
New Android 'Fake ID' flaw empowers stealthy new class of super-malware - Page 3

post #81 of 102
This is hilarious. I haven't posted here in so long, but Daniel or Mr. DED just posted at Ars Technica on its own version of the article.

http://arstechnica.com/civis/viewtopic.php?f=2&t=1251045&p=27300557#p27300557

Of course, Daniel failed to mention that AOSP is already patched here back in April:

https://android.googlesource.com/platform/libcore/ /android-cts-4.1_r4


and despite him saying Google won't fix it, already updated Google play services to detect apps that try to take advantage of the flaw for any handset or tablet, thus negating any issues for handsets that won't get updated, even though phones like the 2 generation old Samsung GS3 are running 4.4.2.

And of course, Flash hasn't been in any Android device since 4.1.

I guess in the years since I've been here, nothing has changed. DED still posts bull sht about Google and Android. And you guys fall for it every time.
post #82 of 102
Quote:
Originally Posted by Tallest Skil View Post
 

Please no. Between “polar vortex”, “supermoon”, “superstorm”, and all the other ludicrously idiotic, meaningless, and misleading buzzwords the media seems to want to invent this decade, we don’t need “super malware” thrown in.

 

=(

 

Mal-zilla?

post #83 of 102
Quote:
Originally Posted by sprockkets View Post

This is hilarious. I haven't posted here in so long, but Daniel or Mr. DED just posted at Ars Technica on its own version of the article.

http://arstechnica.com/civis/viewtopic.php?f=2&t=1251045&p=27300557#p27300557

Of course, Daniel failed to mention that AOSP is already patched here back in April:

https://android.googlesource.com/platform/libcore/ /android-cts-4.1_r4


and despite him saying Google won't fix it, already updated Google play services to detect apps that try to take advantage of the flaw for any handset or tablet, thus negating any issues for handsets that won't get updated, even though phones like the 2 generation old Samsung GS3 are running 4.4.2.

And of course, Flash hasn't been in any Android device since 4.1.

I guess in the years since I've been here, nothing has changed. DED still posts bull sht about Google and Android. And you guys fall for it every time.


Don't you mean "Prince McLean"?

post #84 of 102

Quote:

Originally Posted by AppleInsider View Post

Among the trusted apps that can be spoofed by Fake ID is Adobe Flash, which Google deeply integrated into Android's web browser in an attempt to prove that Steve Jobs was wrong about Flash not being a good idea on mobile devices.
Quote:

Originally Posted by Formosa

There's some incredible synergistic irony going on here... Flash + Android (vs. SJ)

 

 

Yep, the man's doing a pretty good job fighting even from beyond. He's a regular Jobi-Wan

 

Android Ludicrous (beta) - Ha, ha, haa

post #85 of 102
Bugs are bugs and all software has them. So, this is not a story about a security flaw in Android. It's a story about multiple OSes named Android with some common code over which Google has no ability to patch when the inevitable flaws are discovered.

Android buyers wanted cheap and choice. Some wanted open source and freedom to operate the android devices based upon their perceived needs. Many simply wanted anything non-Apple.

There is a balance and there are costs to be paid whichever choice one goes with. I've been happy with my choice of Apple. My costs have been easily measured by the prices I pay for Apple products and software. The costs of going with Android are not measurable by the costs of the software or devices and are harder to quantify. But they are significant.
post #86 of 102
Quote:
Originally Posted by Corrections View Post
 

 

 

As the article clearly points out: the last time Bluebox pointed out a major design failing in Android's security architecture, there was malware in the wild within the month. 

 

You lob personal attacks at the author, but the real issue is Google's sloppy work and the difficulty of fixing things in the "open paradise" that is Android. That, and the droid groupies who make excuses for the company and its half-baked products.

I really wish you'd stop referring to yourself in the third person, it's the same in every one of your threads.

 

At best it's misleading, at worst it's dishonest.  For someone who claims to be a serious tech journalist, it does your credibility no favours.

post #87 of 102
Quote:
Originally Posted by Corrections View Post
This isn't even remotely true. Google has started issuing some updates and patches via Google Play Services, but this happened all of twice this year. The last update is 5.0, from June 25. Check your phone to see if you have an update. You do not, because a new one hasn't been released yet.   

 

I guess you don't understand how Google updates their OS. Very understandable, because most Android users don't even know.

The core security features of Android are included in an app called Google Play Services, completely independent of the OS version running. Because it is an app, Google updates this outside of software updates under carrier control. Google uses this power to automatically push security updates to ALL of its phones (v2.3 and later = ~99.3%) behind the scenes once every two weeks. This makes security updates to Android faster and reaching more users than even iOS.

Yes, this flaw should have been caught from the start and yes Google didn't push the fix in AOSP until recently but even before this went public Google pushed an update to play services to squash any chance of this security flaw ever being abused on all phones v2.3 and up (those that support Google play services).

 

Bluebox sells security software and has been called out before for fear mongering to sell its software. That's what you're seeing here and AI is using it to generate views (which works and is good business). But this story is not what AI makes it out to be.

 

Edit: I checked my Google play services like you suggested. They updated it July 28, 2014.

Link showing last Google play services update: https://play.google.com/store/apps/details?id=com.google.android.gms&hl=en


Edited by NexusPhan - 7/30/14 at 5:10am
post #88 of 102
Quote:
Originally Posted by reefoid View Post

I really wish you'd stop referring to yourself in the third person, it's the same in every one of your threads.

At best it's misleading, at worst it's dishonest.  For someone who claims to be a serious tech journalist, it does your credibility no favours.

I disagree totally. In the situation of defending the editorial against attacks, while wearing a different hat, it makes far more sense and reads better by others done that way. If it were written in the first person it would come across as too personal and a bit weird. IMHO. Imagine if a painter were also an art lecturer at a college and one of his paintings came up and was criticized in a class by a pupil. The professor would respond referring to 'the painter' in the third person while trying to explain. If he started saying 'I did this or I did that' it would be very unprofessional unless he had introduced the painting in class and asked for criticism in the first person to start with.
Been using Apple since Apple ][ - Long on AAPL so biased
nMac Pro 6 Core, MacBookPro i7, MacBookPro i5, iPhones 5 and 5s, iPad Air, 2013 Mac mini, SE30, IIFx, Towers; G4 & G3.
post #89 of 102
Quote:
Originally Posted by digitalclips View Post


I disagree totally. In the situation of defending the editorial against attacks, while wearing a different hat, it makes far more sense and reads better by others done that way. If it were written in the first person it would come across as too personal and a bit weird. IMHO. Imagine if a painter were also an art lecturer at a college and one of his paintings came up and was criticized in a class by a pupil. The professor would respond referring to 'the painter' in the third person while trying to explain. If he started saying 'I did this or I did that' it would be very unprofessional unless he had introduced the painting in class and asked for criticism in the first person to start with.

I realize this is a small website, but at any company I worked at, if employees posted on the forums, you did one of two things:

 

1. Post under an account that was clearly flagged and identified as an employee;

2. Post under a smurf account and nobody can know your true identity because your words can reflect upon the company.

 

Posting under an account not identified as the author/employee/representative yet people knowing said poster's identity is typically viewed as unprofessional at any company and their associated community I have worked for.


Edited by Negafox - 7/30/14 at 9:38am
post #90 of 102
Scott Forristal?
post #91 of 102
The danger this exploit presents might be judged by how much damage has been done by those who try to exploit it. This "new" flaw has been around since 2010.

It exists inside an Apache Harmony library file and while it may still be exploitable there are several ways to block the vulnerability.

If you need to know how then you might want to look into methods such as turning on 'Verify Apps' in Android settings, installing CyanogenMod, only downloading apps from the Play Store or installing the Re-key app which blocks it (or by installing the Master Key multi-fix Xposed module, which is not a simple process.)

If you don't need to know how to protect yourself from it and just need a good laugh or something to mock then a trip to the closest mirror should set you right.
post #92 of 102
Quote:
Originally Posted by Negafox View Post

I realize this is a small website, but at any company I worked at, if employees posted on the forums, you did one of two things:

1. Post under an account that was clearly flagged and identified as an employee;
2. Post under a smurf account and nobody can know your true identity because your words can reflect upon the company.

Posting under an account not identified as the author/employee/representative yet people knowing said poster's identity is typically viewed as unprofessional at any company and their associated community I have worked for.

This is DED we are talking about here. That's like having Don Henley writing editorials on a pop music blog and also as a blogger, it would be pretty neat eh? Have some respect will ya!
Been using Apple since Apple ][ - Long on AAPL so biased
nMac Pro 6 Core, MacBookPro i7, MacBookPro i5, iPhones 5 and 5s, iPad Air, 2013 Mac mini, SE30, IIFx, Towers; G4 & G3.
post #93 of 102
Quote:
Originally Posted by Corrections View Post
 

 

 

As the article clearly points out: the last time Bluebox pointed out a major design failing in Android's security architecture, there was malware in the wild within the month. 

 

You lob personal attacks at the author, but the real issue is Google's sloppy work and the difficulty of fixing things in the "open paradise" that is Android. That, and the droid groupies who make excuses for the company and its half-baked products.


The real sloppy work at issue is you not checking your facts and publishing yet another chicken little article informed by ignorance.

 

You are some hypocrite to be complaining about personal attacks.  You once called me a liar. I subsequently proved that I wasn't but you typically didn't apologise.

post #94 of 102

It has been used by hackers to allow Android phones to be rooted.  My Moto X was rooted via this exploit.

 

But, yes, there are dozens of articles on how dangerous and widespread it is but so far there don't seem to be any saying that it has been used to steal from anyone.  But it could have been.  Maybe.  I guess.

post #95 of 102
Quote:
Originally Posted by RalphMouth View Post
 

How do you fix the flaw on all those billions of Android phones that have been sold since 2010?

 

This is the main difference between Android and iOS that the anti-iOS crowd ignores. Flaws and security breaches are found in both OSes all the time. However it is a lot easier to get the fix out to all the iOS devices. 


Yes, iOS updates are much more readily available and timely.

 

This flaw is addressed by an Android setting under Security that causes new apps to be verified before installing them.  There is also an app that you may install that blocks the flaw.  I don't know of any features like that in iOS or The App Store, but I'm really not very familiar with it, so there might be and I wouldn't know.  There are other ways to block it as well.

post #96 of 102
Quote:
Originally Posted by dasanman69 View Post


You can also get apps from Amazon. They only allow apps after vetting them.


And F-Droid, and a few other places that might be deemed "reliable" depending on one's perspective.

post #97 of 102
Originally Posted by digitalclips View Post
I disagree totally. In the situation of defending the editorial against attacks, while wearing a different hat, it makes far more sense and reads better by others done that way. If it were written in the first person it would come across as too personal and a bit weird. IMHO. Imagine if a painter were also an art lecturer at a college and one of his paintings came up and was criticized in a class by a pupil. The professor would respond referring to 'the painter' in the third person while trying to explain. If he started saying 'I did this or I did that' it would be very unprofessional unless he had introduced the painting in class and asked for criticism in the first person to start with.

 

Your analogy is good (and I agree with it out of context), but that’s not what is happening here. He’s no teacher and we’re not learning anything. There’s no master/apprentice relationship here. It would be very fitting, particularly since he has now confirmed it, to refer to himself in the first person.

Originally Posted by helia

I can break your arm if I apply enough force, but in normal handshaking this won't happen ever.
post #98 of 102
Even if the actual damage this flaw causes is zero, the real headline is that Android software updates are not made universally available by all service providers.
post #99 of 102
Quote:
Originally Posted by sprockkets View Post

This is hilarious. I haven't posted here in so long, but Daniel or Mr. DED just posted at Ars Technica on its own version of the article.

http://arstechnica.com/civis/viewtopic.php?f=2&t=1251045&p=27300557#p27300557

Of course, Daniel failed to mention that AOSP is already patched here back in April:

https://android.googlesource.com/platform/libcore/ /android-cts-4.1_r4


and despite him saying Google won't fix it, already updated Google play services to detect apps that try to take advantage of the flaw for any handset or tablet, thus negating any issues for handsets that won't get updated, even though phones like the 2 generation old Samsung GS3 are running 4.4.2.

And of course, Flash hasn't been in any Android device since 4.1.

I guess in the years since I've been here, nothing has changed. DED still posts bull sht about Google and Android. And you guys fall for it every time.

 

Google issuing a fix for AOSP does not result in a patch being delivered to the hundreds of millions of phones using a distribution that includes AOSP code.

 

Also, you simply lied when you represented the article stating "Google won't fix it." The article actually states that Google is expected to issue patches, but that those patches are unlikely to ever reach most Android users for the usual reasons. 

 

Flash doesn't need to be "in" Android for there to be remaining vulnerabilities related to Google's hardwiring of Flash into the Android webview.

 

Also, "Google Play Services is not Android. It is a proprietary layer of Google APIs, apps and services that runs on top of Android. When the vulnerability is in core Android, Google Play Service updates will have no impact on any device not running this layer (most devices in China or Kindle Fire, for example) or protect against any malicious app that uses the core vulnerability directly, since that vulnerability will continue to exist until the core OS is updated. Google Play Services is great for distributing bug fixes and new functionality - its usefulness for addressing Android's security patch issues is less cut and dried."

 

So stop lying "sprockkets."

 

Android is a mess, and no character assassination by you changes that fact. 

post #100 of 102

What the hell? You removed my first line again, you fucking bastard!

 

If you don't like being called out Mr. Correction for being a sock puppet for Daniel, then don't fucking do it!

 

"Google issuing a fix for AOSP does not result in a patch being delivered to the hundreds of millions of phones using a distribution that includes AOSP code."

 

Uh, so? They gave the patch to OEMs. Any of the OEMs who took the code from AOSP for their own phones can grab it the same way they did it initially.

 

"Also, you simply lied when you represented the article stating "Google won't fix it." The article actually states that Google is expected to issue patches, but that those patches are unlikely to ever reach most Android users for the usual reasons. "

 

BULL SHIT. You flat out omitted information.

 

Every android phone is perfectly capable of receiving the update. Android phones get security updates all the time, from the HTC One S recently who got patched for heart bleed (as being one of the few phones to be on 4.1.x who stopped getting updates over a year ago) to Motorola's phones to patch the bootloader to Samsungs' who were patched for a root exploit on Verizon.

 

You can pretend all you like that phones don't get patches, but that hasn't been the case ever. Upgrades to Android!=security updates. 

 

"Flash doesn't need to be "in" Android for there to be remaining vulnerabilities related to Google's hardwiring of Flash into the Android webview."

 

No shit Daniel. It only makes your argument that much weaker. Next strawman please.

 

"Also, "Google Play Services is not Android. It is a proprietary layer of Google APIs, apps and services that runs on top of Android. When the vulnerability is in core Android, Google Play Service updates will have no impact on any device not running this layer (most devices in China or Kindle Fire, for example) or protect against any malicious app that uses the core vulnerability directly, since that vulnerability will continue to exist until the core OS is updated. Google Play Services is great for distributing bug fixes and new functionality - its usefulness for addressing Android's security patch issues is less cut and dried.""

 

Well if they want to update the patch is in AOSP for them to grab. Various Linux distros do the same - take patches in the kernel then package them for users.

 

Not google's fault if OEMs build their own devices and not update their own devices.

 

edit: STOP REMOVING MY POST, YOU DON'T LIKE IT, TOUGH SHIT

 

"So stop lying "sprockkets."

 

You first Daniel, and seeing how you can't tolerate me calling you out, tough shit, I'm reposting this and copying and pasting it. Good luck with that.

 

"Android is a mess, and no character assassination by you changes that fact. "

 

Nor is your ability to handle the truth, or even any fucking shred of journalism.

 

But oh, we can't have this pic here cause it exposes my pathetic character!

 

 

 

Dude, I don't really care about your pathetic web site, nor your stupid articles. I only came here cause you tried to troll us intelligent ars readers with your bull shit. 

 

Keep your fapping articles for your lemmings. **** off.


Edited by sprockkets - 8/3/14 at 8:28pm
post #101 of 102
Quote:
Originally Posted by Corrections View Post
 

"Google presumably also "scanned" its Android code and failed to realize that it wasn't even verifying app signing certificates. That's pretty basic PKI work. "

 

Sure, just like that mistake apple made. But go on.

 

"This isn't even remotely true. Google has started issuing some updates and patches via Google Play Services, but this happened all of twice this year. The last update is 5.0, from June 25. Check your phone to see if you have an update. You do not, because a new one hasn't been released yet.   "

 

And since they fixed it back in April when it was disclosed and GP services is updated every 6 weeks or more, you have proof it wasn't already patched before disclosure? Of course not, you are just making BS assumptions.

 

"Thanks for the tip. Google "how to sideload android software" and you get 1M responses. Are you so sure nobody has ever followed any of those?

How about the "Android Central Sideload Wonder Machine" which Android Central promotes and tells its users: "It's a Windows program that can install applications you have downloaded outside the official Android Market to your Android phone.""

 

And there are 2.6 millions results on how to jailbreak ios7.1. So what? Google search anything and you'll find a lot of results. 

Wait you use google?

 

"What a fantastically ignorant thing to say. So nobody sideloads Android apps, and the same company that doesn't know how to implement basic PKI cryptography for its users is a magical sky god that omnisciently protects all the peoples who buy cheap phones. "

 

Even if they did, what of it? They saw the warning about what happens when they do. Even side loaded apps are scanned, but you wouldn't know that.

 

You want to say that the only way to fix stupid is to not allow him to be stupid? Go ahead. Terrible shame that the level of intelligence in people today is at a steady decline that the average person can't even change a stupid vacuum belt if their life depended on it.

 
"Except cheap phones like the Galaxy Nexus (and +80% of all Android phones actively accessing Google Play), which still carry those other serious vulnerabilities related to integrated Flash that pervade every app on the system.

Keep telling yourself that."
 
Yeah, and for all the ways you can hack an ios device, the sky hasn't fallen yet. Oh, except for the time that a bunch of people were locked out of their ios devices remotely. Hmm..., but that's OK! 
 
 
Hmm, I know! Let's ask anyone who has Windows and probably 80% of them will say they've dealt with malware, reinstalling windows, driver issues, slowdowns, to frustrations with printers.
 
Now let's all ask our fellow Android users and see how many have complained of anything.
 

 

Oh wait, they haven't.

post #102 of 102
Quote:
Originally Posted by Corrections View Post
 

Also, "Google Play Services is not Android. It is a proprietary layer of Google APIs, apps and services that runs on top of Android. When the vulnerability is in core Android, Google Play Service updates will have no impact on any device not running this layer (most devices in China or Kindle Fire, for example)

So un-updateable devices that have forked off from the main branch of Google-supported Android won't get an update from Google?  Why do you think Google would/should care?  Amazon made their choice here, let them patch their own subOS.  Likewise for the Chinese devices.

 

Dressing these forks up as a Google issue is grasping for criticism.

 

Quote:
Originally Posted by Corrections View Post
 

or protect against any malicious app that uses the core vulnerability directly, since that vulnerability will continue to exist until the core OS is updated.

Is it even possible to get around Google Play Services by using "the core vulnerability directly" or are you just making stuff up?

censored
