Slashdot Mirror

← Back to Stories (view on slashdot.org)

Drive-by Android Malware Exploits Unpatchable Vulnerability

Posted by timothy on from the bad-people-are-out-there dept.

An anonymous reader writes "Attackers have crafted the E-Z-2-Use malware code that exploits a 14-month-old vulnerability in Android devices. The vulnerability exists in the WebView interface a malicious website can utilize it to gain a remote shell into the system with the permissions of the hijacked application. Vulnerable devices are any device that is running a version earlier than 4.2 (in which the vulnerability was patched) which is a staggeringly large amount of the market. The vulnerability is in Android itself rather than the proprietary GMS application platform that sits atop the base operating system so it is not easily patched by Google."

3 of 120 comments (clear)

  1. Fragmentation not an issue eh? by Anonymous Coward · · Score: 5, Interesting

    Some carriers still sell android 2.x devices. If you don't buy a mainstream/high end device your phone will likely never see a patch, ever.

    Not saying my iphone is invulnerable, but my almost 4 year old iphone4 still gets patches. So does my 5s, and I expect it will 3-4 years from now.

    And no, normal users can't and don't install Cyanogen. Sorry.

    1. Re:Fragmentation not an issue eh? by Penguinisto · · Score: 4, Interesting

      This will perhaps finally break Android's staggering left-behind numbers, once someone writes malware to abuse such an unpatched issue in a way that effects people in a serious way (not just people installing illegal or otherwise wildly non-mainstream apps).

      No, it will more likely drive the average consumer to buying iPhones (if they have the money) or WinMo devices (if they don't.)

      You see, people aren't all that technically in-depth, and so they're not going to (rightly) blame the manufacturers or carriers for blocking patches/upgrade - they'll blame "Android", and avoid it like the plague, even if the newer versions are fully patched against it.

      --
      Quo usque tandem abutere, Nimbus, patientia nostra?
  2. Re:errr that's Unpatched not Unpatchable by Penguinisto · · Score: 5, Interesting

    it was fixed in v 4.2 so it is patchable
    QED

    Not exactly QED: Most Android phones are unpatchable due to the carrier not giving a damn (for various reasons), the phone hardware being too old (or too low-end), and/or the manufactuer not giving a damn (they'd prefer you buy a new phone from them instead). There are of course jailbreaks, if your carrier doesn't cut you off for using it, and if there's one that works on your phone, and if you have the technical 'oomph to install it without bricking the thing.

    To put it bluntly? Unless you paid at least $300 for your Android smartphone and it's less than 3 years old (if you're lucky), you're pretty much screwed.

    (Before anyone gets butthurt about it, no, I don't own an iPhone. I have a cheap Android device, but as I bought it recently, it has 4.2 on it.)

    --
    Quo usque tandem abutere, Nimbus, patientia nostra?