Significant exploit found in Android

strawman · Jul 24, 2013

http://www.bbc.co.uk/news/technology-23431281

A significant exploit in Android is being used in the wild, researchers say, which allows a malicious program to take control of aspects of the device that normally require user permissions.

So a free game might also be able to read your texts, passwords, and phone numbers called or received without you seeing the security request for access to those parts of your phone.

Google has issued a fix to manufacturers, but it's up to manufacturers to send fixes for each of their android devices.

Google is also scanning all apps on Google Play, so if you never load an app from anywhere other than Google Play, or you have received an update to your Android OS in the last week or two, then you are probably not going to be affected by this exploit.

If you have not updated your phone recently, and you load apps from other android app stores (amazon, websites, etc) then you are vulnerable to this exploit.

Let's hope the latest version of "GEM MATCH ULTIMATE XIV FREE" doesn't start calling pay-per-minute phone services while you sleep.

figmentPez · Jul 24, 2013

stienman said:
Google has issued a fix to manufacturers, but it's up to manufacturers to send fixes for each of their android devices.

I hope someone sues the pants off of any manufacturer that doesn't make this fix available quickly and automatically.

EDIT: Is there any way to know if your phone has received a patch? Or a quick way to find out if one is available for this specific issue? HTC's website suuucks.

Shakey · Jul 24, 2013

stienman said:
Google is also scanning all apps on Google Play, so if you never load an app from anywhere other than Google Play, or you have received an update to your Android OS in the last week or two, then you are probably not going to be affected by this exploit.

If you have not updated your phone recently, and you load apps from other android app stores (amazon, websites, etc) then you are vulnerable to this exploit.

This is an important point to make. You have to be side loading pirated apps or using another app store to be vulnerable to this. It's still good to keep up on these things though.

figmentPez said:
I hope someone sues the pants off of any manufacturer that doesn't make this fix available quickly and automatically.

EDIT: Is there any way to know if your phone has received a patch? Or a quick way to find out if one is available for this specific issue? HTC's website suuucks.

I'm guessing it not only has to go through the manufacturer, but also the carrier. This is one of the biggest problems with Android. Apple controls their hardware, and has enough sway to tell the carriers to push out an update. Not so much with Google and Android. It's annoying as hell.

strawman · Jul 24, 2013

It would be nice if google provided an app on their store that checked for you.

Shakey · Jul 24, 2013

There is an app to scan for an infected app on your device. Bluebox Security Scanner

The Bluebox "Master key" Security Scanner will scan your device to determine:
- If your system is vulnerable or patched to any of the "master key" security flaws affecting most Android devices (there are multiple 'master key' flaws at this point)
- If your system settings allow 'Untrusted Sources' application installs
- If any installed application on your device is trying to maliciously take advantage of any of the 'master key' security flaws

[DOUBLEPOST=1374700774][/DOUBLEPOST]Just an FYI, I haven't tried the app and it's not from Google, so...
It's on the Play store though, and all the apps on it have been checked, so I'm sure it's legit.

PatrThom · Jul 24, 2013

Oh, and while you're at it, if you haven't gotten a new SIM card for your GSM phone in the past 2 years, you might want to do so.

--Patrick

sixpackshaker · Jul 24, 2013

If you can't peruse passwords, then what is the point of giving away free software?

figmentPez · Jul 24, 2013

Shakey said:
It's on the Play store though, and all the apps on it have been checked, so I'm sure it's legit.

Well, they've been checked for known exploits, but that doesn't mean that it's not some other form of scam. I mean, I find it unlikely, but I doubt every app in the Play store is free of problems (otherwise they wouldn't give disclaimers about giving apps acccess to certain parts of your phone.)

Shakey · Jul 24, 2013

figmentPez said:
Well, they've been checked for known exploits, but that doesn't mean that it's not some other form of scam. I mean, I find it unlikely, but I doubt every app in the Play store is free of problems (otherwise they wouldn't give disclaimers about giving apps acccess to certain parts of your phone.)

Right. This app only requests network access, so I doubt it would be malicious. I ended up installing it, like I figured still unpatched.

DarkAudit · Jul 25, 2013

This is one of the reasons I gave up on Android. Didn't matter how often Google pushed out updates, I'd only get it if HTC wanted me to AND if Sprint also wanted me to. Took nearly a year for the Evo to get an official Gingerbread update. By then Google was already pushing Ice Cream Sandwich.

Ravenpoe · Jul 25, 2013

DarkAudit said:
This is one of the reasons I gave up on Android. Didn't matter how often Google pushed out updates, I'd only get it if HTC wanted me to AND if Sprint also wanted me to. Took nearly a year for the Evo to get an official Gingerbread update. By then Google was already pushing Ice Cream Sandwich.

Or you could get any upgrade you want if you root the phone and update it yourself. Granted, some people aren't going to want to be this hands-on, but it is an option.

DarkAudit · Jul 25, 2013

Ravenpoe said:
Or you could get any upgrade you want if you root the phone and update it yourself. Granted, some people aren't going to want to be this hands-on, but it is an option.

I rooted my Evo within a week.

Cyanogenmod was my favorite ROM.

Shakey · Jul 25, 2013

Ravenpoe said:
Or you could get any upgrade you want if you root the phone and update it yourself. Granted, some people aren't going to want to be this hands-on, but it is an option.

I've given up on that with my phones. Unless you're running one of Googles Nexus phones you still have to either wait or deal with buggy and non-working features. It wasn't until Motorola leaked their ICS builds that the ROM's finally became stable enough to be used for my droid 4.

GasBandit · Jul 25, 2013

Heh, my Droid 1 is still using Android 2.2.3 and that's the last update they'll ever make for it, being such an old phone. But really, ever since I got my Nexus 7 tablet, all I use my phone for is... a phone. Well, and a data tether for the tablet when I'm away from Wifi. It is rooted, but I don't really run any other apps or anything on it... because the tablet is so much nicer. And because it's google branded, it gets all updates ASAP.