Who let the IPCC into my phone? They'll be reducing my minutes in the interests of curtailing hot air emissions.
(Joke icon not available on El Reg's mobile interface, in fact the coat icon might be a better choice.)
A security flaw in a core message-passing mechanism leaves every Android device potentially vulnerable to attack, security researchers warned on Thursday. The newly discovered flaw enables hackers to override in-app security features, leaving critical apps such as mobile banking susceptible to tampering. The same vulnerability …
Gingerbread? I'll bet the majority of Android phones sold on today, October 16 2014, will never see an update. Too often people think about the big name phones that get a lot of attention like Samsung Galaxy or HTC One, which of course will be updated (at least the more recent models) but those are a pretty small minority of the overall Android sales. Few of the low/mid range phones will ever get an update. This is why El Reg refers to them as "landfill Android".
People like to claim Apple has "planned obsolesence" to force people to upgrade, but the 3gs, introduced in June 2009, was able to update all the way through iOS 6 released in 2012, and still iOS 6.x is still updated for pressing security issues - the most recent 6.1.6 released early this year. Does anyone think that their shiny new Note 4 will be receiving updates in early 2019?
Oh, and there are now BILLIONS of Android devices. Has been for over two years. It's 2million new Android activations every day..
With that rate adoption, and 90% marketshare, you would think everyone would know someone that's had malware problems on their Android phone (if the press were to be believed). Strangely, I don't know a single person that's ever had a problem, and I suspect everyone else is the same...
Go figure.... The press and snakeoil companies continue to embarrass themselves in public with this nonsense.
"The press and snakeoil companies continue to embarrass themselves in public with this nonsense."
and next commenter "JASOVTTSUC"
Well I would agree that The Registers security issue reporting leaves a lot be desired. They too often dramatise inconsequential issues. As always it's important to read the article carefully and logically evaluate based on what is known and established rather than what is implied.
Yes also The Register far too often quote vested interest "security experts" (read anti-malware salesmen) without adequate discrimination.
Having said that, in this case the "security expert" has presented his findings at a black hat conference - a foreboding place if you are acting with no more basis than a "snake oil" salesman and that's somewhat more noteworthy than a mere press release. This article is a bit short on established fact and is too vague, so it will be important to read the details. But on the face of it, this sounds very worrying for Android.
The Register cry wolf all the time. But then also there are sometimes very real large scale security threats. Heartbleed and then Shellshock have shown complacency is a grave error. Both were exploited in the real world effectively and damagingly extremely quickly.
You would be a fool not to keep track of this one.
What the previous commenter said about the "ubiquitous" Android malware was :
>> Strangely, I don't know a single person that's ever had a problem, and I suspect everyone else is the same...
My question would be: did you or any of the lot now reading or commenting here has ever seen, known or heard about an Android malware victim? Again, personally, not from El Reg, Zdnet or Fox News. The latter media, btw, never found a single specimen either (other than the virtual people existing somewhere out of our sight).
Why am I asking? Because, apparently, any Windows user I have ever known had some sort of a Windows malware in the past or not so past experience. This very experience has a huge problem extrapolating onto the current press on Android malware, since it doesn't match with the local reality.
>>Heartbleed and then Shellshock have shown complacency is a grave error.
Although, I'd agree that complacency is a grave error, Shellshock ? More details please on the "complacency repercussions" and how detrimental this vulnerability was. I mean, do you know if anyone got busted through the dhclient-script when connecting to a wicked wifi router? For a contrast, when the Loveletter hit the world in circa 2000, a lot of people around me got that back then..
If nobody is being infected, why does Android malware continue to be found, even in the Play Store? Why bother writing it if nobody is getting the malware?
Could it perhaps be that a lot of android malware is caught by those who:
1. Don't run antivirus on their phone
2. Wouldn't recognise the infection if they knew there was one
Don't assume that no smoke means no fire where malware is concerned. Windows users had to learn the hard way how to get used to looking after their PCs. Android is still young by comparison as a platform, and an awful lot of landfill android users are just upgrading to keep a phone. They have no idea they're even carrying something which _has_ malware.
Complacency? I'd say so, that's classic complacency. I don't know anyone who's died of ebola.... yet.
"Strangely, I don't know a single person that's ever had a [malware] problem, and I suspect everyone else is the same..."
Those applications that do things like log your online banking keystrokes tend to keep quiet about it, you know. The whole point of most malware is that you don't realise it's there.
So is Binder part of the base OS (it sounds like it) or part of the various Googly packages? The latter is the only hope that it'll get fixed on any of my devices. It'd be nice if Android went more package-based instead of the monolithic "entire OS in an image", but that doesn't seem to fly with the culture around phones. I guess I'll have to step-up my efforts (aka get around to) to put cyanogen or whatever on my 2+ year old phone; I know Verizon isn't going to help me out there.
Binder is part of the base OS. It's the thing that handles what Android calls Intents. The Intents are IPC messages that say you want to do such and such. They're also what prompt you to pick a program to handle things like Market links, SMS messages, and so on unless you set a default. What the article is claiming is that something can hijack the intent chain so as to call up system-level functions and use them to hack the device.
Honest question: Can this hijack occur with just a URI or does it require some kind of app installation to perform?
PS. It may interest you to know that Binder is an inherited thing. It comes from OpenBinder which was in turn originally developed for BeOS (now that brings back memories).
They might advocate that.
Me? I'd advocate a complete rethink of the Android infrastructure to understand that it is an operating system and as such requires updates and patches just like all the other operating systems. This to happen as and when necessary. Without the need for carrier intervention because we know sure as hell that such a thing just won't happen. My phone is running Android 2.3.something. That was "old" when I bought the phone new (but Sony took its merry time making ICS available and Orange France totally ignored that). They still seem to be stuck in the mindset of the feature phone where what is shipped is what you get. Couple this with an insistence on having locked bootloaders and an updater that can't handle running on anything under 2GHz (what, to push some data down a USB link?) and only works on Windows anyway, you have so many fail points it isn't even funny.
Since rooting the phone and flashing something third-party is outside of the skill set of most users, Android needs to be capable of self-patching.
"Since rooting the phone and flashing something third-party is outside of the skill set of most users, Android needs to be capable of self-patching."
Not only this, but the whole thing should be like updating a computer. Better still: EXACTLY like we do with our computers.
I can by a (say) Dell, and it would come with a pre installed OS. OR, I could just by an "empty" mobile, and install some OS. THAT would be great.
Even if my choice ended up with "your hardware is 36 months old, it is outside the official support time".
You know, I like Android. I really do. It gives a great user experience in my opinion. But it's starting to look more and more like a security graveyard on par with Windows 2000.
I'm just shy of hatred in my opinion of iOS. I use the iPad forced on me at work only when there's no other choice, and other choices do include lugging a laptop around. That's how much I dislike iOS. Not saying anything against it other than my personal opinion of it is negative. And Windows Phone? I'm not exactly a Windows fan under the best of circumstances.
I think it's about time for a new contender in the mobile market to come along.
You'd think it's getting as bad as Windows looking at all the reports. As long as you stick to the play store, you should be ok.
There's a lot of security research going on with Android, due to it's massive popularity and the fact that you can see the source and debug/experiment it. It's just a shame the updates aren't as slick as Linux on the server/desktop.
From the whitepaper, they've simply identified an ideal target, in that pretty much all information in an Android system passes through Binder at some point.
While they've been able to simulate an exploit by hacking their own system compiled from Android code, they haven't actually produced a working attack against a production Android device.
So this is more to the point of where should smart criminals or defenders focus their efforts in Android, rather than "ZOMG WERE ALL PWND!"
So yes I'd say if that's what's available in the open literature I think we can take it as read that others have spotted what looks like a rather juicy "watering hole" to allow an attacker to hit any apps data stream within an Android device.
"featured a proof of concept rootkit for the Binder component"
Yes, but from their paper (linked to in the article):
Most importantly, all the techniques described in this paper require running with root permissions.
The concept they're proving is that "if you can get access to Binder messages, you can do a lot of stuff". They demonstrate keylogging, form interception, SMS interception, and so on - but all of their exploits require root.
As others have said above (though I'm not sure any of the people making this claim actually looked at the slides or read the paper), this talk was very much about why the Binder is a juicy target for malware authors, and not about actual vulnerabilities that exist today. While there may well be such vulnerabilities, the authors do not describe any.
In short, it's "look at this whopping great attack surface!".
Android is being handled the same way that other embedded devices are being handled, which is like to no updates. I thought (sorry, my mistake) that the retirement of Windows XP support and all those POS (translate that TLA whichever way suits) would have resulted in some consciousness raising about mixing between the differing treatments of desktop/server computing and embeds. The former internet connected and updated often, the latter not and not. Usually? Well, hopefully.
We've been extremely lucky that for all the juiciness of the Android target, it's been pretty much left alone. Why go embed retail when the wholesale returns of their bigger brothers is so much more lucrative. And a phone botnet? Puh-leese. (That'll change.) That the targets are so diverse in addition to being diffuse probably factors in as well. So mark this as "The Gilded Age of Innocence."
BTW, IPC has been a threat vector only since, maybe, the '80's
The arguments for stability in embedded devices go away with an ever changing and exposed user environment. These are not factory-floor disconnected PLCs.
The mobile market is maturing. Sorry to the manufacturers but you need to overspec the hardware to cope with updates, run fewer models (so you can test updates), and push the OS updates through quickly.
Seriously. is it a microwave oven (when was the last time you saw a software update for a microwave? or a real computer?
Historically phone companies did not issue SW updates for phones because they did not need to. They were analogue and had no processor.
Now if you want to offer a computer with built in mobile phone capability they should accept they have to support it like a computer OS.
And of course you get the issues of 3rd party software.
Biting the hand that feeds IT © 1998–2020