WireLurker, Masque Attack malware only a threat for users who disable Apple's iOS, OS X security


Comments

  • Reply 21 of 51

    And FakeID is just one of tons of exploits that exist for Android that will never be patched.....

    You may think that it's clever to mix around the facts....

    Speaking of not checking facts....

    http://www.zdnet.com/google-fixes-androids-fake-id-security-hole-7000032108/
  • Reply 22 of 51
    Quote:

    Originally Posted by Lord Amhran View Post

    Speaking of not checking facts....

    http://www.zdnet.com/google-fixes-androids-fake-id-security-hole-7000032108/

    Incorrect

    Google can issue a patch to AOSP and even deliver patches to its own Nexus devices less than 18 months old, but that does not actually solve any problems for most of the Android user base, which is not running a device from Google nor tethered to a Linux console of an IT admin who compiles his own kernel several times a week.

    The majority of Android devices around the world -- you know, that "80%" that your sources CNET likes to prattle about -- is not patched and will never be patched.

  • Reply 23 of 51
    Quote:

    Originally Posted by DroidFTW View Post

    So you're saying that Wirelurker and Masque are security vulnerabilities that have been added to iOS recently? When were these security vulnerabilities introduced?

    You don't get it. Android didn't "introduce" Fake ID accidentally. It just never actually finished writing the code to verify certificates.

    WireLurker is a con in China developed to spy on users who trade pirated software by tricking them into installing a trojan horse.

    Fake ID is like Android didn't finish its OS.

    Not similar.

  • Reply 24 of 51
    The majority of Android devices around the world -- you know, that "80%" that your sources CNET likes to prattle about -- is not patched and will never be patched.

    Moving the goalposts once again Daniel?

    https://play.google.com/store/apps/details?id=tungstwenty.xposed.fakeidfix&hl=en

    It's been patched for Gingerbread on up. Or are you saying that 80% of the Android world is running Froyo or earlier?
  • Reply 25 of 51
    Quote:

    Originally Posted by Corrections View Post

    Incorrect

    Google can issue a patch to AOSP and even deliver patches to its own Nexus devices less than 18 months old, but that does not actually solve any problems for most of the Android user base, which is not running a device from Google nor tethered to a Linux console of an IT admin who compiles his own kernel several times a week.

    The majority of Android devices around the world -- you know, that "80%" that your sources CNET likes to prattle about -- is not patched and will never be patched.

    Devices running Gingerbread or newer also maintain a malware blacklist similar to Xprotect called "Verify Apps" (https://blog.malwarebytes.org/mobile-2/2013/07/android-as-a-service-verify-apps-for-gingerbread-and-up/).

  • Reply 26 of 51
    Quote:

    Originally Posted by Lord Amhran View Post

    Moving the goalposts once again Daniel?

    https://play.google.com/store/apps/details?id=tungstwenty.xposed.fakeidfix&hl=en

    It's been patched for Gingerbread on up. Or are you saying that 80% of the Android world is running Froyo or earlier?

    That "fix" is laughable since installing it requires you to first hack your phone to get root privileges; unless you have a Nexus device or otherwise have an unlocked bootloader, the process of getting root requires itself a security exploit. The real solution for the average user is to do nothing and let Verify Apps deal with the problem as that was updated to detect FakeID similarly to how XProtect was recently updated to catch Wirelurker and Masque.

  • Reply 27 of 51

    Man, reading this thread with @Lord Amhran, @DroidFTW and @d4NjvRzf versus Corrections reminds me of those Kung-fu movies I watched as a child with one guy taking on 3-4 people. Or like Neo versus Agent Smith in Matrix Reloaded!

  • Reply 28 of 51
    Quote:

    Originally Posted by DroidFTW View Post

    iOS now lets the user install apps outside of the Apple App Store without jailbreaking? That's a shame. I always considered protecting users from themselves as a good selling point. It's why I've recommended iPhones to some people.

    It's been like that for about 5 years, for enterprise support.

    The feature is to let businesses keep their apps off the Apple App Store, and still deploy to hundreds, potentially thousands of devices. Apps can be downloaded from a website, but then Apple warns it's from a nontrusted developer.

  • Reply 29 of 51
    droidftw Posts: 1,009 member
    Quote:

    Originally Posted by Corrections View Post

    You don't get it. Android didn't "introduce" Fake ID accidentally. It just never actually finished writing the code to verify certificates.

    WireLurker is a con in China developed to spy on users who trade pirated software by tricking them into installing a trojan horse.

    Fake ID is like Android didn't finish its OS.

    Not similar.

    Interesting answer to that question as it doesn't answer it in any way. Allow me to repeat:

    So you're saying that Wirelurker and Masque are security vulnerabilities that have been added to iOS recently? When were these security vulnerabilities introduced?

  • Reply 30 of 51
    Typical DED. When it's Apple he defends it by saying you need to disable some of the security features in order to get it, and this is true, but the same counts for 99.99% of Android malware but then he forgets to mention that of course. Just like with these malware programs in order to get infected by the vast majority of Android malware you need to download from a third party source, enable installations from unknown sources (disabled by default), install the malware program manually and then ignore the 'verify apps' warning you get.
    The chances of getting malware when only downloading from Play Store and with all security features enabled on your device are ridiculously small. But when talking about Android malware that's not important right? Then you only talk about malware without making a distinction.
  • Reply 31 of 51
    gatorguy Posts: 24,176 member
    Incorrect

    Google can issue a patch to AOSP and even deliver patches to its own Nexus devices less than 18 months old, but that does not actually solve any problems for most of the Android user base, which is not running a device from Google nor tethered to a Linux console of an IT admin who compiles his own kernel several times a week.

    The majority of Android devices around the world -- you know, that "80%" that your sources CNET likes to prattle about -- is not patched and will never be patched.

    I'm convinced you know better so why continue with FUD Daniel? iOS doesn't need your half-truths to support it. It's a great mobile system all on its own.

    From back in July:
    "We appreciate Bluebox responsibly reporting this vulnerability to us; third party research is one of the ways Android is made stronger for users. After receiving word of this vulnerability, we quickly issued a patch that was distributed to Android partners, as well as to AOSP. Google Play and Verify Apps have also been enhanced to protect users from this issue. At this time, we have scanned all applications submitted to Google Play as well as those Google has reviewed from outside of Google Play and we have seen no evidence of attempted exploitation of this vulnerability."
  • Reply 32 of 51

    OMG the droid super army of idiots has come!

  • Reply 33 of 51
    When Android malware comes along and works only when someone installs apps manually, something most users never do, I don't see you guys treating it as not a huge issue. It's amazing how much fanboyism goes on here. I personally use both OS (iOS on the iPad), and while I agree it's an Apple site, it's amazing to see what lengths you go to to show Apple is superior.

    P.S: Not saying Android is that safe, but still, most never get affected, especially by malware that needs the option to install apps manually enabled.
  • Reply 34 of 51
    andreid wrote: »
    OMG the droid super army of idiots has come!
    Well when Daniel/Prince/Corrections comes out and blatantly lies about things not being patched that are in fact patched all in an effort to write yet another Android slur piece he deserves to be called on it.
  • Reply 35 of 51
    misa Posts: 827 member
    droidftw wrote: »
    iOS now lets the user install apps outside of the Apple App Store without jailbreaking? That's a shame. I always considered protecting users from themselves as a good selling point. It's why I've recommended iPhones to some people.

    Only if they're paying 99$/yr for a developer account. Which would require either being part of an enterprise, or you compile every single app from source you wish to sideload.

    Many developers want to develop software only for iOS, because as soon as their app goes on the Google Play store, it's pirated.
  • Reply 36 of 51
    Does AI pay DED by the word?
  • Reply 37 of 51
    droidftw Posts: 1,009 member
    MazeCookie wrote: »
    It's been like that for about 5 years, for enterprise support.

    The feature is to let businesses keep their apps off the Apple App Store, and still deploy to hundreds, potentially thousands of devices. Apps can be downloaded from a website, but then Apple warns it's from a nontrusted developer.

    Misa wrote: »
    Only if they're paying 99$/yr for a developer account. Which would require either being part of an enterprise, or you compile every single app from source you wish to sideload.

    Many developers want to develop software only for iOS, because as soon as their app goes on the Google Play store, it's pirated.

    So your normal, everyday user can't go into their iPhone settings and allow the installation of 3rd party apps.  Thanks for the clarification as the article appeared to suggest otherwise.
  • Reply 38 of 51

    Well written and super informative. Priceless.

     

    Thank You!

  • Reply 39 of 51
    muppetry Posts: 3,331 member
    droidftw wrote: »
    mazecookie wrote: »
    It's been like that for about 5 years, for enterprise support.

    The feature is to let businesses keep their apps off the Apple App Store, and still deploy to hundreds, potentially thousands of devices. Apps can be downloaded from a website, but then Apple warns it's from a nontrusted developer.
    misa wrote: »
    Only if they're paying 99$/yr for a developer account. Which would require either being part of an enterprise, or you compile every single app from source you wish to sideload.

    Many developers want to develop software only for iOS, because as soon as their app goes on the Google Play store, it's pirated.

    So your normal, everyday user can't go into their iPhone settings and allow the installation of 3rd party apps.  Thanks for the clarification as the article appeared to suggest otherwise.

    I'm not sure about that - I have one app that I loaded from a website without any changes to the default iOS security posture. It was not approved for the App Store because it broke a couple of video API rules.
  • Reply 40 of 51
    Apple could do a better job (with dialogue boxes popping up) to explain the significance of "identified developers" of downloadable software and the risks of selecting "anywhere" in the security/privacy settings. I don't have any quarrel with the basic thrust of the article, which is that iOS/OS X users don't have to worry about Masque Attack or Wirelurker unless they've disabled the effective, built-in security safeguards Mac offers. And I particularly appreciate Apple making the "walled garden" even safer. Those who want to jailbreak their iOS devices should accept that they're on their own when it comes to security or privacy. Have fun.