Security experts release software to attack Android phones
A tool for attacking devices running Google's Android operating system was released by security researchers today at the Defcon hackers conference in Las Vegas.
The root-kit tool was released to "to persuade manufacturers to fix a bug that lets hackers read a victim's email and text messages," according to report by Reuters.
"It wasn't difficult to build," said Nicholas Percoco, who leads Spider Labs. Working with a colleague, Percoco said it took about two weeks to develop the tool, which allows nefarious users to take control of the device and steal email and text messages.
Percoco distributed the root kit on DVDs at the Defcon conference, which is a meeting of around 10,000 security experts who can attend anonymously. Reuters noted that "law enforcement posts undercover agents in the [Defcon] audience to spot criminals and government officials recruit workers to fight computer crimes and for the Department of Defense."
Security issues hitting Android are contradicting the perception that malicious attacks are primarily directed at the largest installed base. The global installed base of Apple's iOS devices is at least four times as large as Android, which despite a lot of media attention, is still similar to Microsoft's beleaguered Windows Mobile in terms of market share.
Android's open-ended security defended
A day ago, security researchers at Lookout reported the potential for mobile software to take invisible actions that users were not aware were happening, noting that many apps on all platforms can gain access to private data, and specifically calling out a wallpapers app on Android for collecting device data, phone numbers, and voicemail numbers of users who downloaded the app, forwarding the information to servers in China.
At least one Android blog, Android Tapp, rushed to defend the platform, insisting that an initial report by Venture Beat was inciting "fear. uncertainty and doubt" by describing the data collection as "malicious."
The blog indicated that there was nothing wrong with developers collecting Android users' data without disclosure and for unknown purposes, suggesting instead that users should anticipate the full consequences of downloading third party software based on the permissions that software requests during installation.
While defending the developer involved in harvesting Android users' phone numbers, voicemail phone numbers, and device IDs through his "Jackeey Wallpaper" app, the Android fan blog pointed out that other Android wallpaper apps request permissions to read phone call information, read SD Card storage, and access contact data.
Following Lookout's report, Google pulled the wallpaper app in question, but other apps that do the same thing while requesting even more access to users' data are still available for download.
"True all users should indeed be aware of what they are installing from the Android Market," the Android blog concluded. "But was the mass negative press without covering the complete story warranted???"
The root-kit tool was released to "to persuade manufacturers to fix a bug that lets hackers read a victim's email and text messages," according to report by Reuters.
"It wasn't difficult to build," said Nicholas Percoco, who leads Spider Labs. Working with a colleague, Percoco said it took about two weeks to develop the tool, which allows nefarious users to take control of the device and steal email and text messages.
Percoco distributed the root kit on DVDs at the Defcon conference, which is a meeting of around 10,000 security experts who can attend anonymously. Reuters noted that "law enforcement posts undercover agents in the [Defcon] audience to spot criminals and government officials recruit workers to fight computer crimes and for the Department of Defense."
Security issues hitting Android are contradicting the perception that malicious attacks are primarily directed at the largest installed base. The global installed base of Apple's iOS devices is at least four times as large as Android, which despite a lot of media attention, is still similar to Microsoft's beleaguered Windows Mobile in terms of market share.
Android's open-ended security defended
A day ago, security researchers at Lookout reported the potential for mobile software to take invisible actions that users were not aware were happening, noting that many apps on all platforms can gain access to private data, and specifically calling out a wallpapers app on Android for collecting device data, phone numbers, and voicemail numbers of users who downloaded the app, forwarding the information to servers in China.
At least one Android blog, Android Tapp, rushed to defend the platform, insisting that an initial report by Venture Beat was inciting "fear. uncertainty and doubt" by describing the data collection as "malicious."
The blog indicated that there was nothing wrong with developers collecting Android users' data without disclosure and for unknown purposes, suggesting instead that users should anticipate the full consequences of downloading third party software based on the permissions that software requests during installation.
While defending the developer involved in harvesting Android users' phone numbers, voicemail phone numbers, and device IDs through his "Jackeey Wallpaper" app, the Android fan blog pointed out that other Android wallpaper apps request permissions to read phone call information, read SD Card storage, and access contact data.
Following Lookout's report, Google pulled the wallpaper app in question, but other apps that do the same thing while requesting even more access to users' data are still available for download.
"True all users should indeed be aware of what they are installing from the Android Market," the Android blog concluded. "But was the mass negative press without covering the complete story warranted???"
Comments
Note: Yes, They're ALL Vulnerable in one way or another).
I don't really see how this changes things. The app is still malicious and they are distributing it through the Android app store. We don't see the same things happen in the AppStore. I can't see enterprise customers interested in this platform. Imagine someone cold calling all your clients in your address book as you?
At least one Android blog, Android Tapp, rushed to defend the platform, insisting that an initial report by Venture Beat was inciting "fear. uncertainty and doubt" by describing the data collection as "malicious."
...
"True all users should indeed be aware of what they are installing from the Android Market," the Android blog concluded. "But was the mass negative press without covering the complete story warranted???"
Android fans should be happy. If FUD is being created about Android, it means they are being recognized as significant. Welcome to the bigtime (unless you can't stand the taste of your own medicine).
Android fans should be happy. If FUD is being created about Android, it means they are being recognized as significant. Welcome to the bigtime (unless you can't stand the taste of your own medicine).
Here in NZ the media was painting it as an issue that affects the iPhone 'and other smartphones'. A cursory mention was made of Android.
Why do people even buy papers anymore?
Android blog concluded. "But was the mass negative press without covering the complete story warranted???"
[ View this article at AppleInsider.com ]
Really, as mentioned, questionably poor reception is headline news (for the iPhone), but such seriously malicious apps are not? If that is so, then the world is truly upside down.
I personally am 100% behind the concept of the walled garden of the App store, and loth the idea of being a Droid user downloading bad stuff that I don't even know about (and who really reads all of the warning pop ups carefully, and understands the implications of touching 'OK'? Seriously.)
Uncurated App store = PC virus, malware, spyware Hell! That is so last decade and has no place in the now and future.
This has not gotten enough press, let alone too much.
Probably will end up being some crap you have to compile into a device-specific OS image, copy over via USB, and manually install after rebooting into recovery mode.
(Or as iPhone users call it, "jailbreaking")
Uncurated App store = PC virus, malware, spyware Hell! That is so last decade and has no place in the now and future.
My Macs do not have a curated, walled App store... and yet I have never heard of a single legitimate virus/malware threat. The App store has nothing to do with it, other than being a means to protect idiots from themselves.
Really, as mentioned, questionably poor reception is headline news (for the iPhone), but such seriously malicious apps are not? If that is so, then the world is truly upside down.
I personally am 100% behind the concept of the walled garden of the App store, and loth the idea of being a Droid user downloading bad stuff that I don't even know about (and who really reads all of the warning pop ups carefully, and understands the implications of touching 'OK'? Seriously.)
Uncurated App store = PC virus, malware, spyware Hell! That is so last decade and has no place in the now and future.
This has not gotten enough press, let alone too much.
Indeed. As Android becomes more popular, the marketplace is going to become a bigger threat as malicious developers take advantage of people who expect Google's "superior" platform to be as safe as the App Store (no, it's not perfect, but at least its users don't have to be paranoid about every single app on there). Expecting users to waste their time researching the app on forums, reading all the fine print, and knowing by the vague warnings what exactly will happen is not the way to build a platform for the masses. Not everybody with a phone is tech-savvy nor should they be expected to be (though, from a casual reading of Android blogs, they do) to use a phone, and they won't be as patient with the shortcomings of Android as they are with Windows. People expect phones to work much more reliably than they ever expected computers to.
My Macs do not have a curated, walled App store... and yet I have never heard of a single legitimate virus/malware threat. The App store has nothing to do with it, other than being a means to protect idiots from themselves.
With the latest iterations of OS X, Apple has introduced many initiatives to prevent security issues. One of the most interesting is known as address space layout randomization (ASLR) which is more commonly known as memory randomization. ASLR is important because it makes one of the most common security issues, the buffer overflow, almost impossible to exploit.
For those of you who don?t understand it, think of it this way. Imagine the memory of your computer like a map of your hometown. Some vandal wants to change some of the street names to mess with your map. In order for him to do that, he needs to know the exact longitude and latitude of those streets. It?s easy for him because he can buy a map of your hometown and get that same information.
The latest version of OS X chops that map up into little squares and randomly rearranges them, but is also smart enough to know how to continue reading the map unhindered by the confusing rearrangement. Nobody is able to buy a map arranged exactly like that so nobody can get the exact information they need to vandalize your map. It doesn?t mean they can?t. They just can?t quite zero in on exact targets anymore.
On top of that, OS X also offers tagged downloading of applications (a system that watches very closely what gets downloaded and run on your computer and alerts the user before it runs for the first time), stronger forms of built-in encryption, more robust firewall features that watch for malware-like activity and application sandboxing to prevent hackers from targeting program-specific vulnerabilities.
This isn't even in the news yet if some idiot grips an iPhone hard enough to lower the signal it's front page.
They released it on a Friday to be kind to Google. A late Friday story won't get picked up quickly and very likely by Monday there will be something else going on to capture people's attention
My Macs do not have a curated, walled App store... and yet I have never heard of a single legitimate virus/malware threat.
Please don't become too cocky or shawnb will become shornb.
There are threats out there. Mac OS X makes exploits harder but they're not impossible by any means. You did change your router password, didn't you? If not, do it RIGHT NOW !
The App store has nothing to do with it
Yes it does. The characteristics of Mac OS X and iOS are different, although they come from the same code base. I am very much a supporter of the App store concept, but I do my own Mac development. I manage my Macs closely but expect my iPhone to "just work"
CRAPPY. INSECURE. SECOND-RATE.
My Macs do not have a curated, walled App store... and yet I have never heard of a single legitimate virus/malware threat. The App store has nothing to do with it, other than being a means to protect idiots from themselves.
Your Macs are not ultra-portable devices running Mobile OSes either. And the fact that you have not heard doesn't mean malware and vulnerabilities don't exist. The App Store is part of the ecosystem that maintains security and reliability for the iOS platform, and therefore has a lot to do with it.
Android = The Windows XP of Mobile.
CRAPPY. INSECURE. SECOND-RATE.
Really dude? I thought we were better than that...
suggesting instead that users should anticipate the full consequences of downloading third party software based on the permissions that software requests during installation.
Damn! We bought the phone and we need to do this extra work every damn apps we downloaded?