Slashdot Mirror
900M Android Devices Vulnerable To New 'Quadrooter' Security Flaw (cnet.com)
An anonymous Slashdot reader quotes a report from CNET:
Four newly-discovered vulnerabilities found in Android phones and tablets that ship with a Qualcomm chip could allow an attacker to take complete control of an affected device. The set of vulnerabilities, dubbed "Quadrooter," affects over 900 million phone and tablets, according to Check Point researchers who discovered the flaws. An attacker would have to trick a user into installing a malicious app, which wouldn't require any special permissions. If successfully exploited, an attacker can gain root access, which gives the attacker full access to an affected Android device, its data, and its hardware -- including its camera and microphone.
The flaw even affects several of Google's own Nexus devices, as well as the Samsung Galaxy S7 and S7 Edge, according to the article, as well as the Blackberry DTEK50, which the company describes as the "most secure Android smartphone." CNET adds that "A patch that will fix one of the flaws will not be widely released until September, a Google spokesperson confirmed."
The flaw even affects several of Google's own Nexus devices, as well as the Samsung Galaxy S7 and S7 Edge, according to the article, as well as the Blackberry DTEK50, which the company describes as the "most secure Android smartphone." CNET adds that "A patch that will fix one of the flaws will not be widely released until September, a Google spokesperson confirmed."
Eds, why not check the article and link directly to zdnet and not the 'sister' publication?
Does this mean I might get to root my otherwise unrootable phone?
I prefer my devices allow me to do as I wish with the content I already own. I like Android devices a lot better, and I'm someone who does pay for content and apps. I just refuse to do it multiple times.
What the fuck does a bug that requires social engineering and ignorant users installing sketchy software have to do with apple's alleged superiority? I have an iPad that a RARELY use. It has its place in my studio, but I haven't set that up since moving. For everything else, I prefer either my Samsung tablet with a proper screen ratio for reading comics without scrolling, or any of my other Android devices that don't try to nickle and dime me for every single fucking thing I do.
So much for Apple haters being silent.
"Oh my God. This is terrible. This is the end of my Presidency. I'm fucked."; ~ Donald J. Trump
The Apple haters will be silent tonight
You might want to go read the past Slashdot discussion threads about previous Android flaws, and then reconsider your statement.
#DeleteChrome
If you read the summary you'd know this is a flaw in silicon, not android. Blame qualcomm not google for this one.
That's what me and my mates called ur mum, she's pretty skilled taking 4 at a time.
Why no SSL to m.slashdot.org?
If this were a similar fault on an Apple device,you know that the bulk of the submitters here would be showing them no mercy.
>"Chalk one up for iOS"
Um, no.
1) Don't sideload apps unless you REALLY know what you are doing. You can't even officially DO that on iOS. So if you treat Android like iOS and don't change the default to NOT sideload and ignore all the warnings, then you are probably just fine.
2) All mine are Nexus and likely to be updated quickly.
Not surre what you mean.
APL fans will praise them because they can jb their device. It's not a big, it's a feature.
Also, it'll be just 8 i os versions affected, not 2 billion - anything to make it sound small. 900 million Android devices is less than 1â.... It was almost a year ago Google celebrated 1 billion activated devices.
This is mostly fear mongering. Now if you could root my phone with an MMS or some other function that does not require me to turn of security features first, then I'll worry.
I will worry about all the cheap chinese tabs and phones that come with sideloading (and malware/crapware) installed by default.
Silence is a state of mime.
http://blog.checkpoint.com/201...
you're owned anyways.
what's so special about this? people just hit 'yes' on all permissions on android anyways. am I missing something?
Check Point has an app in the Google Play app store that scans your phone for the vulnerabilities: https://play.google.com/store/...
Personally, I've never understood why people pick sides and root for 500 billion dollar corporation X versus 500 billion dollar corporation Y like they're a sports team. Console vs console or console vs PC wars are equally inane to me. Where's the virtue in being wedded to a single platform? Is being techo-polygamous a bad thing?
Anyhow... considering that this requires installing a malicious app, the chances of most people getting hit with this are pretty low, especially now that app stores know what to look for. These sorts of issues are only a real problem when you can get infected with a drive-by SMS message or something like that.
Irony: Agile development has too much intertia to be abandoned now.
I love it how when a security vulnerability is found on Apple devices it's reported as "New way discovered to jailbreak your phone!", but when it happens to Android it's "Android devices vulnerable to attack!"
No, I will still hate Apple the company. For who they are and who they have been historically. I've hated them since Steve Jobs stood up on a platform and boasted of the new 'Hacker Proof' Macintosh at product introduction.
That was in the old days, and hacker had the meaning we all still wish it did.
Other crimes Apple committed include suing all the third party GUI vendors out of business. They ran the GEM desktop and the GEOS desktop off the market. They sued and drove out of business everybody but Microsoft's GUI. In effect they created the Windows monopoly we have today. Fuckers. Fuck Apple.
I think ALL of us jailbreakers and rooters should celebrate this. Now I might be able to push an adaway hostfile with 875K worth of junk hosts of malware, ads, adware, gambling and other cruft blocked. I cant believe I need to wait for a flaw like this to update the hosts file on the phone I own.
This weaponizing of opensource software to do things like make it impossible to edit /etc/hosts with malware blocks is unreal.
Legalize the constitution. Think for yourself question authority.
Your post is what he means.
Personally, I've never understood why people pick sides and root for 500 billion dollar corporation X versus 500 billion dollar corporation Y like they're a sports team.
I don't get it either. I use the product I want to use and I don't give a flying fark what a bunch of nameless, faceless internet monkeys think or say.
An attacker would have to trick a user into installing a malicious app
That doesn't sound like it's the silicon's fault to me, but what the hell do I know?
“He’s not deformed, he’s just drunk!”
The Blackphone 2 uses a Qualcomm Snapdragon chip. The maintainers (Silent Circle) released a patch a week ago that 'updates to the latest Qualcomm config files' but it's unclear if that fixes this specific vulnerability.
Corruption is convincing someone that the selfless ideal is the same as their selfish ideal.
Stopped reading after that.
Mundus vult decipi, ergo decipiatur.
"..One hosts to look them up, one DNS to find them, and in the darkness BIND them."
"An attacker would have to trick a user into installing a malicious app"
Is this what slashdot is reduced to, posting bogus pseudo technical quotes from a known Microsoft shill.
Except Android doesn't use /etc/hosts. That's a function of the stub resolver in the C library you use, and the Android C library simply doesn't support it.
Where's the virtue in being wedded to a single platform? Is being techo-polygamous a bad thing?
It increases your attack surface. It's safer to be a serial-monogamist.
Well, the GP blamed google.. The language of the summary made it sound to me like it was a fault in the silicon.. Turns out both statements are wrong. It's qualcomm's drivers. I stand corrected.
Well, it seemed to me when I first read the summary that it was a hw problem.. It's not. it's drivers provided by qualcomm.. If apple was using the same drivers they'd be just as blameless as google is.
FOR THE LOVE OF GOD, EXPLOIT MY BOOTLOADER, MAKE HER VULNERABLE TO ATTACK! For my Verizon Samsung Galaxy S7 remains invulnerable to any attack outside simple root base exploits. Oh script kiddy gods, I BEG YOU (no sarcasm).
iOS actually has a lot more vulnerabilities than Android. Most of the folks in the press are just enamored by Apple, so they downplay stories about flaws in iOS, while publicizing stories about flaws in Android to try to warp reality to fit their biases.
So that is what you get from switching away from QNX.
If it doesn't trip knox then someone could retool the exploit to root the phones in a good way.
> If this were a similar fault on an Apple device
If it came from the chip that Apple designed, then everyone would be correct to do so.
There's no update, and even if there were it'll come when the providers push it out. With a phone, you just have to accept that if the thing is vulnerable, it is vulnerable. You can't really do anything as a user. Anything you can do is shit you should already be doing like installing apps only from trusted sourced and running a malware scanner.
For me it is not about Google vs Apple, but Android vs iOS and the philosophies behind them.
I believe in open platforms being better for mankind in the end, warts and all.
They sued and drove out of business everybody but Microsoft's GUI.
There's this thing called Linux. I'd recommend taking a look at it.
... grumble, grumble, grumble, mutter, mutter, Millenium... Hand... Shrimp, I tol' 'em, I tol' 'em.
Google decided to do business with apparently an incompetent company. So, of course you can blame Google.
while true, Apple would also spend the time an have 80% of all IOS devices updated in 3 months, were by this time next year less than 100 million andriod devices will have the update.
Andriod has a severe update problem that isn't going away. google was smart enough to bake a decent amount of security in to start with, but I still keep expecting a massive worm attack.
i thought once I was found, but it was only a dream.
Have you ever heard Apple make the excuse that it's the fault of a third party driver when there is a security issue with iOS? I doubt that Apple would accept any binary only drivers from someone who produces its chips.
How would downloading apps only from the Google Play store prevent apps from taking advantage of a security flaw in Android?
Did you notice how many of those vulnerabilities have already been patched? The latest version of iOS 9.3.3 is compatible with every iOS device sold since September 2011 and was available for every iPhone regardless of carrier the day it was released.
It's Google's fault that it has allowed updating being up to the device manufacturers and service providers, so no updates for most devices. It's no help to anyone to know there's a fix, if their phone does not get the fix. The original fault is of course Quallcomm's.
First, Google Play Store has a filter called Bouncer that attempts to detect known malicious attacks in APKs. Second, if a malicious app does slip past Bouncer, it can be reported to Google.
In the 1980s when Apple was busy suing DRI over GEM, XFree86 didn't exist yet.
Just because Android's package format is called "APK" doesn't mean you can use a hosts file. A workaround is to use a firewall app with a DNS filter, and then plug your hosts file into that. I haven't tried NoRoot Firewall to see whether it supports a hosts file, but it does show that a firewall is possible without rooting.
I'm sure the owner does not get root. The attacker just became your parental figure.
And rightfully so, considering Apple designs their own processors and codes the drivers now.
Learning HOW to think is more important than learning WHAT to think.
You're forgetting the difference between a flaw and the path to exploiting a flaw. The flaw can exist in silicon, but it needs software to exploit it. You can safely run flawed code all day if you are in tight control of the software executing on the system. It isn't until you run untrusted code that you have a problem.
This is why Java is such a vector. Once you connect it to a browser, you're blindly running someone else's untrusted code on your JVM.
When Java is used in an EE environment, not hooked to a browser, then it is much safer simply because exploit code doesn't have a path to any flaw.
Learning HOW to think is more important than learning WHAT to think.
So you can root your Android device. Some people think that is a plus.
Not really. This is a root app. Any time an iPhone can be jailbroken, that's because it was vulnerable to a root app.
So why wouldn't checkpoint be exploiting the vulnerability they already discovered and including it in the benign scanner app.
Since it requires installing an app to take control I would say that it is a "feature" that allows users to get root access on their own phones regardless of what the vendor thinks.
See subject: That'll import a custom hosts file to use on ANDROID easily (does it need to be rooted?)
APK
P.S.=> I think it's hilarious (above ALL else) that ALL THOSE YEARS of /. "FUD" of "Windows != Secure, Linux = Secure" falls RIGHT apart when ANDROID comes around (& yes, it uses a Linux kernel - that surely doesn't make it Windows or MacOS X / iOS etc.)... apk
...especially when the real problems are 500 billion companies Samsung and Verizon.
I'm oddly finding myself thinking that this exploit could actually be used to enhance security on phones with locked bootloaders and unreliable updates from their manufacturers. I'm seriously considering buying an Axon 7, because the hardware looks great. But if I can't install ROMs to keep the thing current on security updates, I don't want it. To tell the truth, even if ZTE were to provide timely updates for the first 2 years, I'd be seriously on the fence. My current phone, a Nexus 4, is no longer supported by Google, but I still have it up to date thanks to its unlocked bootloader. I don't know if Google likes that or not, but I suspect they're fine with it. ZTE, on the other hand, would definitely prefer for me to shove the thing in a drawer and buy a new one after two years, which sucks - but happens to coincide nicely with content providers that don't want you to have root access. We've reached the point where buying new hardware in order to keep up with new OS features is a losing game, and the industry needs to learn to live with a 5 year upgrade cycle - cause that's where it's going, if only consumers would insist on it...
Posted from my Android phone. Oh, I can change this? There, that's better...
Find the root image for your device on the XDA developers site.
But hey, at least owners of these devices have a super easy path to root without need to flash any special image.
I think the only way you can possibly make any so-called 'smartphone' secure, is to have a hardware switch that puts the entire phone into 'read only' mode, so nothing new can be installed on it. They're like cheap swisscheese: more holes than cheese. I think I'll just keep sticking with cheap-ass $50 flip-phones. If something happens to it I can break it in half, toss it into the e-waste bin, and go get another one and nothing of value is lost. At least I don't become an unwilling participant in someones bot-net this way.
Are YOU using the TOOL, or is the TOOL using YOU? Think about it!
So yeah, you could say if you put some malicious code on their OS of course it is already spyware so yeah even moreso if you installed this malicious app like some dickhead.
BUT YEAH. YES. FBI ON SLASHDOT GOT THIS OUT THERE.
Fuck you FBI. Dead spies.
So adaway doesnt work? Wrong. /system/etc/hosts, /data/data/hosts does work. BZZZT.
See subject: I've done the ADB procedure I noted a few times for pals (who had rooted phones like op has https://mobile.slashdot.org/co... OR it sounds like he might @ least...)
APK
P.S.=> Some ANDROID builds don't use HOSTS (Google's SCARED SHITLESS of it, ala KitKat as an 'example thereof') - but in the end? All "smartphones" are TRULY "DUMBPHONES" due to ANDROID being exploited FULL OF HOLES FOR DECADES NOW almost DAILY... they're damn toys - DANGEROUS ONES @ that - & what I call "electric dogcollars" @ times (what I used to call beepers I had to wear decades ago while on the job as a 'wageslave')... apk
I think you misunderstand what "up to date" means...
1. Unless you're positve of the clean & germ-free source, you are making an inherently risky move in installing a Marshmallow ROM or whatever reverse-engineered AOSP clone is floating out there.
2. Speaking of reverse-engineering, taking the ICS 4.0.x drivers and tweaking them to work with Marshmallow does not constitute a good security patching policy.
The updates spoken of here are not merely OS-baked-in ones, but also any actual firmware updates for radio, touchscreen, etc. These are almost never touched by modders and certainly never patched for security reasons.
Full disclosure, I do root & ROM as well, but I accept certain security risks in doing so that I mitigate otherwise.
Try again. Literally the first thing on adaway's front page: https://adaway.org/
Well, it seemed to me when I first read the summary that it was a hw problem.. It's not. it's drivers provided by qualcomm.. If apple was using the same drivers they'd be just as blameless as google is.
Yes they would; however, a YUGE percentage of Slashdotters would still blame Apple, just because.
Don't even try to deny it. Seen it happen too many times...
Have you ever heard Apple make the excuse that it's the fault of a third party driver when there is a security issue with iOS? I doubt that Apple would accept any binary only drivers from someone who produces its chips.
Apple tends to roll their own drivers, even for third-party chips.
The Apple haters will be silent tonight
Unfortunately not.
Don't sideload apps unless you REALLY know what you are doing. You can't even officially DO that on iOS.
Actually, if you have XCode 7, you can. No Jailbreaking needed.
They sued and drove out of business everybody but Microsoft's GUI.
There's this thing called Linux. I'd recommend taking a look at it.
Not strong enough.
There's this thing called Prozac. I'd recommend him taking a look at it.
hey sued and drove out of business everybody but Microsoft's GUI.
They sued the FUCK out of Microsoft, too. Or did you conveniently forget that fact?
XFree86, no but X did exist though
Except Android doesn't use /etc/hosts. That's a function of the stub resolver in the C library you use, and the Android C library simply doesn't support it.
But, but, don't all the Slashtards and Fandroids crow about how Android == Linux, and how Android's popularity (mostly because of the proliferation of shitbox throwaway freephones) somehow means that Linux has some insanely-high marketshare?
So, I guess Android == Linux only for certain limited values of "equals", right?
Well, I'm guessing you wouldn't advise leaving my N4 on the last-supported Kit-Kat version. I'm using Cyanogenmod 13, which is a pretty well-known commodity. It may have some of its own bugs, but it also has some of its own security enhancements - like the ability to turn root on and off on demand.
Posted from my Android phone. Oh, I can change this? There, that's better...
I've had enough with the newest vulnerability to fuck up my life. I quit this shit. I'm throwing away my smartphone, my smartTV, my smartHome, my smartWristband, my computers, my car. Back to the stoneage for me. Off teh grid. No vulnerabilities. good bye
re: your comment... I once, in a /. thread, told an obvious kid who couldn't understand why the two sides (Android & Apple devotees) were always fighting. The teenaged kid just wanted to be able to enjoy his Apple iPhone. I told him that they are both amazing devices that are basically computers with antennas with a different os. Apps are all programs, nothing special to see there. And that if he was happy with his iDevice, that that's all that matters. This b.s. between which company sells us out the least is getting us nowhere.
What you do is use your phone as needed and don't explain to each other how to kill the nearest backstab spy on your phone.
Use post-it notes.
post-it notes, dark of night, and ice pick.
You CAN access the file system on your iOS device. That being said, you HAVE to KNOW what you are doing and this is as it should be; you do not want your children to have the same access to the file system you do because, in as much as they know how, knowing when and why makes more of a difference. You can do a large number of things that Android people can but it is a different way of thinking because the system is rigged against anyone who knows just enough to get into trouble. Apple wants you to either not bother learning and use the intuitive interface (and it is so good that Samsung pays Apple to use all manner of elements from it; just that, lacking iOS experience, you might not know which came first) or learn enough so that if the problem you were trying to solve was a map, you would know the adjacent sheets -good practice anyway.
Downloading an MP3 or a ringtone is not hard but installing takes a side trip to a desktop machine; moreover, it is obviously easier on a Mac. I download images all the time and in the olden days before photos synced everything, I would text them to myself (effectively producing a backup copy on the phone) or emailing them to myself which, while not providing the backup, did allow me to remove the content from storage on the phone --well, there is still, sort of a backup, the sent folder in my iCloud account but that is not physically on the phone. You can also get a PDF of a journal article and treat it in a similar manner.
So many people with Android phones speak with vile hatred of iOS devices without actually knowing iOS or its benefits that in being so busy expressing their unexplainable hatred of (IBM way back when, then it was Lotus or WordStar, then Microsoft, and now, it is Apple's turn) corporation X, they demonstrate a lack of exposure at the least and a petulant disregard or disdain for anything that might be done better or easier on an Apple device. I have used and continue to use both (in no small part due to Samsung and T-Mobile policies) and there are things that are done better by one or the other. The owners of Android phones, much like the owners of a WinTel box running some sort of windows, have a high tolerance for system failures and bugs. iOS and Mac users, accustomed to their device "just working" have a significantly lower tolerance for defects or instability. Thus, your iPhone might not have the latest hardware (IPS vs OLED) but it has been tested to the point that one would be hard pressed to fine a condition Apple has not already exposed the device. Waterproof? I have seen iOS devices soaked for hours spend a fraction of a day in rice and turn on like nothing happened and I have seen supposedly waterproof Android phones fry themselves. However, the most irksome to me remains the all too frequent restarts on Android vs just TWO restarts in the entire time I've own my iOS device. Certainly, that has to give someone a bit of pause.
Owning a Google phone or a Blackberry device is not the same as being adrift in the other side of the Android world. For all intents and purposes, the corporate entity is no different in so far as being a gigantic and faceless monstrosity whose behavior harkens back to a time of unrestrained, unrepentant, and most of all, abusive capitalism. That behavior is only restrained (rather than constrained which implies limits rather than barriers) by governmental efforts driven (when enough people scream, even politicians listen) by sufficient public outcry. Not everyone that purchases an iOS device is unable to code or repair their own hardware and not everyone that clamors for the latest device that uses Android is an absolute tech geek. However, one glaring difference exists and that is this: Apple demands and gets compliance from the carriers so that an update is available to all iPhone owners at once without regards to carrier. Google can only do anything similar -and they do not- with their own phones. For the rest of the Android world, a mishmash of manufacturers and carriers spend time blaming one a
are you insane? how is this google's fault? EVERYONE makes android phones/chipsets. this is like blaming Linus/Bill Gates for a fault in Nvidia's drivers.
are you crazy? how is this google's fault? EVERYONE makes android phones/chipsets. this is like blaming Linus/Bill Gates for a fault in Nvidia's drivers.