Slashdot Mirror


Drive-by Android Malware Exploits Unpatchable Vulnerability

An anonymous reader writes "Attackers have crafted the E-Z-2-Use malware code that exploits a 14-month-old vulnerability in Android devices. The vulnerability exists in the WebView interface a malicious website can utilize it to gain a remote shell into the system with the permissions of the hijacked application. Vulnerable devices are any device that is running a version earlier than 4.2 (in which the vulnerability was patched) which is a staggeringly large amount of the market. The vulnerability is in Android itself rather than the proprietary GMS application platform that sits atop the base operating system so it is not easily patched by Google."

  1. errr that's Unpatched not Unpatchable by Anonymous Coward · · Score: 3, Informative

    it was fixed in v 4.2 so it is patchable
    QED

  2. Fragmentation not an issue eh? by Anonymous Coward · · Score: 5, Interesting

    Some carriers still sell android 2.x devices. If you don't buy a mainstream/high end device your phone will likely never see a patch, ever.

    Not saying my iphone is invulnerable, but my almost 4 year old iphone4 still gets patches. So does my 5s, and I expect it will 3-4 years from now.

    And no, normal users can't and don't install Cyanogen. Sorry.

    1. Re:Fragmentation not an issue eh? by Penguinisto · · Score: 4, Interesting

      This will perhaps finally break Android's staggering left-behind numbers, once someone writes malware to abuse such an unpatched issue in a way that affects people in a serious way (not just people installing illegal or otherwise wildly non-mainstream apps).

      No, it will more likely drive the average consumer to buying iPhones (if they have the money) or WinMo devices (if they don't.)

      You see, people aren't all that technically in-depth, and so they're not going to (rightly) blame the manufacturers or carriers for blocking patches/upgrade - they'll blame "Android", and avoid it like the plague, even if the newer versions are fully patched against it.

      --
      Quo usque tandem abutere, Nimbus, patientia nostra?
    2. Re:Fragmentation not an issue eh? by vux984 · · Score: 4, Insightful

      Not saying my iphone is invulnerable, but my almost 4 year old iphone4 still gets patches.

      The iphone 3GS was discontinued in September 2012 (as in up until Sep 2012 people were still buying them new on 2 year contracts usually "free") and it isn't supported with ios7 released in September 2013 one year later.

      Don't get me wrong, Apple is by far one of the best phone manufacturers out there for longevity of software updates for phones, but even they drop support on users who would still be under contract, only 1 year in.

      As for android... that's not really an android vs ios thing, that's Apple vs Samsung etc. There is nothing preventing a good Android manufacturer to provide patch longevity, and some phones have been well supported by some manufacturers.

      But sure, again, I readily concede that a lot of android manufacturers have really dropped the ball there.

      On the other hand, apple supports like 2 skus at a time. Android collectively covers dozens of skus available at any given time, all over the feature and price map and I prefer having that range of choices, even if some of the choices are crap.

  3. Cognitive dissonance by Dachannien · · Score: 4, Informative

    Vulnerable devices are any device that is running a version earlier than 4.2 (in which the vulnerability was patched) which is a staggeringly large amount of the market.

    The vulnerability is in Android itself rather than the proprietary GMS application platform that sits atop the base operating system so it is not easily patched by Google.

    But apparently not so difficult as to make it impossible? Is there something I don't understand here, or was this summary just horribly written?

    1. Re: Cognitive dissonance by PixetaledPikachu · · Score: 2

      If the vulnerability is on GTS, Google can patch it directly, as long as those devices are registered to Google services. Since it's in android, it's up to the device makers, or in USA case, device maker and carriers to push android 4.2 to the affected devices

    2. Re:Cognitive dissonance by Zocalo · · Score: 2

      I think they mean it's something that would need to be pushed out by each of the hardware vendors as a 4.2 OS update, not something that Google could patch via the Play Store update mechanism as would be the case if the issue was with one of their apps built on top of GMS. Kind of like expecting Microsoft to fix a bug in a PC's BIOS. Given how badly vendors are doing at upgrading to new versions of the OS, I suspect that getting them to go back and patch a version that is already out of date is going to be an even harder mountain to climb.

      --
      UNIX? They're not even circumcised! Savages!
    3. Re:Cognitive dissonance by wonkey_monkey · · Score: 2

      It's very horribly written.

      The vulnerability exists in the WebView interface a malicious website can utilize it to gain a remote shell

      Missing some punctuation, or something.

      Vulnerable devices are any device that is running a version earlier than 4.2

      That's a pretty poorly written sentence. "Android versions prior to 4.2 are vulnerable" would have been much better.

      The vulnerability is in Android itself rather than the proprietary GMS application platform

      What does GMS stand for?

      --
      systemd is Roko's Basilisk.
  4. Re:errr that's Unpatched not Unpatchable by Penguinisto · · Score: 5, Interesting

    it was fixed in v 4.2 so it is patchable
    QED

    Not exactly QED: Most Android phones are unpatchable due to the carrier not giving a damn (for various reasons), the phone hardware being too old (or too low-end), and/or the manufacturer not giving a damn (they'd prefer you buy a new phone from them instead). There are of course jailbreaks, if your carrier doesn't cut you off for using it, and if there's one that works on your phone, and if you have the technical 'oomph to install it without bricking the thing.

    To put it bluntly? Unless you paid at least $300 for your Android smartphone and it's less than 3 years old (if you're lucky), you're pretty much screwed.

    (Before anyone gets butthurt about it, no, I don't own an iPhone. I have a cheap Android device, but as I bought it recently, it has 4.2 on it.)

    --
    Quo usque tandem abutere, Nimbus, patientia nostra?
  5. Everything old is new again by mt1955 · · Score: 3, Informative

    Android feels like it is steadily becoming the new Windows.

    -- It's showing up everywhere.

    -- The version issues hark back to the days of "DLL hell"

    -- This drum beat of exploits has a familiar rhythm too.

    -- As a multi-platform developer I find I'm always having to reboot my device, and the IDE just to get a clean test run.

    Call me a fan boy but iOS is a much better world to work and play in

    1. Re:Everything old is new again by cheesybagel · · Score: 4, Informative
    2. Re:Everything old is new again by gnoshi · · Score: 2

      You mean like Windows, which in the case of XP has received updates for 12 years which can be installed on any XP computer irrespective of manufacturer-included crapware? I wish Google provided updates for Android like Microsoft did for Windows.

      Also, I think you're overstating:
      1. the version issues - Google's compatibility libraries are pretty damn good. Inter-device compatibility is a bigger problem, and is more similar to trying to support a range of video cards well on PCs
      2. the 'drum beat' of exploits? The 'master key' vulnerability, which only affected users who sideloaded apps (which is significant, no denying) and this one which affects apps which use WebView content in an insecure way. There are also the exploits used to gain root on devices, of course, but iOS has them too in order to jailbreak - although some exploits to gain root on Android don't require being plugged in (but usually require debugging to be enabled which is in a hidden menu).

  6. Re:All software is shit by Penguinisto · · Score: 2

    Can we PLEASE work on writing CORRECT code before adding ever more features?

    Welcome to the consumer electronics industry! You must be new here, so I'll try to be helpful: these things are, in the industry's eyes, disposable. Bugs and vulns simply mean that the next phone models will get the fixes, and unless you shelled out enough money for yours? You most likely won't.

    --
    Quo usque tandem abutere, Nimbus, patientia nostra?
  7. Re:errr that's Unpatched not Unpatchable by aztracker1 · · Score: 3, Insightful

    Given that the manufacturer and carriers are distributing software devices without proper updates for at least the expected life of the device (2 years at least for the terms of a contract), perhaps a massive lawsuit is in order?

    --
    Michael J. Ryan - tracker1.info
  8. Tried Cyanogenmod for this very reason by sparkyradar · · Score: 3, Informative

    My HTC One X has been abandoned last year at 4.1.2, with still more 2yrs left on the contract :-O :-( While that sucks, I did move to Cyanogenmod, through a few different flavours. I'm running CM11 Milestone 2, but I think I can safely predict what will and will not work for anyone who goes this route (because these issues have persisted through several releases in Cyanogenmod):

    1) you will have Bluetooth for audio, but not for keyboards, game-controllers (no HID stuff)
    2) you will not have IPv6. Not a big deal for most people, but this is News for Nerds :-)
    3) returning to a previous WiFi location may require toggling Airplane Mode to get it to reconnect

    But for a non-technical person like my wife, using CM11 / KitKat 4.4.2 truly *IS* a viable answer (hahaha - using. Getting to CM11 is most definitely not for her... that's my thing). For the future, Nexus devices or Play devices are likeliest.

  9. Re:errr that's Unpatched not Unpatchable by Nemyst · · Score: 4, Informative

    With 4.4 a lot of low-end phones could technically be supported when they couldn't run 4.3. The largest hurdles are carriers and manufacturers dropping support after an obscenely short time.

  10. Re:errr that's Unpatched not Unpatchable by chuckugly · · Score: 2

    Cyanogenmod

  11. Re:If I understand TFA by noh8rz10 · · Score: 5, Informative

    the attacker can gain the same access that the Android built in web browser has. That doesn't sound that bad on the face of it

    FTFA:

    The code exploits a critical bug in Android's WebView programming interface that was disclosed 14 months ago. The security hole typically gives attackers remote access to a phone's camera and file system and in some cases also exposes other resources, such as geographic location data, SD card contents, and address books.

    The easiest way to exploit the bug is to lure a vulnerable user to a booby-trapped webpage. Within seconds, the site operator will obtain a remote shell window that has access to the phone's file system and camera. In some cases, the exploit can also be triggered by performing a man-in-the-middle attack while the victim is on an unsecured Wi-Fi network.

    I would say this is a big deal.

  12. err not 4.2 by nazsco · · Score: 2, Informative

    The still most widely deployed version, 2.3, is fine. At least if you don't run apps with ads, but then, there's no hope left for you anyway.

    Nobody mentions which version introduced the bug in the browser, but I'm guessing it's 3.1. But I know very little.

    1. Re:err not 4.2 by AC-x · · Score: 2

      2.3? Your statistics are very out of date, 2.3 now only accounts for 20% of users, with 4.0 - 4.2 making up 68% of Android users.

  13. Re:errr that's Unpatched not Unpatchable by gl4ss · · Score: 2

    switch to a different web browser...

    only fix, really. and make sure it doesn't use the built in webkit renderer.

    --
    world was created 5 seconds before this post as it is.
  14. Re:errr that's Unpatched not Unpatchable by pepty · · Score: 5, Informative

    Chrome. Or firefox. Or Opera ... So long as you skip the Android browser (and Webview) the exploit can be avoided.

  15. This is why you unlock/root/ROM your phone by Thanosius · · Score: 4, Insightful

    If you're gonna get an Android phone and care at all about updates, before you spend ANY money make sure you can find instructions on how to unlock/root your phone as well as check the level of development of ROMs available for the phone. If the phone of interest is sufficiently popular that there's good instructions on how to unlock and root it and there's a reasonably healthy community involved in developing ROMs for it (and hence updates), then it's probably a good phone to get. Short of buying a Nexus, this is really the only way to guarantee that you'll be able to keep updating your phone as time goes on.

    I bought my Samsung Galaxy S2 in February of 2012. My carrier (Telstra) has long forgotten about supporting my particular phone (I think the last official Telstra supported update was 4.1.2). However, I'm running 4.4.2 and can only run that due to the wonderful community that's still developing ROMs for this thing, long after corporate interest has dried up. I have absolutely no intention of replacing it until it breaks, since it's still quite fast and capable.

    --
    Account abandoned. I can't fucking spell for shit and Slashdot doesn't even allow time-limited edits of posts. Plus you'
  16. Re:Take a look at Reddit by bminuk · · Score: 2

    I must clarify that the WebView vulnerability affects all Android versions before 4.2. The new exploit in question affects the built-in web browser, not just third party apps that make use of WebView. This, of course, makes this even more dangerous.

  17. Re:errr that's Unpatched not Unpatchable by GNious · · Score: 3, Informative

    There is an unofficial Cyanogenmod version for my phone - the instructions for installing it are incomplete, and refer to multiple articles that basically lead in circles.

  18. Re:Take a look at Reddit by ChunderDownunder · · Score: 2

    They should really deprecate the stock browser and retrofit a lightweight Chrome instance (Chromium in the AOSP) to implement the API.

    That way, carriers and vendors can bundle Chrome but since it's in the Play Store, it gets automagically updated.

    But, in having a plain-Jane webkit browser, I guess they didn't want the iexplorer grief from euronazis demanding that they remove Chrome as a dependency. Savvy users like me will install firefox from f-droid anyway...

  19. Re:Attention Fanboys by teg · · Score: 2

    iOS: No, your fingerprint scanner does not make your phone more secure. Get over it.

    Apple doesn't say it's safer. In fact, Apple considers it LESS safe than the PIN, because you can always enter the PIN. Or if the reader fails to get a valid fingerprint, you need the PIN to unlock. Or if you reboot. PIN trumps reader every time.

    The only way it's "safer" is that it encourages you to use a PIN where you might not have used one before because it's less annoying to unlock.

    Another big advantage: Since you don't have to enter it as often, you can use a password rather than a pin. I exchanged my 4 digit pin code for an alphanumeric password of length 9 after I got a 5s. Thus, it has increased safety for my phone.