Slashdot Mirror


BadKernel Vulnerability Affects One In 16 Android Smartphones (softpedia.com)

An anonymous reader writes from a report via Softpedia: A security bug in Google's V8 JavaScript engine is indirectly affecting around one in 16 Android devices, impacting smartphone models from all major vendors, such as LG, Samsung, Motorola, and Huawei. Despite this bug being public for more than a year, only in August 2016 have Chinese security researchers discovered that the V8 issue also affected a whole range of Android-related products where the older V8 engine versions had been deployed. Affected products included Google Chrome Mobile, Opera Mobile, apps that use the WebView component (Gmail, Facebook, Twitter, WeChat, etc.) and apps that deploy the Tencent X5.SDK (a bunch of Chinese apps). It is estimated that around one in 16 Android devices is vulnerable to this issue, nicknamed BadKernel. The flaw leads to an RCE on Android devices, allowing attackers to take full control over one's smartphone. Despite BadKernel being discovered in August 2016, because all research was only published in Chinese, most E.U. and U.S. users have no clue they might be affected. One of the best ways to protect yourself, as noted in the report, is to keep your apps and operating system updated. You can view this list via Trustlook's website to see if your device is affected. There's also a dedicated BadKernel security scanner you can download from the Play Store to check for the vulnerability.

8 of 58 comments

  1. Well by Ol Olsoc · · Score: 2, Funny

    At least they have a headphone jack, so no problem.

    --
    The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
  2. Ahhh yes by wbr1 · · Score: 4, Informative

    A slashvertisement for a 'security' app that ostensibly tests for a vulnerability, whilst simultaneously asking for every permission my phone has. No thanks. And have a mode finger while you're here.

    --
    Silence is a state of mime.
    1. Re:Ahhh yes by Anonymous Coward · · Score: 3, Informative

      Indeed, and on their site "Trustlook" (never heard of them) claim that "AV-Test" gives them the OK.
      Funny, on the "AV-test" site, they're not even in the list of (about 25) tested products...

      https://www.av-test.org/en/antivirus/mobile-devices/
       

  3. Best ways, huh? by Bob the Super Hamste · · Score: 4, Interesting

    One of the best ways to protect yourself, as noted in the report, is to keep your apps and operating system updated.

    So how many of the devices listed are basically unsupported since initial sale and will never be updated?

    I really wonder if things like this should be treated as manufacturing defects and since carriers and phone vendors don't seem to want to support these devices people should start bringing them back and getting them replaced for free as they are obviously defective.

    I don't know warranty law but maybe someone could chime in who has some idea as it would seem that if these issues aren't fixed then the customer is due a replacement or refund because their device does have a manufacturing or design defect.

    --
    Time to offend someone
    1. Re:Best ways, huh? by Aaden42 · · Score: 2

      The devices were never warrantied as being secure. They're sold as telephones. As long as they still make calls, they're not defective. There's no way you'll get phone makers or cell carriers to make good on these without a law telling them they have to. And you can rest assured they'd pass the cost of any such law directly on to consumers.

      Buyers need to vote with their wallets. You're not just buying a dumb telephone. You're buying an always-on, always-connected computer that you're going to store some of the most private things about your life on. Pay attention to the hardware maker's upgrade record as well as your carrier's and choose accordingly.

      For most users, that probably means either spending the extra on a Nexus device or going Apple or saving the money up front and knowing that you're buying a dead end device that will almost certainly fail to get some critical security update before its reasonable useful life has passed. At that point, your choices are live with the risks of the vulnerability or spend more money to replace the device.

  4. Sigh. by ledow · · Score: 5, Insightful

    "Install this piece of random software to see if you're safe from this vulnerability that affects a ton of devices."

    Yeah, right. It's precisely that mentality that causes more problems in the first place.

  5. Re:My Nextbit Robin isn't on the list by mlw4428 · · Score: 2

    Yes, nothing says security like sending your data up to a third party's cloud.

  6. Re:The list is just about worthless by Nemyst · · Score: 4, Interesting

    I don't know about you, but I don't think I'd trust the results of a security app made by a company I've never heard of before.