back to article Everybody without Android Oreo vulnerable to overlay attack

Any unpatched Android phone running a version older than Oreo is going to need patching fairly soon, with researchers turning up a class of vulnerability that lets malware draw fake dialogs so users “okay” their own pwnage. The risk, according to Palo Alto Networks' researchers, comes from what's known as an overlay attack. …

  1. Anonymous Coward
    Anonymous Coward

    "will need updating"

    I am of the opinion that millions of Android users (i.e. the majority) who are not running OREO will be waiting and waiting and waiting for patches let alone the opportunity to upgrade to OREO.

    Makers and carriers in the main can't be bovvered to support the handsets they sell once they have gone out the door or if they do then it is only until the model is replaced by another one.

    There are some exceptions to this and if you have one of these devices then you are one of the lucky ones.

    Updates or rather the lack of them is IMHO Android's Achillies heel. I know that Google want to change things but it seems like a snail will reach the top of Everest before anything worthwhile is done.

    Never mind, all the techy press will be salivating about the latest iPhone tomorrow so this will quickly be forgotten or pushed under the carpet.

    Shiny-shiny rulez ok!

    1. Anonymous Coward
      Anonymous Coward

      Re: "will need updating"

      This was the agenda here. It's as if this is an apple sponsored propaganda story against android, just when they have something to promote.

      There is nothing to suggest that pre Oreo devices couldn't be patched, and despite what people think they know about android updates, most major brands DO get patches, not every month like Nexus and pixel, but they do get catch-up patch sets.

      There is also no proof of concept, and no real way to work out how easy this is to actually abuse, if it's anything like pretty much every other android security non story, then real world exploits will be pretty much zero, and android security is all noise and never any real action...

      1. big_D Silver badge

        Re: "will need updating"

        Except that when the story first broke earlier this year, Google said it wasn't a bug and it was working as intended on Nougat.

        Now that Oreo is there, suddenly it is fixed and Nougat and earlier are at risk?

      2. My Coat

        Re: "will need updating"

        On my third android phone now - an HTC, a Motorola and a Lenovo. Not one has received an update more than 18 months after the handset was released. Each time, there's been stories that "In this years update, google have solved updating without needing handset manufacturers/carriers" - it's like the year of the linux desktop.

        1. Anonymous Coward
          Anonymous Coward

          Re: "will need updating"

          Then don't buy cheap shite? Factor in support and spend more. You certainly don't have to spend apple type stupid money to get good android support, Sony offer, LG too, but don't expect done £99 phone to get patches at all.. you need to lower your expectations, or stop being a cheapskate.

          1. Mark Manderson

            Re: "will need updating"

            AC lol just lol, I have a LG G3 which was a flagship, it received one update in its entire life (to

            marshmallow)

            1) it was an LG flagship

            2) its not cheap shite

            Last update post 6.0 was dated 2016-08-01 for 1 security fix patch.

            Sorry to burst your bubble.

            This kind of issue is the biggest flaw in android, the more popular and fragmented it becomes, the bigger the issue.

            1. Robert Helpmann??
              Childcatcher

              Re: "will need updating"

              This kind of issue is the biggest flaw in android...

              The flaw is not with Android, but with the service providers. If a patch has been created by Google and the phone companies will not push it out, it is not a flaw with the OS but with the service model that it is implemented under. Small pleasure in knowing this if you are affected, but pressure should be placed on those responsible for the lack of updates, not on those who actually created them and made them available.

              1. Richard Boyce

                Re: "will need updating"

                Always buy SIM-free, unlocked, and try to buy as directly from the manufacturer as is practical. The fewer middle men adding their own software and their own indifference to security, the better.

                1. jason 7

                  Re: "will need updating"

                  "Always buy SIM-free, unlocked, and try to buy as directly from the manufacturer as is practical. The fewer middle men adding their own software and their own indifference to security, the better."

                  Makes no difference. Most manufacturers just give up after 8-12 months from release.

              2. Mark Manderson

                Re: "will need updating"

                Apologies Robert, you are correct,

                its LGs fault, not Android itself mate :)

            2. jason 7

              Re: "will need updating"

              Same here. Bought a LG G4 six months after release and the last update it got was August 2016. Absolute zip since then. I'm now two versions of behind on Android on a phone that's barely two years old. Way to go LG!

              Unless you now buy the 'now expensive' Google phones you are up shit creek after 6 months.

              The whole Android update scene is total bullshit. But I now treat it as such and just shrug when such articles like this appear.

              Let's put this into perspective. Just how many people actually get hit by these 'killer' vulnerabilities?

              It's enough to make you buy an iPhone next time...

              1. YARR
                Megaphone

                Just how many people actually get hit by these 'killer' vulnerabilities? It's enough to make you buy an iPhone next time...

                In a recent interview ( https://www.youtube.com/watch?v=UVVjlYz-YeM ) John McAfee says (wrt phones)

                "there is no security whatsoever", "the OS is designed to watch you", they are the "ultimate spy device", "the anti-virus paradigm is no longer functional", "by the time malware is found it's too late", "hackers spend weeks, months, some times even years sniffing around your device".

                (31:45) "BTW, what is the least secure phone?"

                "The Samsung S7 is the most secure ... All iPhones can be remotely rooted ... The most hackable phone in the world is the iPhone"

                1. fidodogbreath

                  The most hackable phone in the world is the iPhone

                  McAfee is full of crap.

                  If iPhones are so wide open, then why do exploit brokers offer as much as $1.5 million for an iOS zero-day, vs $200K for Android?

                  If iPhones are so wide open, why did one of the most advanced intelligence agencies in the world pay $1 million to get into one iPhone?

                  If iPhones are the most hackable phones in the world, why does Android have more than 3x as many CVEs?

                  Anything can be hacked given enough time and money, of course. But given the security track record -- and the fact that iOS devices are far more likely to receive updates than Android devices -- McAfee's statement does not hold up.

            3. jgarbo

              Re: "will need updating"

              Am I just lucky? My Note 4 gets full updates (300MB+) every month or so. Takes 30-40 min. Maybe this is only for the Note. Anyone else noticed?

            4. Anonymous Coward
              Anonymous Coward

              Re: "will need updating"

              LG g3 is a phone from 2014, and the latest security update is android 6.01 (D85130g) and includes July 2017 patches. #fail. Your issue is clearly with your network and their reluctantance to distribute patches, and nothing to do with LG, Google or android at all....

              1. Mark Manderson

                Re: "will need updating"

                do you have links to the files from LG by any chance mate? I cant find any post August 2016 for my 32Gb European model.

          2. Jamie Jones Silver badge

            Re: "will need updating"

            Congratulations, Anonymous. You are blinded by your arrogance and pomposity.

            Have you considered that even without updates, it can work out cheaper to buy a new "non-label" phone more often, with even faster capabilities.

            Sure, there are dodgy things out there, but we are El Reg readers. We can sort the chaff out from the good stuff, right?

            There are many reason to buy a more expensive branded phone. "not being a cheapskate" isn't one of them. It's a tech device, not a bloody fashion accessory.

        2. smot

          Re: "will need updating"

          Hmm. My jolly old original HTC One has only recently received a bundle of updates to Android. Apps still update regularly.

          And with "power saving" switched on, I'm still getting a full day's use, sometimes two if I'm frugal.

      3. phuzz Silver badge

        Re: "will need updating"

        "There is nothing to suggest that pre Oreo devices couldn't be patched"

        No one is saying that it's impossible to patch, in fact, that's part of the problem, we know from experience that most Android phones don't get updates for more than a year or so after they're first released.

        Personally I'm willing to put up with the occasional flakyness of a custom ROM (Lineage), and so will probably receive a patch for this in the next week or two, but the majority of Android devices out there will never get patched. Despite the fact, as you point out, it's possible to patch older versions of Android.

        Oh, and why? Because there's no money in updating an old phone, when you could be selling people new phones.

        1. Anonymous Coward
          Anonymous Coward

          Re: "will need updating"

          My Huawei P9Lite (+/- 1yr old, simlock free) got three updates already.

          The snooping gets better and better and the battery life about halves with each update.

          Selling new phones? I think you're not far off the mark.

    2. Anonymous c0w@®d

      Re: "will need updating"

      Hello i am new to chat. To comment i think my phone is older than a lollipop android version... i dont think this vunerability exist

  2. Anonymous Coward
    Anonymous Coward

    Sick of new

    versions of android every 12-18 months.

    It's forced obsolescence and it seems to be getting worse.

    1. Anonymous Coward
      Anonymous Coward

      Re: Sick of new

      What press feature are you desperate for precisely? Or don't you know?? Essentially you version of android doesn't really matter, as unlike iOS, Google can update most stuff via Google play (iOS system apps need system updates, android doesn't)

      1. Anonymous Coward
        Anonymous Coward

        Re: Sick of new

        Google was forced to do that hack to try to get some parts of its OS updated without the OEMs and carriers getting in the way, but that's only a halfway measure that doesn't fix the real issue with the Android update model.

        Perhaps this is why Google is rumored to be buying HTC's phone business, so they can fix it on the OEM end and start applying pressure to the carriers.

        1. Mod74

          Re: Sick of new

          Google owned Motorola. Kept the patents, ditched the company off to Lenovo, and did nothing about fixing the OEM end, so I'm not sure why you think buying HTC would be any different.

        2. Anonymous Coward
          Anonymous Coward

          Re: Sick of new

          "Google was forced to do that hack"

          Nope, it's been this way since android 1.0 #tryharder

      2. Anonymous Coward
        Anonymous Coward

        Re: Sick of new

        " Google can update most stuff via Google play (iOS system apps need system updates, android doesn't)"

        So why can't my 3 year old phone run some apps then? They don't require any more hardware features.

      3. fidodogbreath

        Re: Sick of new

        iOS system apps need system updates, android doesn't

        iOS system apps need receive system updates, android usually doesn't

        FTFY

    2. Anonymous Coward
      Anonymous Coward

      Re: Sick of new

      The world won't stop. We have to live with a constant evolution of products. What consumers OTOH should ask for is to have the hardware and software for their gizmos supplied separately, and regulatory authorities should back them up. No manufacturer or network operator should be allowed to lock a device to prevent it from running "unauthorized" software. Manufacturers may not offer adequate support for their products, but this would open the market for 3rd-parties to offer independent subscription-based firmware updates. I'd be happy to pay a little extra for a bare-bones android-subscription to keep my mobile devices updated and safer.

      1. wayne 8

        Re: Sick of new

        The carriers do have responsibility for the integrity of their network.

        Phones, hardware and software, need to certified to be on the network. Certification involves serious testing. This is a good thing for network reliability.

        Adding bloatware that cannot be removed, is just the telcoms being the a'holes they have always been since Ma Bell.

        Slurping your data is Google's business model. Search, Maps, Android, Chrome, etc. are just means to that end.

        1. smot

          Re: Sick of new

          "Slurping your data is Google's business model. Search, Maps, Android, Chrome, etc. are just means to that end."

          And slurping money from your wallet is Apple's.

        2. Anonymous Coward
          Anonymous Coward

          Re: Sick of new

          Apple slurp data exactly the same as Google, Microsoft too. Go read their privacy statements from all 3 and discover there is literally no difference at all. If you think buying an iPhone give you some privacy then Android doesn't, you need a reality check, you paid a£300 surcharge for absolutely nothing at all...

    3. jason 7

      Re: Sick of new

      And every version is hyped as a major fix over the previous version but when (and if hahaaa) you get it, the reaction?

      Meh!

      Meet the new Android...same as the old Android.

  3. Evil Auditor Silver badge
    Facepalm

    ...simply by being installed on the device."

    I'm save then! For ages my Android has been refusing to install any software. Ever since Google Play said it needs to move to a current version in order to function and at the same time refused to update because my Android build is too old.

    1. Anonymous South African Coward Bronze badge

      ...simply by being installed on the device."

      A thin sliver of hope...

      Which means you should be OK if you only install kosher apps from the supposedly kosher Play store... oh wait...

  4. big_D Silver badge

    Not a bug...

    When this was first raised in February / March this year, Google said it wasn't a bug and it was working as expected...

  5. nevstah

    android vs android

    it would be great if manufacturers didn't mess with android and bundle their own unmaintained versions. fine if they want to bundle apps on top, feel free, but let users receive patches direct from google as soon as they are released. just like you do with every other operating system out there

  6. Anonymal coward

    Watch this space...

    This looks like a Good Thing: https://www.xda-developers.com/project-treble-custom-rom-development/

  7. Anonymous Coward
    Anonymous Coward

    Lineage ?

    ...just saying.

    Of course this is only the tip of the iceberg. Isn't Googles strategy to have Android (in some form or other) in *everything* eventually ???

  8. Tim99 Silver badge
    Joke

    Everybody without Android Oreo vulnerable...

    So is my iPhone OK then?

    1. Stoneshop
      Holmes

      Re: Everybody without Android Oreo vulnerable...

      So that would mean my N900, C5-00 and XP5300 would be affected? Not to mention the C605, SH888 and 5MX? None of them seem even capable of running any Android version, let alone Oreo.

      And I like it that way.

  9. Roopee Bronze badge

    Security is a feature (or lack) of users as much as software!

    My HTC phone was a one-year-old model when I bought it in 2013. There has never been a patch available for it since then. I'm not unduly bothered - I rarely install apps and never any that ask for silly permissions (such as access to my contacts), but I suppose security patches would be nice provided that's all they are.

    What I don't want is for the UI to change - I like the way it looks and works (part of why I chose this phone) and I don't like any of the newer versions of Android I've played with, even HTC's or Google's.

  10. RyokuMas
    Facepalm

    So let me get this straight...

    Say I had an Android device... either I would have to update to Oreo and be ready for a massive data bill, or don't update and I'm vulnerable???

    At least to take advantage of this exploit, apps have to be installed from Google Play...

    ... oh, wait...

  11. Warm Braw

    A view containing a quick little message for the user

    If you're toast after you click it, you could perhaps claim there was at least nominal documentation of the problem.

  12. Anonymous Coward
    Anonymous Coward

    Given that you have to install something for your android to become vulnerable

    and since google are aware of the issue then allowing it to be deployed via PLAY would be gross negligence?

    1. wayne 8

      Re: Given that you have to install something for your android to become vulnerable

      The article states the exploit can be delivered OUTSIDE of the Play Store.

      Idiots that click on anything.

  13. Anonymous Coward
    Anonymous Coward

    and this is why i moved to iOS from Android. Yeah it might be more locked in terms of being able to tweak, but my phone is very important now i do all my banking on it amongst other things so i value security more than anything else. Whilst i know iOS is not perfect and has its own security flaws at least i know i should get years and years of updates to fix them.

  14. Anonymous Coward
    Anonymous Coward

    must be installed from google play?

    no,. my own lineageOS android phone does not have google play and none of the apps on it were installed from google play. Lets face it. google play is tied to google and google is boring.

    1. cristianduron

      Re: must be installed from google play?

      install google play store apk https://playstore.zone/updates/

  15. Nate Amsden

    couldn't google block it

    If it comes from the store I'd expect them to be able to have a check for malicious things like this. Won't be fool proof but it should catch a bunch of things.

    Funny the researchers say most users will want to update. Obviously it will be years before most have the update.

    ATT has stepped up their badgering of my note3 on 4.4.x to upgrade to 5.0 but i won't have it. Must've gone 3 or 4 months without a single notification to upgrade now maybe once every 2 or 3 days. Removing the mute menu option after pressing power button is a deal breaker when my phone is also a pager. I read this was fixed in a newer 5.x build but it is not available to att note 3 (have another note 3 with 5.0 and a note 4 with 5.1 i think it is). The 5.1 solution sounds worse (volume button mute thing ) than 4.x. haven't put a sim card in note 4 yet. Even with a new battery the battery life seems significantly worse than note 3 for some strange reason.

    I really miss the mute switch on my webos devices as well as the ability to immediately silence the phone just by pressing the power button (no need to look at the screen).

  16. Anonymous Coward
    Anonymous Coward

    Let me guess...

    Updating to Oreo will mean buying a new phone because either the existing manufacturer is not on the ball or you have a crappy chipset that means you won't get a decent third party ROM. Seriously, fcuk Android. This kind of problem rears its ugly head far too often (I've seen it since Eclair), and yet I keep coming back for more.

  17. nickx89

    Didn't understand.

    So, it was there before Oreo had arrived? Did it attack Android mobiles before? Did Google knew about this vulnerability that was patched in Android Oreo? It's ambiguous at this point.

  18. Huns n Hoses

    Oreo?

    See, this is why actual version number are important.

    Was this an ice cream or a biscuit?

    1. 404

      Re: Oreo?

      You win an upvote!

      My last year's Motorola is at 7.1.1 - a fucking version number would be nice, eh?

      Jesus, El Reg!

      Edited.. fucking had to google it - Oreo = 8.0

  19. Snowy Silver badge
    Facepalm

    I have a nexus direct from Google

    Still not going to get update as it is over 2 years old :/

  20. Conundrum1885

    How to fix this

    We need to know, a choice between knackered data and "theoretical" risk isnt much of a choice is it?

    1. fobobob

      Re: How to fix this

      ♬♪♩ If you choose not to decide, you still have made a choice! ♬♪♩

  21. Jim Birch

    If the world was sane, phones would brick themselves if they weren't updated. There is a relentless arms race between hackers trying to bust software and developers trying to secure it.

    There is currently no direct financial incentive for phone makers to create and test updates. They don't get paid for them. There is some reputational incentive but this is rather weak when company has little or no reputation.

    This is how things work. It ain't the best system but the financial logic is undeniable. If you buy a phone that won't update you take a risk. You may also be saving money because updates cost and that is built into the phone cost. Personally, I want the most secure android phone available and I'm happy to pay for it and even lose features for it. If everyone did that, the update problem would be more-or-less fixed. But they don't, they want the best features for the best price...

    On the other hand there are other factors that are improving the situation. The phone market and phone software is maturing. Security improves over time, and phone software stabilizes so less new exploits are being created. Scanning of apps, improving the update distribution model, etc, are all helping too. None of this is perfect. Having a handset that gets regular and timely updates remains a key component.

  22. Anonymous Coward
    Coat

    Phones as platforms-- all-purpose computing devices with obligatory full-fledged operating systems and only a silly minority of strictly fernsprecher-related code-- is the original problem. Of course that is a disastrously anti-trendy position, and I like it that way. Trendy things are typically symptoms.

  23. anonymous boring coward Silver badge

    "'Toast' micro-messages can burn just about every Android users"

    Someone, fix that sentence!

  24. RobinCM

    Nokia

    Are advertising their Android phones in part by stating their "pure Android" nature and that they'll get regular security updates. Specs aren't bad either, my partner bought a Nokia 8 yesterday and it's rather nice - considering getting one myself.

    My HTC One M9 is still on 7.0 April 2017 security update.

    It'll be interesting to see how many other manufacturers start to jump on the "pure & secure" (tm) bandwagon.

  25. Anonymous Coward
    Anonymous Coward

    The problem has been is that Android has been too open to programmers and sand boxing permissions too loss. Dialogues need to be designed to be prescriptive and only ask permissions needed for the actual user usage. Users can fine block permissions as standard, and firewall anything under expert mode. The spy on user loose security ends. We would rather pay a $1 a year instead. Any custom dialogue be contained information feilds, even windowed from app space, so it can't spread. Real security.

    Easy to program without security bugs? So, why hasn't it turned out that way?

  26. Anonymous Coward
    Anonymous Coward

    This is the reason i had stayed away from android initially.Soon to get another one,that just hit the market,but with Nougat.Manufacturers and carriers alike,need to put the pressure on,otherwise,start throwing funding towards samsung and their work (as well as others),towards an different OS independent of google.Furthermore,since these devices also fall under FCC laws,i feel its an pathetic oversight by them as well.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like