New Android 'Fake ID' flaw empowers stealthy new class of super-malware

1356

Comments

  • Reply 41 of 103
    wonkothesanewonkothesane Posts: 1,599member
    acatomic wrote: »
    I need a little bit of help from you guys, there's one thing I don't understand and I'm hoping you can explain it to me. In January I downloaded a free app from the app store which had free movies and cartoons but was later taken down by Apple. Later I got notified by the app that there was an update available but it can only be downloaded from their webpage, so I did and it worked.

    So my question is how is this possible? I thought it was only possible to download apps from the app store store and nowhere else.

    From your subsequent post I gathered you are referring to an iPad. Assuming it's true this would worry me. I am as well of the opinion that this would be impossible.
    OTOH I seem to recall a couple of occasions where an iPad game upon launch loaded some new content, new levels etc. Thinking about this how can one be sure no malware is introduced in this way?
  • Reply 42 of 103
    acatomicacatomic Posts: 60member
    Ah ... OK sorry, I am using a Mac as I read and assumed .... my bad.

    Still wish I had an answer as this could be a major iOS security hole.
    matt45 wrote: »
    The other way to load an app outside of the app store is by using a signed adhoc provisioning profile (which you're typically limited to an audience of 100 devices) or an enterprise provisioning profile (I think has no limit) both of which must have a valid Developer Apple ID account and can be blocked by Apple if it wishes to do so.

    Did you get a prompt to install a certificate before installing the update?

    something like this:

    <img alt="" class="lightbox-enabled" data-id="46390" data-type="61" src="http://forums.appleinsider.com/content/type/61/id/46390/width/350/height/700/flags/LL" style="; width: 350px; height: 621px">
    matt45 wrote: »
    The other way to load an app outside of the app store is by using a signed adhoc provisioning profile (which you're typically limited to an audience of 100 devices) or an enterprise provisioning profile (I think has no limit) both of which must have a valid Developer Apple ID account and can be blocked by Apple if it wishes to do so.

    Did you get a prompt to install a certificate before installing the update?

    something like this:

    <img alt="" class="lightbox-enabled" data-id="46390" data-type="61" src="http://forums.appleinsider.com/content/type/61/id/46390/width/350/height/700/flags/LL" style="; width: 350px; height: 621px">

    No. I just pushed the download button on the website and it got installed.
  • Reply 43 of 103
    wonkothesanewonkothesane Posts: 1,599member
    acatomic wrote: »
    Still wish I had an answer as this could be a major iOS security hole.

    No. I just pushed the download button on the website and it got installed.

    Would you mind sharing the name of the app?
  • Reply 44 of 103
    Would you mind sharing the name of the app?

    CartoonHD, but their website is gone now.
  • Reply 45 of 103
    cnocbuicnocbui Posts: 3,613member
    Quote:

    Originally Posted by EricTheHalfBee View Post

     

     

    It fits your original comment which stated "The title is indeed somewhat misleading as there are no real world examples of this vulnerability being used by malware."

     

    I'm dying for you to tell me how you know there are no real world examples.

     


     

    That's easy - DED would have been crowing about it from the rooftops instead of spreading FUD on his vegie patch.

  • Reply 46 of 103
    imt1imt1 Posts: 87member

    Removed.  meant to quote another post

  • Reply 47 of 103
    wonkothesanewonkothesane Posts: 1,599member
    acatomic wrote: »
    CartoonHD, but their website is gone now.

    I found http://forums.macrumors.com/showthread.php?t=1732270
  • Reply 48 of 103
    imt1imt1 Posts: 87member
    Quote:

    Originally Posted by acatomic View Post





    Still wish I had an answer as this could be a major iOS security hole.



    No. I just pushed the download button on the website and it got installed.

    Its most likely just a web app. I downloaded a weather program called forecast the same way. Its not a true App.

     

    http://forecast.io/

  • Reply 49 of 103
    negafoxnegafox Posts: 480member
    Quote:



    Originally Posted by WisdomSeed View Post



    While it sounds menacing, has the exploit actually been found in the wild? I'm never sure where the terror starts, there is a vast difference between 'can/might' and 'did'.

    One thing is that in order to be affected by this flaw, one has to enable a checkbox buried in Settings that is disabled by default. Enabling said option triggers a warning message that enabling the option makes the phone and personal data more vulnerable to attacks and you have to accept or decline.

  • Reply 50 of 103
    chandrachandra Posts: 26member
    Deja Vu. Windows "experience".
  • Reply 51 of 103
    flipkalflipkal Posts: 27member
    I really, really wish the folks over at Consumer Reports would factor this data into their glowing reviews of Android phones and tablets. I've only seen the malware issue mentioned in passing in a recent article about cyber security.
  • Reply 52 of 103
    The important thing is that exploits are only a "real concern" on Apple platforms and that Google is above criticism. As long as we agree on that, the forums will run smoothly. :)
  • Reply 53 of 103
    tallest skiltallest skil Posts: 43,399member

    Please no. Between “polar vortex”, “supermoon”, “superstorm”, and all the other ludicrously idiotic, meaningless, and misleading buzzwords the media seems to want to invent this decade, we don’t need “super malware” thrown in.

  • Reply 54 of 103
    nexusphannexusphan Posts: 260member
    Another fear mongering Apple Insider article. 


    Google scanned every app in it's official app store. Found no instances of this exploit.


    Google updated automatically, behind the scenes every android device to add this exploit check to it's verify apps program.


    In order to for this exploit to be used this is what has to happen:


    1. Go into security settings and enable third party app installation (off by default)


    2. Accept the warning saying not to do this.


    3. A developer will have to actually make an app that uses this exploit.


    4. The user will have to download this malicious new, theoretical app from a third party app store.


    5. User will have to accept a prompt asking if they want to install a third party app that could be potentially harmful.


    6. User will have to override the verify app warning that explicitly states that the app was found to be malicious (does it even let you???)


    This is a non-issue. While it's never good to see a a security flaw, like is the case with every Android security flaw out there, Google has in place the necessary defenses.
  • Reply 55 of 103
    darklitedarklite Posts: 229member
    Quote:
    Originally Posted by Suddenly Newton View Post



    The important thing is that exploits are only a "real concern" on Apple platforms and that Google is above criticism. As long as we agree on that, the forums will run smoothly. image

    Am I the only one increasingly suspicious of the huge security flaws turning up in all the most widely used pieces of software (Heartbleed, 'goto fail', and now this)? Groups like the NSA benefit greatly from undetected exploits like these - are they just unfortunate bugs, or something more?

     

    Alternatively, perhaps I need to go and buy a tinfoil hat.

     

    Quote:
    Originally Posted by Tallest Skil View Post

     

    Please no. Between “polar vortex”, “supermoon”, “superstorm”, and all the other ludicrously idiotic, meaningless, and misleading buzzwords the media seems to want to invent this decade, we don’t need “super malware” thrown in.


    I honestly don't understand why they aren't just calling it 'malware'. Privilege escalation exploits do not a different name make. 

    Although perhaps it's just the same people that benefit from 'iOS confirmed as most insecure software ever written' scare stories doing the same thing with Android.

  • Reply 56 of 103
    calicali Posts: 3,494member
    I quite agree with you.  And I might go a step further, because it seems that 9 times out of 10, these theoretical vulnerabilities are found in an Apple platform and the tech press creates a bunch of sound and fury signifying nothing.  I'd be pleased to see Apple Insider document this phenomenon of theoretical threat versus in-the-wild reality.  Today's DED story is like the exception that proves the rule, because in general this phenomenon is used to create anti-Apple FUD.

    you got me thinking....

    what would Apples market share be without all the propaganda and FUD?

    Would iPhone have significantly more marketshare or would sales basically be the same?

    I brought up the iPhone to my dad once and he responded "but doesn't the iPhone suck?"
    He really is a moron but there's probably millions of them.
    I've also gotten a similar reaponse from a female friend. I could go on, but it seems like the brainwashing only affects uneducated people.
  • Reply 57 of 103
    tallest skiltallest skil Posts: 43,399member
    Originally Posted by cali View Post

    ...it seems like the brainwashing only affects uneducated people.

     

    Isn’t that the definition? How people who’ve broken the constitution keep getting elected because their constituencies are too stupid to know, etc.?

  • Reply 58 of 103
    dasanman69dasanman69 Posts: 13,002member
    Isn’t that the definition? How people who’ve broken the constitution keep getting elected because their constituencies are too stupid to know, etc.?

    Is it ignorance of the law breaking, or an affinity for the law breaker?
  • Reply 59 of 103
    tallest skiltallest skil Posts: 43,399member
    Originally Posted by dasanman69 View Post

    Is it ignorance of the law breaking, or an affinity for the law breaker?

     

    Both (usually only the first), the latter founded in the former.

  • Reply 60 of 103
    dasanman69dasanman69 Posts: 13,002member
    cali wrote: »
    you got me thinking....

    what would Apples market share be without all the propaganda and FUD?

    Would iPhone have significantly more marketshare or would sales basically be the same?

    I brought up the iPhone to my dad once and he responded "but doesn't the iPhone suck?"
    He really is a moron but there's probably millions of them.
    I've also gotten a similar reaponse from a female friend. I could go on, but it seems like the brainwashing only affects uneducated people.

    The company I work for handed out Motorola tablets recently. When I inquired about why weren't we getting iPads the answer I got was "nobody uses iPads anymore", and this was from a quite educated, and very tech savvy manager.
Sign In or Register to comment.