Drive-by Android Malware Exploits Unpatchable Vulnerability
An anonymous reader writes "Attackers have crafted the E-Z-2-Use malware code that exploits a 14-month-old vulnerability in Android devices. The vulnerability exists in the WebView interface; a malicious website can utilize it to gain a remote shell into the system with the permissions of the hijacked application. Vulnerable devices are any device that is running a version earlier than 4.2 (in which the vulnerability was patched) which is a staggeringly large amount of the market. The vulnerability is in Android itself rather than the proprietary GMS application platform that sits atop the base operating system so it is not easily patched by Google."
it was fixed in v 4.2 so it is patchable
QED
Can we PLEASE work on writing CORRECT code before adding ever more features?
Some carriers still sell android 2.x devices. If you don't buy a mainstream/high end device your phone will likely never see a patch, ever.
Not saying my iphone is invulnerable, but my almost 4 year old iphone4 still gets patches. So does my 5s, and I expect it will 3-4 years from now.
And no, normal users can't and don't install Cyanogen. Sorry.
not every phone has the ability to get to 4.2 though... mine is 4.1.2 :(
Android: Tell me again why you think your platform is more secure when the vast majority of the user base cannot access software updates?
BlackBerry: Anyone at BlackBerry can easily intercept everything your phone does, so don't even try.
iOS: No, your fingerprint scanner does not make your phone more secure. Get over it.
Vulnerable devices are any device that is running a version earlier than 4.2 (in which the vulnerability was patched) which is a staggeringly large amount of the market.
The vulnerability is in Android itself rather than the proprietary GMS application platform that sits atop the base operating system so it is not easily patched by Google.
But apparently not so difficult as to make it impossible? Is there something I don't understand here, or was this summary just horribly written?
Because all those Indian programmers produce perfect code *rolls eyes*
it was fixed in v 4.2 so it is patchable
QED
Not exactly QED: Most Android phones are unpatchable due to the carrier not giving a damn (for various reasons), the phone hardware being too old (or too low-end), and/or the manufacturer not giving a damn (they'd prefer you buy a new phone from them instead). There are of course jailbreaks, if your carrier doesn't cut you off for using it, and if there's one that works on your phone, and if you have the technical 'oomph to install it without bricking the thing.
To put it bluntly? Unless you paid at least $300 for your Android smartphone and it's less than 3 years old (if you're lucky), you're pretty much screwed.
(Before anyone gets butthurt about it, no, I don't own an iPhone. I have a cheap Android device, but as I bought it recently, it has 4.2 on it.)
Quo usque tandem abutere, Nimbus, patientia nostra?
Android feels like it is steadily becoming the new Windows.
-- It's showing up everywhere.
-- The version issues hark back to the days of "DLL hell"
-- This drum beat of exploits has a familiar rhythm too.
-- As a multi-platform developer I find I'm always having to reboot my device, and the IDE just to get a clean test run.
Call me a fan boy but iOS is a much better world to work and play in
If I never browse the web on my android device and just use it to read novels or play games, am I safe?
I like my Droid 4 just fine, but it's running 4.1, and Verizon has pretty much promised they're not updating it ever again... So I guess I'll break down and switch over to CyanogenMod.
Because of Motorola's locked (probably forever more, thanks Verizon) bootloader, you have to do the ridiculous rigamarole of SafeStrap bootload intervention before romming.
Welcome to the Panopticon. Used to be a prison, now it's your home.
Maybe there is good reason I am confused here, but this sounds very much like the drive by google war drivers caught a couple of years ago stealing passwords.. from home computer systems, a crime for which g00GLe was fined $1 US by a judge. Is this a coincidence, or do I hate g00GLe even more now?
The issue with Android is the same old issue. Some devices get updates to the OS, some don't. Android to me is a mess and always has been a mess.
Given that the manufacturer and carriers are distributing software devices without proper updates for at least the expected life of the device (2 years at least for the terms of a contract), perhaps a massive lawsuit is in order?
Michael J. Ryan - tracker1.info
"The vulnerability is in Android itself rather than the proprietary GMS application platform that sits atop the base operating system so it is not easily patched by Google."
Unpatchable by design? [face-palm]
The mobile movement brought the same problem we have all been facing since the start of the PC. If the code is locked (no root/priority software) then the software makers should be liable.
With all these malware exploits there is nothing the user can do legally. If you could root your phone, watch the processes, and fix your device it might help.
The problem is that there is a Windows standard: software companies are not responsible for flaws. Seems legit
My HTC One X has been abandoned last year at 4.1.2, with still more 2yrs left on the contract :-O :-( While that sucks, I did move to Cyanogenmod, through a few different flavours. I'm running CM11 Milestone 2, but I think I can safely predict what will and will not work for anyone who goes this route (because these issues have persisted through several releases in Cyanogenmod):
:-)
1) you will have Bluetooth for audio, but not for keyboards, game-controllers (no HID stuff)
2) you will not have IPv6. Not a big deal for most people, but this is News for Nerds
3) returning to a previous WiFi location may require toggling Airplane Mode to get it to reconnect
But for a non-technical person like my wife, using CM11 / KitKat 4.4.2 truly *IS* a viable answer (hahaha - using. Getting to CM11 is most definitely not for her... that's my thing). For the future, Nexus devices or Play devices are likeliest.
"Hey Steve, it looks like that vulnerability is in our layer, not that proprietary layer."
"Our layer? Shit. That's going to be difficult to fix. It's practically impossible to change our layer. If only it had been in the proprietary layer I know nothing about it could have been easily fixed."
it was fixed in v 4.2 so it is patchable
There's no patch for the vulnerable versions though.
the attacker can gain the same access that the Android built in web browser has
That doesn't sound that bad on the face of it and you can avoid entirely by using a different browser. It may not get you 100% security from the exploit but should get you pretty near.
So, a better title would be:
"It's a problem we could fix but we won't cause you're in our slave OS contract (ha ha ha) so we'll call it unmatchable to confound the simple folk."
you mean unpatchable not unmatchable - I presume
With 4.4 a lot of low-end phones could technically be supported when they couldn't run 4.3. The largest hurdles are carriers and manufacturers dropping support after an obscenely short time.
Cyanogenmod
The Ars article says it affects the stock Android browser. The "dead && end" blog post they reference, however, discusses apps that load untrusted content in Javascript-enabled WebViews and inject Java objects via addJavascriptInterface(). That's very specific, and much less of a big deal than an exploit affecting the stock Android browser. So which is it?
My HTC phone, ~1 1/2 years old, ~$400,- is and will remain stuck at 4.1.2.
And not supported by Cyanogenmod or anything else.
The still most widely deployed version, 2.3, is fine. At least if you don't run apps with ads, but then, there's no hope left for you anyway.
Nobody mentions which version introduced the bug in the browser, but I'm guessing it's 3.1. But I know very little.
switch to a different web browser...
only fix, really. and make sure it doesn't use the built in webkit renderer.
world was created 5 seconds before this post as it is.
Chrome. Or firefox. Or Opera ...
So long as you skip the Android browser (and Webview) the exploit can be avoided.
can I use this to run a root shell on my old android device? or is this like a "you're facing lotsa prison time for trying this exploit" type of scenario?
If you're gonna get an Android phone and care at all about updates, before you spend ANY money make sure you can find instructions on how to unlock/root your phone as well as check the level of development of ROMs available for the phone. If the phone of interest is sufficiently popular that there's good instructions on how to unlock and root it and there's a reasonably healthy community involved in developing ROMs for it (and hence updates), then it's probably a good phone to get. Short of buying a Nexus, this is really the only way to guarantee that you'll be able to keep updating your phone as time goes on.
I bought my Samsung Galaxy S2 in February of 2012. My carrier (Telstra) has long forgotten about supporting my particular phone (I think the last official Telstra supported update was 4.1.2). However, I'm running 4.4.2 and can only run that due to the wonderful community that's still developing ROMs for this thing, long after corporate interest has dried up. I have absolutely no intention of replacing it until it breaks, since it's still quite fast and capable.
Account abandoned. I can't fucking spell for shit and Slashdot doesn't even allow time-limited edits of posts. Plus you'
This is covered in a Reddit conversation involving a person involved in the exploit here.
It seems that Android 4.0 and 4.1 are affected by the web browser vulnerability, and apparently some OEMs have patched it, but it is still a big deal. A web site is provided to test for the problem, but I cannot vouch for it. I can confirm that the site indicates a vulnerability in the browser in the Android 4.0.3 emulator, and that it does not in a 2.2 emulator.
Not exactly QED: Most Android phones are unpatchable due to the carrier not giving a damn (for various reasons), the phone hardware being too old (or too low-end), and/or the manufacturer not giving a damn (they'd prefer you buy a new phone from them instead).
Should be trivial enough to remind the relevant party that if you get hacked from a severe bug they are aware of and not fixing, that you will hold them liable...
There is an unofficial Cyanogenmod version for my phone - the instructions for installing it are incomplete, and refer to multiple articles that basically lead in circles.
Just remember to skip using all the apps that use the WebView widget too.
- chrish
Really? Let us know how that works out... Maybe you should read that big agreement you have to click “Agree” to when you activate a phone. All liability for software bugs, known or unknown is disclaimed.
You have zero chance of seeing a penny from any such attempt.
Here it would fall under the general rules regarding selling electronics - the firmware is specifically stated as being part of the electronic device, and therefore subject to the same requirements.
If you've chosen to live in a 3rd world country where you can sign away consumer rights, and where known (severe) flaws are ignored trivially, that's really a reflection on you, not the party selling you a phone.
Actually if the hardware will run 4.x it will certainly run Kitkat since Kitkat was optimized for low end hardware. In fact many devices running Gingerbread could run Kitkat if the industry gave a damn. If I hadn't just upgraded my wife from her Optimus V to a Moto X I'd probably work on porting CM11 M2 to it since there's already a CM10 (aka ICS) port. Since the Optimus V can run ICS pretty much any piece of hardware released in the last 4 years can (it was $99 off contract at release 3.5 years ago, hardware doesn't get much cheaper or low end than that).
Btw these kind of issues do point out that RMS isn't completely wrong, if it weren't for the poor quality binary drivers and the locked bootloaders anyone who wanted to could easily upgrade since there are plenty of people willing to make upgrades even with the current anti-consumer state of affairs, with an open system there would be no need for these kinds of vulnerabilities to stick around.
Also it makes me feel good about running adaway, most of the sites hosting this kind of crap will be blocked by one of the ad or malware blocklists I've got in the subscription.
There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
There is a phone manufacturer out there that has 0.0% US marketshare who has proven for almost a decade that 3 years of updates is no problem for them to offer.
Too bad people prefer "OMG NEW APPS" and "OMG FEATURE" over security.
"WebView.addJavascriptInterface requires explicit annotations on methods for them to be accessible from Javascript"
Google appears to have treated this as an API issue. I.e., "the API up to 4.1 was insecure. We now will require method annotations going forward for the JS to execute them." I could care less if backporting this change to earlier versions broke a bunch of apps. It's an easy enough change for those apps to go and insert the explicit annotations. I think Google has made a conscious choice here to not cause apps to break in the name of security, so that their platform can appear to be "more stable".
-- Who am I? How did I get here? My God, what have I done?!
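Added example, not part of the thread and not code from any project mentioned in it: a small static check for the pattern the comments above describe, an app that passes a Java object to addJavascriptInterface() and can still run where the 4.2 annotation rule is not enforced. It assumes Android 4.2 is API level 17 and that the annotation rule applies only to apps whose targetSdkVersion is 17 or higher; the sample manifest, class names and the regex heuristics are constructed for illustration.

```python
import re

API_17 = 17  # Android 4.2, the release the thread says carries the fix
BRIDGE = re.compile(r"\.addJavascriptInterface\(\s*new\s+(\w+)\s*\(")
GUARD = re.compile(r"SDK_INT\s*>=\s*(?:17|Build\.VERSION_CODES\.JELLY_BEAN_MR1)")
METHOD = re.compile(r"((?:@\w+\s+)*)public\s+[\w<>\[\]]+\s+(\w+)\s*\(")

# Constructed sample app (hypothetical names), not taken from any real project.
MANIFEST = '<uses-sdk android:minSdkVersion="10" android:targetSdkVersion="16"/>'
SOURCE = """
class Page { void show(WebView v) { v.addJavascriptInterface(new Bridge(this), "app"); } }
class Bridge {
    @JavascriptInterface
    public String title() { return "demo"; }
    public void wipeCache() { }
}
"""

def sdk(manifest, kind, default):
    m = re.search(r'android:%sSdkVersion="(\d+)"' % kind, manifest)
    return int(m.group(1)) if m else default

def class_body(source, name):
    """Brace-balanced body of `class name`, or '' when it is not in source."""
    m = re.search(r"class\s+%s\b[^{]*\{" % re.escape(name), source)
    if not m:
        return ""
    depth, i = 1, m.end()
    while i < len(source) and depth:
        depth += {"{": 1, "}": -1}.get(source[i], 0)
        i += 1
    return source[m.end():i - 1]

def audit(manifest, source):
    """One report per addJavascriptInterface(new X(...)) call in source."""
    min_sdk = sdk(manifest, "min", 1)              # platform default is 1
    target_sdk = sdk(manifest, "target", min_sdk)  # defaults to minSdkVersion
    reports = []
    for cls in BRIDGE.findall(source):
        methods = METHOD.findall(class_body(source, cls))
        issues = []
        if target_sdk < API_17:
            issues.append("targetSdkVersion < 17: annotations not enforced")
        if min_sdk < API_17 and not GUARD.search(source):
            issues.append("installs on pre-4.2 devices with no SDK_INT guard")
        tagged = [n for a, n in methods if "@JavascriptInterface" in a]
        reports.append({"class": cls, "issues": issues, "annotated": tagged,
                        "unannotated": [n for _, n in methods if n not in tagged]})
    return reports
```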
Yes, because everyone has the resources to migrate to another country at any moment, just because they dislike their phone contract. Your username is incorrect, it should be IDiot.