Many Android Users Susceptible To Plug-In Exploit -- And Many Of Them Have It
Ars Technica reports that a recently reported remote access vulnerability in Android is no longer just theoretical, but is being actively exploited. After more than 100,000 downloads of a scanning app from Check Point to evaluate users' risk from the attack, says Ars, "In a blog post published today, Check Point researchers share a summary of that data—a majority (about 58 percent) of the Android devices scanned were vulnerable to the bug, with 15.84 percent actually having a vulnerable version of the remote access plug-in installed. The brand with the highest percentage of devices already carrying the vulnerable plug-in was LG—over 72 percent of LG devices scanned in the anonymized pool had a vulnerable version of the plug-in."
I just realized that my LG G3 has the exploit vulnerability - and I'm freaking out because I know that it has been exploited!!!
Oh, wait...I put that on there so I could root my device.
Never mind.
Is it just my observation, or are there way too many stupid people in the world?
The article states it "discovered installed on an infinitesimal percentage of devices". These are devices with TeamViewer installed, an application DESIGNED to allow someone to remotely control your device over the network.
If you install TeamViewer on Windows, people can take over your machine over the internet. If you install TeamViewer on Mac, people can take over your machine over the internet. That's what it's designed for. Therefore, from a security perspective TeamViewer is a very bad idea.
It's no surprise that an application designed to give someone else full control of your machine is imperfect, and therefore can sometimes allow full access by someone who shouldn't have access.
> Check Point researchers found an app that is actively exploiting the vulnerability. A tool called “Recordable Activator” from UK-based Invisibility Ltd is advertised as an “EASY screen recorder” that doesn’t require root access to the device. But in fact once installed from the Google Play store, the app downloads a vulnerable version of the TeamViewer plug-in from another source... “it’s [the plug-in] considered trusted by Android, and is granted system-level permissions. From this point ‘Recordable Activator’ exploits the authentication vulnerability and connects with the plug-in to record the device screen.”
Am I the only one that thinks this is incredibly cool? It's not clear to me whether this is exactly the same thing as a root exploit, but some screen recording app developers figured out they could hijack an old version of a well-known app that can do screen recording. This is just a beautiful hack.
But I didn't think having system-level permissions was enough to root a device. And furthermore, does this hack let you do arbitrary actions, or only the actions that the plugin would do?
A cat can't teach a dog to bark.
What is the fix?
Buy an iPhone?
> If you install TeamViewer on Mac, people can take over your machine over the internet. That's what it's designed for. Therefore, from a security perspective TeamViewer is a very bad idea.
> It's no surprise that an application designed to give someone else full control of your machine is imperfect, and therefore can sometimes allow full access by someone who shouldn't have access.
Wee difference there. On Android, nobody is supposed to get full control of the system. If someone is using TeamViewer to control it, they should not need more permissions than the local user has. After all, it's a screen sharing app. The remote user can only do what the local user can do.
It seems like the app has additional permissions to do things that normally wouldn't be possible (screen capture is what the article mentions), but somehow these extra permissions are made available to one of the users. That must be the vulnerability.
A cat can't teach a dog to bark.
It doesn't bother to mention that the plugin in question is Team Viewer, which apparently comes pre-installed on some phones.
"Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
> If someone is using TeamViewer to control it, they should not need more permissions than the local user has. After all, it's a screen sharing app. The remote user can only do what the local user can do.
The local user can root the device and can replace operating system files. As expected (but not exactly as designed), TeamViewer can be used to get quite a bit of access.
The design is that the local user has some limits, or at least that it's _inconvenient_ for the local user to do certain things, including installing a new OS. The local user has to be technically savvy in order to install a new OS. The pseudo-local user using Team Viewer has to be technically savvy to use TM to exceed the designed permissions. Same thing, really.
The permissions are more than designed, and exactly as expected.
Really? I can disable preinstalled crap on my Android phone; I can choose what to run and what not to. Can you, or are you limited to what your phone's manufacturer allows you to?
Pretty much any non-Google Android phone has crapware you can't get rid of, and it's been the source of many of the horrible security problems of recent months. Samsung's keyboard app, for example, which downloads unsigned files to anywhere on the device.
Who the hell would voluntarily install software from Check Point on their phone?!?
It does so for a reason. They want you on a support contract, and the more unreasoning fear, the better. Google designed it that way.
The M7 was released in March 2013. By May 2013, there were YouTube videos showing how to root it.
http://www.xda-developers.com/...
"Unless you use HTC tools", what kind of criterion is that? If HTC provides a tool to root the phone, why wouldn't you use it? You _could_ write your own tool that does the same thing as the HTC tool, but why bother? With your M7, like all other devices, local access is in fact full access. (Btw I do this stuff for a living.)
My claim is that if you install Team Viewer, you can expect security vulnerabilities. As it turns out, Team Viewer does indeed cause vulnerabilities, so that's correct.
Sometimes I work with explosives. From time to time, you'll find that an explosive device might go off under certain conditions other than when it's designed to. The "bug report" would look like:
XYZ can explode if heated to 280F rather than the design temperature of 350F.
So the device isn't quite within design spec, but you shouldn't be surprised that an explosive can explode. Team Viewer is made to give other people control of your device. Don't be surprised when Team Viewer gives other people control of your device.
No, it's true for people who don't care about security.
Which appears to make up a majority of users.
The first thing I ever do when I get a new phone or tablet is wipe it and install a custom Android firmware sans-manufacturer's and Google's garbage software.
The necessity of this convoluted process - where it is even an option - is probably the reason the statistics show the majority are vulnerable.