Security flaw opens all modern Android devices to "zombie botnet" takeover [u]


Comments

  • Reply 21 of 275
    droidftw Posts: 1,009 member

    Quote:

    Originally Posted by CustomTB View Post





    They won't! At least not one that will make it to phones.


     


    According to koop it's already been addressed.  I hope they do something at the OS level for those that they can in addition to the Play Store fix.


     


     


    Quote:

    Originally Posted by iSteelers View Post



    "Rogue Developers", classic. It's right up there with "Ancient Astronaut Theorists".


     


    The contempt and distrust for 3rd party devs at this site really amazes me.  Especially considering there are many members here who are 3rd party devs themselves.

  • Reply 22 of 275
    corrections Posts: 1,277 member

    Quote:

    Originally Posted by koop View Post



    "Using Google Play to distribute apps that have been modified to exploit this flaw is not possible because Google updated the app stores application entry process in order to block apps that contain this problem"



    --



    So this affects all the Android users who root and side load apps. Let's forget for a second most of those users are smart enough to manage their device security without hand holding, and say this is a whopping 2% of the market...maybe. Thanks for the scary headline I guess.


     


    If nobody "sideloads" apps, then why do Android proponents cite it as a primary feature of the platform? 


     


    Also, 2% of statistics unfavorable to one's personal wishes are just pulled from your ass, apparently.

  • Reply 23 of 275
    corrections Posts: 1,277 member

    Quote:

    Originally Posted by koop View Post


     


    The only one people use and care about. Amazon is the next best one. 


     


    I'm willing to bet 95% of Android users don't even know they can side load applications and will always be getting apps strictly from the Google Play store. As much as Apple users gloat about being walled in (I don't mind it myself) and that's secure, most best selling Android phones in their default settings are fairly locked down out of the box. Mostly the tech heads remove those restrictions, and it's on them to be careful about non-curated software. 


     


    Again, AI glossed over the fact that those who strictly use Google Play (almost everyone) will not be bothered by this issue. Any infection will require social engineering, which is a user error more than anything. 



     


    But that isn't true.


     


    "if an attacker tricks a user to manually install a malicious update for an app originally installed through Google Play, the app will be replaced and the new version will no longer interact with the app store. That's the case for all applications or new versions of applications, malicious or non-malicious, that are not installed through Google Play"


     


    Imagine how easy it would be to send out update notices for Facebook that install a new version of the app that looks to the system like the one it "securely" installed via Google Play. Broken. This is a real issue, and it's not easy to solve. Curious why you're so interested in nobody hearing about it. Security through obscurity? Market share through incompetent dumping?


     


    Also: putting one's head in the sand and saying there is no malware problem didn't work for Windows XP a decade ago. 

  • Reply 24 of 275
    rouge Posts: 1 member
    Go figure Apple has a minor pass code bypass hack that requires access to the device and the press flips out... But Android has a gainer ability that allows people to literally steal your device right out from under your nose and people seem not to care... Wtf
  • Reply 25 of 275
    cynic Posts: 124 member


    Not sure why some people play this issue down and claim that using Google Play is safe. It's not at all, read the article.


     


    Yes, it does at some point refer to manufacturer apps, however it doesn't mean that only such apps can cause harm. It merely means that such apps tend to have privileges within the system that go beyond the permissions regular store apps have.


     


    That doesn't mean that no other app can be malicious, in fact they can and they can be just as severe, depending on the permissions the application in question requires. This is a HUGE deal.

  • Reply 26 of 275
    mrrodriguez Posts: 215 member
    Are they talking about the app signing spoof that basically all of xda uses to get apps that don't work on certain phones (Google Wallet) to load? If so, this is a non-story and like someone said above, it doesn't affect the average consumer or the tech savvy rooters.
  • Reply 27 of 275
    runbuh Posts: 315 member
    So - according to this, I have to load a compromised app (an app originally signed and distributed by a legitimate developer, then compromised by a rogue). Can someone explain how this is supposed to happen via the app store? Doesn't seem likely. Seems more likely to happen if the user downloads and then sideloads such a rogue/hacked app.

    "However, due to the newly discovered Android flaw, a rogue developer can trick the system into thinking that a compromised app is still legitimate, giving it system wide access to do virtually anything."
  • Reply 28 of 275
    drblank Posts: 3,383 member


    Does this affect all of the new Gingerbread phones? 

  • Reply 29 of 275
    Sounds like if you go Android it would be a good idea to go with a late model Google made phone or at least the S4 special & others that are being offered with the pure Android operating system
  • Reply 30 of 275
    genovelle Posts: 887 member

    Quote:

    Originally Posted by koop View Post


     


    The vast majority of Android users have 5 apps on their phone max, use Google Play and have little need to be concerned about the issue. 



    No the vast majority of Android users can't even use Google Play. These are the ones Google doesn't count anymore to make their fragmentation look better.  Their super cool tech friends tell them where to go to get the best apps free because they don't want to pay for anything.  

  • Reply 31 of 275
    richard getz Posts: 1,142 member
    That's one way to get them to upgrade to a new version...
  • Reply 32 of 275
    richard getz Posts: 1,142 member

    Quote:

    Originally Posted by Macky the Macky View Post


    To all the Walled Garden Apple-hating idiots; welcome to the wide-assed open Android OS where free malware abounds. 


     


    I've been waiting for this day, for it was sure to come. Now, 900 million Android customers are re-thinking their earlier choice. I'd not be surprised if Apple sales sees a surge that would put the Sandy hurricane to shame... The new iPhones can't get here soon enough...!!!



     


    I doubt that 5% are rethinking this as most of them purchased this Feature-Smart phone just for a phone and know no better. 

  • Reply 33 of 275
    droidftw Posts: 1,009 member
    Are they talking about the app signing spoof that basically all of xda uses to get apps that don't work on certain phones (Google Wallet) to load? If so, this is a non-story and like someone said above, it doesn't affect the average consumer or the tech savvy rooters.

    If this is the same thing that APKTool does then that would mean this is just sensationalist "journalism." Surely DED would never take part in such activities just to make Android look bad.
  • Reply 34 of 275
    lkrupp Posts: 6,783 member

    Quote:

    Originally Posted by Corrections View Post


     


    If nobody "sideloads" apps, then why do Android proponents cite it as a primary feature of the platform? 


     


    Also, 2% of statistics unfavorable to one's personal wishes are just pulled from your ass, apparently.



     


    Correct. Go to any tech blog where Android sycophants hang out and they'll be happy to tell you that the ability to root and side load apps is what makes Android so "popular" with the masses. It's all about openness and freedom to do whatever you want, they say. Now we have an Android apologist claiming otherwise.

  • Reply 35 of 275
    corrections Posts: 1,277 member

    Quote:

    Originally Posted by Everett Ruess View Post



    Sounds like if you go Android it would be a good idea to go with a late model Google made phone or at least the S4 special & others that are being offered with the pure Android operating system


     


    The "pure Android" Google Nexus models have not been updated yet. Google has known about it since February. That's four months of being quiet about a serious security vulnerability.


     


    On an "open" platform.

  • Reply 36 of 275
    gtr Posts: 3,231 member


    Unlikely to affect the majority of Android "users"... 


     



     



  • Reply 37 of 275
    mjtomlin Posts: 1,819 member


    Wow! Reading comprehension goes out the window when you're blinded by bias.


     


    Anyone who thinks this is a minor threat really needs to get their head examined. This vulnerability affects ALL apps in so much that any UPDATE made to that app regardless of where it was originally installed, can potentially be infected without the operating system knowing. Obviously any curated app store will be immune to this if they are diligent in checking for malware. But a user tricked into an update from another source is at risk and this is the real problem as most users aren't aware of what's happening... this was the biggest problem with most Windows epidemics; clueless users clicking things they shouldn't.


     


    A user could go to a website that's been hacked and a message pops up that looks like a system message, saying something like...


     


    "There is a new version of the Calculator app... Would you like to update?"


     


    Well, how threatening is a calculator app... not at all, most people who didn't realize what was happening would probably click Yes. Then their device would be infected. The same thing could happen from an official looking email.

  • Reply 38 of 275
    droidftw Posts: 1,009 member

    Quote:

    Originally Posted by lkrupp View Post


     


    Correct. Go to any tech blog where Android sycophants hang out and they'll be happy to tell you that the ability to root and side load apps is what makes Android so "popular" with the masses. It's all about openness and freedom to do whatever you want, they say. Now we have an Android apologist claiming otherwise.



     


    The fact that you have come across an abundance of tech nerds frequenting tech blogs doesn't surprise me.  Of course they're going to say that it's a hugely popular feature because in their circle it is.  I'm a tech nerd and I love that I can root and side load apps.  If I had an iPhone I'd jailbreak it and sideload the occasional app too.  Not much difference in that department.

  • Reply 39 of 275
    drblank Posts: 3,383 member

    Quote:

    Originally Posted by GTR View Post


    Unlikely to affect the majority of Android "users"... 


     



     





    I wonder what's going to happen with regards to returns once this news gets widely distributed around the world in local newspapers and TV?

  • Reply 40 of 275
    drblank Posts: 3,383 member

    Quote:

    Originally Posted by DroidFTW View Post


     


    The fact that you have come across an abundance of tech nerds frequenting tech blogs doesn't surprise me.  Of course they're going to say that it's a hugely popular feature because in their circle it is.  I'm a tech nerd and I love that I can root and side load apps.  If I had an iPhone I'd jailbreak it and sideload the occasional app too.  Not much difference in that department.



    The number of people actually rooting their system, etc. is very small, but I think those kind of geeks collect devices so they represent a lot of sales in units.  The average person doesn't have or want to spend time being a phone geek, they have other things to do with their life than geeking out with a smartphone.
