Android bug lets attackers install malware without warning

It's been more than a month since researchers reported two serious security vulnerabilities in Android, but so far there's no indication when they will be purged from the Google-spawned operating system that's the world's most popular smartphone platform. The first flaw allows apps to be installed without prompting users for …


This topic is closed for new posts.
  1. Paul Crawford Silver badge

    Time for liability?

    There really should be a consumer protection law that would punish suppliers who fail to fix vulnerabilities in a reasonable time scale and for, say, 5 years after official "end of life" for buying a product.

    Something like liability for all damages, irrespective of the license T&C, if they fail to patch within 1 month of disclosure perhaps?

    I'm not just talking about Android, the "new windows" of security, but for ALL software and hardware. And no wiggle room.

    Yes it would cost a little, but it would also focus suppliers on releasing decent designs, and not a "ship the crap then forget" model that seems to be today's norm.

    1. nyelvmark

      @Paul Crawford

      Uh huh. Now go find the box your phone came in, and read the warranty / licence agreement. Be assured that these were written by highly-competent (and highly-paid) lawyers. If you don't like what they say, you have 3 options:

      1 - Ask your MP to introduce retroactive legislation modifying the law of contracts. This is unlikely to happen, as it would probably fall foul of European law;

      2 - Assemble a small army of lawyers and challenge Google. This might work, if you have enough money.

      3 - Wipe the phone, give the silly toy to your kids and go buy a sensible phone for a tenner.

      1. Dazed and Confused


        Well he did say irrespective of the Ts&Cs.

        But your license might well not be worth the paper it isn't printed on. If a Judge decides that the terms are not reasonable then they don't stand.

        Companies cannot write contracts, at least over here they can't, that exempt them from their legal responsibilities.

        Now the licenses may well say "tough luck son, you have no rights whatsoever except to bend over and take what's coming to you coz we pay mega-buck lawyers - so shut up and pay up" which is what the average license agreement says.

        But if a judge feels differently...

        Occasionally judges do.

        Then the big companies get the sort of kick up the arse they normally reserve for their customers.

      2. Paul Crawford Silver badge


        What I am suggesting is a new/change to the law so all new products, irrespective of their type and T&C, must be "adequately secure" and maintained that way free of charge by the supplier for 5 years after sale. Otherwise the supplier bears all costs of failure.

        It would get rid of the T&C you refer to and make sure that suppliers of ANY goods such as a car, TV, phone, laptop, etc, are all bound to the same standard for dealing with security fixes in a 'reasonable timescale'.

        After all, it's not that hard to do: you start with a decent design that has security as a core part of the requirements, and then keep the design team (or part of them) fixing things as they come up, and have the systems in place to allow patches to be deployed automatically to the consumers.

        Hell, even MS, the original master of incompetent security, now mostly manages that (though not always the 1 month fix time, unless it's made public and they *have to* speed things along).

        That is perfectly within reason for a consumer protection law, and ideally it would be an EU-wide one. Just what is wrong with that suggestion?

      3. 2cent

        Google's Fault for supporting Homo-Sapiens

        "2 - Assemble a small army of lawyers and challenge Google. This might work, if you have enough money."

        Unless I am mistaken, it is the manufacturers that are not updating the software.

        Why would they, as Homo-Sapiens using their quick wits, hardware manufacturers can carry the ball, drop it just before the hard hit and move on to the next goal (next product). The rule is "a new ball may be given to a player who dropped the ball or while players may accept a new ball at any time".

        Note: the field is circular with goals constantly changing according to lights mounted above the goal with dollar signs colour coded to your team jersey. Different teams may come and go as they please.

        The game is pretty tough on Cro-Magnon.

    2. Ken Hagan Gold badge

      Re: There should be a law

      Why does there have to be a law? If you don't like insecure, closed source products, take your business elsewhere. Buy a dumb phone.

      And if you introduce a law, what's "vulnerable"? What's "reasonable"? What's "fixed"? I'm sure the lawyers will have a gay old time trying to argue that one out and I'm sure the manufacturers will have more expensive lawyers than you will, so what have you actually achieved?

    3. Vic

      Re: Time for liability?

      > Something like liability for all damages


      It's a really appealing notion when you've just been hit by faulty software, but it would be a bad thing in the long run.

      High-reliability code is realistic - but *extremely* expensive to develop. That means you pay more for anything that uses it. So new products are no longer priced in the hundreds of pounds, but in the thousands. And nobody buys them.

      The practical upshot of such legislation would be to kill off any new products *and* any updates for old products. So you get a worse situation all round...


    4. Neil C Smith

      Phone Companies should be liable too!

      It's time to make phone companies partly responsible for security. For the large number of people on contract phones (not me anymore - fed up with it!) then if the phone companies want to lock down these phones they should also be made to provide timely updates. If the phones aren't made secure in a timely fashion then that should be reason to void the contract. In fact, if they're knowingly not providing security fixes, that's probably breaking some law or other already - maybe it's time for a test legal case?!

  2. Wize

    Apple does have the plus that they only have one hardware platform...

    ...but that's also a minus as we like to have a range of devices. I like that I'm typing this on my phone's slide out keyboard. It's always the choice you have. Stick with 'one size fits all' or get one that fits you snugly but wait for the software to be made to measure.

    At least we aren't being forced to take Vodafone's 360

  3. Anonymous Coward

    Bring it on!

    I still can't get root on my HTC Wildfire (running Android 2.2)

    Apparently no-one's found a usable vulnerability yet :-/

    1. This post has been deleted by its author

      1. thasaleni


        No you can't, I tried that Cyanogen and it says I've got a new firmware and can't root

    2. twunt

      Rooting the Wildfire

      Yes you can - idiot

      1. thasaleni

        No you can't, you IDIOT. Read the comments on that post and you'll see all Wildfire users are complaining. Tried it too and it didn't work

  4. ozmark

    Without warning?

    Whatever happened to the good old days when malware would install WITH warning. I tell you, civility has gone completely out of the window.

    1. DanW

      Polite malware

      I take it you are referring to malware like this...

      Before attempting to infect the document, it displays this message:

      Shall I infect the file ?

  5. Anonymous Coward

    This is why I don't use a smartphone... no matter what brand or type. I'm happy with my Samsung Jet.

    I just want a phone which helps me to do "phoney" things ;-)

    Yes, it's very handy that I can also surf the Net, retrieve my e-mail, listen to mp3s, use GPS, and even jot down memos. But that's all I need.

    At least I don't have to worry about malware and other crap finding its way onto my phone one way or the other; simply because it's pretty much locked down. About the only extensions available are through Java ME and those Samsung plugin thingies (whose name I forgot).

  6. Anonymous Coward

    Android is Number ONE!!!!

    errrrrm in security flaws! in longest unpatched security flaws! in largest user base of officially software-abandoned devices! in not so crash hot quality numbers of apps! of errrr damn how embarrassing for something so promising!

    1. Darren 12

      I agree. It's also number one for innovation, number one for customizability, and number one for openness (not completely open but much more so than iOS or WP7, eg. custom ROMs). Given all that, it's the number one OS for me.

    2. gisabsr

      scratches neckbeard and waves hands

      but, but, it's Ooooooopen!

      1. Ken Hagan Gold badge

        You might want to ask RMS about that. Have you tried fixing this latest vulnerability yourself and recompiling from source?

        For all practical purposes, Android is closed source and proprietary.

  7. Jolyon Smith

    What a load of fuss about nothing

    So he created some malware and managed to get it into Marketplace. Big deal. The problem isn't with Android it's with the verification procedures (if any) in the *Marketplace*.

    Fix that and the only people who could be affected by such apps are those who have already chosen to take software from *unverified* sources and put them on their device.

    This is like saying that creating a form of petrol which causes cars to explode and managing to sneak it into the storage tanks of a filling station is a "vulnerability in the internal combustion engine". It's not, it's a problem with the security of the filling station.

    The same applies to the second so-called vulnerability also... the software still has to somehow make it onto your phone in order to "attack" it. Address the channels by which software gets on the phone and the vulnerability disappears.

    The comparison with iPhone/iOS concentrates on differences/similarities in the hardware/OS but neglects to address differences in the way the marketplace for apps for the two platforms are administered.

    1. Rob Daglish Bronze badge

      I thought he'd made an app, which installed more apps without permission? Ok, it posed as a wanted app, people agreed to give it permissions, then it snuck some other apps in without telling anyone?

      Once he'd got the Trojan on, it didn't matter where it came from, as it presumably went off to its own headend to get the software rather than from the marketplace.

      I completely agree that it's down to proper vetting of apps before they are released - with iOS, you never really had to worry about apps on the AppStore, but I do find myself being much more careful on marketplace, but if any hacker would care to write some malware to stop my phone randomly rebooting, I'll take it!

  8. Patrick 8

    forget all smartphones, I'm off this roller-coaster

    I bought my wife a first generation iPod touch when I got my smartphone. I have since used and gone through all the majors from Blackberry, iPhone, Android. I've noticed that these "very expensive" and therefore "very profit making" devices are not long-lived with all the carrying, dropping and general day-to-day abuse they must maintain. Talk about turn-over profit cash cow business model. And here I look at the wife whose iPod is still in great nick with only scratches showing on the rear metal case and it runs just as good and fast as day one I bought it for her, is thin as no smartphone has ever been and has what appears to be as strong a battery as when new. Since going through many XP to Windows 7 update woes I've had no end of syncing issues of one type or another from crashing dll hell to those desktop software that decide to strip out all phone numbers and details bar one. Although not a fan of iTunes on Windows I tested it out and got no errors on sync from the first get go.

    Therefore I am seriously in the camp of considering getting out my still newish dumb tiny super light weight nokia as a phone and using it as a dongle for the laptop as well and getting whatever generation iPod touch, be it fifth or sixth? as my core business requirement is perfect sync with Outlook/Exchange calendars. Android seems to ignore the non-smartphone form factor of iPod Touch and I'm not interested in a tablet as I want a tiny superlight weight device in my suit jacket that I don't have to faff around with root break this or arm wrestle that to get updated software 1. even installed let alone 2. actually working with a. the device and b. the desktop software.

    1. cloudgazer

      Actually top end smartphone hardware is very long lived

      Hmm I dropped my iPhone-1 a lot and it still survived handily till the iPhone-4 launched with just a bit of darkening on one corner of the screen (near a particularly big ding in the metal - I dropped it a LOT).

      The iP4 I've been more careful with, mostly because I picked up a nice Shure hands-free set for my Shure ear-phones and so there's really no reason for me to ever drop it. As a result it's pretty much immaculate, with a few very minor scratches.

      Physically speaking top end Android devices are likely to be fairly robust too, a friend is rocking a hand-me-down HTC phone that is I believe around 2 years old and it's still in good nick. 3 years of life shouldn't be considered exceptional - the problem is that they mostly don't get 3 years of software support, heck they mostly don't get 1.

      By all means get a Touch, just don't expect that if you are the kind of person who destroys his smartphones that a Touch will be somehow immune to your clumsiness. Better to just invest in a good case and a good handsfree set.

  9. Steve Evans

    For once...

    Delays in updates aren't the fault of phone carriers. The phone manufacturers are the biggest bottleneck/slackers. Many of the "older" (aka released last year) HTC handsets have only just received the gingerbread update which Google released at the end of 2010.

    I will be amazed if most of these handsets receive another upgrade before being dumped from support, even though owners could still be paying for them on a 24 month contract.

    I'm all in favour of continual development, but if manufacturers continue to absolve themselves of any responsibility towards existing owners, I for one will continue hopping to different manufacturers - I'm already keeping tabs on how a few others treat existing customers for when I buy my next phone, and of course their attitude to rooting.

    1. Paul Shirley

      I for one will continue insisting any phone has vigorous 3rd party firmware support *before* I buy it. At least I'll have frequent fixes AND a choice of who to trust building it... and I trust some of the hobbyists more than any phone manufacturer right now.

      Beyond that: it's a phone, a basic assumption is the bad guy will have physical possession of it and access to hardware hacking tools nullifying any security care of a dodgy unlock shop. Putting anything you care to lose on one is a big mistake with or without remote exploits. You want security, buy something secure, it just won't be an affordable smartphone.

    2. twunt

      It doesn't help

      That HTC bring out so many handsets - a rate of about 1 Android per month - even more if you include international and carrier variants.

      They are simply not interested in updating your 1 year old handset - they want you to buy a new one.

  10. All names Taken

    Nothing new here. Move along now. Vit!

    A computer operating system with a security issue is news?

  11. Andy Watt


    I just don't see Google suddenly adopting apple's approval strategy, but I hope they do.

    1. Darren 12

      I certainly hope they do not. I'm happy to take responsibility for the software I install on my phone if it means that I get to choose - not Google or Apple - what I do with my phone. For these sorts of tricks to work, people have to install software from unknown publishers with less than 1000 installs. They can go ahead and do that but I won't. If you want a company to decide what apps are appropriate for you to use, you should get an iPhone.

      1. Andy Watt

        @Darren12 - Yeah, but you're clever enough to care...

        I'm sorry, but you'll have to put up with a degree of control. I made a suggestion on another forum discussing Android security approaches (there's an awful lot of discussion on it, could that indicate SOMEthing...?) that the better security model is "opt-out" locked-down - you apply to have your phone unlocked, as a dev or tech-savvy party, at which point you can do what the hell you like. Sort of like "official jailbreaking".

        This way there can be a self-selecting and self-sizing community of tech-savvy happy people like yourself, and the platform can survive and grow off the masses who enjoy a safe, enjoyable, long-battery-life experience, blissfully unaware they can break out of Google's "walled garden" app store if they wanted.

        While you might be happy (and clever, and intuitive) enough to take responsibility, it doesn't matter if 500 million other people don't care and install some hideous botnet trojan masquerading as angry birds, because Google can't be arsed policing the store properly. The platform will get a reputation as a shit-pit of malware and people will abandon it as their bills start coming in with massive premium call / SMS bills.

        You can't educate either - the platform's sheer installed user base is one of the biggest reasons it's getting hit with malware, like Windows does. It's vulnerable by design so that geeks like us can fiddle with it if we like, but that means it's open to social engineering malware attacks.

        And your last words - "you should get an iPhone" - are exactly what disillusioned punters will do. Then it's bye bye android...

  12. E 2

    Oh noes!

    Evil doers are going to ownz teh brains of my cell phone!

  13. bazza Silver badge


    "One of the hopes for Android a few years back was that it would be a viable alternative to Apple's iOS, both in terms of features and security. With the passage of time, the error of that view is becoming harder to ignore. By our count, Google developers have updated Android just 16 times since the OS debuted in September 2008."

    Google may have updated Android 16 times, but I bet the number of updates actually delivered to every end users by the manufacturers and networks with all those varied handsets and configurations to support is far, far lower than that.

    All it will take is for some massively unacceptable hack to take place (e.g. all Android phones disabled by some virus) and suddenly the buying public will vote with their wallets and buy something else. Seems that Android is, amongst all the mobile platforms out there, significantly vulnerable to that. Are SE, HTC, etc. wise to base their entire business on such fragile foundations?

  14. TeeCee Gold badge


    "The vulnerability is contained in code device manufacturer have put into....."

    So someone out there's got driver or UI cruft code that needs a backdoor through the security layers in order to work. As the Nexus S is mentioned, I have to suspect hardware drivers as the Nexus phones are famously "vanilla".

    So patching the vuln almost certainly means something important will stop working as a result, unless the drivers are rewritten to respect the security model. Effort here will almost certainly be directed at fixing this in the manufacturer's *next* range of products first, then older stuff if they've nothing better to do.

    Conclusion: Affected users awaiting a fix for that one probably shouldn't hold their breath........

  15. Anonymous Coward

    The trouble is

    People are not likely to run AV on their smartphones if it causes the phone to sap the battery quicker because the CPU is working harder.

    I've also noticed that with HTC devices (I've just bought a Desire S) the antenna position at the bottom means the phone has to work harder to maintain a signal, thus hitting the battery.

  16. Ben Norris

    No new law required, phone companies already liable

    Under the sale of goods act companies are already required to ensure that phones are fit for purpose, free of defects and liable for consequential losses.

    This covers security and software bugs already.

  17. Anonymous Coward

    Lots of viruses go unreported

    My son's iPod was infected for months, to be honest I was quite happy about it as the thing became too annoying to use!

  18. Anonymous Coward

    You can't have both

    Security and flexibility are usually inversely proportional.

    That said, all of the prominent mobile OSes (iOS, WP7 and Android) are inherently robust and secure systems, subscribing to sandboxing, privileges etc. But we all know no system is entirely bug-free, hence the security breaches etc.

    The thing is: if you want the walled-in, One True Way approach you are better served with iOS or WP7, where all handsets are identical (OSwise). Easier to secure, but much less flexible.

    The moment you allow the telcos to meddle with the updates, coupled with the variety of devices that sport Android, we get where we are today.

    I agree with the mandatory liability clause. If the telco is late in pushing updates/patches, they should be penalized. If the device is unbranded, then the manufacturer should be held responsible. The OTA update framework is there for a reason.


Biting the hand that feeds IT © 1998–2022