Researcher Releases Web-based Android Attack

HardOCP News

A computer security researcher has released code that can be used to attack older Android-based phones. The act of a concerned citizen or a total dick move?

The attack targets the browser in older, Android 2.1-and-earlier versions of the phones. It is being disclosed Thursday at the HouSecCon conference in Houston by M.J. Keith, a security researcher with Alert Logic. Keith says he has written code that allows him to run a simple command line shell in Android when the victim visits a website that contains his attack code.
 
People that go out of their way - whichever that is - to create such malicious code, then announce it, then release it, for whatever reasons, are dicks plain and simple.

Put that knowledge to some actual good use, please. Enough of this.
 
People that go out of their way - whichever that is - to create such malicious code, then announce it, then release it, for whatever reasons, are dicks plain and simple.

Put that knowledge to some actual good use, please. Enough of this.

You think fully disclosing a vulnerability is a dick move? Had this guy not found it first, there is a high likelihood that someone with truly malicious intent would have kept it a secret within the blackhat community (this kind of thing is way more common than you probably want to believe).

This should really light a fire under the vendors/carriers feet to get serious with updating their android phones to the latest version. Android 2.2 is now for 6 months, and surprisingly, Verizon has been on top of the game with getting phones updated (relative to most other companies) despite them having the highest number of android phones.

Droid incredible owner, yeah, it's 2.2 and I LOVE it!

Dan
 
This should really light a fire under the vendors/carriers feet to get serious with updating their android phones to the latest version. Android 2.2 is now for 6 months, and surprisingly, Verizon has been on top of the game with getting phones updated (relative to most other companies) despite them having the highest number of android phones.

Too bad that it's not the carriers that could be hurt by this malicious code; it's the end-user. And, unfortunately for them, if they own a phone that hasn't been updated to 2.2 yet there is nothing they can do.
 
Wow, maybe I should have some coffee and review what I wrote before posting any replies to a front page article... Oh well, the points were still conveyed. Sorry if I broke anyone's brain trying to read that.
 
My X10 is on Android 1.6 currently as Vodafone UK haven't released an update as of yet, and even when they do - Sony Ericsson have only released an update to 2.1 for these phones, so it looks like anyone with SE Android-based phones is going to have problems....
 
The exploit would exist if he publicized it or not. Things like this will make vendors and network companies think about how to handle long term support for devices that may not be trashed every 2 years like they want.
 
This reminded me that I was one of the unfortunate suckers who bought a Droid eris that won't support 2.2. As such it also reminded me that I had been meaning to call verizon to remedy that situation as the eris is a steaming pile of poo.

One phone call later, Verizon stepped up and upgraded me to a Droid Incredible for a scant $44. I am a happy man.
 
ya know, as much as it goes against the open source golden rule, google should mandate that EVERY android phone gets the exact same OS. Stop screwing around with adding bloat ware and stupid skins that keep a phone out of date for 6-12+ months.

If google pushed the update, instead of the carrier, it would make life easier for everyone involved.
 
Perhaps this will give Sony/Ericsson the impetus to update their Xperia X10 to something besides 2.1. Oh wait, it took them an absurdly long time to do THAT... It was running 1.6 up until recently.
 
ya know, as much as it goes against the open source golden rule, google should mandate that EVERY android phone gets the exact same OS. Stop screwing around with adding bloat ware and stupid skins that keep a phone out of date for 6-12+ months.

If google pushed the update, instead of the carrier, it would make life easier for everyone involved.

I know, but branding is super important to the carriers. There should be more efficient way to get the updates as released by Google/community and also have the branding layer unaffected.
 
Well, I still just don't get it, why do I always feel like collateral damage just so "the carriers" will listen to exploits :confused: , isn't there a less damaging way for end users to suffer from such heroic acts of exploit finders? :(
 
Dick move, IMO

It's one thing to announce an exploit to the public
But releasing the code to all script kiddies out there is a dick move
 
I say Dick Move.

Fucker should have his hands chopped off so he can't use another PC again to do shit like that.
 
I know, but branding is super important to the carriers. There should be more efficient way to get the updates as released by Google/community and also have the branding layer unaffected.

not to mention if Google controls the OS, it wouldn't be considered open anymore when they announce that manufacturers can no longer customize their phones.

Besides, once in awhile manufacturers DO come up with neat ideas for Android skins and we'd be remiss if we let that opportunity slip.

Perhaps Google needs to start making some of their core codes consistent so manufacturers can upgrade the phone without breaking the skin.
 