
Four-year-old bug could allow attackers steal data from 99pc Android devices

The Bluebox article seems to seek only headlines. After reading it you could also say that "100% of Android users may use 3rd party market places and install apps from the internet and then may be vulnerable to any trojan, virus etc." (You can replace the word Android with iOS or Windows!)

If you're using Google Play, you're safe. If you try to get paid apps for free, there's nothing to prevent you from getting problems too... There is no free meal, right?

Where did they get that 99% anyway? 1% covers devices before donut including S4 which is immune :thinking:
 
Upvote 0
At any rate, there's a difference between a security researcher finding a bug and reporting it to the company months ago (as they already have in this case) and finding a bug being exploited in the wild.

Google's reportedly patched the bug.

At this point for the majority of users this isn't really an issue.

Sensationalist media is still going to go zomg 99% of users affected to get clicks.
 
Upvote 0
People need to realize who this can affect.

The non-tech/non-knowing user (think grandparents): No. They don't know how to allow third party sites through settings. They also don't search around for third-party app sites.

The casual user: not likely (see above)

The sophisticated user: possibly. They know how to allow third party/unsecure sites. They know how to find third party/unsecure sites. They know each step is exposing them. Not that they deserve an infection if they get one, but they will realize they enabled it.
 
Upvote 0
The article on Bluebox contains this (emphasis mine): The term "the app store" is a bit ambiguous, it could include the Google Play store but it doesn't specifically mention it.

Yes, it could include it, but it won't. Because the article is looking for headlines, they don't mention that Google has prevented this from happening in Google Play. It's only possible to get it with apps from outside of Google Play.

Most theoretical users affected by this vulnerability are in Asia/East who use unsecure market places etc.
 
Upvote 0
I wonder how many who have rooted their phone have NOT been tempted or actually used a .apk on their phone?

Even if it's not from the Google Play store, there are plenty of LEGITIMATE outside sources to get apps from. Many developers will self publish outside of the Play store, as well as the many other app stores available.

Sideloading apps by itself isn't bad. Doing it with hacked apks or from sketchy sources is.

Root actually doesn't have anything to do with it; you don't need to be rooted to sideload.
 
Upvote 0
Even if it's not from the Google Play store, there are plenty of LEGITIMATE outside sources to get apps from. Many developers will self publish outside of the Play store, as well as the many other app stores available.

Sideloading apps by itself isn't bad. Doing it with hacked apks or from sketchy sources is.

Root actually doesn't have anything to do with it; you don't need to be rooted to sideload.

What you say is true but the number of people I encounter who use .apk's w/o even a cursory check is large & truly astonishing.
 
Upvote 0
Why blame the users? The vast majority of users are not very tech savvy. My takeaway from the article is that the OS needs an update patch. And the big problem is that android updates are sporadic and inconsistent with all the different manufacturers and models. Even if you get an update for your particular phone, there is the very real risk that it may not work for your phone. If auto makers sold cars with a faulty ABS system, they would be made accountable and should fix the problem ASAP. We would not go around blaming users that it was up to them to avoid driving when conditions are slippery.
 
Upvote 0
Why blame the users? The vast majority of users are not very tech savvy. My takeaway from the article is that the OS needs an update patch. And the big problem is that android updates are sporadic and inconsistent with all the different manufacturers and models. Even if you get an update for your particular phone, there is the very real risk that it may not work for your phone. If auto makers sold cars with a faulty ABS system, they would be made accountable and should fix the problem ASAP. We would not go around blaming users that it was up to them to avoid driving when conditions are slippery.

I respectfully disagree. Android allows freedom. And with freedom comes choice.

If you choose to learn how to allow third party sites to install onto your phone (and when you do, Android warns you it is unsafe to do so), then you learn to find a third party site and then learn to download onto your phone - that is on you and you need to take responsibility for your actions.

Android does not control you and sanitize your sins for you. You are learning how to install third party apps (see above) and making the conscious decision to do so - all the while knowing the risks you are taking.

Android is an operating system. Not a parent.
 
Upvote 0
I respectfully disagree. Android allows freedom. And with freedom comes choice.

If you choose to learn how to allow third party sites to install onto your phone (and when you do, Android warns you it is unsafe to do so), then you learn to find a third party site and then learn to download onto your phone - that is on you and you need to take responsibility for your actions.

Android does not control you and sanitize your sins for you. You are learning how to install third party apps (see above) and making the conscious decision to do so - all the while knowing the risks you are taking.

Android is an operating system. Not a parent.

Good post and well said.
 
Upvote 0
I respectfully disagree. Android allows freedom. And with freedom comes choice.

If you choose to learn how to allow third party sites to install onto your phone (and when you do, Android warns you it is unsafe to do so), then you learn to find a third party site and then learn to download onto your phone - that is on you and you need to take responsibility for your actions.

Android does not control you and sanitize your sins for you. You are learning how to install third party apps (see above) and making the conscious decision to do so - all the while knowing the risks you are taking.

Android is an operating system. Not a parent.

Security flaw + (0 x update) = freedom of choice ???

Because the Android OS is vulnerable, you need to rely on Google Play Store (parent) to protect you? The cynic in me makes me think that Google intentionally puts in the flaw to restrict your freedom of choice.
 
Upvote 0
The cynic in me makes me think that Google intentionally puts in the flaw to restrict your freedom of choice.

If it was a question of "restricting freedom of choice" then there would be no "allow unknown sources" option in Android. ;)

Besides, Google have patched the vuln so presumably the patched source code is available. It's up to the device manufacturers to support their handsets by releasing updates.
 
Upvote 0
Ah right lol sorry. Hadn't read the full thread and Appy Geek gave me it as breaking news :)

So what will custom rom users do mate?

Read my edit, I wasn't fast enough :p

Basically, custom ROMs will always get these patches out before manufacturers do.

One more benefit to being root (although we're typically at greater risk for things like this as well)
 
Upvote 0
Good news for anyone who still wants to use 3rd party app markets: no need to wait for the Google fix to reach your device, a utility has been released that apparently fixes this issue!

One thing: you do need to be careful to get it from a reputable source as some devious people have been posting dodgy versions on forums like this .. :eek:

The link above comes from the el Reg story .. hopefully, they checked it's kosher!
 
Upvote 0
Read my edit, I wasn't fast enough :p

Basically, custom ROMs will always get these patches out before manufacturers do.

One more benefit to being root (although we're typically at greater risk for things like this as well)

I can confirm that the recent HTC One 4.2.2 update patches it (have installed it and checked).

I'd guess most stock phones haven't been patched though.
 
Upvote 0
