Active Drive-By Exploits Critical Android Bugs, Care Of Hacking Team

Dan Goodin, reporting for Ars Technica: An ongoing drive-by attack is forcing ransomware onto Android smartphones by exploiting critical vulnerabilities in older versions of Google's mobile operating system still in use by millions of people, according to research scheduled to be published Monday. The attack combines exploits for at least two critical vulnerabilities contained in Android versions 4.0 through 4.3, including an exploit known as Towelroot, which gives attackers unfettered "root" access to vulnerable phones. The exploit code appears to borrow heavily from, if not copy outright, some of these Android attack scripts, which leaked to the world following the embarrassing breach of Italy-based Hacking Team in July. Additional data indicates devices running Android 4.4 may also be infected, possibly by exploiting a different set of vulnerabilities.Blue Coat, a California-based provider of security and networking solutions writes: This is the first time, to my knowledge; an exploit kit has been able to successfully install malicious apps on a mobile device without any user interaction on the part of the victim. During the attack, the device did not display the normal "application permissions" dialog box that typically precedes installation of an Android application. After consulting with analyst Joshua Drake of Zimperium, he was able to confirm that the Javascript used to initiate the attack contains an exploit against libxslt that was leaked during the Hacking Team breach. Drake also confirmed that the payload of that exploit, a Linux ELF executable named module.so, contains the code for the "futex" or "Towelroot" exploit that was first disclosed at the end of 2014.

Here is more proof

That when a backdoor is held by the "good guys" (I use that term loosely but Hacking Team sold primarily to governments) it's just a matter of time before the bad guys get ahold of it and start fucking everyone over. Pay attention, Mrs. Feinstein.

Thanks for nothing, carriers.

And thanks to the common practice (looking at you, Verizon) amongst carriers of locking bootloaders and then refusing to supply updates, short of throwing the phone away and "upgrading" to another one, there's literally no way for the customer to update the typical Android phone's OS in a timely fashion.

Which suits the carriers - who make money off bundling shitware and selling "upgrades" to new phones - just fine, but what the fuck, Google. It's been half a decade. It's long past time for you to tell the carriers to permit users to download their own security patches.

Imagine if users couldn't get Windows updates from Microsoft, but relied on their own ISP - and whether it's Comcast or AT&T doesn't really matter.

Fuck. That. Noise. Get the carriers out of the OS business.

Lawsuits against manufacturers and carriers

Why aren't there more lawsuits against manufacturers and carriers for not providing updates? When I buy a phone, I should be able to expect security updates for at least 24 months, preferably 36 months. Manufacturers aren't interested in supporting older phones because they make money when people update. Carriers seem primarily concerned with loading up the updated versions with crapware that people don't want, can't easily remove, and may well contain vulnerabilities of its own. Why aren't there more lawsuits demanding reasonable support? Android 4 isn't that old; lots of phones still run it.