Security flaw opens all modern Android devices to "zombie botnet" takeover [u]

1246714

Comments

  • Reply 61 of 275
    mjtomlinmjtomlin Posts: 1,793member

    Quote:

    Originally Posted by d4NjvRzf View Post


    If android users mostly use their phones as featurephones and don't browse the web much -- as some on these forums have claimed -- this scenario would be quite unlikely.



     


    1. that's not just something some on this forum have claimed... there are numerous statistics to back that up.


     


    2. That's not the point. A link to a download/install can come from anywhere, not just while browsing the web. That was just an example.

  • Reply 62 of 275
    drblankdrblank Posts: 3,383member

    Quote:

    Originally Posted by AaronJ View Post


     


    Well, I suppose it depends on what you mean by "media."  If you mean places like Ars, then it's already there.  If you mean the WSJ or NYT, it won't happen.  They only talk about problems that Apple (and MS, to a lesser extent) have.  I will bet you dollars to doughtnuts that there is no story about this in the WSJ.


     


     



    What's "dollars to doughnuts" mean, exactly?  Yeah WSJ and NYT will cover it.  If Google has to send out outdates on all versions of their OS's dating back to 4 year old OSs for this, they will have to release an official Press Release and that will get picked up. This will affect Google's stock if this is as bad as it sounds.

  • Reply 63 of 275
    aaronjaaronj Posts: 1,595member

    Quote:

    Originally Posted by drblank View Post


    What's "dollars to doughnuts" mean, exactly?  Yeah WSJ and NYT will cover it.  If Google has to send out outdates on all versions of their OS's dating back to 4 year old OSs for this, they will have to release an official Press Release and that will get picked up. This will affect Google's stock if this is as bad as it sounds.



     


    Seriously, you don't know what "dollars to doughnuts" means?  Yeesh, I must REALLY be getting old.  It basically means that I would give you great odds in a bet on whatever subject we're discussing.


     


    Eh.  I'll believe it when I see it.  I doubt anyone outside the insular tech internet "media" will discuss this in the least.

  • Reply 64 of 275
    d4njvrzfd4njvrzf Posts: 797member

    Quote:

    Originally Posted by AaronJ View Post


     


     


    No, it's not one interpretation.  I'm sorry, but people who are using Android are using them for much less than people who are using iOS.  That's a fact.  Do with it what you will.



    Well if that were unambiguously true, it sounds this exploit wouldn't actually affect most android users, since they're not likely to get malicious app updates just by making phone calls, texting their friends, or playing the occasional solitaire -- whatever one usually does on featurephones. Unless of course your average user subscribes to non-google play app sources.

  • Reply 65 of 275
    MacProMacPro Posts: 17,903member
    With news like this they should rename Android, Windroid!
  • Reply 66 of 275
    You should put some music to that post & sell it on iTunes :)
  • Reply 67 of 275
    droidftwdroidftw Posts: 1,009member

    Quote:

    Originally Posted by drblank View Post


    What's "dollars to doughnuts" mean, exactly?  Yeah WSJ and NYT will cover it.  If Google has to send out outdates on all versions of their OS's dating back to 4 year old OSs for this, they will have to release an official Press Release and that will get picked up. This will affect Google's stock if this is as bad as it sounds.



     


    It's not as bad as it sounds as there's already safety guards in place (scroll up to read about them).  However, the fact that something isn't as bad as it sounds has never stopped the media before.  In fact, they love to blow things out of proportion and try to scare people into being afraid of things that aren't nearly the threat they're made out to be.


     


    Maybe DED is becoming a real journalist after all!  image

  • Reply 68 of 275
    aaronjaaronj Posts: 1,595member

    Quote:

    Originally Posted by d4NjvRzf View Post


    Well if that were unambiguously true, it sounds this exploit wouldn't actually affect most android users, since they're not likely to get malicious app updates just by making phone calls, texting their friends, or playing the occasional solitaire. Unless of course your average user subscribes to non-google play app sources.



     


    It IS unambiguously true, as many, many analyses have shown over a long period of time.  It's probably also true that this will affect few Android users, for the reasons you state.  That doesn't mean it's not important.


     


    Quote:

    Originally Posted by DroidFTW View Post


     


    It's not as bad as it sounds as there's already safety guards in place (scroll up to read about them).  However, the fact that something isn't as bad as it sounds has never stopped the media before.  In fact, they love to blow things out of proportion and try to scare people into being afraid of things that aren't nearly the threat they're made out to be.


     


    Maybe DED is becoming a real journalist after all!  image



     


    Oh, get lost.  You're not even a good troll.

  • Reply 69 of 275
    notownnotown Posts: 39member
    mjtomlin wrote: »
    Wow! Reading comprehension goes out the window when you're blinded by bias.

    Anyone who thinks this is a minor threat really needs to get their head examined. This vulnerability affects ALL apps in so much that any UPDATE made to that app regardless of where it was originally installed, can potentially be infected without the operating system knowing. Obviously any curated app store will be immune to this if they are diligent in checking for malware. But a user tricked into an update from another source is at risk and this is the real problem as most users aren't aware of what's happening... this was the biggest problem with most Windows epidemics; clueless users clicking things they shouldn't.

    Also:
    "[Update: a report by Computerworld notes that Samsung has included a patch rectifying the issue for one device: its flagship Galaxy S4. The article noted Forristal as saying that "Google has not released patches for its Nexus devices yet, but the company is working on them."]."

    Wouldn't that mean that all devices besides the S4 (back to 1.6 or whatever they said) are vulnerable, regardless of the App Store users access? Not sure how many that leaves, but some storage boxes in a warehouse somewhere are safe...
  • Reply 70 of 275
    suddenly newtonsuddenly newton Posts: 13,725member



    Quote:

    Originally Posted by drblank View Post


    Does this affect all of the new Gingerbread phones? 



     


    They make phones out of gingerbread? Xmas isn't for another 5 months.

  • Reply 71 of 275
    curtis hannahcurtis hannah Posts: 1,710member
    Man hackers enjoying this, I had heard about 2 years ago "you need to buy security software for smartphones,it's tons easier than windows for security hacks on windows; on the off set IOS has no known security hacks" here we have donut and Ice cream sandwich users have 4 millions ways to be hacked, go google!
  • Reply 72 of 275

    Quote:

    Originally Posted by DroidFTW View Post


     


    In fact, they love to blow things out of proportion



     


    You mean like...antennagate? Mapgate?

  • Reply 73 of 275

    Quote:

    Originally Posted by d4NjvRzf View Post


    If android users mostly use their phones as featurephones and don't browse the web much -- as some on these forums have claimed -- this scenario would be quite unlikely.



     


    Yes of course. Nobody uses an Android phone for things like web surfing. Android phones are for advertising your 1337n355. It's all about having the best specs in the room.

  • Reply 74 of 275


    I love how whenever there's an article about malware or security on Android all the losers/apologists crawl out from their hole with the usual excuses: "you have to be an idiot to get malware", "if you stay in Google Play you're OK" or "this is a minor issue".


     


    Right now there are a large number of people who are continually coming up with malware for Android. It's simple numbers. If people weren't getting their devices infected and allowing people to make money (whether through ID theft, premium text messages or other) then there wouldn't be so many people creating new types of malware.


     


    You whiners can yap all you want about what you "think" but the very fact that so many people are creating so many new versions of malware prove that it's a lucrative business. I don't need to listen to your lame excuses about how hard it is to catch something. They are irrelevant.

  • Reply 75 of 275
    walkopwalkop Posts: 12member
    mjtomlin wrote: »
    Wow! Reading comprehension goes out the window when you're blinded by bias.

    Anyone who thinks this is a minor threat really needs to get their head examined. This vulnerability affects ALL apps in so much that any UPDATE made to that app regardless of where it was originally installed, can potentially be infected without the operating system knowing. Obviously any curated app store will be immune to this if they are diligent in checking for malware. But a user tricked into an update from another source is at risk and this is the real problem as most users aren't aware of what's happening... this was the biggest problem with most Windows epidemics; clueless users clicking things they shouldn't.

    A user could go to a website that's been hacked and a message pops up that looks like a system message, saying something like...

    "There is a new version of the Calculator app... Would you like to update?"

    Well, how threatening is a calculator app... not at all, most people who didn't realize what was happening would probably click Yes. Then their device would be infected. The same thing could happen from an official looking email.
    I'm shocked at the amount of misinformation going around here. I know this is an Apple blog, but please - do some Android research.

    1. This does not affect any app in Google Play. Google has already blocked every application that uses this loophole, including updates, per the article.


    2. This only applies to side-loaded applications. Which have always been a security risk. Google warns you to the effect when you enable them; which is why I download Avast! if I sideload any applications.

    3. Updates are perfectly safe, if you use good developers. And I seriously doubt that any reputable company can simply get "infected" with malware without someone noticing almost instantly. Even IF you don't use major developers all the time, Google catches these things pretty fast - check around the blogosphere historically and you'll see what I mean.

    4. Sideloading apps IS important for some, like me. I.e. a game, Plants vs Zombie (botnets), doesn't work on my Nexus 10. But it works on my Galaxy Nexus. So I found the APK online, scanned it, and installed it manually - now it works like a charm!

    5. @GTR, nice joke - xD but Samsung has 'sold' 20 million Galaxy S4s, apparently. Which is quite a lot, even by Apple's standards.

    6. Finally, none of this really matters anyway, because even if Google HADN'T blocked these applications, it would have to be by an app developer deliberately trying to infect you. All the standard apps - Falcon Pro, Gmail, Instagram, Facebook, Google+, and yes - Plants Vs Zombies - are safe.
  • Reply 76 of 275
    malaxmalax Posts: 1,598member

    Quote:

    Originally Posted by drblank View Post


    What's "dollars to doughnuts" mean, exactly?  Yeah WSJ and NYT will cover it.  If Google has to send out outdates on all versions of their OS's dating back to 4 year old OSs for this, they will have to release an official Press Release and that will get picked up. This will affect Google's stock if this is as bad as it sounds.



     


    Slightly off topic does how does Google even make any money off Android?  It can't be a significant portion of their revenue.

  • Reply 77 of 275
    em_teem_te Posts: 25member

    Quote:

    Originally Posted by runbuh View Post



    So - according to this, I have to load a compromised app (an app originally signed and distributed by a legitimate developer, then compromised by a rogue). Can someone explain how this is supposed to happen via the app store? Doesn't seem likely.


     


    A user can receive an app as an email attachment on their phone. They could also receive it as an MMS (Multimedia SMS). If the app is signed, clicking it should trigger the install screen.

  • Reply 78 of 275
    aaronjaaronj Posts: 1,595member

    Quote:

    Originally Posted by Walkop View Post



    5. @GTR, nice joke - xD but Samsung has 'sold' 20 million Galaxy S4s, apparently. Which is quite a lot, even by Apple's standards.



    6. Finally, none of this really matters anyway, because even if Google HADN'T blocked these applications, it would have to be by an app developer deliberately trying to infect you. All the standard apps - Falcon Pro, Gmail, Instagram, Facebook, Google+, and yes - Plants Vs Zombies - are safe.


     


    Oh for the love of god ...


     


    FROM THE LINK *YOU* PROVIDED:


     


    "That's roughly 1.7 times faster than sales of the Galaxy S3 (that's global channel sales, not sales to consumers) at the same point in that device's life cycle."


     


    (emphasis added)


     


    Please: If you're going to attempt to make some point about how someone else was wrong, at least do it with statistics that back up your point, and not those that undermine it entirely.

  • Reply 79 of 275
    maltamalta Posts: 78member

    Quote:

    Originally Posted by GTR View Post


     




     


    You are more likely to get a virus if you root her than if you rooted the phone...

  • Reply 80 of 275
    aaronjaaronj Posts: 1,595member

    Quote:

    Originally Posted by malax View Post


     


    Slightly off topic does how does Google even make any money off Android?  It can't be a significant portion of their revenue.



     


    They don't -- directly.


     


    Google is an advertising company, not a tech company.  They make money off of advertising.  That's why they give Android away for free: The more devices on which it runs, the more devices that are producing ad revenue for Google (at least in theory; in practice? that's more debatable).

Sign In or Register to comment.