Slashdot Mirror


Many Android Users Susceptible To Plug-In Exploit -- And Many Of Them Have It

Ars Technica reports that a recently reported remote access vulnerability in Android is no longer just theoretical, but is being actively exploited. After more than 100,000 downloads of a scanning app from Check Point to evaluate users' risk from the attack, says Ars, "In a blog post published today, Check Point researchers share a summary of that data—a majority (about 58 percent) of the Android devices scanned were vulnerable to the bug, with 15.84 percent actually having a vulnerable version of the remote access plug-in installed. The brand with the highest percentage of devices already carrying the vulnerable plug-in was LG—over 72 percent of LG devices scanned in the anonymized pool had a vulnerable version of the plug-in."

61 comments

  1. Nope... by sudden.zero · · Score: 1

    ...I'm not being exploited!

    1. Re:Nope... by exomondo · · Score: 1

      Oh well this must be all lies then.

    2. Re:Nope... by Anonymous Coward · · Score: 0

      No, it's true for people who don't care about security. The first thing I ever do when I get a new phone or tablet is wipe it and install a custom Android firmware sans-manufacturer's and Google's garbage software.

    3. Re:Nope... by exomondo · · Score: 2

      > No, it's true for people who don't care about security.

      Which appears to make up a majority of users.

      > The first thing I ever do when I get a new phone or tablet is wipe it and install a custom Android firmware sans-manufacturer's and Google's garbage software.

      The necessity of this convoluted process - where it is even an option - is probably the reason the statistics show the majority are vulnerable.

  2. I know I'm shocked by JustAnotherOldGuy · · Score: 1

    I know I'm shocked...how about you? Is this shocking tech news or what??

    --
    Just cruising through this digital world at 33 1/3 rpm...
    1. Re:I know I'm shocked by Anonymous Coward · · Score: 0

      I've enjoyed the reverse trend of exploit reports for smartphones. Android, Apple, then Windows

    2. Re: I know I'm shocked by JohnNemesh · · Score: 1

      In order of popularity. Duh.

  3. OMG - Mine is INFECTED! by Overzeetop · · Score: 5, Funny

    I just realized that my LG G3 has the exploit vulnerability - and I'm freaking out because I know that it has been exploited!!!

    Oh, wait...I put that on there so I could root my device.

    Nevermind.

    --
    Is it just my observation, or are there way too many stupid people in the world?
    1. Re:OMG - Mine is INFECTED! by TheBilgeRat · · Score: 1

      Funny - I have root access, alternate ROM, twrp, and an LG-G3. My phone is clean.

    2. Re:OMG - Mine is INFECTED! by hAckz0r · · Score: 2

      Actually, I think WE were the ones exploited, when they talked us into buying a phone with a built-in OEM back door. Rooting may be the only way to fix the actual problem, being pwn'ed by the OEM and service provider.

    3. Re:OMG - Mine is INFECTED! by ememisya · · Score: 1

      A good chunk of alternate ROMs have proved to be more secure than official ones. Cyanogen Mod comes to mind, if you can flash it on there of course.

    4. Re:OMG - Mine is INFECTED! by Anonymous Coward · · Score: 0

      ASUS seems to be pretty decent in updating their phones, even the older ones, BUT I still have a subset of zperium vulnerability although I suspect that ASUS is waiting to roll out either 5.1 or if they skip that maybe a patch later on then the M update. *

      I picked up a zf2 as it wasn't ridiculously overpriced(MSRP), wanted to try out atom in actual usage(pretty snappy, snappier than my old nexus 5), and it had 4GB of RAM.

      I haven't checked for updates in a couple of days(set to manual as I like to let other beta test the releases after the beta testers of the beta) so it might be patched...(usually get at least one patch a month, sometimes several).

  4. story fails to answer important questions by Khashishi · · Score: 1

    1. Am I affected?
    2. What is the fix?

    1. Re:story fails to answer important questions by 0123456 · · Score: 2, Funny

      > What is the fix?

      Buy an iPhone?

    2. Re:story fails to answer important questions by amicusNYCL · · Score: 5, Informative

      It doesn't bother to mention that the plugin in question is Team Viewer, which apparently comes pre-installed on some phones.

      --
      "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
    3. Re:story fails to answer important questions by hyperar · · Score: 1

      > What is the fix?

      > Buy an iPhone?

      H, that won't stop third parties accessing your data.

    4. Re:story fails to answer important questions by 0123456 · · Score: 1

      > H, that won't stop third parties accessing your data.

      But, if it comes with buggy crapware preinstalled by the manufacturer, you at least have some chance of getting a fix.

    5. Re:story fails to answer important questions by hyperar · · Score: 1, Funny

      > H, that won't stop third parties accessing your data.

      > But, if it comes with buggy crapware preinstalled by the manufacturer, you at least have some chance of getting a fix.

      Really? I can disable preinstalled crap on my Android phone, I can choose what to run and what not to, can you or are you limited to what your phone's manufacturer allows you to?

    6. Re:story fails to answer important questions by 0123456 · · Score: 2, Informative

      > Really? I can disable preinstalled crap on my Android phone, I can choose what to run and what not to, can you or are you limited to what your phone's manufacturer allows you to?

      Pretty much any non-Google Android phone has crapware you can't get rid of, and it's been the source of many of the horrible security problems of recent months. Samsung's keyboard app, for example, which downloads unsigned files to anywhere on the device.

    7. Re:story fails to answer important questions by hyperar · · Score: 1

      > Really? I can disable preinstalled crap on my Android phone, I can choose what to run and what not to, can you or are you limited to what your phone's manufacturer allows you to?

      > Pretty much any non-Google Android phone has crapware you can't get rid of, and it's been the source of many of the horrible security problems of recent months. Samsung's keyboard app, for example, which downloads unsigned files to anywhere on the device.

      You're wrong, I can disable pre-installed crap. Is it Android's fault that Samsung modifies the system? I'm really not interested in what you or pretty much anybody thinks is best; it's up to everyone to choose which one they prefer. I was a Samsung user, and I'm pretty sure that it'd be a long time before I spend money on another of their products. That being said, I'll never buy an Apple product: they're not better, they don't have more features and they are waaaay more expensive than any of their alternatives.

    8. Re:story fails to answer important questions by 0123456 · · Score: 1, Interesting

      > You're wrong, I can disable pre-installed crap. Is it Android's fault that Samsung modifies the system?

      Uh, I'm right. Just because you can disable preinstalled crap on your magic not-Google-but-not-locked-down Android phone, doesn't mean that most Android users can.

      Again, I was pointing out that, if you buy an iPhone, the only preinstalled crap comes from Apple, and they can quickly ship a fix. If you buy Android, the preinstalled crap comes from Xonaxzuing Enterprises, Inc, and... you'll never get a fix.

    9. Re:story fails to answer important questions by hyperar · · Score: 1, Funny

      > You're wrong, I can disable pre-installed crap. Is it Android's fault that Samsung modifies the system?

      > Uh, I'm right. Just because you can disable preinstalled crap on your magic not-Google-but-not-locked-down Android phone, doesn't mean that most Android users can.

      > Again, I was pointing out that, if you buy an iPhone, the only preinstalled crap comes from Apple, and they can quickly ship a fix. If you buy Android, the preinstalled crap comes from Xonaxzuing Enterprises, Inc, and... you'll never get a fix.

      No you're not, I did it on my previous SAMSUNG Galaxy S3 and on my new Motorola X, so, you're wrong. If you don't know how to do it, doesn't mean that it isn't true. Since I did it, SEVERAL times, you're wrong, and my phones were not rooted nor modified in any way. You'll get a fix IF Apple decided to provide one, your assumption that Apple will do it because it's Apple and that any Android phone won't because it's Google is meaningless and shows that you don't know what you're talking about.

    10. Re:story fails to answer important questions by hyperar · · Score: 1

      To be "that guy".

      Any android user on any build from any manufacturer has the ability to disable built in bloatware. Yes, it takes extra steps that novices won't know, to actually REMOVE them, but any android user can, and usually does, disable them.

      That's not the point. And it's not the point that apple crapware only comes from apple, no one gives a shit about your iphone. No one but you.

      The issue here is this plugin is getting system level access, this is something a non-rooted user is NOT supposed to be able to do. Yes, in this case, you need a bad version of teamviewer, but some roms have this baked in. The issue is, if this "undocumented feature" can allow this application to gain system level access, what other apps can exploit this?

      Is the "plugin" installed as root by manufacturers/carriers or is it actually a vulnerability on Android that allows it to access system privilege level?

    11. Re:story fails to answer important questions by Anonymous Coward · · Score: 1

      I'll give both of you a dollar to shut up.

    12. Re:story fails to answer important questions by Ol+Olsoc · · Score: 1

      > You're wrong, I can disable pre-installed crap. Is it Android's fault that Samsung modifies the system?

      Is whose fault it is supposed to make some difference?

      It is exactly what it is.

      --
      The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
    13. Re:story fails to answer important questions by Anonymous Coward · · Score: 0

      As usual on slashdot

    14. Re:story fails to answer important questions by Ol+Olsoc · · Score: 1

      > Is whose fault it is supposed to make some difference?

      Yes of course it is! I bought an Android device and my choice created an emotional investment in the platform.

      Someone steals my shit, I don't care exactly who. I just know my shit's been stolen. Must be the difference between myself and the normal person. Although I've liked Apple products best for years, I have all manner of computing tools, from my iPhone and iMac, on which I run bootcamp and W7, a sacrificial Windows 10 box, to a number of linux computers and even a ChromeOS laptop. I even have an old touchpad that I rooted to run Android with Cyanogen.

      But I avoid emotional attachments with my electronic devices, and tend to use the tool that works best. Otherwise it feels like the boys down at the corner gas arguing about Fords and Chevies.

      --
      The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
  5. What they should really fear by Anonymous Coward · · Score: 0

    Is Confederate submarines. You're sailing along peacefully. Next thing you know you're sunk. BOOM! Glug, glug, glug.

  6. "infinitesimal percentage of devices". For remote by raymorris · · Score: 3, Insightful

    The article states it "discovered installed on an infinitesimal percentage of devices". These are devices with TeamViewer installed, an application DESIGNED to allow someone to remotely control your device over the network.

    If you install TeamViewer on Windows, people can take over your machine over the internet. If you install TeamViewer on Mac, people can take over your machine over the internet. That's what it's designed for. Therefore, from a security perspective TeamViewer is a very bad idea.

    It's no surprise that an application designed to give someone else full control of your machine is imperfect, and therefore can sometimes allow full access by someone who shouldn't have access.

  7. This is what happens by Anonymous Coward · · Score: 1

    When you DON'T make the user able to administrate the machine, s/he cannot secure it because of insufficient rights.
    The carriers of course DON'T care because more bandwidth being fraudulently used by malware equals MORE MONEY.

    The same problem exists with tablets.

    And yes, I know there is a way to root the devices but this is not within the reach of even the most technical users.

  8. Can't update my applications :( by Anonymous Coward · · Score: 0

    Just bought a new Android here and I only installed ONE third party app (Ustream)

    Problem: I can't update my phone because: Insufficient storage: This device doesn't have enough space to download....

    Yet....

    Phone storage: 4.00GB Total
    Total Space 1.57GB
    Available 140MB
    Apps 1.15GB
    Pictures, videos: 265MB
    Music Ringtones Podcasts 220KB
    Downloads 5.84MB
    Cached data: 22.98MB
    Miscellaneous: 19.09MB

    What the fuck? The above does not add up to 4GB! I can't uninstall anything except Ustream
    Am I infected?

    1. Re:Can't update my applications :( by Anonymous Coward · · Score: 0

      Yes, you're infected. You should immediately destroy the phone and all computing devices that you own, then hide in a cave in the wilderness where the big bad technology exploits can't get to you.

    2. Re:Can't update my applications :( by Anonymous Coward · · Score: 0

      Adding items 3 to 9 gives approximately the total space you indicated
      4.00GB - 1.57GB = 2.43GB, which is likely taken up by the Android OS, boot loader, recovery firmware, etc.

      Sound familiar? That's because Apple was sued earlier this year over the iOS 8 firmware size, taking up a large portion of an iDevice storage. For example, my work phone (iPhone 5 running iOS 8.4.1) only has 12.6GB capacity. That's 3.4GB just for the iOS firmware.

    3. Re:Can't update my applications :( by U2xhc2hkb3QgU3Vja3M · · Score: 1

      Hi, I'm a friend of parent AC above, and he's asking how long it's going to take before he can safely leave the cave?

    4. Re:Can't update my applications :( by Anonymous Coward · · Score: 0

      Don't forget most electronic devices require some working space. Most Android phones I've used will prevent install / updates when you hit 5-15% of total space remaining because it requires some working space.

      Desktops tend to let themselves die and become horribly unstable on a completely full disk.

  9. That is so cool by piojo · · Score: 4, Insightful

    > Check Point researchers found an app that is actively exploiting the vulnerability. A tool called “Recordable Activator” from UK-based Invisibility Ltd is advertised as an “EASY screen recorder” that doesn’t require root access to the device. But in fact once installed from the Google Play store, the app downloads a vulnerable version of the TeamViewer plug-in from another source... “it’s [the plug-in] considered trusted by Android, and is granted system-level permissions. From this point ‘Recordable Activator’ exploits the authentication vulnerability and connects with the plug-in to record the device screen.”

    Am I the only one that thinks this is incredibly cool? It's not clear to me whether this is exactly the same thing as a root exploit, but some screen recording app developers figured out they could hijack an old version of a well-known app that can do screen recording. This is just a beautiful hack.

    But I didn't think having system-level permissions was enough to root a device. And furthermore, does this hack let you do arbitrary actions, or only the actions that the plugin would do?

    --
    A cat can't teach a dog to bark.
    1. Re:That is so cool by Anonymous Coward · · Score: 0

      > ...But I didn't think having system-level permissions was enough to root a device....

      It is, I don't know if you're familiar with what "rooting the device" actually means, but it's putting the su binary into /system/, that's it.

      Once su is in the proper directory, other applications can use su somecommand, this is what "root access" is on Android, nothing more.

    2. Re:That is so cool by Anonymous Coward · · Score: 0

      A vulnerability that is used to gain elevated privileges that the user wants in a convenient app form is:

      on Android: OMG THE WORLD IS COMING TO AN END ACTIVE EXPLOIT MALWARE
      on i thing: hey cool, I can jail break! USER FEATURE

      LOL

    3. Re:That is so cool by swillden · · Score: 1

      > ...But I didn't think having system-level permissions was enough to root a device....

      > It is, I don't know if you're familiar with what "rooting the device" actually means, but it's putting the su binary into /system/, that's it.

      True, but system-level permission isn't sufficient to allow you to remount the /system partition as read-write and install su. You need to find a privilege escalation attack that allows you to obtain root first. However, once you have system-level permission you have access to an enormous attack surface for priv escalation attacks. Odds are you can find a way to do it.

      Also, even without rooting an attacker with system-level privileges has enormous power to get the data from your device.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    4. Re:That is so cool by piojo · · Score: 1

      > It is, I don't know if you're familiar with what "rooting the device" actually means, but it's putting the su binary into /system/, that's it.

      > Once su is in the proper directory, other applications can use su somecommand, this is what "root access" is on Android, nothing more.

      That's one definition. Opening a root shell (regardless of the state of /system and su) is another. I've seen this called "temproot".

      I'm familiar with rooting, but not with exactly what system-level permissions entails. And whether system permissions imply root-ability or not, I agree with you that it's dangerous.

      But here's another question, if you know more about this than me: Once /bin/su is installed, and the user launches a "SU" app, how does the SU app prevent other apps from accessing /bin/su? Does it simply inject itself into the OS functions that let a process execute a file?

      --
      A cat can't teach a dog to bark.
    5. Re:That is so cool by Anonymous Coward · · Score: 0

      > ...Once /bin/su is installed, and the user launches a "SU" app, how does the SU app prevent other apps from accessing /bin/su? Does it simply inject itself into the OS functions that let a process execute a file?...

      It doesn't, but you can use su management apps such as SuperSU or Superuser to alert you that "some application" is trying to use su, and you can allow or deny "some application" from prepending whatever it is trying to do with su, most rooting methods will include both su and a tool for managing use of su.

  10. Re:"infinitesimal percentage of devices". For remo by piojo · · Score: 2

    > If you install TeamViewer on Mac, people can take over your machine over the internet. That's what it's designed for. Therefore, from a security perspective TeamViewer is a very bad idea.

    > It's no surprise that an application designed to give someone else full control of your machine is imperfect, and therefore can sometimes allow full access by someone who shouldn't have access.

    Wee difference there. On Android, nobody is supposed to get full control of the system. If someone is using TeamViewer to control it, they should not need more permissions than the local user has. After all, it's a screen sharing app. The remote user can only do what the local user can do.

    It seems like the app has additional permissions to do things that normally wouldn't be possible (screen capture is what the article mentions), but somehow these extra permissions are made available to one of the users. That must be the vulnerability.

    --
    A cat can't teach a dog to bark.
  11. Another win for Android! by Anonymous Coward · · Score: 0

    Lol

  12. bug yes, and local access is full access by raymorris · · Score: 2

    > If someone is using TeamViewer to control it, they should not need more permissions than the local user has. After all, it's a screen sharing app. The remote user can only do what the local user can do.

    The local user can root the device and can replace operating system files. As expected (but not exactly as designed), TeamViewer can be used to get quite a bit of access.

    The design is that the local user has some limits, or at least that it's _inconvenient_ for the local user to do certain things, including installing a new OS. The local user has to be technically savvy in order to install a new OS. The pseudo-local user using Team Viewer has to be technically savvy to use TM to exceed the designed permissions. Same thing, really.

    The permissions are more than designed, and exactly as expected.

    1. Re:bug yes, and local access is full access by piojo · · Score: 1

      I don't believe you've understood Android's security model (though I'm not an expert myself). The local user cannot do those things, and the user does not have ultimate permission. Unless there is an exploit on the device. There have been plenty of devices that were un-rootable. My HTC One M7 was un-rootable (probably still is), unless you use HTC tools to perform operations on the device when it is not booted into Android. There was literally no way for the OS's local user to gain escalated permissions. If this new exploit changes that, it's not because "remote user == local user" or because "access to the device == complete pwned". You're simplifying it. This is only possible because TeamViewer is somehow running arbitrary commands with system permissions. Prior to this exploit, a local user could not do that.

      --
      A cat can't teach a dog to bark.
  13. FWIW by argStyopa · · Score: 1

    the check point scanner page (not the app itself, that would be silly to link to in this context) is https://play.google.com/store/...

    --
    -Styopa
  14. Check Point = Mossad by Anonymous Coward · · Score: 2, Insightful

    Who the hell would voluntarily install software from Check Point on their phone?!?

    1. Re:Check Point = Mossad by Anonymous Coward · · Score: 0

      Is there any evidence to that claim besides the Tel Aviv HQ?

    2. Re:Check Point = Mossad by Anonymous Coward · · Score: 1

      It isn't Mossad. This rumor doesn't make sense since it is the job of signal intelligence to analyze foreign data and that work falls onto Unit 8200 of the IDF, which is equivalent to the NSA in the United States. Well, the founders of Checkpoint came from 8200. Since service in the IDF is mandatory through conscription, all Israeli technology companies have connections back to IDF and most security related firms were founded by former 8200 members.

    3. Re:Check Point = Mossad by flubby! · · Score: 1

      So basically, the founders of Checkpoint have ties through their military service to the Israeli NSA and this is proof that Checkpoint doesn't have any connection whatsoever to Mossad.

      You're kidding right ?

  15. corporate sales by emil · · Score: 2

    It does so for a reason. They want you on a support contract, and the more unreasoning fear, the better. Google designed it that way.

  16. ewwww by Anonymous Coward · · Score: 0

    Android, ewwww, rip off of the real thing.

  17. your HTC One M7 was rooted within two months by raymorris · · Score: 2

    The M7 was released in March 2013. By May 2013, there were youtube videos showing how to root it.

    http://www.xda-developers.com/...

    "Unless you use HTC tools", what kind of criterion is that? If HTC provides a tool to root the phone, why wouldn't you use it? You _could_ write your own tool that does the same thing as the HTC tool, but why bother? With your M7, like all other devices, local access is in fact full access. (Btw I do this stuff for a living.)

    My claim is that if you install Team Viewer, you can expect security vulnerabilities. As it turns out, Team Viewer does indeed cause vulnerabilities, so that's correct.

    Sometimes I work with explosives. From time to time, you'll find that an explosive device might go off under certain conditions other than when it's designed to. The "bug report" would look like:

    XYZ can explode if heated to 280F rather than the design temperature of 350F.

    So the device isn't quite within design spec, but you shouldn't be surprised that an explosive can explode. Team Viewer is made to give other people control of your device. Don't be surprised when Team Viewer gives other people control of your device.

    1. Re:your HTC One M7 was rooted within two months by piojo · · Score: 1

      I was referring to the firmware it had when I bought it. *My* M7 was unrootable from within the OS. Those HTC tools don't operate within the Android OS, so that's why they get a pass in my book. This tool isn't launched from the phone, but from a computer, and it can only connect when the phone is in a hardware debugging mode (no apps, no configurability, not even a touchscreen interface).

      I think I see our disagreement. If you consider playing with chips to be part of local access, then indeed local access is full access. I meant "local user" (i.e., local account). TeamViewer in theory shouldn't be able to do things the local user cannot do. The local user cannot escalate privileges (without an exploit). Hence, TeamViewer was designed in a naughty way (with Google's permission) and has access that in theory it should not have. Otherwise it could not be a gateway for a local or remote user to escalate permissions.

      I would also expect vulnerabilities from TeamViewer: unwanted remote access. And unwanted remote access can do a lot of bad things, but it should not be able to circumvent Android's security model: it should not be able to sniff keys, nor capture the screen. It should not do anything a local app can't do. The fact that it can do these things is what makes this exploit notable, and that tells us that TeamViewer is not running as a normal app (subject to Android's security model).

      --
      A cat can't teach a dog to bark.
  18. Exchange Connector by nyet · · Score: 1

    If you are using the Exchange Connector for gmail, your phone is already chowned. Why hasn't google suspended that component?

  19. Reported remote access vulnerability in Android? by nickweller · · Score: 1

    "Check Point discovered that one application in the Google Play store is exploiting the vulnerability .. While the app was discovered installed on an infinitesimal percentage of devices checked by Check Point"

    Download and install a compromised app from the Google Play store - doh !

  20. Revocation by manu0601 · · Score: 1

    I understand the problem is that vulnerable software was signed and is therefore trusted. Google did not set up any way to revoke certificates?

  21. I wish I could get updates without it costing me p by Anonymous Coward · · Score: 0

    I wish I could get security updates for my (very well known brand) phone without it costing me agreeing to pages and pages of conditions.

  22. "should", "supposed to" vs "unsurprising" by raymorris · · Score: 1

    I think our apparent "disagreement", might stem from talking about different things. You seem to be talking about how things _should_ work, how it would be if people were perfect, their designs were perfect, and their implementation was perfect. I hear you saying "this shouldn't be, it's an error".

    I agree it's an error. I _expect_ errors. I've looked at a lot of code over the last 20 years, thousands of examples written by thousands of different programmers. I can count the bug-free instances on one hand. So bugs are not surprising, they are expected. Team Viewer is doing something it's not supposed to do - well yeah, practically all software does something it's not supposed to do.

    So we have some software which is designed to allow someone remote access. Because it's software, it has bugs. One of those bugs affects the remote access. That's not surprising. That's expected. If you install a remote-access app, you will probably have remote-access bugs, because apps have bugs.