'Stagefright' vulnerability compromises Android phones with 1 text message, may affect 950M devices

1234568»

Comments

  • Reply 141 of 157
    waterrocketswaterrockets Posts: 1,231member
    Quote:

    Originally Posted by sog35 View Post

     

     

    and that's why Android sucks.

     

    Your phone will be unable to update after 12 months.  Or if you buy a cheaper phone, never updated.


     

    We have four Android devices in the family and all are on 5.1.1 from automatic updates, and they are from 2012 to 2014.

     

    We also have four iOS devices, and only two of those are on 8, because the user of the other two got burned by upgrades vs. usability.

  • Reply 142 of 157
    solipsismysolipsismy Posts: 5,099member
    dasanman69 wrote: »
    What's a 'high value target'? That phrase is definitely part of the FUDish language.

    There is no fear, uncertainty or doubt associated with that common term. It means what the three words state, that the targets have a high value. Thieves employ this all the time. There is also a consideration for difficultly and/or penalty, but that's also weighed against the value to determine the highest possible yield for the given effort and/or risk. But even if you aren't an international jewel thief or carjacker this same concept should still be known to known to you in other aspects of your life.
  • Reply 143 of 157

    Somewhere, in an alternate plane of existence, Gatorguy is telling off Eric Schmidt...

     

     

    Quote:

    Originally Posted by Gatorguy View Post

     Not nice to be dishonest Eric. image

  • Reply 144 of 157
    sphericspheric Posts: 2,290member
    dasanman69 wrote: »
    Has any single one of these vulnerabilities been used in a widespread attack? Any instances of millions of people being infected?

    (Keep a large pile of salt handy for the caveats I'll list at the end of this post!)

    I didn't check which of those vulnerabilities corresponded, but in the second half of 2014, a very conservative estimate from Alcatel-Lucent’s Motive Security Labs claimed 16 million malware-infected Android devices:

    http://www.securityweek.com/16-million-mobile-devices-infected-malware-2014-alcatel-lucent

    That puts them on par with Windows computers in terms of absolute numbers AFAICS.

    Oddly, numbers appear to be constantly rising, despite the number having been at 32.8 million in 2012:

    http://www.techlicious.com/blog/32-million-android-phones-infected-with-malware/

    So, two points:

    1.) It seems like adware has been taken out of the statistics as "normal" and not "malicious".

    2.) there is no real way of telling whether those numbers represent exploited vulnerabilities, or inadvertently installed trojan malware. (If it says in the articles, sue me for not reading them closely.)
  • Reply 145 of 157
    gatorguygatorguy Posts: 23,522member
    sog35 wrote: »
    Bottom line is Google does not want to be responsible for all the security flaws of Android.

    So when OEM's sell hundreds of millions of Android phones Google takes the credit.
    But when those same OEM's face security threats from Android they wash their hands clean and say it isn't their responsibility. send them patches or OS updates to test with the devices they built. Sending them out to the users is the OEM's responsibility and Google should pressure them to do so IMO, and perhaps they do now.
    Fixed it for 'ya
  • Reply 146 of 157
    linkmanlinkman Posts: 1,029member
    Quote:

    Originally Posted by spheric View Post



    1.) It seems like adware has been taken out of the statistics as "normal" and not "malicious".

     

    Because someone finally realized that Android is inherently adware in itself?

  • Reply 147 of 157
    solipsismysolipsismy Posts: 5,099member
    linkman wrote: »
    Because someone finally realized that Android is inherently adware in itself?

    Yeah, well your Fisher Price OS on your precious I-Phone is fadware. Enjoy it, sheep! :p j/k
  • Reply 148 of 157
    dasanman69dasanman69 Posts: 13,002member
    solipsismy wrote: »
    dasanman69 wrote: »
    What's a 'high value target'? That phrase is definitely part of the FUDish language.

    There is no fear, uncertainty or doubt associated with that common term. It means what the three words state, that the targets have a high value. Thieves employ this all the time. There is also a consideration for difficultly and/or penalty, but that's also weighed against the value to determine the highest possible yield for the given effort and/or risk. But even if you aren't an international jewel thief or carjacker this same concept should still be known to known to you in other aspects of your life.

    Sure there's FUD involved because we don't know what a hacker values. It could be banking info, or nude photos of celebrities. A carjacker wants cars, and a jewel thief wants jewelry. A hacker could want an infinite number of things. Just look at the one(s) that hacked Ashley Madison, they only wanted them to get rid of the fee to cancel the service.
  • Reply 149 of 157
    solipsismysolipsismy Posts: 5,099member
    dasanman69 wrote: »
    Sure there's FUD involved because we don't know what a hacker values. It could be banking info, or nude photos of celebrities. A carjacker wants cars, and a jewel thief wants jewelry. A hacker could want an infinite number of things. Just look at the one(s) that hacked Ashley Madison, they only wanted them to get rid of the fee to cancel the service.

    FUD would be taking some fringe and making into an absolute, kind of like how the news will say something shitty like, "There's in a killer in your home and you probably don't even know it," just to have them repeat that at every commercial break just to release some mundane info at the end that has a 1:1,000,000,000,000 of even injuring anyone. Thats FUD. Making a general, truthful statement, like, "most accidents happen in the home," is not FUD, just like pointing out that criminal typically go for the highest value target, which obviously doesn't mean value in terms of monetary gain.
  • Reply 150 of 157
    dasanman69dasanman69 Posts: 13,002member
    solipsismy wrote: »
    dasanman69 wrote: »
    Sure there's FUD involved because we don't know what a hacker values. It could be banking info, or nude photos of celebrities. A carjacker wants cars, and a jewel thief wants jewelry. A hacker could want an infinite number of things. Just look at the one(s) that hacked Ashley Madison, they only wanted them to get rid of the fee to cancel the service.

    FUD would be taking some fringe and making into an absolute, kind of like how the news will say something shitty like, "There's in a killer in your home and you probably don't even know it," just to have them repeat that at every commercial break just to release some mundane info at the end that has a 1:1,000,000,000,000 of even injuring anyone. Thats FUD. Making a general, truthful statement, like, "most accidents happen in the home," is not FUD, just like pointing out that criminal typically go for the highest value target, which obviously doesn't mean value in terms of monetary gain.

    But this is fringe. We don't know what can be done once a device is infected. Is it just to be able to spam our contacts with emails to buy property in Belize? Something less benign, or something more nefarious?
  • Reply 151 of 157
    solipsismysolipsismy Posts: 5,099member
    dasanman69 wrote: »
    But this is fringe. We don't know what can be done once a device is infected.

    1) Not even remotely the same thing.

    2) We know exactly what can be done.
  • Reply 152 of 157
    gatorguygatorguy Posts: 23,522member
    Ars has an article up saying much the same as I said early in this thread. Google simply has to take back some control of Android they had ceded to OEM's and carriers. Those two are selfishly protecting their own interests over the security of users devices. As it stands it's nearly impossible to get all the needed changes out to user devices despite the best intentions of Google engineers as there's little pressure on the manufacturers to do much about it. They'd be much happier to sell you a new phone every two years than expend engineering effort on making OS updates compatible and available for older devices. So take it out of their hands like Microsoft has done.

    Android might dodge the bullets this time but eventually someone's bullet is going to hit the mark unless all the parties agree on the needed changes to secure the ship. Google Play Services, Verify Apps and Safety Net can do a lot to mitigate security problems but they have limits and it will take a lot more time before Google can move the majority of services out of Android itself so that updates can be directly delivered. Some things can NEVER be handled outside of the OS. Carriers and OEM's need to move out of the way and be part of the fix instead of the problem.

    This is a really good read.
    http://arstechnica.com/gadgets/2015/08/waiting-for-androids-inevitable-security-armageddon/
  • Reply 153 of 157
    tmaytmay Posts: 5,825member
    Quote:
    Originally Posted by Gatorguy View Post



    Ars has an article up saying much the same as I said early in this thread. Google simply has to take back some control of Android they had ceded to OEM's and carriers. Those two are selfishly protecting their own interests over the security of users devices. As it stands it's nearly impossible to get all the needed changes out to user devices despite the best intentions of Google engineers as there's little pressure on the manufacturers to do much about it. They'd be much happier to sell you a new phone every two years than expend engineering effort on making OS updates compatible and available for older devices. So take it out of their hands like Microsoft has done.



    Android might dodge the bullets this time but eventually someone's bullet is going to hit the mark unless all the parties agree on the needed changes to secure the ship. Google Play Services, Verify Apps and Safety Net can do a lot to mitigate security problems but they have limits and it will take a lot more time before Google can move the majority of services out of Android itself so that updates can be directly delivered. Some things can NEVER be handled outside of the OS. Carriers and OEM's need to move out of the way and be part of the fix instead of the problem.



    This is a really good read.

    http://arstechnica.com/gadgets/2015/08/waiting-for-androids-inevitable-security-armageddon/

    From the article:

     

    "Android was originally designed, above all else, to be widely adopted. Google was starting from scratch with zero percent market share, so it was happy to give up control and give everyone a seat at the table in exchange for adoption. The sales pitch was simple: "Apple locked you all out of the iPhone and with Microsoft you're just a customer, but on Android, you'll all have a say in the end product." The open source nature of Android allowed anyone to adapt its code to their hardware, and OEMs and carriers could (theoretically) alter or fork it to their hearts' content."

     

    You are quite aware that Apple had at one point a zero percent market share, and Apple obviously didn't make those same decisions as Google. All of these Android device security issues, all of these difficulties in Android device support, are by design. Google can't "take back" what they never controlled, and after day one, all Google controlled was some Android OS code and a services bundle.

     

    OHA was designed to create a rapidly expanding market for Android devices. I'd say they succeeded beyond their wildest dreams.

  • Reply 154 of 157
    gatorguygatorguy Posts: 23,522member
    tmay wrote: »
    From the article:

    "Android was originally designed, above all else, to be widely adopted. Google was starting from scratch with zero percent market share, so it was happy to give up control and give everyone a seat at the table in exchange for adoption. The sales pitch was simple: "Apple locked you all out of the iPhone and with Microsoft you're just a customer, but on Android, you'll all have a say in the end product." The open source nature of Android allowed anyone to adapt its code to their hardware, and OEMs and carriers could (theoretically) alter or fork it to their hearts' content."

    <span style="line-height:1.4em;">You are quite aware that Apple had at one point a zero percent market share, and Apple obviously didn't make those same decisions as Google. All of these Android device security issues, all of these difficulties in Android device support, are by design. Google can't "take back" what they never controlled, and after day one, all Google controlled was some Android OS code and a services bundle.</span>


    <span style="line-height:1.4em;">OHA was designed to create a rapidly expanding market for Android devices. I'd say they succeeded beyond their wildest dreams.</span>

    Well this is a surprise! Noted an article this morning at Wired reporting that Samsung, LG and Google themselves are all committing to monthly security updates for their devices . Hopefully the other OEM's will make the same commitment. Maybe cooperation is closer than I thought.
  • Reply 155 of 157
    solipsismysolipsismy Posts: 5,099member
    gatorguy wrote: »
    Well this is a surprise! Noted an article this morning at Wired reporting that Samsung, LG and Google themselves are all committing to monthly security updates for their devices . Hopefully the other OEM's will make the same commitment. Maybe cooperation is closer than I thought.

    I hope so, but we've gotten lip service too many times for me to be convinced anything has fundamentally changed at this point. Perhaps a future version of Android will have better foundation for allowing Google to issue security updates quickly, but that may require pulling back some control from carriers and OEMs to preventing bricking devices.
  • Reply 156 of 157
    sphericspheric Posts: 2,290member
    gatorguy wrote: »
    Well this is a surprise! Noted an article this morning at Wired reporting that Samsung, LG and Google themselves are all committing to monthly security updates for their devices . Hopefully the other OEM's will make the same commitment. Maybe cooperation is closer than I thought.
    ä

    Notably absent: the carriers.
Sign In or Register to comment.