What did you expect...
Everyone knows Google = The Matrix!
(Mine is the ankle length black leather jacket with the designer sunglasses in the pocket)
Someone's found (yet) another nasty security flaw in Android, by crafting a way to pack malicious software to look like images. The good news is that disclosure was kept back until Google had put a fix in place; the bad news is, of course, the huge number of phone-owners who never update – either through choice, ignorance or …
And you think that Google didn't fix Bouncer to prevent the app from getting into the Play Store in the first place? And you think they didn't fix "Verify Apps" which runs on your phone? And which is delivered via Google Play Services all the way back to GB devices?
This is exactly the kind of bug that Google can fix with Bouncer and Verify Apps.
... it's like the MS JPG issue from several years back. In order to get "infected" by the jpg, your machine had to be compromised first.
This is the same thing, but comes in a lovely all-in-one package.
Nice to see past mistakes are learnt and improved on to make the customer experience easier.
Although I have G1
HTC G1 can definitely run at least 2.2 courtesy of Cyanogen. Probably later too (just not an official mainstream Cyanogen port any more). Same as my Xperia Arc - it is officially not able to run anything past 4.0 and that was pretty awful, its max stable (and buggy) Cyanogen was 9. It is running at present a reasonably up-to-date 4.4.4 courtesy of the Legacy Xperia Cyanogen spinoff project, which is ahead of what most new phones coming off the factory lines are running. It is also reasonably bug free. Average uptime is weeks of heavy use (mostly as "newspaper" and GPS).
As an added bonus I no longer have Tw*tter and F***book taking all of the rather scarce application partition space. So something that should have been replaced by now is still perfectly usable and will probably remain "in-service" for a couple of extra years.
It will also be replaced by another Sony for this exact reason - you can get a bootloader unlock from the manufacturer straight away and all top of the line models have excellent Cyanogen/AOSP support.
Running evervolv AOSP 4.4.4 on the old HTC Inc, it's been pretty stable and smooth, except for a few video driver related nuisances and the fact that the /system partition is soldered to a ridiculous 250 MB; the datadata partition is not too big either, 150 MB. Despite all that and thanks to the community it's fun to use.
You must be littered with malware if the press are to be believed. Oh you're not??? That doesn't make sense....
With billions of android devices out there, everyone will know someone that's had an Android malware infestation on their device? Oh we don't? That doesn't make sense....
This reporting nonsense has to stop, it's watering down the worth of REAL malware threats.
That's why telcos and vendors should not be able to handle the update process (or remove functionalities), and it should come from the software vendor itself.
Think if HP, Dell, Lenovo, etc. could control what software updates and features you can install on your PCs... of course they would try to stop updating older machines and force you to buy new ones - Apple, which controls both the HW and SW side, does something alike when new OS releases no longer support older but still valid models.
Google anyway is not interested in spending money in efforts to keep your OS updated... after all your phone is just a Google terminal to access your data. Only if the Android market starts to shrink seriously under security issues will Google change something, otherwise it has no real interest.
Many OEMs and operators already have a copy of their apps on Play anyway, from there it's a small step to Google automatically pushing apps on the OEMs' and operators' behalf to the phones on first run, i.e. you update base Android then get OEM customisation apks, operator customisation apks, and Google Play Services pushed to the phone.
If ever you were to install or update to another version of Android you could get the customisation downloaded again.
If the OEM and operator apks weren't suitable for that device and version of Android then they wouldn't get downloaded and you'd have fewer customisations or even a base install if neither OEM nor operator manage to get their finger out. That would be an incentive for them to keep their customisation up to date and making it useful instead of letting it rot.
Probably not as simple as I'm making out (binary blobs, configuration, etc... which also need to be installed into base Android for the phone to work) but anything's got to be better than the current unholy mess. It can't be rocket science to get it figured out.
Apple, which controls both the HW and SW side, does something alike when new OS releases no longer support older but still valid models.
Can you cite examples? My 2008 Aluminium MacBook 13 inch is running Yosemite just fine; it's the non-64-bit Intel Macs that can't upgrade, so anything less than a Core 2 Duo can't be OS upgraded (that's Intel Core Duo & Intel Core Solo).
http://support.apple.com/kb/ht3696
Supporting 6 year old machines is quite good I think.
.. to fragment the Android market place. Whenever there is a cockup, it's finger pointing all around, but nobody ever really picks up the blame. That's about as brave as telling everyone they have no privacy, but making sure your own details aren't available. Way to go, Google.
..to fragment the Android market place.. it's finger pointing all around, but nobody ever really picks up the blame.... this behaviour encouraged Putin to snatch Crimea...
How did you figure this all out? My tin foil hat is off for your very intricate yet so logical train of thought. And where is your own tin foil hat, dear AC? Where's the tin foil icon, El Reg?
I did not realize that Sony was so hacking-friendly with their devices. I'm amazed that they not only tolerate, but encourage tinkering with their phones. Is Sony's smartphone division a rogue faction that doesn't talk to anyone else in the company? I say this based on their attitude towards allowing owners of PS3s to run Linux (promised, then taken away), and everything else they publish being DRM'd within an inch of its life. Is Sony finally waking up? My next mobile device may be made by Sony then.
I've always thought Sony built decent stuff, but their business plan of the last few years seems to be summed up by: 1) Ignore user wishes/privacy/security/fair use rights. 2) Invoke the ire of everyone. 3) Deny any wrongdoing until it's embarrassingly plain that they're lying. 4) Lose tons of money in settlements to wronged users and hasty after the fact fixes.
Sony is an overpriced brand riding on their decades-past accomplishments and name recognition.
It is really very sad. I remember when they broke into the western market with superior and cheaper radios and TVs back in the late 1960s and early 1970s and dominated for the next 30 years, then lost their way in the late 1990s.
"No baloney, it's a Sony!"
"It also does not enable UK law enforcement agencies to take action against UK citizens committing cyber crime offences whilst physically outside the UK on the basis of their nationality alone."
Good, and that is the way it should stay. Whilst I quite agree that some really really serious crimes should allow extra-territorial jurisdiction (crimes against humanity for instance), hacking certainly isn't one - let the country in which you perform the act prosecute the act.
FTA: "...the huge number of [android] phone-owners who never update – either through choice, ignorance or that their handset-maker holds back upgrades."
Which of those three options is the most likely?
[Hint it isn't the first two! And to debunk the ignorance angle, the last Android handset I had would check for updates once a week and ping an alert if one was available].
Looking at the typical update rates on iOS (yes, I know, excepting iOS 8.0.x) it looks like there aren't significant numbers of users that are complete refuseniks when it comes to updating phone software.
If someone sends you an email with a .apk attachment, is it possible to install that? Most people know these days not to click on unknown attachments, and spam filters will remove exe files and may remove apk as well.
However, if it looks like a jpeg, many people feel safe clicking on it. If after clicking on it, it shows an image and there's also a pop up for installing an app with a name like "Facebook Messenger update" they might think it was an automated thing unrelated to the email and click OK. If it works with inline images, simply opening/previewing the image would be enough to launch the installer dialog.
I wonder if we're going to see a lot of spam using this technique in a few weeks? If what I'm suggesting can be made to work, the Android malware problem is going to grow exponentially in the next few months.
Yes it's possible to install a .apk sent through email (if you turn off the restriction to install only for Google). But it doesn't sound like just clicking on the image would do anything, although it wasn't totally clear. It sounds like you need a "helper" evil app already installed for the code embedded in the image to do anything.
You must be talking about MS Windows, which operates by extensions, not file permissions plus file headers/utilities; both the user and the system can be tricked by the former.
What this vulnerability allows is that one can "hide" a piece of code inside the apk already. It says in the linked paper that one can insert "another apk" inside the given one hidden in an image. That hidden apk can be installed later. It is unclear what the authors mean by "another apk", since every Android Application Package gets installed under a unique uid and guid (permissions). The vuln. is not a privilege escalation type either. So it's just a concealing code type then.
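The comments above describe an APK concealed inside what presents itself as an image. The following is an added detection example, not code from the article or from any of the commenters: it checks whether a JPEG or PNG carries a ZIP archive after its end-of-image marker and whether that archive looks like an APK. The image blobs and the placeholder archive entries are constructed here purely as test input; the marker scan is deliberately simple (first EOI / first IEND), so an EXIF thumbnail can register as trailing bytes without being flagged as an archive.

```python
import io
import zipfile
from typing import Optional

# Markers this checker understands.
JPEG_SOI = b"\xff\xd8"
JPEG_EOI = b"\xff\xd9"
PNG_SIG = b"\x89PNG\r\n\x1a\n"
PNG_IEND = b"IEND"
ZIP_LOCAL_HEADER = b"PK\x03\x04"


def image_payload_end(data: bytes) -> Optional[int]:
    """Offset just past the image's end marker, or None if this is not a JPEG/PNG."""
    if data.startswith(JPEG_SOI):
        eoi = data.find(JPEG_EOI, 2)       # first EOI; an EXIF thumbnail may end earlier
        return None if eoi < 0 else eoi + 2
    if data.startswith(PNG_SIG):
        iend = data.find(PNG_IEND)         # IEND chunk: length, "IEND", 4-byte CRC
        return None if iend < 0 else iend + 4 + 4
    return None


def embedded_apk_in_image(data: bytes) -> dict:
    """Report whether an image has a ZIP appended after its end marker and if it looks like an APK."""
    end = image_payload_end(data)
    if end is None:
        return {"image": False, "trailing_bytes": 0, "zip": False, "apk": False}
    trailer = data[end:]
    result = {"image": True, "trailing_bytes": len(trailer), "zip": False, "apk": False}
    zip_at = trailer.find(ZIP_LOCAL_HEADER)
    if zip_at < 0:
        return result
    try:
        with zipfile.ZipFile(io.BytesIO(trailer[zip_at:])) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return result
    result["zip"] = True
    result["apk"] = "AndroidManifest.xml" in names   # APK = ZIP with an Android manifest
    return result


def build_constructed_samples() -> dict:
    """Constructed inputs: a minimal JPEG-like blob, and the same blob with a ZIP appended."""
    clean = JPEG_SOI + b"\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 32 + JPEG_EOI
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("AndroidManifest.xml", "<manifest/>")   # placeholder, not a real manifest
        zf.writestr("classes.dex", b"dex\n035\x00")         # placeholder header bytes only
    return {"clean": clean, "polyglot": clean + buf.getvalue()}
```

A scanner on a mail gateway or a device-side "Verify Apps" style check can apply `embedded_apk_in_image` to every image attachment and quarantine anything where `apk` is true.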