Linked by Thom Holwerda on Fri 5th Jul 2013 13:59 UTC, submitted by bowkota
Privacy, Security, Encryption "Researchers said they've uncovered a security vulnerability that could allow attackers to take full control of smartphones running Google's Android mobile operating system." So, how bad is this? Can anybody with knowledge of Android's inner workings explain?
Thread beginning with comment 566366
To view parent comment, click here.
To read all comments associated with this story, please click here.
RE: Its about non Play store apps
by WereCatf on Fri 5th Jul 2013 14:42 UTC in reply to "Its about non Play store apps"
Member since:

No, this is a risk for Google Play - apps, too: it has been shown multiple times that the heuristics that Google uses to detect malign code is easy to fool, so you could make a legitimate app and publish it on Google Play, but add a payload there that adds itself to any and all of your currently-installed applications. Then, even if the user removed the app with the payload the system would still be hosed and the only way to fully remove the payload would be a complete system format and a clean install from a firmware image.

Basically this is a "Oh f--k!" - moment for Android.

Edited 2013-07-05 14:42 UTC

Reply Parent Score: 2

AndyB Member since:

Surely Google will screen/virus check all apps being submitted to the app store, otherwise all sorts of stuff could be in there, with no way to separate the good from the bad!

Reply Parent Score: 1

Bill Shooter of Bul Member since:

I think it would be pretty difficult to get this on Google play. If I understand it correctly, it allows malicious app devs, to modify existing apps outside of the device while keeping the signature valid.

I don't think Google's malware detection is bad enough to allow me to upload an app signed by rovio.

I also don't think there is a way to infect other apps once on the device. I haven't read anything that says that it could.


From the article:

While it would be devastating if an attacker was able to get such a modified APK into the Google Play Store, or somehow use the technique to hijack the update mechanism of legitimate apps, there are probably safeguards already in place to prevent such attacks.

"I imagine that Google would move quickly to add some logic to look for such attacks," Dan Wallach, a professor specializing in Android security in the computer science department of Rice University, told Ars. "Without that available to an attacker, this is likely to only be relevant for Android users who use third-party app stores (which have lots of other problems). This bug could also be valuable for users trying to 'root' their phones."

Edited 2013-07-05 15:01 UTC

Reply Parent Score: 4

WereCatf Member since:

I guess, I jumped to conclusions. My apologies.

Reply Parent Score: 2