New Android 'Fake ID' flaw empowers stealthy new class of super-malware

1235

Comments

  • Reply 81 of 103
    froodfrood Posts: 771member
    Quote:

    Originally Posted by Tallest Skil View Post

     

    Please no. Between “polar vortex”, “supermoon”, “superstorm”, and all the other ludicrously idiotic, meaningless, and misleading buzzwords the media seems to want to invent this decade, we don’t need “super malware” thrown in.


     

    =(

     

    Mal-zilla?

  • Reply 82 of 103
    Quote:

    Originally Posted by sprockkets View Post



    This is hilarious. I haven't posted here in so long, but Daniel or Mr. DED just posted at Ars Technica on its own version of the article.



    http://arstechnica.com/civis/viewtopic.php?f=2&t=1251045&p=27300557#p27300557



    Of course, Daniel failed to mention that AOSP is already patched here back in April:



    https://android.googlesource.com/platform/libcore/ /android-cts-4.1_r4





    and despite him saying Google won't fix it, already updated Google play services to detect apps that try to take advantage of the flaw for any handset or tablet, thus negating any issues for handsets that won't get updated, even though phones like the 2 generation old Samsung GS3 are running 4.4.2.



    And of course, Flash hasn't been in any Android device since 4.1.



    I guess in the years since I've been here, nothing has changed. DED still posts bull sht about Google and Android. And you guys fall for it every time.



    Don't you mean "Prince McLean"?

  • Reply 83 of 103

    Quote:

    Originally Posted by AppleInsider View Post



    Among the trusted apps that can be spoofed by Fake ID is Adobe Flash, which Google deeply integrated into Android's web browser in an attempt to prove that Steve Jobs was wrong about Flash not being a good idea on mobile devices.



    Quote:


    Originally Posted by Formosa

    There's some incredible synergistic irony going on here... Flash + Android (vs. SJ)

     



     

    Yep, the man's doing a pretty good job fighting even from beyond. He's a regular Jobi-Wan

     

    Android Ludicrous (beta) - Ha, ha, haa

  • Reply 84 of 103
    Bugs are bugs and all software has them. So, this is not a story about a security flaw in Android. It's a story about multiple OSes named Android with some common code over which Google has no ability to patch when the inevitable flaws are discovered.

    Android buyers wanted cheap and choice. Some wanted open source and freedom to operate the android devices based upon their perceived needs. Many simply wanted anything non-Apple.

    There is a balance and there are costs to be paid whichever choice one goes with. I've been happy with my choice of Apple. My costs have been easily measured by the prices I pay for Apple products and software. The costs of going with Android are not measurable by the costs of the software or devices and are harder to quantify. But they are significant.
  • Reply 85 of 103
    reefoidreefoid Posts: 158member
    Quote:
    Originally Posted by Corrections View Post

     

     

     

    As the article clearly points out: the last time Bluebox pointed out a major design failing in Android's security architecture, there was malware in the wild within the month. 

     

    You lob personal attacks at the author, but the real issue is Google's sloppy work and the difficulty of fixing things in the "open paradise" that is Android. That, and the droid groupies who makes excuses for the company and its half baked products.


    I really wish you'd stop referring to yourself in the third person, its the same in every one of your threads.

     

    At best its misleading, at worst its dishonest.  For someone who claims to be a serious tech journalist, it does your credibility no favours.

  • Reply 86 of 103
    nexusphannexusphan Posts: 260member
    Quote:
    Originally Posted by Corrections View Post

    This isn't even remotely true. Google has started issuing some updates and patches via Google Play Services, but this happened all of twice this year. The last update is 5.0, from June 25. Check your phone to see if you have an update. You do not, because a new one hasn't been released yet.   

     

    I guess you don't understand how Google updates their OS. Very understandable, because most Android users don't even know.

    The core security features of Android are included in an app called Google Play Services, completely independent of the OS version running. Because it is an app, Google updates this outside of software updates under carrier control. Google uses this power to automatically push security updates to ALL of its phones (v2.3 and later = ~99.3%) behind the scenes once every two weeks. This makes security updates to Android faster and reaching more users than even iOS.

    Yes, this flaw should have been caught from the start and yes Google didn't push the fix in AOSP until recently but even before this went public Google pushed an update to play services to squash any chance of this security flaw ever being abused on all phones v2.3 and up (those that support Google play services).

     

    Bluebox sells security software and has been called out before for fear mongering to sell it's software. That's what you're seeing here and AI is using it to generate views (which works and is good business). But this story is not what AI makes it out to be.

     

    Edit: I checked my Google play services like you suggested. They updated it July 28, 2014.

    Link showing last Google play services update: https://play.google.com/store/apps/details?id=com.google.android.gms&hl=en

  • Reply 87 of 103
    MacProMacPro Posts: 19,822member
    reefoid wrote: »
    I really wish you'd stop referring to yourself in the third person, its the same in every one of your threads.

    At best its misleading, at worst its dishonest.  For someone who claims to be a serious tech journalist, it does your credibility no favours.

    I disagree totally. In the situation of defending the editorial against attacks, while wearing a different hat, it makes far more sense and reads better by others done that way. If it were written in the first person it would come across as too personal and a bit weird. IMHO. Imagine if a painter were also an art lecturer at a college and one of his paintings came up and was criticized in a class by a pupil. The professor would respond referring to 'the painter' in the third person while trying to explain. If he started saying 'I did this or I did that' it would be very unprofessional unless he had introduced the painting in class and asked for criticism in the first person to start with.
  • Reply 88 of 103
    negafoxnegafox Posts: 480member
    Quote:
    Originally Posted by digitalclips View Post





    I disagree totally. In the situation of defending the editorial against attacks, while wearing a different hat, it makes far more sense and reads better by others done that way. If it were written in the first person it would come across as too personal and a bit weird. IMHO. Imagine if a painter were also an art lecturer at a college and one of his paintings came up and was criticized in a class by a pupil. The professor would respond referring to 'the painter' in the third person while trying to explain. If he started saying 'I did this or I did that' it would be very unprofessional unless he had introduced the painting in class and asked for criticism in the first person to start with.

    I realize this is small website, but at any company I worked at, if employees posted on the forums, you did one of two things:

     

    1. Post under an account that was clearly flagged and identified as an employee;

    2. Post under a smurf account and nobody can know your true identity because your words can reflect upon the company.

     

    Posting under an account not identified as the author/employee/representative yet people knowing said poster's identity is typically viewed as unprofessional at any company and their associated community I have worked for.

  • Reply 89 of 103
    knowitallknowitall Posts: 1,648member
    Scott Forristal?
  • Reply 90 of 103
    The danger this exploit presents might be judged by how much damage has been done by those who try to exploit it. This "new" flaw has been around since 2010.

    It exists inside an Apache Harmony library file and while it may still be exploitable there are several ways to block the vulnerability.

    If you need to know how then you might want to look into methods such as turning on 'Verify Apps' in Android settings, installing CyanogenMod, only downloading apps from the Play Store or installing the Re-key app which blocks it (or by installing the Master Key multi-fix Xposed module, which is not a simple process.)

    If you don't need to know how to protect yourself from it and just need a good laugh or something to mock then a trip to the closest mirror should set you right.
  • Reply 91 of 103
    MacProMacPro Posts: 19,822member
    negafox wrote: »
    I realize this is small website, but at any company I worked at, if employees posted on the forums, you did one of two things:

    1. Post under an account that was clearly flagged and identified as an employee;
    2. Post under a smurf account and nobody can know your true identity because your words can reflect upon the company.

    Posting under an account not identified as the author/employee/representative yet people knowing said poster's identity is typically viewed as unprofessional at any company and their associated community I have worked for.

    This is DED we are talking about here. That's like having Don Henley writing editorials on a pop music blog and also as a blogger, it would be pretty neat eh? Have some respect will ya! :D
  • Reply 92 of 103
    cnocbuicnocbui Posts: 3,613member
    Quote:

    Originally Posted by Corrections View Post

     

     

     

    As the article clearly points out: the last time Bluebox pointed out a major design failing in Android's security architecture, there was malware in the wild within the month. 

     

    You lob personal attacks at the author, but the real issue is Google's sloppy work and the difficulty of fixing things in the "open paradise" that is Android. That, and the droid groupies who makes excuses for the company and its half baked products.




    The real sloppy work at issue is you not checking your facts and publishing yet another chicken little article informed by ignorance.

     

    You are some hypocrite to be complaining about personal attacks.  You once called me a liar. I subsequently proved that I wasn't but you typically didn't apologise..

  • Reply 93 of 103

    It has been used by hackers to allow Android phones to be rooted.  My Moto X was rooted via this exploit.

     

    But, yes, there are dozens of articles on how dangerous and widespread it is but so far there don't seem to be any saying that it has been used to steal from anyone.  But it could have been.  Maybe.  I guess.

  • Reply 94 of 103
    Quote:

    Originally Posted by RalphMouth View Post

     

    How do you fix the flaw on all those billions of Android phones that have been sold since 2010?

     

    This is the main difference between Android and iOS that the anti-iOS crowd ignores. Flaws and security breaches are found in both OSes all the time. However it is a lot easier to get the fix out to all the iOS devices. 




    Yes, iOS updates are much more readily available and timely.

     

    This flaw is addressed by an Android setting under Security that causes new apps to be verified before installing them.  There is also an app that you may install that blocks the flaw.  I don't know of any features like that in iOS or The App Store, but I'm really not very familiar with it, so there might be and I wouldn't know.  There are other way to block it as well.

  • Reply 95 of 103
    Quote:

    Originally Posted by dasanman69 View Post





    You can also get apps from Amazon. They only allow apps after vetting them.



    And F-Droid, and a few other places that might be deemed "reliable" depending one one's perspective.

  • Reply 96 of 103
    tallest skiltallest skil Posts: 43,388member
    Originally Posted by digitalclips View Post

    I disagree totally. In the situation of defending the editorial against attacks, while wearing a different hat, it makes far more sense and reads better by others done that way. If it were written in the first person it would come across as too personal and a bit weird. IMHO. Imagine if a painter were also an art lecturer at a college and one of his paintings came up and was criticized in a class by a pupil. The professor would respond referring to 'the painter' in the third person while trying to explain. If he started saying 'I did this or I did that' it would be very unprofessional unless he had introduced the painting in class and asked for criticism in the first person to start with.

     

    Your analogy is good (and I agree with it out of context), but that’s not what is happening here. He’s no teacher and we’re not learning anything. There’s no master/apprentice relationship here. It would be very fitting, particularly since he has now confirmed it, to refer to himself in the first person.

  • Reply 97 of 103
    m3mm3m Posts: 7member
    Even if the actual damage this flaw causes is zero, the real headline is that Android software updates are not made universally available by all service providers.
  • Reply 98 of 103
    Dan_DilgerDan_Dilger Posts: 1,584member
    Quote:

    Originally Posted by sprockkets View Post



    This is hilarious. I haven't posted here in so long, but Daniel or Mr. DED just posted at Ars Technica on its own version of the article.



    http://arstechnica.com/civis/viewtopic.php?f=2&t=1251045&p=27300557#p27300557



    Of course, Daniel failed to mention that AOSP is already patched here back in April:



    https://android.googlesource.com/platform/libcore/ /android-cts-4.1_r4





    and despite him saying Google won't fix it, already updated Google play services to detect apps that try to take advantage of the flaw for any handset or tablet, thus negating any issues for handsets that won't get updated, even though phones like the 2 generation old Samsung GS3 are running 4.4.2.



    And of course, Flash hasn't been in any Android device since 4.1.



    I guess in the years since I've been here, nothing has changed. DED still posts bull sht about Google and Android. And you guys fall for it every time.

     

    Google issuing a fix for AOSP does not result in a patch being delivered to the hundreds of millions of phones using a distribution that includes AOSP code.

     

    Also, you simply lied when you represented the article stating "Google won't fix it." The article actually states that Google is expected to issue patches, but that those patches are unlikely to ever reach most Android users for the usual reasons. 

     

    Flash doesn't need to be "in" Android for there to be remaining vulnerabilities related to Google's hardwiring of Flash into the Android webview.

     

    Also, "Google Play Services is not Android. It is a proprietary layer of Google APIs, apps and services that runs on top of Android. When the vulnerability is in core Android, Google Play Service updates will have no impact on any device not running this layer (most devices in China or Kindle Fire, for example) or protect against any malicious app that uses the core vulnerability directly, since that vulnerability will continue to exist until the core OS is updated. Google Play Services is great for distributing bug fixes and new functionality - it's usefulness for addressing Android's security patch issues is less cut and dried."

     

    So stop lying "sprockkets."

     

    Android is a mess, and no character assassination by you changes that fact. 

  • Reply 99 of 103

    What the hell? You removed my first line again, you fucking bastard!

     

    If you don't like being called out Mr. Correction for being a sock puppet for Daniel, then don't fucking do it!

     

    "Google issuing a fix for AOSP does not result in a patch being delivered to the hundreds of millions of phones using a distribution that includes AOSP code."

     

    Uh, so? They gave the patch to OEMs. Any of the OEMs who took the code from AOSP for their own phones can grab it the same way they did it initially.

     

    "Also, you simply lied when you represented the article stating "Google won't fix it." The article actually states that Google is expected to issue patches, but that those patches are unlikely to ever reach most Android users for the usual reasons. "

     

    BULL SHIT. You flat out omitted information.

     

    Every android phone is perfectly capable of receiving the update. Android phones get security udpates all the time, from the HTC One S recently who got patched for heart bleed (as being one of the few phones to be on 4.1.x who stopped getting updates over a year ago) to Motorola's phones to patch the bootloader to Samsungs' who were patched for a root exploit on Verizon.

     

    You can pretend all you like that phones don't get patches, but that hasn't been the case ever. Upgrades to Android!=security updates. 

     

    "Flash doesn't need to be "in" Android for there to be remaining vulnerabilities related to Google's hardwiring of Flash into the Android webview."

     

    No shit Daniel. It only makes your argument that much weaker. Next strawman please.

     

    "Also, "Google Play Services is not Android. It is a proprietary layer of Google APIs, apps and services that runs on top of Android. When the vulnerability is in core Android, Google Play Service updates will have no impact on any device not running this layer (most devices in China or Kindle Fire, for example) or protect against any malicious app that uses the core vulnerability directly, since that vulnerability will continue to exist until the core OS is updated. Google Play Services is great for distributing bug fixes and new functionality - it's usefulness for addressing Android's security patch issues is less cut and dried.""

     

    Well if they want to update the patch is in AOSP for them to grab. Various Linux distros do the same - take patches in the kernel then package them for users.

     

    Not google's fault if OEMs build their own devices and not update their own devices.

     

    edit: STOP REMOVING MY POST, YOU DON'T LIKE IT, TOUGH SHIT

     

    "So stop lying "sprockkets."

     

    You first Daniel, and seeing how you can't tolerate me calling you out, tough shit, I'm reposting this and copying and pasting it. Good luck with that.

     

    "Android is a mess, and no character assassination by you changes that fact. "

     

    Nor is your ability to handle the truth, or even any fucking shred of journalism.

     

    But oh, we can't have this pic here cause it exposes my pathetic character!

     

     

     

    Dude, I don't really care about your pathetic web site, nor your stupid articles. I only came here cause you tried to troll us intelligent ars readers with your bull shit. 

     

    Keep your fapping articles for your lemmings. **** off.

  • Reply 100 of 103
    Quote:

    Originally Posted by Corrections View Post

     

     

     

    As the article clearly points out: the last time Bluebox pointed out a major design failing in Android's security architecture, there was malware in the wild within the month. 

     

    You lob personal attacks at the author, but the real issue is Google's sloppy work and the difficulty of fixing things in the "open paradise" that is Android. That, and the droid groupies who makes excuses for the company and its half baked products.


    Oh look, he's referring to himself again in the third person, while not realizing he said the same thing on ars...

     

    Call bullshit on you again Daniel.

Sign In or Register to comment.