Slashdot Mirror


Active Drive-By Exploits Critical Android Bugs, Care Of Hacking Team (arstechnica.com)

Dan Goodin, reporting for Ars Technica: An ongoing drive-by attack is forcing ransomware onto Android smartphones by exploiting critical vulnerabilities in older versions of Google's mobile operating system still in use by millions of people, according to research scheduled to be published Monday. The attack combines exploits for at least two critical vulnerabilities contained in Android versions 4.0 through 4.3, including an exploit known as Towelroot, which gives attackers unfettered "root" access to vulnerable phones. The exploit code appears to borrow heavily from, if not copy outright, some of these Android attack scripts, which leaked to the world following the embarrassing breach of Italy-based Hacking Team in July. Additional data indicates devices running Android 4.4 may also be infected, possibly by exploiting a different set of vulnerabilities.

Blue Coat, a California-based provider of security and networking solutions, writes: This is the first time, to my knowledge, an exploit kit has been able to successfully install malicious apps on a mobile device without any user interaction on the part of the victim. During the attack, the device did not display the normal "application permissions" dialog box that typically precedes installation of an Android application. After consulting with analyst Joshua Drake of Zimperium, he was able to confirm that the JavaScript used to initiate the attack contains an exploit against libxslt that was leaked during the Hacking Team breach. Drake also confirmed that the payload of that exploit, a Linux ELF executable named module.so, contains the code for the "futex" or "Towelroot" exploit that was first disclosed at the end of 2014.

45 comments

  1. Bang Bang Shoot Em Up! by Anonymous Coward · · Score: 0

    To the moon!

  2. Here is more proof by Anonymous Coward · · Score: 3, Insightful

    That when a backdoor is held by the "good guys" (I use that term loosely but Hacking Team sold primarily to governments) it's just a matter of time before the bad guys get ahold of it and start fucking everyone over. Pay attention, Mrs. Feinstein.

    1. Re:Here is more proof by Hentes · · Score: 5, Informative

      Towelroot has never been a secret or a backdoor. It is an exploit discovered and published by geohot; these guys just copied it. As with any exploit, it can be used both for good and bad. In my case it helped me put Cyanogenmod on my phone instead of the outdated Android on it, making it more secure.

    2. Re:Here is more proof by hankwang · · Score: 1

      Moreover, I used Towelroot to root an Android 4.4.4 phone, even though TFS talks about 4.3 and before. Or had the internals of the Towelroot app been changed a lot between 4.3 and 4.4? I do remember that the phone (or Google) warned me that the APK for Towelroot was possibly malicious; I had to confirm installation one more time.

    3. Re:Here is more proof by Anonymous Coward · · Score: 0

      The article is far too light on details. A decent security advisory detailing all attack vectors, including exactly which versions of precisely which software are affected, is what I wanted.

      But from what I've been able to gather, it appears that the initial exploit affects Webkit based browsers. It sounds like those using Firefox for Android (and other non-Webkit browsers) wouldn't be affected. So I guess this is like Internet Explorer in the Win 9x days - using an alternative to what comes with the system is an easy way to be a harder target.

      Good thing Google didn't act like Apple and forbid the use of alternate rendering engines. On iOS your browser selection boils down to stylized skins of Webkit, Webkit ... or Webkit.

    4. Re:Here is more proof by Anonymous Coward · · Score: 0

      cf INSLAW and in whose hands it wound up after the US government stole it from its rightful owner.

      This has ALREADY HAPPENED.

    5. Re:Here is more proof by Anonymous Coward · · Score: 0

      If you pair the apple watch you can also get baked beans and webkit.

    6. Re: Here is more proof by Karlt1 · · Score: 2

      If Google "acted like Apple", they wouldn't have allowed the carriers to control the update process and they would be providing security updates for all devices introduced since July 2011.

      Wouldn't any apps using Webviews still be vulnerable?

  3. Thanks for nothing, carriers. by Anonymous Coward · · Score: 5, Insightful

    And thanks to the common practice (looking at you, Verizon) amongst carriers of locking bootloaders and then refusing to supply updates, short of throwing the phone away and "upgrading" to another one, there's literally no way for the customer to update the typical Android phone's OS in a timely fashion.

    Which suits the carriers - who make money off bundling shitware and selling "upgrades" to new phones - just fine, but what the fuck, Google. It's been half a decade. It's long past time for you to tell the carriers to permit users to download their own security patches.

    Imagine if users couldn't get Windows updates from Microsoft, but relied on their own ISP - and whether it's Comcast or AT&T doesn't really matter.

    Fuck. That. Noise. Get the carriers out of the OS business.

    1. Re:Thanks for nothing, carriers. by Archangel+Michael · · Score: 1

      There is an easy fix for this. Suing the carrier into oblivion for not unlocking devices they no longer support, so that the owners of those devices can get support from other sources (like CyanogenMod).

      The ONLY thing these people understand is economic costs: make it expensive to not support devices yet keep them under lock and key.

      --
      Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
    2. Re:Thanks for nothing, carriers. by Anonymous Coward · · Score: 1

      Google dictates a lot of terms to manufacturers through the licensing of Google Mobile Services (GMS). It's a big part of what's getting them in trouble with EU antitrust regulators. If Google can use GMS licensing for anticompetitive practices, they're certainly capable of doing so to demand security updates are delivered in a timely manner. That Google isn't using GMS licensing for this purpose leads me to seriously question Google's motives.

    3. Re:Thanks for nothing, carriers. by Teun · · Score: 1

      I have little to no sympathy for people whose phone is encumbered by a carrier's greed or unwillingness to update; it's generally easy enough to get an unlocked phone, hell, it's even cheaper.
      If you want the best service you get a Nexus.

      I do have a problem with Google stopping OS updates 2 years after the last of a model has been sold.
      Both my Nexus 4 and 7 are working fine but the OS doesn't update beyond 5.1.1, as such not a problem but at least the security updates should be available.
      Now I have to get an independent ROM which works but is not ideal.

      Hey EU commissioner for competition, the market doesn't work so there is work for you!

      --
      "The likes of Facebook and WhatsApp are free to those whose privacy is of zero value."
    4. Re:Thanks for nothing, carriers. by Anonymous Coward · · Score: 0

      And yet some people here are confounded by the continued popularity of iOS devices.

    5. Re:Thanks for nothing, carriers. by macs4all · · Score: 1

      Fuck. That. Noise. Get the carriers out of the OS business.

      Apple did. Why can't Google?

      Oh, wait! They don't WANT to.

    6. Re:Thanks for nothing, carriers. by Obfuscant · · Score: 1

      it's generally easy enough to get an unlocked phone,

      I just went through this process. I wanted a completely carrier-unencumbered phone. That means no carrier apps, no carrier limitations.

      The only phone I could find like that were "international versions", and unfortunately while being completely carrier agnostic, they weren't really. Neither of the two I went through -- one was a demo unit with manufacturer data collection still installed, the other "international"-- had the specific 4G LTE bands T-Mobile uses.

      So yes, you can get the phone. Whether it is fully compatible with the carrier you intend to use it with is another question.

      And, of course the question of installing cyanogen or other upgrades isn't really whether the phone is unlocked, but whether it is rooted or not. I've sought out the rooting method for the phone I now have, and I sure wish it had TowelRoot. That's the first step for reprovisioning the international phone to turn on the LTE bands I need.

    7. Re:Thanks for nothing, carriers. by Aighearach · · Score: 1

      Fuck. That. Noise. Get the carriers [to do this, that, or some other things consumers would benefit from]

      I don't see how trying to "get" these asshats to do anything is going to improve the situation. The only thing I can see helping is to allow small carriers access to mobile spectrum in a way that encourages competition. When that happens, I can just choose a carrier that isn't in the OS business. Until then, even if they did that, they'd find a way to screw it up so I couldn't enjoy it.

    8. Re:Thanks for nothing, carriers. by Teun · · Score: 1

      That's another great advantage of owning your phone, you are free to root it.
      I don't have experience with LTE but the US is a large market so I would think there must be many phones with the capability.
      Your statement that so few phones are 4G LTE capable is very surprising to me.

      --
      "The likes of Facebook and WhatsApp are free to those whose privacy is of zero value."
    9. Re:Thanks for nothing, carriers. by Obfuscant · · Score: 1

      Your statement that so few phones are 4G LTE capable is very surprising to me.

      Surprising to me, too, since I didn't say that. I said out of the two "unlocked" phones I tried, neither did the right bands for T-Mobile LTE.

    10. Re: Thanks for nothing, carriers. by Karlt1 · · Score: 1

      Google is far from blameless. Apple never allowed the carriers to block updates. I don't have to wait on Dell or the other OEMs to allow me to update Windows.

  4. A drive by bugging? by Anonymous Coward · · Score: 0

    WTF

  5. Lawsuits against manufacturers and carriers by Anonymous Coward · · Score: 2, Insightful

    Why aren't there more lawsuits against manufacturers and carriers for not providing updates? When I buy a phone, I should be able to expect security updates for at least 24 months, preferably 36 months. Manufacturers aren't interested in supporting older phones because they make money when people update. Carriers seem primarily concerned with loading up the updated versions with crapware that people don't want, can't easily remove, and may well contain vulnerabilities of its own. Why aren't there more lawsuits demanding reasonable support? Android 4 isn't that old; lots of phones still run it.

    1. Re:Lawsuits against manufacturers and carriers by SpankiMonki · · Score: 2

      Why aren't there more lawsuits against manufacturers and carriers for not providing updates?

      Because when you signed up for service you waived your right to sue.

    2. Re:Lawsuits against manufacturers and carriers by Anonymous Coward · · Score: 0

      You first.

    3. Re:Lawsuits against manufacturers and carriers by Anonymous Coward · · Score: 1

      Only 36 months of security updates? You're easy to please, I'd expect at least 60.

    4. Re:Lawsuits against manufacturers and carriers by Teun · · Score: 1

      Only 36 months of security updates? You're easy to please, I'd expect at least 60.

      Amen!

      --
      "The likes of Facebook and WhatsApp are free to those whose privacy is of zero value."
    5. Re:Lawsuits against manufacturers and carriers by coinreturn · · Score: 1

      Only 36 months of security updates? You're easy to please, I'd expect at least 60.

      And I want a pony!

    6. Re:Lawsuits against manufacturers and carriers by macs4all · · Score: 1

      Manufacturers aren't interested in supporting older phones because they make money when people update

      Apple does. Even though their business model is based on HARDWARE sales.

      Think about that.

  6. unlimited? by Anonymous Coward · · Score: 0

    How many times can you factory reset the stock firmware on these devices?

  7. TowelRoot? by phishybongwaters · · Score: 1

    TowelRoot? That only worked on a handful of devices reliably. And yes, when I used it I got zero sleep for the rest of the week. A single click root? Not good folks, and clearly someone has taken on the task of using that for nefarious purposes. Notice, though, how everyone is blaming hackingteam for this stuff, and not the NSA who likely knew about this long before them.

    1. Re:TowelRoot? by Rakarra · · Score: 1

      TowelRoot? That only worked on a handful of devices reliably. And yes, when I used it I got zero sleep for the rest of the week. A single click root? Not good folks, and clearly someone has taken on the task of using that for nefarious purposes.

      Notice, though, how everyone is blaming hackingteam for this stuff, and not the NSA who likely knew about this long before them.

      Yup. I used TowelRoot as well and decided at that point to never use my phone for anything truly useful. IE, to just assume my phone was compromised.
      Why? Because I needed root access, and TowelRoot was the name of the game when it came to the Galaxy S3 and S5 that I had. So now that S5 is running an old old version of Android with an exploit, because Google hired guys who found these exploits. Later versions of Android have been hardened, and it's currently a bit difficult to do on current versions. I'm not sure 5.1.1 / S5 / AT&T even has a working root at the moment. Since the carriers (and Google) hate it so much, root access is something not allowed to the device owners, so the only way to do it is to exploit a weakness before it's patched.

      So thank you, and fuck you Google, AT&T, Samsung, whoever is involved in working so hard to ensure that a user is not allowed control over his own phone.

  8. So... by Anonymous Coward · · Score: 0

    Basically, unpatched software is vulnerable... seems about right

    1. Re:So... by Aighearach · · Score: 1

      Basically, unpatched software is vulnerable... seems about right

      Basically, software is vulnerable ... seems about right

  9. Google on the way down? by Futurepower(R) · · Score: 0, Troll

    Google is developing an extremely bad reputation. Tracking everyone. Allowing abuse.

    Soon even Microsoft will be jealous.

  10. Does Android need to be rewritten using Rust? by Anonymous Coward · · Score: 0

    Patching is only part of the problem. Avoiding the need to patch to begin with is perhaps more important.

    That's why I need to ask, does Android need to be rewritten using the Rust programming language?

    The Rust web site says that Rust is, with emphasis added, "a systems programming language that runs blazingly fast, prevents segfaults, and guarantees thread safety."

    So I think Rust offers everything that's needed for a rewrite of Android, including the Linux kernel. It's a systems programming language. It's fast. It prevents segfaults. It guarantees thread safety.

    There is no need for patches if software written in Rust doesn't suffer from the kinds of problems that require patches.

    First Google could rewrite the Linux kernel using Rust. This wouldn't just be good for Android, of course, but all users of the Linux kernel. If these other Linux kernel users pitch in, the rewrite could be finished even faster.

    Then Google could rewrite the Android-specific subsystems using Rust.

    Finally, app developers could switch to Rust for their Android apps.

    Once all of this work is done, Android would be Rust code from the very bottom to the very top. It would be nearly impregnable thanks to Rust being so ultra-safe.

    1. Re:Does Android need to be rewritten using Rust? by Anonymous Coward · · Score: 0

      That's why I need to ask, does Android need to be rewritten using the Rust programming language?

      Haven't laughed this hard in a while.

      Thanks.

    2. Re:Does Android need to be rewritten using Rust? by Anonymous Coward · · Score: 0

      If these other Linux kernel users pitch in, the rewrite could be finished even faster.

      But only the non-white non-male non-cisgendered users. Rust's code of conduct demands that a safe and welcoming environment for people such as myself be maintained, and if I get a whiff of white cis male privilege, I'm gonna be so triggered!

    3. Re:Does Android need to be rewritten using Rust? by Dutch+Gun · · Score: 1

      That's why I need to ask, does Android need to be rewritten using the Rust programming language?

      Well, you can certainly ask... But rewriting over fifteen million lines of code (not to mention the billions of lines written to those C-based APIs) built, tested, hardened, and tested over the course of decades is a non-starter. And besides that, no matter how perfect a *language* is, programmers will still find ways of screwing up by the numbers. C does make that easier, of course, but I don't believe there's a way to avoid the problem completely. And like it or not, our computer infrastructure is likely to remain based on C for decades to come simply due to sheer inertia.

      What we can perhaps *practically* achieve is a new attitude and awareness about patching and supporting these devices for a reasonable lifetime. The carriers and manufacturers simply need to get out of the damned way, or else we may ultimately have to legislate them out of the way - and I don't like going there if it can at all be avoided. Google is slowly moving towards putting core components into the Play store, where they can be patched without interference by anyone. I definitely think that's a move in the correct direction. And manufacturers need to understand that they're selling tiny computers on which people store the most intimate details of their lives, not throwaway hardware toys, with all the responsibility that entails.

      It's hard to predict what will happen when we start to approach "peak smartphone" market saturation as smartphones themselves continue to stabilize in form and function. On the one hand, slowing technical and functional growth is likely to have a stabilizing influence on the software simply because of less churn. Unfortunately, a shrinking market may put pressure on manufacturers to reduce already miserable long-term support.

      --
      Irony: Agile development has too much inertia to be abandoned now.
    4. Re:Does Android need to be rewritten using Rust? by Anonymous Coward · · Score: 0

      tested, hardened, and tested over the course of decades

      Ah, you must be referring to software like OpenSSL and bash. You're absolutely right, we haven't seen any major security flaws in software like that. OH, WAIT, YES WE HAVE!

      You're eager to discuss the future, but you're hesitant to admit what that future will be like. Let's face it, that future will be Rust.

      Rust is taking the programming world by storm. People like you remind me of those who said that C++ would never go anywhere, back in 1986. Or those people who said that Java would never go anywhere, in 1997. Yet here we are, decades later, and it's C++ and Java that rule the roost.

      Soon we will have Rust displace C++. It will take a few years, but it is inevitable at this point. C++'s days are numbered. Rust is where it's at.

    5. Re:Does Android need to be rewritten using Rust? by Anonymous Coward · · Score: 0

      THE END IS NIGH
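An added illustration of the point argued in the subthread above, not code from any of the posters: Rust's bounds checks turn an out-of-range access into a `None` or a panic instead of memory corruption, but a logic error in an access-control check compiles and runs just as happily, so a rewrite removes one class of bugs, not the need to patch. The sandbox rule, the paths and the function names are constructed for this example.

```rust
// Added example, not from the thread. Two functions show what Rust's safety
// guarantees do and do not cover.

/// Memory-safe lookup: `get` returns None for an out-of-range index instead of
/// reading or writing adjacent memory, which is the class of bug the Rust
/// advocate above is talking about.
fn byte_at(buf: &[u8], idx: usize) -> Option<u8> {
    buf.get(idx).copied()
}

/// Constructed policy: an app may only read files below its own sandbox
/// directory. This version uses a plain string-prefix test, so a sibling
/// directory such as "/data/app-private" is accepted as being inside
/// "/data/app". Perfectly memory-safe, and still an access-control hole.
fn allowed_buggy(sandbox: &str, path: &str) -> bool {
    path.starts_with(sandbox)
}

/// Corrected check: after the sandbox prefix the path must end or continue
/// with a separator, and no ".." component may appear anywhere in it.
fn allowed_fixed(sandbox: &str, path: &str) -> bool {
    let rest = match path.strip_prefix(sandbox) {
        Some(r) => r,
        None => return false,
    };
    if !(rest.is_empty() || rest.starts_with('/')) {
        return false;
    }
    !path.split('/').any(|component| component == "..")
}

fn main() {
    // Constructed sample input: the first four bytes of an ELF header.
    let data = [0x7f, b'E', b'L', b'F'];
    println!("in range: {:?}, out of range: {:?}", byte_at(&data, 3), byte_at(&data, 4));

    let sandbox = "/data/app";
    for path in ["/data/app/cache/x", "/data/app-private/secret", "/data/app/../system/x"] {
        println!(
            "{path}: buggy={} fixed={}",
            allowed_buggy(sandbox, path),
            allowed_fixed(sandbox, path)
        );
    }
}
```

The compiler would reject a dangling reference or a data race outright, which is the real gain; the sibling-directory and `..` escapes slip through because they are policy mistakes, not memory mistakes, and no language type system checks the policy for you.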

  11. Can hacking team be held accountable? by Anonymous Coward · · Score: 0

    Here's my logic. It may be messed up but....

    If a homeowner can own guns, not lock them up and then they get taken and used in a crime, the homeowner can be held accountable.

    If a hacking company has exploits, doesn't lock them up properly, they get taken and used in a crime, can the hacking company be held responsible?

    1. Re:Can hacking team be held accountable? by MobyDisk · · Score: 1

      How do you know the hackers didn't come-up with the exploit themselves? Or that they didn't actually have it before the good guys did?

    2. Re:Can hacking team be held accountable? by BitterOak · · Score: 1

      Here's my logic. It may be messed up but....

      If a homeowner can own guns, not lock them up and then they get taken and used in a crime, the homeowner can be held accountable.

      If a hacking company has exploits, doesn't lock them up properly, they get taken and used in a crime, can the hacking company be held responsible?

      A better gun analogy would be you design a gun which can be manufactured on a 3D printer and leave the plans for the gun unprotected on your server. Someone downloads the plans, makes the gun on their 3D printer and uses the gun to commit a crime. Can the designer who didn't protect the plans adequately be held liable? I really don't know one way or the other, but I think it's a better analogy.

      --
      If I can be modded down for being a troll, can I be modded up for being an orc, or a balrog?
  12. Dodged a bullet by Qzukk · · Score: 1

    Android versions 4.0 through 4.3

    Thank God my HTC EVO 4G with Android 2.3 is safe

    --
    If I have been able to see further than others, it is because I bought a pair of binoculars.
    1. Re:Dodged a bullet by Teun · · Score: 1

      Yes, insufficient resources is a valid way of preventing a process from running :)

      --
      "The likes of Facebook and WhatsApp are free to those whose privacy is of zero value."
    2. Re:Dodged a bullet by Anonymous Coward · · Score: 0

      How about an su-app? Will it help protect the phone?