Slashdot Mirror


Active Drive-By Exploits Critical Android Bugs, Care Of Hacking Team (arstechnica.com)

Dan Goodin, reporting for Ars Technica: An ongoing drive-by attack is forcing ransomware onto Android smartphones by exploiting critical vulnerabilities in older versions of Google's mobile operating system still in use by millions of people, according to research scheduled to be published Monday. The attack combines exploits for at least two critical vulnerabilities contained in Android versions 4.0 through 4.3, including an exploit known as Towelroot, which gives attackers unfettered "root" access to vulnerable phones. The exploit code appears to borrow heavily from, if not copy outright, some of these Android attack scripts, which leaked to the world following the embarrassing breach of Italy-based Hacking Team in July. Additional data indicates devices running Android 4.4 may also be infected, possibly by exploiting a different set of vulnerabilities. Blue Coat, a California-based provider of security and networking solutions, writes: This is the first time, to my knowledge, an exploit kit has been able to successfully install malicious apps on a mobile device without any user interaction on the part of the victim. During the attack, the device did not display the normal "application permissions" dialog box that typically precedes installation of an Android application. After consulting with analyst Joshua Drake of Zimperium, he was able to confirm that the JavaScript used to initiate the attack contains an exploit against libxslt that was leaked during the Hacking Team breach. Drake also confirmed that the payload of that exploit, a Linux ELF executable named module.so, contains the code for the "futex" or "Towelroot" exploit that was first disclosed at the end of 2014.
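The summary names the Android releases the exploit chain targets (4.0 through 4.3, with 4.4 reported as possibly affected) but gives no way to find such devices in a fleet. The script below is an added example, not code from the article, Ars Technica, Blue Coat or Zimperium: it parses `adb shell getprop` output (the constructed `SAMPLE_GETPROP` dumps and device ids are assumptions) and sorts devices into the buckets the article describes, so an administrator can see which phones still need replacing or reflashing. Only `ro.build.version.release` is consulted; the script does not detect infection, it only identifies devices in the stated version range.

```python
"""Fleet triage for the Android drive-by described above (added example).

Parses `adb shell getprop` dumps and flags devices whose Android release
falls in the ranges the article names: 4.0-4.3 (the chain's confirmed
targets) and 4.4 (reported as possibly affected). Everything else is
either out of that range or unknown.
"""
import re
from typing import Dict, Optional, Tuple

# Constructed sample: one getprop dump per device, keyed by a made-up id.
# Real dumps contain hundreds of lines; only the relevant ones are shown.
SAMPLE_GETPROP: Dict[str, str] = {
    "dev-a": "[ro.build.version.release]: [4.1.2]\n[ro.product.model]: [Phone A]\n",
    "dev-b": "[ro.build.version.release]: [4.4.4]\n[ro.product.model]: [Phone B]\n",
    "dev-c": "[ro.build.version.release]: [5.1]\n[ro.product.model]: [Phone C]\n",
    "dev-d": "[ro.product.model]: [Phone D]\n",  # release property missing
    "dev-e": "[ro.build.version.release]: [4.3]\n",
}

# getprop prints each property as "[key]: [value]".
_PROP_RE = re.compile(r"^\[(?P<key>[^\]]+)\]: \[(?P<val>[^\]]*)\]$")


def parse_getprop(dump: str) -> Dict[str, str]:
    """Turn getprop output into a dict, ignoring malformed or blank lines."""
    props: Dict[str, str] = {}
    for line in dump.splitlines():
        m = _PROP_RE.match(line.strip())
        if m:
            props[m.group("key")] = m.group("val")
    return props


def parse_release(release: str) -> Optional[Tuple[int, ...]]:
    """'4.4.2' -> (4, 4, 2); None for non-numeric releases (preview builds)."""
    parts = release.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)


def classify(release: Optional[str]) -> str:
    """Bucket a release string against the ranges given in the article."""
    if release is None:
        return "unknown"
    version = parse_release(release)
    if version is None:
        return "unknown"
    # Compare on major.minor only: 4.3.1 is still a 4.3 build.
    major_minor = (version[0], version[1]) if len(version) >= 2 else (version[0], 0)
    if (4, 0) <= major_minor <= (4, 3):
        return "in-scope"          # 4.0-4.3: targeted by the described chain
    if major_minor == (4, 4):
        return "possibly-affected"  # 4.4: reported infections, unconfirmed path
    return "out-of-scope"


def triage(fleet: Dict[str, str]) -> Dict[str, str]:
    """Map each device id to its bucket."""
    return {
        dev: classify(parse_getprop(dump).get("ro.build.version.release"))
        for dev, dump in fleet.items()
    }


if __name__ == "__main__":
    for dev, bucket in sorted(triage(SAMPLE_GETPROP).items()):
        print(f"{dev}: {bucket}")
```

Devices that land in "unknown" deserve a manual look rather than being treated as safe, since a missing or non-numeric release string usually means a custom or preview build.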

6 of 45 comments

  1. Here is more proof by Anonymous Coward · Score: 3, Insightful

    That when a backdoor is held by the "good guys" (I use that term loosely but Hacking Team sold primarily to governments) it's just a matter of time before the bad guys get ahold of it and start fucking everyone over. Pay attention, Mrs. Feinstein.

    1. Re:Here is more proof by Hentes · Score: 5, Informative

      Towelroot has never been a secret or a backdoor. It is an exploit discovered and published by geohot, these guys just copied it. As any exploit, it can be used both for good and bad. In my case it helped me put Cyanogenmod on my phone instead of the outdated Android on it, making it more secure.

    2. Re: Here is more proof by Karlt1 · Score: 2

      If Google "acted like Apple", they wouldn't have allowed the carriers to control the update process and they would be providing security updates for all devices introduced since July 2011.

      Wouldn't any apps using Webviews still be vulnerable?

  2. Thanks for nothing, carriers. by Anonymous Coward · Score: 5, Insightful

    And thanks to the common practice (looking at you, Verizon) amongst carriers of locking bootloaders and then refusing to supply updates, short of throwing the phone away and "upgrading" to another one, there's literally no way for the customer to update the typical Android phone's OS in a timely fashion.

    Which suits the carriers - who make money off bundling shitware and selling "upgrades" to new phones - just fine, but what the fuck, Google. It's been half a decade. It's long past time for you to tell the carriers to permit users to download their own security patches.

    Imagine if users couldn't get Windows updates from Microsoft, but relied on their own ISP - and whether it's Comcast or AT&T doesn't really matter.

    Fuck. That. Noise. Get the carriers out of the OS business.

  3. Lawsuits against manufacturers and carriers by Anonymous Coward · Score: 2, Insightful

    Why aren't there more lawsuits against manufacturers and carriers for not providing updates? When I buy a phone, I should be able to expect security updates for at least 24 months, preferably 36 months. Manufacturers aren't interested in supporting older phones because they make money when people update. Carriers seem primarily concerned with loading up the updated versions with crapware that people don't want, can't easily remove, and may well contain vulnerabilities of its own. Why aren't there more lawsuits demanding reasonable support? Android 4 isn't that old; lots of phones still run it.

    1. Re:Lawsuits against manufacturers and carriers by SpankiMonki · Score: 2

      Why aren't there more lawsuits against manufacturers and carriers for not providing updates?

      Because when you signed up for service you waived your right to sue.