Security flaw opens all modern Android devices to "zombie botnet" takeover [u]

1356714

Comments

  • Reply 41 of 276
    apple ][apple ][ Posts: 9,233member


    Yo, you peeps be bugging out, for real bro. Damn Apple fanboys always writing about such trivial issues.


     


    This is not even an issue at all, I'm telling y'all. First of all, on my Android phone (it's huge, much bigger than those puny Apple phones), I just have to write and maintain my own suite of security apps and install them, it's not that difficult to do. It's also a fun thing to do, since I never use my phone for anything useful like surfing the web and silly stuff like that, so this keeps me busy. I also root my phone at least three times a week, completely wiping the system and starting from scratch. Last night I installed a test build of 4.0.3, moving up from 4.0.2. Life doesn't get much more exciting than that, for real bro. And besides, anybody who gets a virus or has an infected Android phone is a complete moron. It's their fault, not Google's. 

  • Reply 42 of 276
    richard getzrichard getz Posts: 1,142member

    Quote:

    Originally Posted by drblank View Post


    I wonder what's going to happen with regards to returns once this news gets widely distributed around the world in local newspapers and TV?



     


    I hope Apple can ramp production up quickly : )

  • Reply 43 of 276
    d4njvrzfd4njvrzf Posts: 797member

    Quote:

    Originally Posted by mjtomlin View Post


     


    A user could go to a website that's been hacked and a message pops up that looks like a system message, saying something like...


     


    "There is a new version of the Calculator app... Would you like to update?"


     



    If android users mostly use their phones as featurephones and don't browse the web much -- as some on these forums have claimed -- this scenario would be quite unlikely.

  • Reply 44 of 276
    gtrgtr Posts: 3,231member

    Quote:

    Originally Posted by DroidFTW View Post


    I'm a tech nerd and I love that I can root and side load apps.



     


  • Reply 45 of 276
    murmanmurman Posts: 159member


    my god am I going to enjoy the specific grief of all those Apple hating, openess exuding twats.

  • Reply 46 of 276
    aaronjaaronj Posts: 1,595member

    Quote:

    Originally Posted by drblank View Post


    I wonder what's going to happen with regards to returns once this news gets widely distributed around the world in local newspapers and TV?



     


    It won't hit the media.  We know that.

  • Reply 47 of 276
    aaronjaaronj Posts: 1,595member

    Quote:

    Originally Posted by Apple ][ View Post


    Yo, you peeps be bugging out, for real bro. Damn Apple fanboys always writing about such trivial issues.


     


    This is not even an issue at all, I'm telling y'all. First of all, on my Android phone (it's huge, much bigger than those puny Apple phones), I just have to write and maintain my own suite of security apps and install them, it's not that difficult to do. It's also a fun thing to do, since I never use my phone for anything useful like surfing the web and silly stuff like that, so this keeps me busy. I also root my phone at least three times a week, completely wiping the system and starting from scratch. Last night I installed a test build of 4.0.3, moving up from 4.0.2. Life doesn't get much more exciting than that, for real bro. And besides, anybody who gets a virus or has an infected Android phone is a complete moron. It's their fault, not Google's. 



     


    This made me laugh out loud.  Thanks for that. :)


     


    Quote:

    Originally Posted by d4NjvRzf View Post


    If android users mostly use their phones as featurephones and don't browse the web much -- as some on these forums have claimed -- this scenario would be quite unlikely.



     


    "As some on these forums have claimed?"  It's NOT a claim.  It's statistics.  My god.

  • Reply 48 of 276
    aaronjaaronj Posts: 1,595member

    Quote:

    Originally Posted by GTR View Post


     




     


    You know, Heidi may be a complete freak, dumb as a brick, and have 10 cosmetic procedures in ONE day -- but I would "root" that in a heartbeat.

  • Reply 49 of 276
    mrrodriguezmrrodriguez Posts: 215member
    mjtomlin wrote: »
    Wow! Reading comprehension goes out the window when you're blinded by bias.

    Anyone who thinks this is a minor threat really needs to get their head examined. This vulnerability affects ALL apps in so much that any UPDATE made to that app regardless of where it was originally installed, can potentially be infected without the operating system knowing. Obviously any curated app store will be immune to this if they are diligent in checking for malware. But a user tricked into an update from another source is at risk and this is the real problem as most users aren't aware of what's happening... this was the biggest problem with most Windows epidemics; clueless users clicking things they shouldn't.

    A user could go to a website that's been hacked and a message pops up that looks like a system message, saying something like...

    "There is a new version of the Calculator app... Would you like to update?"

    Well, how threatening is a calculator app... not at all, most people who didn't realize what was happening would probably click Yes. Then their device would be infected. The same thing could happen from an official looking email.
    Except when you have an update that changes permission needed the system tells you the new permission the app needs. So it you read a permission that says "Allow remote wipe" from a calculator app and you update the app anyways, then you deserve to get your phone remote wiped.
  • Reply 50 of 276
    os2babaos2baba Posts: 262member

    Quote:

    Originally Posted by Corrections View Post


     


    If nobody "sideloads" apps, then why do Android proponents cite it as a primary feature of the platform? 


     


    Also, 2% of statistics unfavorable to one's personal wishes are just pulled from your ass, apparently.



     


    Because when you do have to use it, it's enormously useful!  Before Swype was added to the PlayStore, that's how I installed it.  That's how I installed SwiftKey betas.  That's how I install a bunch of really really useful root apps from XDA.  That's how I installed the Amazon App Store App when I was using it.  That's how I install Ad blocking apps when Google decided to get a little evil and removed them from the Play Store.  And even then I'm very careful to disable side loading of apps as soon as I'm done installing the app.


     


    The reason this doesn't get too much play (even though in concept it's very dangerous) is because it'd be extremely unlikely for someone to install an app from *any* store and then side load an updated app.  Why wouldn't they simply update the app from the store?  There are far more likely scenarios for them to get malware by sideloading apps in the first place if they got it from unreputable sources - basically pirating the apps.  And if they did that, well, serves them right.  I really can't understand how anyone can pirate apps that cost about a cup of coffee or a lunch at most.

  • Reply 51 of 276
    rot'napplerot'napple Posts: 1,839member
    Well we know these will never be Obama phones, however, NSA phones has a familiar ring to it!
  • Reply 52 of 276
    os2babaos2baba Posts: 262member

    Quote:

    Originally Posted by Corrections View Post


    Imagine how easy it would be to send out update notices for Facebook that install a new version of the app that looks to the system like the one it "securely" installed via Google Play. Broken. This is a real issue, and its not easy to solve. Curious why you're so interested in nobody hearing about it. Security through obscurity? Market share through incompetent dumping?


     



     


    Because that's not how updates work.  That's not in the normal workflow.  You don't get emails with updates.  You get notifications which takes you straight through to the Play Store.  Assuming the person is not savvy enough to know that, then they will not be savvy enough to enable the "Unknown Sources" setting, which is disabled by default.  And even if they do enable it *and* ignore the big warning that pops up stating it's dangerous, the chain is broken.  Google was smart enough to remove the download complete notification which would initiate the install again.  They will have to go back to the email and start the process again. Basically, they would have to be pretty persistent in getting the update.


     


    But theoretically, sure.  It's possible.  There could be someone out there who could do that.  As I have said before, I have been using Android for almost 5 years now and I have never had a single malware on any of my devices.  I periodically check my devices with the security apps these guys typically sell and in 5 years, not a single one of them has found a single malware on my phone.  Yes, I'm a techie.  But that also goes for the phones of my wife, my kids, my sister and my niece who are most decidedly non-techie (well, except my son).

  • Reply 53 of 276
    drblankdrblank Posts: 3,385member

    Quote:

    Originally Posted by fuwafuwa View Post



    That's Android for you.


    That's Google for you. Never trust a company who's name rhymes like Schmoogle.  


     


    Google is now to be referred to as SCREWGLE.

  • Reply 54 of 276
    droidftwdroidftw Posts: 1,009member

    Quote:

    Originally Posted by drblank View Post


    The number of people actually rooting their system, etc. is very small, but I think those kind of geeks collect devices so they represent a lot of sales in units.  The average person doesn't have or want to spend time being a phone geek, they have other things to do with their life than geeking out with a smartphone.



     


    I don't think too many of them collect devices or represent a lot of sales, but other then that I totally agree.  I also believe that the number of people who root/jailbreak their phones is relatively small.  That's exactly what I was getting at.


     


    Quote:

    Originally Posted by GTR View Post


     




     


    2/10  Would not bang.

  • Reply 55 of 276
    atashiatashi Posts: 59member

    Quote:

    Originally Posted by drblank View Post


    I wonder what's going to happen with regards to returns once this news gets widely distributed around the world in local newspapers and TV?



     


    Ahaha, good one!


     


    As if the 'news' media are going to report a problem with something that isn't Apple tech.

  • Reply 56 of 276
    drblankdrblank Posts: 3,385member

    Quote:

    Originally Posted by AaronJ View Post


     


    It won't hit the media.  We know that.



    Yeah it will.  it may take a little time, but the bigger markets will cover this one.   Google's going to have to put out a Press Release about it once they figure out what to tell everyone.  Maybe this will help S4 sales since it's supposed to be not affected by it.  But as the article suggests, practically all Android phones.

  • Reply 57 of 276
    d4njvrzfd4njvrzf Posts: 797member

    Quote:

    Originally Posted by AaronJ View Post


     


     


    "As some on these forums have claimed?"  It's NOT a claim.  It's statistics.  My god.



     


    To be more accurate, it's one _interpretation_ of some statistics. I was merely pointing out that the posited scenario of android users getting exploited through shady websites is unlikely to happen if the vast majority use their phones as featurephones.

  • Reply 58 of 276
    koopkoop Posts: 337member

    Quote:

    Originally Posted by Corrections View Post


     


    If nobody "sideloads" apps, then why do Android proponents cite it as a primary feature of the platform? 


     


    Also, 2% of statistics unfavorable to one's personal wishes are just pulled from your ass, apparently.



     


    Because Android proponents are fans. They use all the available feature sets, and tweak around with their phones. 


     


    I have no "personal wishes" about who side loads applications, I do not care. I don't own an Android phone. I cannot see my Mother, or friend or colleague digging through the settings of their phone to uncheck an option so they can load some APK. So yeah, the 2% is just a guess, there are no official stats on it. But i'm confident that it's incredibly low. Which is why contrary to Window's PCs in my family/friends that get infected, I never have a friend come to me with an android malware problem...not once, not ever.


     


     


    Quote:


    Originally Posted by Corrections View Post


     


    But that isn't true.


     


    "if an attacker tricks a user to manually install a malicious update for an app originally installed through Google Play, the app will be replaced and the new version will no longer interact with the app store. That's the case for all applications or new versions of applications, malicious or non-malicious, that are not installed through Google Play"


     


    Imagine how easy it would be to send out update notices for Facebook that install a new version of the app that looks to the system like the one it "securely" installed via Google Play. Broken. This is a real issue, and its not easy to solve. Curious why you're so interested in nobody hearing about it. Security through obscurity? Market share through incompetent dumping?


     


    Also: putting one's head in the sand and saying there is no malware problem didn't work for Windows XP a decade ago. 



     


    If you read my last line you quoted, that's social engineering. Being 'tricked' to install a trojan is the name of the game. That happens on Mac OSX and every other computing device on the planet outside of iOS which does not allow side loading apps (one of the very few platforms if not only platform that does this)


     


    If you were to trick someone via Facebook, and they click that app update button it will download an APK file that could not launch because Android by default would restrict it from running. They would have flip some settings and go through a fair amount of warnings before being allowed to run that file. 


     


    ---


     


    Is there a security flaw? yes. It's just not a big deal. Security analysts love to get their name in the news cycle with this stuff. Get back to me when people are infecting themselves with malware out of the default app channels such as Google Play. 

  • Reply 59 of 276
    koopkoop Posts: 337member

    Quote:

    Originally Posted by os2baba View Post


     


    Because that's not how updates work.  That's not in the normal workflow.  You don't get emails with updates.  You get notifications which takes you straight through to the Play Store.  Assuming the person is not savvy enough to know that, then they will not be savvy enough to enable the "Unknown Sources" setting, which is disabled by default.  And even if they do enable it *and* ignore the big warning that pops up stating it's dangerous, the chain is broken.  Google was smart enough to remove the download complete notification which would initiate the install again.  They will have to go back to the email and start the process again. Basically, they would have to be pretty persistent in getting the update.


     


    But theoretically, sure.  It's possible.  There could be someone out there who could do that.  As I have said before, I have been using Android for almost 5 years now and I have never had a single malware on any of my devices.  I periodically check my devices with the security apps these guys typically sell and in 5 years, not a single one of them has found a single malware on my phone.  Yes, I'm a techie.  But that also goes for the phones of my wife, my kids, my sister and my niece who are most decidedly non-techie (well, except my son).



     


    Ok you made my point a lot better. Good job! 


     


    :)

  • Reply 60 of 276
    aaronjaaronj Posts: 1,595member

    Quote:

    Originally Posted by drblank View Post


    Yeah it will.  it may take a little time, but the bigger markets will cover this one.   Google's going to have to put out a Press Release about it once they figure out what to tell everyone.  Maybe this will help S4 sales since it's supposed to be not affected by it.  But as the article suggests, practically all Android phones.



     


    Well, I suppose it depends on what you mean by "media."  If you mean places like Ars, then it's already there.  If you mean the WSJ or NYT, it won't happen.  They only talk about problems that Apple (and MS, to a lesser extent) have.  I will bet you dollars to doughtnuts that there is no story about this in the WSJ.


    Quote:

    Originally Posted by d4NjvRzf View Post


     


    To be more accurate, it's one _interpretation_ of some statistics. I was merely pointing out that the posited scenario of android users getting exploited through shady websites is unlikely to happen if the vast majority use their phones as featurephones.



     


    No, it's not one interpretation.  I'm sorry, but people who are using Android are using them for much less than people who are using iOS.  That's a fact.  Do with it what you will.

Sign In or Register to comment.