bar one. Although not a fan of iTunes on Windows I tested it out and got no errors on sync from the first get go.

    Therefore I am seriously in the camp of considering getting out my still newish, dumb, tiny, super lightweight Nokia as a phone and using it as a dongle for the laptop as well, and getting whatever generation iPod touch, be it fifth or sixth, as my core business requirement is perfect sync with Outlook/Exchange calendars. Android seems to ignore the non-smartphone form factor of the iPod touch and I'm not interested in a tablet, as I want a tiny super lightweight device in my suit jacket that I don't have to faff around with, root break this or arm wrestle that, to get updated software 1. even installed, let alone 2. actually working with a. the device and b. the desktop software.

    1. cloudgazer

      Actually top end smartphone hardware is very long lived

      Hmm I dropped my iPhone-1 a lot and it still survived handily till the iPhone-4 launched with just a bit of darkening on one corner of the screen (near a particularly big ding in the metal - I dropped it a LOT).

      The iP4 I've been more careful with, mostly because I picked up a nice Shure hands-free set for my Shure ear-phones and so there's really no reason for me to ever drop it. As a result it's pretty much immaculate, with a few very minor scratches.

      Physically speaking top end Android devices are likely to be fairly robust too, a friend is rocking a hand-me-down HTC phone that is I believe around 2 years old and it's still in good nick. 3 years of life shouldn't be considered exceptional - the problem is that they mostly don't get 3 years of software support, heck they mostly don't get 1.

      By all means get a Touch, just don't expect that if you are the kind of person who destroys his smartphones that a Touch will be somehow immune to your clumsiness. Better to just invest in a good case and a good handsfree set.

  9. Steve Evans

    For once...

    Delays in updates aren't the fault of phone carriers. The phone manufacturers are the biggest bottleneck/slackers. Many of the "older" (aka released last year) HTC handsets have only just received the Gingerbread update which Google released at the end of 2010.

    I will be amazed if most of these handsets receive another upgrade before being dumped from support, even though owners could still be paying for them on a 24 month contract.

    I'm all in favour of continual development, but if manufacturers continue to absolve themselves of any responsibility towards existing owners, I for one will continue hopping to different manufacturers - I'm already keeping tabs on how a few others treat existing customers for when I buy my next phone, and of course their attitude to rooting.

    1. Paul Shirley

      I for one will continue insisting any phone has vigorous 3rd party firmware support *before* I buy it. At least I'll have frequent fixes AND a choice of who to trust building it... and I trust some of the hobbyists more than any phone manufacturer right now.

      Beyond that: it's a phone, a basic assumption is the bad guy will have physical possession of it and access to hardware hacking tools nullifying any security care of a dodgy unlock shop. Putting anything you care to lose on one is a big mistake with or without remote exploits. You want security, buy something secure, it just won't be an affordable smartphone.

    2. twunt

      It doesn't help

      That HTC bring out so many handsets - a rate of about 1 Android per month - even more if you include international and carrier variants.

      They are simply not interested in updating your 1 year old handset - they want you to buy a new one.

  10. All names Taken

    Nothing new here. Move along now. Vit!

    A computer operating system with a security issue is news?

  11. Andy Watt

    Alas...

    I just don't see Google suddenly adopting Apple's approval strategy, but I hope they do.

    1. Darren 12

      I certainly hope they do not. I'm happy to take responsibility for the software I install on my phone if it means that I get to choose - not Google or Apple - what I do with my phone. For these sorts of tricks to work, people have to install software from unknown publishers with less than 1000 installs. They can go ahead and do that but I won't. If you want a company to decide what apps are appropriate for you to use, you should get an iPhone.

      1. Andy Watt

        @Darren12 - Yeah, but you're clever enough to care...

        I'm sorry, but you'll have to put up with a degree of control. I made a suggestion on another forum discussing Android security approaches (there's an awful lot of discussion on it, could that indicate SOMEthing...?) that the better security model is "opt-out" locked-down - you apply to have your phone unlocked, as a dev or tech-savvy party, at which point you can do what the hell you like. Sort of like "official jailbreaking".

        This way there can be a self-selecting and self-sizing community of tech-savvy happy people like yourself, and the platform can survive and grow off the masses who enjoy a safe, enjoyable, long-battery-life experience, blissfully unaware they can break out of Google's "walled garden" app store if they wanted.

        While you might be happy (and clever, and intuitive) enough to take responsibility, it doesn't matter if 500 million other people don't care and install some hideous botnet trojan masquerading as Angry Birds, because Google can't be arsed policing the store properly. The platform will get a reputation as a shit-pit of malware and people will abandon it as their bills start coming in with massive premium call / SMS charges.

        You can't educate either - the platform's sheer installed user base is one of the biggest reasons it's getting hit with malware, like Windows does. It's vulnerable by design so that geeks like us can fiddle with it if we like, but that means it's open to social engineering malware attacks.

        And your last words - "you should get an iPhone" - are exactly what disillusioned punters will do. Then it's bye bye android...

  12. E 2

    Oh noes!

    Evil doers are going to ownz teh brains of my cell phone!

  13. bazza Silver badge

    Updates?

    "One of the hopes for Android a few years back was that it would be a viable alternative to Apple's iOS, both in terms of features and security. With the passage of time, the error of that view is becoming harder to ignore. By our count, Google developers have updated Android just 16 times since the OS debuted in September 2008."

    Google may have updated Android 16 times, but I bet the number of updates actually delivered to every end user by the manufacturers and networks, with all those varied handsets and configurations to support, is far, far lower than that.

    All it will take is for some massively unacceptable hack to take place (e.g. all Android phones disabled by some virus) and suddenly the buying public will vote with their wallets and buy something else. Seems that Android is, amongst all the mobile platforms out there, significantly vulnerable to that. Are SE, HTC, etc. wise to base their entire business on such fragile foundations?

  14. TeeCee Gold badge

    Interesting.

    "The vulnerability is contained in code device manufacturer have put into....."

    So someone out there's got driver or UI cruft code that needs a backdoor through the security layers in order to work. As the Nexus S is mentioned, I have to suspect hardware drivers as the Nexus phones are famously "vanilla".

    So patching the vuln almost certainly means something important will stop working as a result, unless the drivers are rewritten to respect the security model. Effort here will almost certainly be directed at fixing this in the manufacturer's *next* range of products first, then older stuff if they've nothing better to do.

    Conclusion: Affected users awaiting a fix for that one probably shouldn't hold their breath........

  15. Anonymous Coward

    The trouble is

    People are not likely to run AV on their smartphones if it causes the phone to sap the battery quicker because the CPU is working harder.

    I've also noticed that with HTC devices (I've just bought a Desire S) the antenna position at the bottom means the phone has to work harder to maintain a signal, thus hitting the battery.

  16. Ben Norris

    No new law required, phone companies already liable

    Under the Sale of Goods Act companies are already required to ensure that phones are fit for purpose and free of defects, and are liable for consequential losses.

    This covers security and software bugs already.

  17. Anonymous Coward

    Lots of viruses go unreported

    My son's iPod was infected for months; to be honest I was quite happy about it as the thing became too annoying to use!

  18. Anonymous Coward

    You can't have both

    Security and flexibility are usually inversely proportional.

    That said, all of the prominent mobile OSes (iOS, WP7 and Android) are inherently robust and secure systems, subscribing to sandboxing, privileges etc. But we all know no system is entirely bug-free, hence the security breaches etc.

    The thing is: if you want the walled-in, One True Way approach you are better served with iOS or WP7, where all handsets are identical (OSwise). Easier to secure, but much less flexible.

    The moment you allow the telcos to meddle with the updates, coupled with the variety of devices that sport Android, we get where we are today.

    I agree with the mandatory liability clause. If the telco is late in pushing updates/patches, they should be penalized. If the device is unbranded, then the manufacturer should be held responsible. The OTA update framework is there for a reason.
