Linked by Thom Holwerda on Fri 5th Jul 2013 13:59 UTC, submitted by bowkota
Privacy, Security, Encryption "Researchers said they've uncovered a security vulnerability that could allow attackers to take full control of smartphones running Google's Android mobile operating system." So, how bad is this? Can anybody with knowledge of Android's inner workings explain?
Order by: Score:
Not too serious
by bentoo on Fri 5th Jul 2013 14:28 UTC
bentoo
Member since:
2012-09-21

Must not be "generally critical" otherwise Google would have publicly disclosed/fixed it per their 60 day policy. :|

http://googleonlinesecurity.blogspot.com/2010/07/rebooting-responsi...

Reply Score: 2

Its about non Play store apps
by Bill Shooter of Bul on Fri 5th Jul 2013 14:35 UTC
Bill Shooter of Bul
Member since:
2006-07-14

First of all, this is a risk for people installing applications that appear to be from reputable developers but from sketchy app stores. Most in the EU/USA who stick to installing apps from google play are not really in danger of it.


This is a vulnerability in how applications are signed, I think. So a person installing an app could be fooled at a deeper level than before. However, there are already malicious clones of apps out there that fool people that don't make use of this vulnerability. Like the recent Jay-Z app.

http://www.bbc.co.uk/news/technology-23194413

Reply Score: 4

RE: Its about non Play store apps
by WereCatf on Fri 5th Jul 2013 14:42 UTC in reply to "Its about non Play store apps"
WereCatf Member since:
2006-02-15

No, this is a risk for Google Play - apps, too: it has been shown multiple times that the heuristics that Google uses to detect malign code is easy to fool, so you could make a legitimate app and publish it on Google Play, but add a payload there that adds itself to any and all of your currently-installed applications. Then, even if the user removed the app with the payload the system would still be hosed and the only way to fully remove the payload would be a complete system format and a clean install from a firmware image.

Basically this is a "Oh f--k!" - moment for Android.

Edited 2013-07-05 14:42 UTC

Reply Score: 2

AndyB Member since:
2013-03-22

Surely Google will screen/virus check all apps being submitted to the app store, otherwise all sorts of stuff could be in there, with no way to separate the good from the bad!

Reply Score: 1

Bill Shooter of Bul Member since:
2006-07-14

I think it would be pretty difficult to get this on Google play. If I understand it correctly, it allows malicious app devs, to modify existing apps outside of the device while keeping the signature valid.

I don't think Google's malware detection is bad enough to allow me to upload an app signed by rovio.

I also don't think there is a way to infect other apps once on the device. I haven't read anything that says that it could.

Edit:

From the article:

While it would be devastating if an attacker was able to get such a modified APK into the Google Play Store, or somehow use the technique to hijack the update mechanism of legitimate apps, there are probably safeguards already in place to prevent such attacks.

"I imagine that Google would move quickly to add some logic to look for such attacks," Dan Wallach, a professor specializing in Android security in the computer science department of Rice University, told Ars. "Without that available to an attacker, this is likely to only be relevant for Android users who use third-party app stores (which have lots of other problems). This bug could also be valuable for users trying to 'root' their phones."


Edited 2013-07-05 15:01 UTC

Reply Score: 4

WereCatf Member since:
2006-02-15

I guess, I jumped to conclusions. My apologies.

Reply Score: 2

Bill Shooter of Bul Member since:
2006-07-14

Don't get me wrong it still sucks donkey balls for anyone who lives in a country that doesn't have access to the play store. Like China. They're all kind of screwed through no fault of their own.

Reply Score: 2

Here is a much better article on the matter.
by TM99 on Fri 5th Jul 2013 15:52 UTC
TM99
Member since:
2012-08-26

Out of the articles making the rounds this morning, this one is the most detailed, non-hyperbolic, and worth reading.

http://www.computerworld.com/s/article/9240556/Android_flaw_lets_at...

Reply Score: 3

Comment by jonoden
by jonoden on Fri 5th Jul 2013 19:11 UTC
jonoden
Member since:
2012-02-13

The funny thing is that only if you enable the ability to sideload apps are you susceptible to this. There is also a pretty stern "you are potentially f*8&ing yourself if you do this" warning pops up if you enable the "allow apps from unknown sources" feature. I believe that warning has been there since 1.6. ;)

Not trying to downplay the criticality of this problem, but sideloading has always been a risky business.

Reply Score: 3

Yep
by Drunkula on Fri 5th Jul 2013 19:36 UTC
Drunkula
Member since:
2009-09-03

Just don't enable "unknown sources" and you should be fine...

Reply Score: 2

Fame and fortune
by Soulbender on Sat 6th Jul 2013 02:59 UTC
Soulbender
Member since:
2005-08-18

So... I see that yet another "security" startup need some more seed capital and think some PR will do the trick.

a Trojan application from the device manufacturer can grant the application full access to Android system and all applications


WOW! No, really? You don't say?

Edited 2013-07-06 03:01 UTC

Reply Score: 3