
I sense...
Furious typing on keyboards with the @ sign in the wrong place...
A four-year-old Android bug could be used to plant malware on 99 per cent of Android devices on the market, according to security researchers. Bluebox Security CTO Jeff Forristal said the vulnerability in Android’s security model creates a means for hackers to modify an Android app's APK code without breaking its cryptographic …
The malicious app still needs to be installed by the user, the user is still warned what privileges are asked for.
This is so much more effort than just writing malware and calling it "angry birds", hoping someone will download and side load it. It's not like this master key allows malicious apps to replace the genuine ones served up by the Play Store.
Most normal Android users are protected by the default setting that doesn't allow sideloading; those of us that like the freedom to side load apps are, I would hope, smart enough to notice when an app is asking for odd permissions.
I've seen this reported many times but congrats on El Reg for the most sensationalist title.
But the last paragraph suggests they're able to get the dodgy code into apps that are in the Play Store, so it's not a case of replacing genuine ones from the Store, you just need your dodgy app to be in the Store and then the average punter will assume it's safe because it comes from the Store, no?
Yes, I guess it still asks for permissions, but if you'd disguised your malware as a utility app that would require those kind of permissions, how's the end user supposed to know not to allow it?
You'd also have to take over the developer's account, then you could push an APK to the Play Store and users will be updated with your new malware.
If you have access to the Play Store account I'm pretty sure you could just put anything you liked up there for people to download, regardless of if the master key is compromised.
It's still easier to list something new on the Play Store as "Angry birds" and have a few people download the malicious app.
"it runs what is basically Linux, so Swiss Cheese central. So this isn't exactly a surprise..."
It runs a Google-developed shell/GUI on top of a modified Linux kernel.
It is exploitable because it was designed with revenue generation as opposed to security in mind.
When Android is hacked it is Android that is hacked, not Linux.
Every application asks for ridiculous permissions on install? No user will notice anything out of the ordinary. Why do they need those permissions? Profiling, tracking, advertising.... revenue generation.
I'm not defending Android, out of the tin it is not to be trusted. Perhaps it shouldn't be trusted when rooted, and "locked down" I shrug, even when I think I own my Android, I will never trust it with my bank details.
And this is the problem with Android permission.
This app needs internet access, read your contacts and modify the SD card.
Could mean it just needs to log into your XYZ account and sync the info.
Equally, it could mean it's going to connect to the web and then download a shitload of kiddy porn to your phone before contacting everyone in your address book saying you're a paedo.
Extreme I know, but this is why the permission info is a waste of time.
"The XBMC remote has the facility to put received text messages up as a banner on the XBMC device that your mobile is remotely controlling ..... couldn't do that if it was unable to read them first on the phone."
Why isn't the grant of permissions controllable by the user [1], on something like a "choose from: permit always/never permit/ask each time app started/ask each time permission requested" basis when the app is installed or updated (or when the user changes their mind)?
Is that even possible in Android, officially or otherwise?
How difficult would that be to implement?
Would it destroy the economics of Google and Android?
If it did, would that be a bad thing?
Does Windows Mobile or whatever it's called this week do something like that?
Does the Applephone OS do something like that?
[1] The user .ne. the customer. Google's customer is the company buying the data which Google holds on the user.
Yes it does. Actual Windows 8 apps have to either come from the Windows App Store or a System Center server configured by the system administrator to side-load company apps. Even then with regular programs you still get the UAC prompt showing who signed the code, etc.
Buy a Sony Xperia Arc, the one that they aren't providing an upgrade to ICS for, and which they load with so much bloatware (which they don't let you uninstall) and hey-presto! Pretty soon your memory is full ('cos you can't move the bloatware to the SD card) and you can't download any more apps, malware-ridden or not.
Works for me...although I'll never buy another Sony phone.
(And no, I can't be arsed to go through the hassle of rooting it etc.)
The point is this is a flagship phone. It should be 32GB as standard like the HTC One.
If you don't have enough space on your phone to download to then you can't move it to the SD card since any applications are downloaded to internal memory first. You can't download straight to SD card.
This complaint has been on Watchdog for Christ's sake, there are a lot of unhappy S4 owners out there.
>> SD card blah blah apps to SD card
But you still run out of space. Not space to store applications and documents on the SD card itself, but "internal" memory used by applications and Android itself. My several-hundred-euro tablet running Android has >16GB free on its SD card, but won't check my mail because
"Out of space ... Free up some space and try again"
Fuck Android. It's crap. I've tried to like it, but it's crap.
I know where you are coming from! I have an Arc S, which just has a faster CPU, and it took me about a month to download enough apps to fill it.
I did root it and installed a nice app called Link2SD which gets around the problem by spoofing 'unmoveable' apps into a second partition on your SD card.
It was my first smartphone, and I knew nothing about rooting until I checked out the XDA forum. Took about an hour to do using their instructions and was surprisingly easy. Bloatware removed no problem. One day I might even put ICS or JB on it, but I don't think the single core processor is really up to it.
Anyway, back to the original story - chances of Sony ever producing a fix for this when they can't be bothered producing a decent ICS upgrade for it? Zero!
I thought that Jelly Bean was supposed to reduce all this by allowing UI customisation without modifying the OS so much that patches can't be applied...
Obviously there'll always be some limitation to that, but being able to supply base security updates without affecting the window manager should be standard.
Pre-ICS I was always a Sense fan, but I'm happy with AOSP now.
"I thought that Jelly Bean was supposed to reduce all this by allowing UI customisation without modifying the OS so much that patches can't be applied.."
That was the idea. There is no reason Sense or TouchWiz need the OS to be customised; Android provides the ability to replace every stock app on a stock build distributed with custom APKs.
The reason they do customise the OS is to prevent porting Sense onto a Samsung or TouchWiz onto an HTC. Without customising the OS, there would be nothing stopping this from being possible and manufacturers would lose their only grip on customers.
Only 99% of phones if 100% of phones had the ability to sideload apps from another less reputable location than Google Play enabled.
Android users should really be fighting back against this bullshit scaremongering reporting, as quite clearly the easy option for Google is to simply remove the ability to sideload apps, it would close the door on Android piracy too. OtherOS all over again. You had it all, but demonstrated you couldn't be trusted with it.
Then buy a sim-free/payg phone.
Then the network can't futz with your phone if they have never touched it.
Want a subsidised phone rather than forking out 4-600 quid? Put up with the bloat.
Incidentally in my experience where you can't remove stuff you can turn it all off and even remove the icon from your apps list.
Our Samsungs and HTCs certainly seem to allow this.
There's a major problem with getting Android updates out to end users because both manufacturers and carriers are in the middle of it and they can be ridiculously slow at pushing out updates.
I have an HTC One and I'm still awaiting a 4.2.2 update that Three Ireland are "testing".
OS updates need to get out quickly and plug security holes; that sadly isn't often the case with the way things are done in the Android ecosystem and it will inevitably cause some major problems, much like the lazy IT departments that continue to force users to run ancient versions of Internet Explorer because some clapped out piece of software uses it as a front end and then wonder why they got hacked.
After resisting the drive for tablets in the workplace due to:
A. Not being convinced our use would add any productivity for the extra IT risk
B. My conviction that there would be a major security issue with Android within the year.
The jury is out on A and I still believe B, though I don't think this is it. I foresee something bigger and only have about six months to be proven wrong or right.
So, the risk is that a legitimate app would be tampered with? So.. if I'm a villain and I want to take advantage.... hmm... so I somehow get the source code of a legit app. I add my own homemade or previously packaged back door, and then I just take advantage of the signature flaw, so my app still looks legit... cool. OK, now how do I make my victim install my especially seasoned app..? Course, all I have to do is break the Play store security or whatever system the original manufacturer has... and upload my espec... right... Hmm.. What the heck? If I can do that, why do I need a security flaw in the signature algorithm!!? ...OK, k. yes I put my especially seasoned app in my own especially seasoned website... cool!! ... Hmm, If I can convince any moron to download an app from my own especially seasoned website. What the heck!!?
"Yeah, what happened to Eadon while I've been out of things? I saw all his posts got deleted - did he finally get himself banned?"
Think he/she/it may have done so. Read an article about a week ago or so and he made some comment that was removed by a Moderator with the parting "you're out of here, have had enough" type message with it.
Just wait until someone writes a battery pwning trojan that overrides the built in failsafes (software I might add) and causes the batteries on thousands of phones to overcharge outside their narrow safety envelope.
Can you say "Epidemic of spontaneous human combustion"?
AC