Submitted by “Researchers said they’ve uncovered a security vulnerability that could allow attackers to take full control of smartphones running Google’s Android mobile operating system.” So, how bad is this? Can anybody with knowledge of Android’s inner workings explain?
Must not be “generally critical” otherwise Google would have publicly disclosed/fixed it per their 60 day policy. 😐
http://googleonlinesecurity.blogspot.com/2010/07/rebooting-responsi…
First of all, this is a risk for people installing applications that appear to be from reputable developers but from sketchy app stores. Most in the EU/USA who stick to installing apps from google play are not really in danger of it.
This is a vulnerability in how applications are signed, I think. So a person installing an app could be fooled at a deeper level than before. However, there are already malicious clones of apps out there that fool people that don’t make use of this vulnerability. Like the recent Jay-Z app.
http://www.bbc.co.uk/news/technology-23194413
No, this is a risk for Google Play – apps, too: it has been shown multiple times that the heuristics that Google uses to detect malign code is easy to fool, so you could make a legitimate app and publish it on Google Play, but add a payload there that adds itself to any and all of your currently-installed applications. Then, even if the user removed the app with the payload the system would still be hosed and the only way to fully remove the payload would be a complete system format and a clean install from a firmware image.
Basically this is a “Oh f–k!” – moment for Android.
Edited 2013-07-05 14:42 UTC
Surely Google will screen/virus check all apps being submitted to the app store, otherwise all sorts of stuff could be in there, with no way to separate the good from the bad!
I think it would be pretty difficult to get this on Google play. If I understand it correctly, it allows malicious app devs, to modify existing apps outside of the device while keeping the signature valid.
I don’t think Google’s malware detection is bad enough to allow me to upload an app signed by rovio.
I also don’t think there is a way to infect other apps once on the device. I haven’t read anything that says that it could.
Edit:
From the article:
Edited 2013-07-05 15:01 UTC
I guess, I jumped to conclusions. My apologies.
Don’t get me wrong it still sucks donkey balls for anyone who lives in a country that doesn’t have access to the play store. Like China. They’re all kind of screwed through no fault of their own.
Out of the articles making the rounds this morning, this one is the most detailed, non-hyperbolic, and worth reading.
http://www.computerworld.com/s/article/9240556/Android_flaw_lets_at…
The funny thing is that only if you enable the ability to sideload apps are you susceptible to this. There is also a pretty stern “you are potentially f*8&ing yourself if you do this” warning pops up if you enable the “allow apps from unknown sources” feature. I believe that warning has been there since 1.6.
Not trying to downplay the criticality of this problem, but sideloading has always been a risky business.
Just don’t enable “unknown sources” and you should be fine…
So… I see that yet another “security” startup need some more seed capital and think some PR will do the trick.
WOW! No, really? You don’t say?
Edited 2013-07-06 03:01 UTC