95% Of Android Phones Open To Attack

HardOCP News

Security researchers are saying these six vulnerabilities are the worst Android flaws ever uncovered. Yikes!

Six critical vulnerabilities have left 95 per cent of Google Android phones open to an attack delivered by a simple multimedia text, a mobile security expert warned today. In some cases, where phones parse the attack code prior to the message being opened, the exploits are silent and the user would have little chance of defending their data.
 
Have no worries, Google has released patch information to OEM partners who can sit on the code for three months. Then the partners can pass it on to carriers who will sit on the code for another three months before deciding to only update their latest handset.

Get rekt Android, this may finally be the wake up call that they need to treat updates seriously.
 
Have no worries, Google has released patch information to OEM partners who can sit on the code for three months. Then the partners can pass it on to carriers who will sit on the code for another three months before deciding to only update their latest handset.

Get rekt Android, this may finally be the wake up call that they need to treat updates seriously.

No it won't. It'll take a class action lawsuit or some big wig's kid who has daddy's personal contact information to get leaked to the press and he ends up getting SWAT'd at all hours.

When it pisses people off in power then android will get updates the way apple does. Until then let's break out the popcorn and enjoy the fallout.
 
Breaking news: Android is the new Windows so people are going to find ways to exploit it!
 
Breaking news: Android is the new Windows so people are going to find ways to exploit it!

Which is what irritates me about all these ignorant Anti-Microsoft people. You want security? Sorry, but it's a pipe dream. As long as other people have access to you in one way or another, you are not safe. The reason why your Linux Box, or Mac Box, or phones, etc. haven't been compromised yet is because they weren't really popular enough to waste time breaking into. Give it the max market share, and bye-bye to privacy and welcome bugs, viruses, etc.

I mean, even Steam, the much revered gaming store, only recently fixed an obvious loophole which allowed anyone to commandeer an account without the user's password.

There's no such thing as security, only an illusion of security.
 
It's an extremely critical problem if Google Hangouts is installed since that app does background processing on received SMS media files, automatically triggering the exploits. Jellybean and older Android versions back to 2.2 lack mitigation techniques.

This is really bad, but not as bad as the exclamation pointed non-information "news" sources are implying. The 95% number is how many devices are vulnerable to various Stagefright exploits. The automatic attack via SMS affects many fewer.
 
Which is what irritates me about all these ignorant Anti-Microsoft people. You want security? Sorry, but it's a pipe dream. As long as other people have access to you in one way or another, you are not safe. The reason why your Linux Box, or Mac Box, or phones, etc. haven't been compromised yet is because they weren't really popular enough to waste time breaking into. Give it the max market share, and bye-bye to privacy and welcome bugs, viruses, etc.

I mean, even Steam, the much revered gaming store, only recently fixed an obvious loophole which allowed anyone to commandeer an account without the user's password.

There's no such thing as security, only an illusion of security.

Actually the reason Linux doesn't have exploits is because the *nix community is damned active about patching flaws. From LKML to individual distributions.

How much of the world's servers run Apache? What were you saying about insignificant marketshare?
 
This is why Google should have the control of the updates. Not the phone carriers. Phone companies sit on the patches forever. I will give Apple kudos for keeping their updates separate from the phone carriers.
 
Actually the reason Linux doesn't have exploits is because the *nix community is damned active about patching flaws. From LKML to individual distributions.

How much of the world's servers run Apache? What were you saying about insignificant marketshare?

There have been a number of high-profile Apache & Linux vulnerabilities brought to light in the last year, including ones that have been unpatched for over 20 years so there is no panacea in there either.
 
There have been a number of high-profile Apache & Linux vulnerabilities brought to light in the last year, including ones that have been unpatched for over 20 years so there is no panacea in there either.

As soon as someone says "hey knuckleheads there's this critical flaw"...it tends to get patched practically overnight on *nix.

Which is faster service than you get from anyone else.
 
This is one of the reasons why I simply don't want to use android, I like the os however I simply don't like the lack of security. iOS sucks I find it very lacking in features however good with apps, Windows Phone OS I like the best out of the 3 however still behind on apps (hopefully change soon).
 
the problem with android is it's not always easy to update to the latest secure android because of firmware support. not every model will be able to get the latest android update.

usually there are a bunch of excuses, but mostly people suspect they intentionally do it that way in order to get you to buy a newer phone ....

a phone that's connected online, and is susceptible to attacks is a big no no. and this is the sort of environment android users face when they buy an android phone :/

Almost makes you want an iphone because the updates are almost guaranteed.
 
This is why Google should have the control of the updates. Not the phone carriers. Phone companies sit on the patches forever. I will give Apple kudos for keeping their updates separate from the phone carriers.

:rolleyes:
 
I was an Android user for years until I finally got fed up with the lack of updates in the Android world. There I was with a flagship model phone and where were the updates? Nowhere to be seen. Now I have an iPhone 6 Plus and have had every iteration of iOS 8.x the day it was released to the public.

If you ask me, Google lost control of Android the moment they decided to license it the way they did. Open and free may be nice and all but it's also got its serious issues. You've basically handed a group of companies that care only about profits something free. What did you seriously think was going to happen? Rainbows and kittens falling from the sky? Nope.
 
Google is an exploit. Why is it a big deal if their products and services are littered with security flaws? No one using Android has any expectation of privacy to begin with.
 
He said devices running Android versions prior to Jelly Bean, version 4.1, representing roughly 100 million devices, have “inadequate exploit mitigations” that wouldn’t prevent Stagefright attacks over MMS.

If I read that right Google fixed this July 9, 2012...

Yeah, Google needs to get OEMs and carriers out of the mix so that devices actually get updates but it's Android, for the most part you're free to update it yourself.

I've updated all my phones and tablets myself, having never seen an OTA update from any carrier.
 
This is why Google should have the control of the updates. Not the phone carriers. Phone companies sit on the patches forever. I will give Apple kudos for keeping their updates separate from the phone carriers.

That is the last thing I want; Google sabotages everything they come in contact with. Android needs to be completely separated from Google, carriers, and manufacturers.

Manufacturers can only add necessary hardware drivers to Android.
Google can only add Play store/services/apps to Android.
Carriers can only resell untouched manufacturer phones.

Full source of everything must be released before the device can legally be sold.
Google's crap is not pre-installed and optional during the user's initial setup process.
 
I get updates all the time on my phone, those aren't security updates too? What does the OEM or carrier have to do with anything? Don't they just push updates directly through the OS?

Either way this sounds pretty serious. I'm always on wifi but never even considered the fact that when I'm on data it's basically like being connected directly to the internet, so could very well be exploited that way. :eek: Though this particular exploit is even more serious as no firewall is going to protect you from that. Is there a way to confirm whether or not I'm protected? I don't want to punch my number into any random site but is there a reputable one where you can put your number in and it sends a text to test it?
 
I've updated all my phones and tablets myself, having never seen an OTA update from any carrier.
Your device's bootloaders must not be locked. Unfortunately, most flagship devices have locked bootloaders so you can't do what you described on many of them.
 
the problem with android is it's not always easy to update to the latest secure android because of firmware support. not every model will be able to get the latest android update.

usually there are a bunch of excuses, but mostly people suspect they intentionally do it that way in order to get you to buy a newer phone ....

Even though version 4.4 is available for the S3, T-Mobile decided that there wasn't enough demand to roll it out for their model of the S3.
Gave the reason that it wasn't fast enough since it's only a dual core. Complete nonsense since 4.4 is actually more efficient than 4.3, and there are plenty of reports showing 4.4 is faster.


Almost makes you want an iphone because the updates are almost guaranteed.

Not even close. I'd rather switch back to Blackberry than use an iPhone :)
 
It really comes down to simple economics here.

Want security updates? Software updates? Silly user, go buy a new phone.

That's basically what the OEMs have told users. And why not? It's incredibly profitable but very dangerous for users who have older, unsupported devices. We've done it to ourselves with our want for the latest and greatest devices. Every year, it never changes, new models come out and what do people do? They practically stand in line to get them and even if they don't stand in a physical line they stand in a virtual line with pre-orders. The OEMs know this and all they see is $$$, lots of $$$. So they figure, why should we put the time and money into developing security patches when we can get the suckers... I mean users to buy a new device instead. Simple economics here.
 
Have no worries, Google has released patch information to OEM partners who can sit on the code for three months. Then the partners can pass it on to carriers who will sit on the code for another three months before deciding to only update their latest handset.

Get rekt Android, this may finally be the wake up call that they need to treat updates seriously.

This is why I think Google should have been a little more controlling with their third party phone makers. They should have required that any additions (UI elements, etc.) are separate from core functionality. This way security patches to the core could still be applied underneath something like TouchWiz without the need of a custom ROM.

Other makers that forked the code would be on their own of course.
 
@Spidey329, I've been saying that for years now. But the problem is that when Android first started Google wanted so badly to have an answer to Apple's iPhone that they just about gave anyone and everyone the right to take and change Android in any way they wanted to and to put it on anything they wanted as well.

If you ask me, and obviously hindsight is 20/20, if Google had licensed Android with a specific clause in the software license agreement when they started the Open Handset Alliance that anyone who uses Android must keep it up to date on all of the devices that they sell that's running Android we would not be in the mess we are in today.

But no, in Google's haste to one-up Apple they pretty much handed Android out with absolutely no strings attached. "Here, take Android... go have your way with it." And in a lot of ways, that's exactly what the OEMs did, they had their way with Android and figuratively speaking they f**ked it and f**ked it hard.
 
Which is what irritates me about all these ignorant Anti-Microsoft people. You want security? Sorry, but it's a pipe dream. As long as other people have access to you in one way or another, you are not safe. The reason why your Linux Box, or Mac Box, or phones, etc. haven't been compromised yet is because they weren't really popular enough to waste time breaking into. Give it the max market share, and bye-bye to privacy and welcome bugs, viruses, etc..

Sorry, no. Both of those have a managed software distribution model which makes it extremely hard to pass through malicious code. It's being reviewed before release.

Only Windows with its default admin role and general requirement to point and click install things from the net will remain vulnerable (and obviously Android but for general backwardness of software release model). Where Apple store verifies first, then releases (and bans the dev if he tries funny stuff) Android store releases first, then starts to scan for malware.

This combined with most Android phones never getting OS upgrades makes Android the security nightmare I've always said it was. I laugh at you all who trolled and posted excuses and flat out lies when I've brought this issue up previously.
 
If your version of Android or Phone isn't high end and isn't newer than 4 months old, Google couldn't give a fuck.
 
If your version of Android or Phone isn't high end and isn't newer than 4 months old, Google couldn't give a fuck.

My Nexus 7, launched in July of 2013 is on 5.1.1, the latest version of Android, released 3 months ago.

How recent is the software on your 2 year old device?
 
Your device's bootloaders must not be locked. Unfortunately, most flagship devices have locked bootloaders so you can't do what you described on many of them.

HTC One M7 and Samsung Galaxy S4 and Tab 4.

HTC will unlock the bootloader for any of their phones right on their website, for that reason my phone will always be an HTC.

The Samsungs were just as easy with Odin.
 
Zarathustra[H];1041758159 said:
My Nexus 7, launched in July of 2013 is on 5.1.1, the latest version of Android, released 3 months ago.

How recent is the software on your 2 year old device?

"f you pre-kit kat owners"
http://www.zdnet.com/article/google-why-we-wont-patch-pre-kitkat-android-webview/

My 18 month old moto G is on Kit Kat.

I have a couple of low end pre-paid phones I use for media devices I don't mind losing. $20 on sale. But they represent the level of phone that most of the world uses. They became useless from updates. The firmware updates hurt, hard to say how much is Android and how much is vendor, (idk), but the main updating that killed them was the Google App Bloat. I've salvaged them by uninstalling the update to most of the Google Apps and disabling them so I'd have some space left.

Google mangled their directory structure to remove most of the utility of an SD card, a cheap way to expand memory. This means you need a phone with a bunch of built in memory or use data like it was water.
 
No it won't. It'll take a class action lawsuit or some big wig's kid who has daddy's personal contact information to get leaked to the press and he ends up getting SWAT'd at all hours.

When it pisses people off in power then android will get updates the way apple does. Until then let's break out the popcorn and enjoy the fallout.

Or buy a Nexus branded Android phone that updates pretty fast, only downside is a rollout, latest features that release may take a few weeks OTA, or you can just flash the official newer image from Google servers... There are options of phones to buy. If this particularly is important to someone they can buy a phone that suits their wants/needs.
 
And yet, everyone makes fun of people with these kinds of phones:

[Image: buy-used-cell-phones-1.jpg]


I'm starting to see a bit of irony, here.
As much as I don't care for Apple, I don't see the same level issues presented here on iOS.
 
It's weird that such an inferior company like Apple would have fewer issues.

INB4 the fappening...which was a brute force issue. But that's none of my business.

But seriously, if you weren't happy that happened, I've got news for you.
 
HTC will unlock the bootloader for any of their phones right on their website
But there goes your warranty. The moment you decide to unlock your bootloader on the web site is the moment you forfeit your phone's warranty.

Broke your glass? Do you have an unlocked bootloader? You're SOL.

Eh, no hurt here. Just that Google DOES provide its updates to its phones and tablets, the NEXUS brand.
Except that most Nexus devices suck, that is, the hardware sucks. For instance, take the Nexus 6 phone for instance, it has had multiple reports in which the screen suffers from higher than normal image burn-in than other devices. The camera isn't that great. Google (like Microsoft) can't seem to do hardware right.
 