back to article Another day, another stunning security flaw in Android – this time hitting 55% of mobes

Fresh from sorting out the Stagefright flaw, Google has another serious security vulnerability in Android on its hands. A privilege escalation hole allows normal apps to gain superpowers to snoop on a device's owner, smuggle in malware, and wreak other havoc. Youtube Video The vulnerability, CVE-2015-3825, affects about 55 …

  1. PleebSmash
    Paris Hilton

    Stageup

    No sexy vulnerability name yet?

    1. Anonymous Coward
      Anonymous Coward

      Re: Stageup

      There are just too many vulnerabilities. They have run out of sexy names.

  2. fnusnu

    Get a grip

    This is no more a 'stunning security flaw' than certifi-gate or stagefright.

    This sort of reporting ranks alongside such tosh as 'advanced persistent threat' and 'sophisticated cyber-attack'

    I read El Reg for their technical accuracy not their ludicrous hyperbole...

    1. diodesign (Written by Reg staff) Silver badge

      Re: Get a grip

      > This sort of reporting ranks alongside such tosh as 'advanced persistent threat' and 'sophisticated cyber-attack'

      Bear in mind, I hate those words and usually kill them on sight.

      > I read El Reg for their technical accuracy not their ludicrous hyperbole

      Why not both? Seriously though, the story has the technical accuracy, and the headline is a headline - have you not noticed that we go a little OTT? ;-) You wanna know the truth? I picked "stunning" because it fitted the space better on the page.

      C.

  3. Mage Silver badge
    Happy

    innocuous-looking app which, when installed

    So I'm OK then. :)

    Hardly a shock that something you DELIBERATELY install, might be able to do something bad.

    1. Anonymous Coward
      Anonymous Coward

      Re: innocuous-looking app which, when installed

      Since it's a privilege escalation, yes it is a shock. Or do you normally expect "Hello, world!" to surreptitiously boost itself to root and own your device ever-after?

      (if you do then at least some kudos for realistic paranoia, but not being able to run apps takes a lot of the smart out of smartphone)

      1. JEDIDIAH
        Linux

        Re: innocuous-looking app which, when installed

        No, it's not a shock. Exploiting Unix with a local privilege escalation hack is nothing new. Back in the day, some people considered this sort of thing a hobby. One of my college profs was one such hobbyist.

        1. Anonymous Coward
          WTF?

          Re: innocuous-looking app which, when installed

          " Exploiting Unix with a local privilege escalation hack is nothing new."

          Nor is going through the windscreen in a crash. That's why we've learn't lessons and created seatbelts, air-bags and collision avoidance systems.

    2. Adam 1

      Re: innocuous-looking app which, when installed

      I give far more credence to the number of and nature of permissions requested than the number of g+ users who give it 5 stars and usually some indecipherable comment.

      The raison d'etre of the permissions model is to limit what an app can do. If it fails to do this then it is a critical flaw. But imagine there was some bug in your phones PIN entry screen where pressing the volume rocker logged you in. I suppose you would argue that such a bug isn't too bad because one should expect that anyone who can physically access it could pwn it.

    3. Anonymous Coward
      Holmes

      Re: innocuous-looking app which, when installed

      I happen to agree. It's no more shocking than the virus/trojan/whatever munching your system after downloading some supposedly neat PC application from "a dodgy site." The apps on my tablets are downloaded only from legit sources and, aside from upgrade keys, are a very stable set.

      Look people, if you play Russian Roulette with the software loaded on your tablet, some "thing" probably will get through despite the best screening in the world at a store and then your "bulletproof" malware checker on that device. Vulnerabilities exist as the software development process is fundamentally broken. I'll spare you my sermons on that topic. I've yet to see proper OS security which obviates any application's security right out the gate.

      That whole reap-sow process will get you.

      1. Anonymous Coward
        FAIL

        Re: innocuous-looking app which, when installed

        "The apps on my tablets are downloaded only from legit sources"

        Yup, Google Play / Apple have never had any dodgy apps.

  4. Dan Paul

    Permissions?

    Isn't the ability to spy on the user pretty much demanded by damn near every app out there anyway?

    It's time for Google to take that ability away from the APP developer community.

    Permissions belong only in the hands of the phone OWNER, IE ME!

    A weather app does not need access to my contacts, photos, texts, email, etc. etc. etc. Obvious misuse of personal info should mean permanent banning from the app store, inadvertent misuse should mean not uploading product on the app store until you PROVE there are no issues with 3rd party verification.

    1. Nunyabiznes Silver badge

      Re: Permissions?

      Have an upvote. However, since Google wants all of their apps to have full rights to you, they would be pretty hypocritical if they tried to stop other app developers from doing the same. I recently bought an Android phone just to check out the advances in the last 3 years, and the permissions requested by the Play Store boggle my mind.

      1. heyrick Silver badge

        Re: Permissions?

        I think Play Store needs the scary permissions as it seems to be a half assed way of updating some back end stuff without a full firmware update

    2. Anonymous Coward
      Anonymous Coward

      Re: Permissions?

      Isn't the ability to spy on the user pretty much demanded by damn near every app out there anyway

      It's so lucrative Microsoft is getting in on the act with W10.

    3. Adam 1

      Re: Permissions?

      You think you are the phone owner. Cute.

      1. paulc

        Re: Permissions?

        I am the phone's 'owner', my device was bought with no contract and is not tied to an network...

        1. Anonymous Coward
          Anonymous Coward

          Re: Permissions?

          You own the phone hardware, but not the software that is running on it. You don't get to decide what permissions the apps get, the software author (i.e. Google) does.

          The same is true on an iPhone, but despite their reputation for control freakery, Apple lets you enable/disable various permissions on apps and change your mind later. The app may warn or possibly even crash if it doesn't have a permission it needs or thinks it needs, but you don't have to worry about Facebook slurping your contact list or whatever.

    4. Adam 1

      Re: Permissions?

      On a serious note, as a developer (a real one not an app developer :p) being able to stipulate the permissions you don't need is quite a nice security layer. If I decided that the world didn't have enough photo editors and that I should release my own, I can stipulate that it should not access the contacts. If my advertising network started spewing out malware, perhaps a more conservative token collection may mitigate the malware.

  5. Anonymous Coward
    Anonymous Coward

    "A privilege escalation hole allows normal apps to gain superpowers to snoop on a device's owner, smuggle in malware, and wreak other havoc."

    Hmmm, what would be handy would be a privilege escalation that allows you to remove un-needed and un-wanted default Google apps without having to root the device in a more traditional way.

  6. Anonymous Coward
    Anonymous Coward

    Another reason to move to Windows Phone 10 once it's released if your device has an upgrade available - given that you can now sideload APKs. Only Xaiomi have confirmed an upgrade will be available so far, but Microsoft have stated that they are planning to "make this software available on more devices in time."

    1. Anonymous Coward
      Anonymous Coward

      So, the worst of both worlds?

  7. Anonymous Coward
    Anonymous Coward

    Is this the same Android...

    That the head security honcho at Google recently claimed had no vulnerabilities?

    Credible much?

    Maybe they need some grown-ups in charge of security. Who do not supp from the company cool aid and who can see past their own ego?

    1. Anonymous Coward
      Joke

      Re: Is this the same Android...

      Wait, aren't these Oracle's bugs now?

    2. chr0m4t1c

      Re: Is this the same Android...

      Didn't that guy work for Adobe in the Flash team a few years ago?

  8. gmathol

    Sure! IBM got a partnership with Apple and therefore is vilifying the competition - and yes Samsung is a better choice than Apple none sense.

    I don't care.

  9. Anonymous Coward
    Anonymous Coward

    Comparison,,,

    Which has the better overall security, Android or IPhone?

    1. LucreLout Silver badge
      Paris Hilton

      Re: Comparison,,,

      @Aimee

      Which has the better overall security, Android or IPhone?

      Windows Phone. I'm the only person I know that uses it, so its pretty much a waste of time anyone developing attack vectors. Security through obscurity - it's like the 80s never ended!

      I suspect no mobile OS has good security. Since most internet access is now via a phone/tablet rather than PC, these are the most common attack surfaces. Regardless of which OS you run on a proper computer, I'd bet the security is considerably better when factoring in firewalling, virus/trojan scanning, logging, and system/network monitoring tool sets etc.

      Paris, because she didn't have anything left to fear from the iCloud leak.

  10. Salamander

    The type of security problem isn't the issue

    All OS have security issues. The issue is how quickly the problem can be fixed and the fix deployed to users. Even if Google fixes this tomorrow, only nexus owners will receive the fix quickly. The rest of us have to hope that the OEMs and the Network operators pull their fingerpost and prepare and deploy the fix.

    This is a problem that only affects android phones. Apple, blackberry and Microsoft can all deploy fixes quickly.

    1. kadeemhunt@gmail.com

      Re: The type of security problem isn't the issue

      not true it has already been patched all the back to android 4.4, It's been patched in the SDK and Google Play Services

  11. Anonymous Coward
    Anonymous Coward

    Might seem like a daft question

    But would encrypting the device help in any of these security issues help? Or as these app's/vulnerabilities are running from within the system would it not make a blind bit of difference?

    Or perhaps even something like an AV product that had a very restrictive policy from the server (no system app's allowed, no apps apart from the ones on the allowed list allowed to run), I am on this latter point referring more to corporate devices with a server policy applied, say perhaps using Kaspersky Endpoint security.

  12. Spleenmeister

    One can't help thinking, in the current climate of forced "openess" encouraged by our spymasters i.e nothing is off limits any more, that these "vulnerabilities" are nothing of the sort to those who would really 0wn you.

    Who wrote and refined them, and put them into the mobile ecosystem, I wonder? It's as likely to be a home-grown spook as a Russian gangster.

    Sure, they're inherent in (all) mobile OS' but it makes you wonder..make me wonder, anyway

  13. Eponymous Bastard

    Devil in the detail

    So, can someone tell me if this can happen if I install an app from the Play Store or is it only possible via side-loading. If it's the latter, WTF.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2020