Slashdot Mirror
Prototype Clickjacking Rootkit Developed For Android
ShipLives writes "Mobile security researchers have identified an aspect of Android 4.0.4 (Ice Cream Sandwich) and earlier models that clickjacking rootkits could exploit. As part of an effort to identify potential weaknesses in smartphone platforms, the team was able to develop a proof-of-concept prototype rootkit that attacks the Android framework, rather than the underlying operating system kernel."
Thanks?
It's not like malware exists just to make things run slower and crash. And most reasons software does that isn't because of malware.
>And most reasons software does that isn't because of malware.
The most significant symptom of malware infection to Joe User is "my computer is slow." Basically because once you have *one* malware infection, others soon follow, because you haven't kept up with updates, install software from random untrusted sites, or are the victim of a leveraged vulnerability or all three. All these bits of malware fight over the same resources and kill the device's usability.
I have personally seen machines with hundreds of infections. This is typical. The user will muddle along until a certain frustration level is met or the computer simply refuses to finish booting, because the virus load is too much for the poor machine to handle.
"My Computer is Slow" is likely a sign that your system has been compromised for quite a while and there is no malware removal tool that can fix it - a wipe and reinstall of the OS is in order.
--
BMO
It's not security model difference between iOS and Android, it's a design philosophy difference. Android isn't designed to keep you in the walled garden. As such, iOS will always be more secure. Giving users a choice invariably leads to some of them making the wrong choice. That isn't a fault of Android, it's a fault in the rest of society.
>There has to be a balance between free/open and secure.
>implying that closed source is more secure
>implying
No.
>Apple almost nailed it right on
No, no they didn't. They are anti-FOSS. The only thing they got right was taking the software repository idea from the FOSS world and calling it a store. Where they failed is that they don't allow other stores/repositories in spite of the fact that the FOSS world has been living with multiple trusted repositories for many, many years now.
--
BMO
[quote]It's not security model difference between iOS and Android[/quote] Seems to me that's exactly what it is. Part of it is design philosophy, too, of course.
I wasn't talking about source code.
Opera for Tablets works a lot better than the default browser on my Galaxy Tab 10.1. Now I need to learn how to diagnose malware.
>That isn't a fault of Android, it's a fault in the rest of society.
This.
The rest of society wants its purple gorillas in spite of the fact that it's badware.
--
BMO
Where they failed is that they don't allow other stores/repositories in spite of the fact that the FOSS world has been living with multiple trusted repositories for many, many years now.
Heh. It's just Android that hasn't.
"I like to lick butts!" by MobileTatsu-NJG (#32700246) (Score:5, Informative)
That's awesome. Windows 8 is the best.. it's like GNOME 3 but from Microsoft.
Some people might feel that way, I do not. I wouldn't take all blame away from MS for some of the things about their OS. But, the blame for installing crap software lies on the user.. regardless of the OS.
Both Google Play Store and Amazon Appstore tend to be trusted by Android users, as do several lesser-known repositories. Do you plan to explain whether or not each deserves that trust and why?
I do think proprietary software sucks just because it's proprietary. I've never claimed it to have anything to do with security, I'm sure the Linux desktop will get malware too if it ever has it's year, just as OS X has now. Anything with a large enough (end-)user base and no totalitarian walled garden will - making security-wise perfect code is really hard and comes with tradeoffs many aren't willing to make especially in consumer software. I still wouldn't touch a totalitarian walled garden OS with a 6.096m long pole. Security becomes useless when it reaches the point where it prevents you from doing with your device what you wanted to do with it in the first place.
My point is that it was a design choice to allow a freedom to install apps. It isn't a situation where you can compare security models and just say iOS is better. You can make arguments about which method is preferred, but not which is better.
You could always buy a dumbphone from Virgin Mobile or your country's counterpart. Sure, those are technically also computers, but it takes a computer to modulate and demodulate voice signals on a digital network. Depending on how many calls you need to make away from home, and whether you have an unmetered land line available to make long calls, a dumbphone might cost you $7 per month or less, and unused minutes roll over as long as you keep paying the minimum every 90 days.
Feature phones are still widely available, everywhere I've seen. So, either you aren't looking.. or just want to bitch about a problem that doesn't exist yet.
Okay, I'll buy that. A lot of this debate does come down to personal choice. I have much more confidence in Apple's walled garden (which is a massive garden, btw) as opposed to the chaos that seems to plague Android.
I got his by 3 pieces of malware over the years. None of them were installed by choice but were drivebyes.
As a result I stopped using Firefox which does not have sandboxing, I switched to a decent AV package as I was one of those users who felt I didn't need AV as I never click on things and get infected so kept old AVG etc. I only have flash on Chrome which is sandboxed by default. I keep it UPDATED as no one updated flash prior to 2011. I manually disabled Java in all my browsers as I still use Eclipse etc. Created a seperate non admin account and have secure DNS now.
The average user does not go to these extremes to protect themselves and shouldn;t. My phone is not as flexible as a real PC is to lock down and have access to control by security software. It is not the users fault that they use XP which is horrible in terms of security and use flash 9 and adobe reader 7. This is a typical home PC BTW and non IT professionals have no idea these are holes and have no reason to leave XP.
Yes not using IE 6 is common sense today and statistics show they don't. That doesn't mean Firefox which is now much bigger and has no sandboxing is better.
Phones are worse as I can not update past Android 2.2 without rooting my phone. AT&T wants me to throw it away for another $450 phone and a 2 year contract to get the security fixes instead which is outrageous. Yes this is a problem and the platform sucks for AV software to find and remove these on the phone.
http://saveie6.com/
>I love it how this fact only comes up when it's Slashdot's darling OS
That the there is a problem that sits in the chair that confuses the part in the seat with the part looking at the screen has been brought up time and again with other OSes. I have actually come out and said that encryption and all the security in the world doesn't effin' matter if you can get the user to trade the key for a candy bar, which has actually happened.
You just have selective hearing, which means you are an asshole.
--
BMO
http://www.penny-arcade.com/comic/2004/03/19/
--
BMO
It all makes sense, when you realize Slashdot is made of more than one person. There are people on slashdot who are not happy with malware on Windows and advocate more of a walled garden, and then there are people who believe in freedom to install malware if they wanted to. So you have more than one set of people, moderating at different points of time, carrying different opinions at different strengths. And thus you have, what you call, hypocrisy in slashdot, when all individuals are perfectly non-hypocritical.
There isn't as much chaos on the Android side as people like to think, but it is there. Anyone that takes the time to actually learn and understand the devices they buy, is usually fine on Android. iPhones, however, require less effort for entry level use. This isn't meant as a slight, just an observation. I would much rather support people on an iPhone than an Android because they likely don't have a clue either way and iOS is iOS... I can walk through the settings in my sleep.
You seem to be suggesting that it's impossible for it to be simultaneously true that users are lax about security AND the OS is insecure. But why would there be any conflict between those two claims? It's perfectly possible that many Windows users have poor security practices and Windows itself is less secure than other OSes.
No OS is without fault, no program is without fault, and no user is without fault. You need to base your decisions upon what you feel you can handle with your level of competence. Use AV. Use a more secure browser. But, the biggest security hole in any system is the user. If you can't figure out that you shouldn't be installing every app you see, go with iOS. If you choose something else, accept that you open yourself to potential risk.
Does this excuse the manufacturer, or Google, from all responsibility... no. But, I do think they're doing a decent job of balancing the open nature with need for security. As for your issue with firmware updates, I don't disagree. But, Google has been working to improve that with the carriers and manufacturers.
It all makes sense, when you realize Slashdot is made of more than one person. There are people on slashdot who are not happy with malware on Windows and advocate more of a walled garden, and then there are people who believe in freedom to install malware if they wanted to. So you have more than one set of people, moderating at different points of time, carrying different opinions at different strengths. And thus you have, what you call, hypocrisy in slashdot, when all individuals are perfectly non-hypocritical.
Yeah no kidding I was modded down to 0 because I said there is a problem with AV software not having the access in the walled garden to clean up a rootkit infection. Sigh moderators
There needs to be a balance though. Yes security is important but that does not mean banning all javascript except for the OS browser that came with it IE 10, Chrome, Safari, and no one else. Also at least with things like SecureBoot MS is nice enough to have an API for AV scanners to detect and remove rootkits.
I think AV software and alternative browsers should be installed. Walled Gardens are only effective if they block 100% of all exploits 100% of the time and protect the dumb user from themselves. Then it is hell as if one gets through the tools are all walled away from doing anything about it and detecting it. That is a bad design if you ask me.
http://saveie6.com/
You only had to look at the link to know this very much legitimate research.
Even if it was not, for Gods sake dont try to redefine the word. I hope some journalist does not pick this up and start using it as definition of 'researchers'. Just call them researchers, and you can use an adjective to describe them as what ever kind of researchers you think they are.
Agressive pricing frightens slashdotters newly accustomed to Linux's increased market share.
Like every other slashdotter I'll buy a copy for photoshop, mixcraft and games. (Windows is for ralaxation - lol)
15TW = 15,000 Nuclear Reactors. (Approx. one accident a month.)
Just as on a PC: The only way to guarantee an infection is gone (without hours of work) is a full OS install from scratch... Pull yourself out of the kiddy pool, root your device and flash a brand new rom that will probably run _faster_ than the original phone. You could then also run a good firewall if you wanted :]
Can a person program a new solution to a problem? Why should anyone be able to stop such a thing? -Richard Stallman
Exactly! I know I can trust you because you write everything from the bootloader and firmware upwards! After all, Google wouldn't be doing anything to invade your privacy, like the did with iPhone.
via Google's Play Store. This is a KNOWN FACT, not bs.
The official repository IS the problem main. Haven't heard about a single malware being distributed on the Amazon App Store.
wish I have modpoints. Don't understand why people don't understand this point.
No, no they didn't. They are anti-FOSS.
Not quite. What Apple really is against is "open hardware", or, more precisely, "open OS", at least when it comes to the one (hardware and OS) they themselves sell. As for individual pieces of software, they don't care whether it's FOSS or not. On the other hand, if your FOSS license of choice happens to prevent others from uploading it to their app store, see VLC for iOS, killed, if I remember correctly, by the VLC folks themselves, what guilt do they objectively have? When an open source project selects a license that forbids end-users of closed hardware from running said project's software, that's precisely one of the "features" the project aimed for, meaning it's working as intended.
(It could be argued that the project actually intends to encourage hardware makers to not close the hardware. But that's the positive side of things, the negative being that, if the hardware maker doesn't opt to open it, end users will suffer no matter what. You can't have one without the other, the alternative being to have neither.)
Conservatism: (n.) love of the existing evils. Liberalism: (n.) desire to substitute new evils for the existing ones.
No, no they didn't. They are anti-FOSS.
And they release so many large and widely used open source projects because... they hate it so much?