While it sounds menacing, has the exploit actually been found in the wild? I'm never sure where the terror starts, there is a vast difference between 'can/might' and 'did'.
Considering that he will be telling everyone all about it next week, I'm sure there'll be plenty of people ready to utilise the new method.
What can Google do about it? Release an update to Android? That'll help the 100 or so people who update.
Considering that he will be telling everyone all about it next week, I'm sure there'll be plenty of people ready to utilise the new method.
What can Google do about it? Release an update to Android? That'll help the 100 or so people who update.
If it has to be a system update then you would be right (there is btw a fix for it in 4.4.4 with the only danger there being NFC but who in there right mind installs a Google Wallet app from outside of the Play Store?). But it might also be possible that the security update can be pushed by the Play Store's new Dynamic Security Provider (new since June). It has already been used to fix some OpenSSL issues so it might also be capable of delivering a fix for this. Which would mean that 93% of all devices get the update.
"The problem affects virtually all Android phones sold since 2010. Bluebox calls the flaw "Fake ID" because it allows malware apps to pass fake credentials to Android, which fails to properly verify the app's cryptographic signature. Instead, Android grants the rogue app all of the access permissions of whatever legitimate app the malware claims to be."
So, I guess the specific names will be up to the creators.
You redirected the OP's question. To me it read 'can anyone tells us of any documented infections by a 'super malware' using the Fake ID method?'.
While it sounds menacing, has the exploit actually been found in the wild? I'm never sure where the terror starts, there is a vast difference between 'can/might' and 'did'.
Quote:
Originally Posted by cnocbui
So can anyone actually name an instance of this 'super-malware' or is the title perhaps ever so slightly misleading?
Quote:
Originally Posted by Chipsy
The title is indeed somewhat misleading as there are no real world examples of this vulnerability being used by malware.
I have never had a malware issue on my Windows PC. I guess that means Windows malware doesn't exist, and nobody has ever exploited it, right?
Android is a clusterfu&^ of an OS. A patched together hobbled pile of doo doo. Google is NOT Apple (or Microsoft), who have combined close to 70 years of OS development experience.
I see what you are trying to say there ... but surely not ripping of iOS in the first place would have been a better way to achieve 'good terms' with Apple?
No doubt Android copied iOS. The problem is that 'ripping off' as you say, is apparently not a legal infringement, otherwise Apple would have filed a suit against them. Everyone wants to take advantage of someone else's good idea. The trick is to do it without violating any patents. It is better, in my opinion, that another US company established the predominate alternative to iOS rather than some Chinese or Korean company. At least Google is bound by US law.
I have never had a malware issue on my Windows PC. I guess that means Windows malware doesn't exist, and nobody has ever exploited it, right?
Android is a clusterfu&^ of an OS. A patched together hobbled pile of doo doo. Google is NOT Apple (or Microsoft), who have combined close to 70 years of OS development experience.
lol that's what you have as an answer. You logic completely fails here. It wouldn't be like you said 'I have never had a malware issue on my Windows PC. I guess that means Windows malware doesn't exist, and nobody has ever exploited it'
My reply was more along the lines of: 'Someone found a vulnerability in Windows but there is no known malware that uses that specific vulnerability to its advantage'.
My reply by no means insinuated that there is no malware on Android (or Windows for that matter). Just that there is no malware that exploits this vulnerability. Just like Apple's SSL verification issue it's a theoretical danger for now (which of course needs fixing).
lol that's what you have as an answer. You logic completely fails here. It wouldn't be like you said 'I have never had a malware issue on my Windows PC. I guess that means Windows malware doesn't exist, and nobody has ever exploited it'
My reply was more along the lines of: 'Someone found a vulnerability in Windows but there is no known malware that uses that specific vulnerability to its advantage'.
My reply by no means insinuated that there is no malware on Android (or Windows for that matter). Just that there is no malware that exploits this vulnerability. Just like Apple's SSL verification issue it's a theoretical danger for now (which of course needs fixing).
It fits your original comment which stated "The title is indeed somewhat misleading as there are no real world examples of this vulnerability being used by malware."
I'm dying for you to tell me how you know there are no real world examples.
On a related note:
- If you download apps from Google Play and avoid third party sites, then you won't get malware.
- If you're too stupid to check the permissions of an app you install, you deserve to get malware.
- Google will fix this before anyone uses it.
- BTW, is anyone actually using it? I demand proof.
Does that cover all the excuses usually thrown around? Did I miss any?
Considering that he will be telling everyone all about it next week, I'm sure there'll be plenty of people ready to utilise the new method.
What can Google do about it? Release an update to Android? That'll help the 100 or so people who update.
Sadly, according to market surveys approximately 40% of Google Android users will not be able to receive a security update when and if a security update is ever available.
It fits your original comment which stated "The title is indeed somewhat misleading as there are no real world examples of this vulnerability being used by malware."
I'm dying for you to tell me how you know there are no real world examples.
On a related note:
- If you download apps from Google Play and avoid third party sites, then you won't get malware. - If you're too stupid to check the permissions of an app you install, you deserve to get malware. - Google will fix this before anyone uses it. - BTW, is anyone actually using it? I demand proof.
Does that cover all the excuses usually thrown around? Did I miss any?
Here's a key sentence used by the discoverers:"This can lead to a malicious application having the ability to steal user data, recover passwords and secrets, or in certain cases, compromise the whole Android device."
It can lead to malicious apps exploiting this vulnerability. But at this moment in time there aren't any known.
Btw the discoverers of the exploit will also release a free security scanning tool that protects you from it. So a fix through the Play Store seems possible.
Sadly, according to market surveys approximately 40% of Google Android users will not be able to receive a security update when and if a security update is ever available.
But remember those people don't get apps nor browse the Web, so they're good.
Here's a key sentence used by the discoverers:"This can lead to a malicious application having the ability to steal user data, recover passwords and secrets, or in certain cases, compromise the whole Android device."
It can lead to malicious apps exploiting this vulnerability. But at this moment in time there aren't any known.
Btw the discoverers of the exploit will also release a free security scanning tool that protects you from it. So a fix through the Play Store seems possible.
I agree with [@]EricTheHalfBee[/@] on this one. The researchers have no real knowledge if anyone else has discovered this exploit, and has used it. They used the word 'can' because they don't know definitively if it's been used or not.
I agree with [@]EricTheHalfBee[/@] on this one. The researchers have no real knowledge if anyone else has discovered this exploit, and has used it. They used the word 'can' because they don't know definitively if it's been used or not.
But there is no evidence whatsoever that it has been. Should we just ignore that and just assume it has based on nothing. Then the same could have been done for Apple's SSL verification issue. There were also no known malware exploits but should we have just said then that there were without evidence? That's a bit ridiculous. Furthermore the discoverers have an app that scans apps for it. Surely they used it already to scan apps on the Play Store (of course not all) and if it would have been a wide spread problem when it comes to malware exploiting the issue they would have been able to detect this already.
Edit: apparently Google completely scanned the Play Store and no exploits were found. They also updated Verify Apps and Google Play to protect users from it until the definite fix (which is already sent to OEM's and AOSP) is implemented by OEM's.
How do you fix the flaw on all those billions of Android phones that have been sold since 2010?
This is the main difference between Android and iOS that the anti-iOS crowd ignores. Flaws and security breaches are found in both OSes all the time. However it is a lot easier to get the fix out to all the iOS devices.
No doubt Android copied iOS. The problem is that 'ripping off' as you say, is apparently not a legal infringement, otherwise Apple would have filed a suit against them. Everyone wants to take advantage of someone else's good idea. The trick is to do it without violating any patents. It is better, in my opinion, that another US company established the predominate alternative to iOS rather than some Chinese or Korean company. At least Google is bound by US law.
I guess that was Bill Gates thinking too. The problem is as others posted earlier, it is deliberately calculated that by the time the courts do anything it is too late and the fines are more than covered by ill gotten gains. Only major players can do this, Gates with IBM's backing and now Google and Samsung. If you or I tried to sell a rip off we'd be crushed. There is something not right about the big boys stealing and profiting just because of the system.
A Google spokesperson said that after Bluebox’s disclosure, it quickly issued a patch that was distributed to Android partners and to the Android Open Source Project.
“Google Play and Verify Apps have also been enhanced to protect users from this issue. At this time, we have scanned all applications submitted to Google Play as well as those Google has reviewed from outside of Google Play and we have seen no evidence of attempted exploitation of this vulnerability,” the spokesperson added.
A Google spokesperson said that after Bluebox’s disclosure, it quickly issued a patch that was distributed to Android partners and to the Android Open Source Project.
“Google Play and Verify Apps have also been enhanced to protect users from this issue. At this time, we have scanned all applications submitted to Google Play as well as those Google has reviewed from outside of Google Play and we have seen no evidence of attempted exploitation of this vulnerability,” the spokesperson added.
Loved the comment below that article by this wag BensonBenson ... "I always use Microsoft products, to avoid any sort of fraud or hacking issues..." I nearly snorted my coffee down my nose.
I forgot to say that it's not a Mac, it's an iPad and it's not jailbroken.
The other way to load an app outside of the app store is by using a signed adhoc provisioning profile (which you're typically limited to an audience of 100 devices) or an enterprise provisioning profile (I think has no limit) both of which must have a valid Developer Apple ID account and can be blocked by Apple if it wishes to do so.
Did you get a prompt to install a certificate before installing the update?
Comments
While it sounds menacing, has the exploit actually been found in the wild? I'm never sure where the terror starts, there is a vast difference between 'can/might' and 'did'.
Considering that he will be telling everyone all about it next week, I'm sure there'll be plenty of people ready to utilise the new method.
What can Google do about it? Release an update to Android? That'll help the 100 or so people who update.
Ah ... OK sorry, I am using a Mac as I read and assumed .... my bad.
You redirected the OP's question. To me it read 'can anyone tells us of any documented infections by a 'super malware' using the Fake ID method?'.
While it sounds menacing, has the exploit actually been found in the wild? I'm never sure where the terror starts, there is a vast difference between 'can/might' and 'did'.
So can anyone actually name an instance of this 'super-malware' or is the title perhaps ever so slightly misleading?
The title is indeed somewhat misleading as there are no real world examples of this vulnerability being used by malware.
I have never had a malware issue on my Windows PC. I guess that means Windows malware doesn't exist, and nobody has ever exploited it, right?
Android is a clusterfu&^ of an OS. A patched together hobbled pile of doo doo. Google is NOT Apple (or Microsoft), who have combined close to 70 years of OS development experience.
No doubt Android copied iOS. The problem is that 'ripping off' as you say, is apparently not a legal infringement, otherwise Apple would have filed a suit against them. Everyone wants to take advantage of someone else's good idea. The trick is to do it without violating any patents. It is better, in my opinion, that another US company established the predominate alternative to iOS rather than some Chinese or Korean company. At least Google is bound by US law.
I have never had a malware issue on my Windows PC. I guess that means Windows malware doesn't exist, and nobody has ever exploited it, right?
Android is a clusterfu&^ of an OS. A patched together hobbled pile of doo doo. Google is NOT Apple (or Microsoft), who have combined close to 70 years of OS development experience.
lol that's what you have as an answer. You logic completely fails here. It wouldn't be like you said 'I have never had a malware issue on my Windows PC. I guess that means Windows malware doesn't exist, and nobody has ever exploited it'
My reply was more along the lines of: 'Someone found a vulnerability in Windows but there is no known malware that uses that specific vulnerability to its advantage'.
My reply by no means insinuated that there is no malware on Android (or Windows for that matter). Just that there is no malware that exploits this vulnerability. Just like Apple's SSL verification issue it's a theoretical danger for now (which of course needs fixing).
lol that's what you have as an answer. You logic completely fails here. It wouldn't be like you said 'I have never had a malware issue on my Windows PC. I guess that means Windows malware doesn't exist, and nobody has ever exploited it'
My reply was more along the lines of: 'Someone found a vulnerability in Windows but there is no known malware that uses that specific vulnerability to its advantage'.
My reply by no means insinuated that there is no malware on Android (or Windows for that matter). Just that there is no malware that exploits this vulnerability. Just like Apple's SSL verification issue it's a theoretical danger for now (which of course needs fixing).
It fits your original comment which stated "The title is indeed somewhat misleading as there are no real world examples of this vulnerability being used by malware."
I'm dying for you to tell me how you know there are no real world examples.
On a related note:
- If you download apps from Google Play and avoid third party sites, then you won't get malware.
- If you're too stupid to check the permissions of an app you install, you deserve to get malware.
- Google will fix this before anyone uses it.
- BTW, is anyone actually using it? I demand proof.
Does that cover all the excuses usually thrown around? Did I miss any?
Sadly, according to market surveys approximately 40% of Google Android users will not be able to receive a security update when and if a security update is ever available.
Really? You were either extremely careful, or fortunate, because my old Win XP PC was a malware magnet.
Here's a key sentence used by the discoverers:"This can lead to a malicious application having the ability to steal user data, recover passwords and secrets, or in certain cases, compromise the whole Android device."
It can lead to malicious apps exploiting this vulnerability. But at this moment in time there aren't any known.
Btw the discoverers of the exploit will also release a free security scanning tool that protects you from it. So a fix through the Play Store seems possible.
But remember those people don't get apps nor browse the Web, so they're good.
I agree with [@]EricTheHalfBee[/@] on this one. The researchers have no real knowledge if anyone else has discovered this exploit, and has used it. They used the word 'can' because they don't know definitively if it's been used or not.
Edit: apparently Google completely scanned the Play Store and no exploits were found. They also updated Verify Apps and Google Play to protect users from it until the definite fix (which is already sent to OEM's and AOSP) is implemented by OEM's.
How do you fix the flaw on all those billions of Android phones that have been sold since 2010?
This is the main difference between Android and iOS that the anti-iOS crowd ignores. Flaws and security breaches are found in both OSes all the time. However it is a lot easier to get the fix out to all the iOS devices.
Oops sorry, I do that more and more these days ... I need new glasses or another coffee. Apologies...
I guess that was Bill Gates thinking too. The problem is as others posted earlier, it is deliberately calculated that by the time the courts do anything it is too late and the fines are more than covered by ill gotten gains. Only major players can do this, Gates with IBM's backing and now Google and Samsung. If you or I tried to sell a rip off we'd be crushed. There is something not right about the big boys stealing and profiting just because of the system.
“Google Play and Verify Apps have also been enhanced to protect users from this issue. At this time, we have scanned all applications submitted to Google Play as well as those Google has reviewed from outside of Google Play and we have seen no evidence of attempted exploitation of this vulnerability,” the spokesperson added.
[URL]http://www.theguardian.com/technology/2014/jul/29/android-fake-id-flaw-google-patch [/URL]
Not that I have to worry on my nexus 7.
Loved the comment below that article by this wag BensonBenson ... "I always use Microsoft products, to avoid any sort of fraud or hacking issues..." I nearly snorted my coffee down my nose.
I forgot to say that it's not a Mac, it's an iPad and it's not jailbroken.
The other way to load an app outside of the app store is by using a signed adhoc provisioning profile (which you're typically limited to an audience of 100 devices) or an enterprise provisioning profile (I think has no limit) both of which must have a valid Developer Apple ID account and can be blocked by Apple if it wishes to do so.
Did you get a prompt to install a certificate before installing the update?
something like this: