Android Phones Can Be Hacked Remotely By Viewing Malicious PNG Image

An innocent-looking image -- sent either via the internet or text -- could open your Android phone up to hacking. "While this certainly doesn't apply to all images, Google discovered that a maliciously crafted PNG image could be used to hijack a wide variety of Androids -- those running Android Nougat (7.0), Oreo (8.0), and even the latest Android OS Pie (9.0)," reports CSO Online. From the report: The latest bulletin lists 42 vulnerabilities in total -- 11 of which are rated as critical. The most severe critical flaw is in Framework; it "could enable a remote attacker using a specially crafted PNG file to execute arbitrary code within the context of a privileged process." Although Google had no report of the security flaws being actively exploited, it remains to be seen if and how long it will take before attackers use the flaw for real-world attacks. Android owners were urged to patch as soon as security updates becomes available. But let's get real: Even if your Android still receives security updates, there's no telling how long it will be (weeks or months) before manufacturers and carriers get it together to push out the patches.

So not Flash?

Really glad all these software engineers who railed against malicious PDFs delivered through the Flash plugin, can't do any better when left to their own devices.

Re: So not Flash?

Who the fuck cares what google thinks?

Re: So not Flash?

This is no big deal. Since there is no hope of getting any security updates for my Android devices from the fantastic hardware vendors and network providers, I'll just browse the web on my Android devices using lynx from now on. Thanks guys! Thanks a lot! Really appreciate ya'll locking down these devices so hard to prevent malicious third-party open source developers from flashing custom boot ROMs over your fantastic OEM build.

Re: So not Flash?

Ahhh yes its wonderfull

Png? Like I would ever open teenlesbians.png oh.. Wait...

Re:So not Flash?

[LordHighExecutioner]

Actually, if you want to exploit the png hack in total darkness, you need flash to take the picture.

Re: So not Flash?

So that we can have all their bugs plus all the flash bugs? No thanks.

Re: So not Flash?

[aliquis]

Lesbian porn is gay.

In before smug Apple fans

In before the smug Apple fans who want desperately to pretend this is as bad as FacePalm.

It's not. It's a theoretical exploit that may lead to actual exploits, but even then, they likely have to be crafted for the specific phone. Compare that to a broken feature that you can use from any device with FaceTime on it.

And at least you'll be able to get the bug fix with a simple security update, without having to also "upgrade" the rest of the phone's OS and accept random UI changes and new software designed to throttle the speed of old phones "for battery reasons" that, strangely, no phone from any other manufacturer suffers from.

Re: In before smug Apple fans

Truly sorry that you have to be suspicious about all the anime pictures on your Android phone

Re:In before smug Apple fans

only one can be disabled.

Re:In before smug Apple fans

Dude, it's Android: you can choose any one of zero security patches provided by your OEM.

Re:In before smug Apple fans

It just shows what a shitty pile of garbage Android has become and how weak your arguments are.

Re:In before smug Apple fans

[bobstreo]

Dude, it's Android: you can choose any one of zero security patches provided by your OEM.

I got one update to my phone, once, to 5.5.1.

Re:In before smug Apple fans

went to RTFA, it has jack squat, =TFS

went and checked monthly android bulletin, poked into the bug submissions. it's admittedly over my head so I can't authoritatively declare what I suspect: newshype monkey trying to keep his numbers up with a proof of concept that had room for dramatic interpretation, whether android apple or IoT dildo

Re:In before smug Apple fans

And at least you'll be able to get the bug fix with a simple security update, without having to also "upgrade" the rest of the phone's OS and accept random UI changes and new software designed to throttle the speed of old phones "for battery reasons" that, strangely, no phone from any other manufacturer suffers from.

The problem with modern android phones is most of them have some variant on stock android that won't get many updates. PCs are the same way, but then I haven't bought a new PC with windows on it, um, ever I think. (They come with so much crap, that an update may be challenging, to say nothing of just using them..) I've bought windows separately a half dozen or so times, but try to stick to Linux where possible. With Linux Mint lately I can image a system over what 20 minutes top?

We need that kind of thing for phones. Download a cryptographic ally signed live usb image, that uses UEFI and such then boot it on a stock PC. Once that image is up, it should allow you to simply plug a usb cable between your computer and phone and do a full wipe/reinstall to stock current android. I'm not talking any exotic process. It needs to be simple enough for best buy geek squad to do, not that I'd ever recommend them to well anyone I actually liked. Basically it should be the first thing you do when you get a phone, but right now I think its more trouble than its worth, and phones tend to be locked by default. Bonus points if you can save your preferences somewhere and get an image just with those.

Re: In before smug Apple fans

Ever hear of android one?

Old iPhone devices aren't getting updates either. The difference is they cost 3x more than Android devices

Re: In before smug Apple fans

I could buy a new android phone for the cost of a ifruity battery

Re: In before smug Apple fans

I actually asked whether this was possible some time back, because I was suspiscious of some anime photos on my iPhone. I doubt Apple would ever admit to such a vulnerability.

Re:In before smug Apple fans

[_merlin]

As an Android user, this is pretty shitty. If it allows arbitrary code execution in privileged context, that means your phone can be rooted just by looking at a web page. Once that happens, you need to restore a clean firmware image or you simply can't trust the phone. That's far worse than being able to access camera/mic if a feature isn't disabled.

Re: In before smug Apple fans

Go buy an Android device from Lenovo and see how many updates you get. Go on. I'm waiting.

Re:In before smug Apple fans

[SuperKendall]

It's not. It's a theoretical exploit that may lead to actual exploits, but even then, they likely have to be crafted for the specific phone.

Apple's issue is already patched for all devices that it can occur on (that support Group FaceTime). Millions (hundreds of millions?) of Android devices have this exploit that will never see this patch.

And on top of that, the Apple bug affected only people who received a FaceTime call and did not answer, and the attacker knew the secret combo to activate the bug. In short it ALSO was a theoretical exploit, that was a one time deal that never impacted basic phone security.

Android people like you that defend this inexcusable flaw are the worst kind of scum.

they likely have to be crafted for the specific phone

Nope.

And at least you'll be able to get the bug fix with a simple security update

Which for millions will never come. Meantime anyone who can craft a good meme can and will own your phone. Good luck with that.

also "upgrade" the rest of the phone's OS and accept random UI changes and new software designed to throttle the speed of old phones

iOS 12 sped up phones. That speed throttling that protected phones from sudden shutdowns is now in Android as well, since it was inherently a good idea.. but on Apple if you are and idiot you can choose to disable it.

Re: In before smug Apple fans

[GrahamJ]

But youâ(TM)re not smug at all right?

You don't know if it 's being exploited. You don 't know if it has to be crafted for a specific phone. You don 't know how many phones will actually get that update.

The FaceTime bug was mitigated very soon after disclosure for every single device simultaneously.

Most Android users would love to have the "problem " of having to have the latest OS. Any iPhone user susceptible to the bug already had iOS 12.

All phones suffer when their batteries are old. It's harder to notice when the device runs like shit out of the box.

Re:In before smug Apple fans

[Harlequin80]

Reading the bulletin though it only works when the process that triggers it is privileged in the first place. So there is no privilege escalation. So there isn't a way that this exploit could root a phone.

I'm sure there are things that this could be used for. But it can't get out of the particular sandbox the application that views the PNG is sitting it.

Re: In before smug Apple fans

I get them monthly for my 1 year old Note 8...

Re: In before smug Apple fans

Sure, if your phone is older than the iPhone 5S (from 2013).

Re:In before smug Apple fans

Wait are you talking about a malware installing with root from the webpage, or simply rooting your phone? A rooted phone is a lot more trustworthy (and better able to fend off viruses by enabling better adblocking) than one where you can't do anything about all the crap from Google and the carrier running.

Re: In before smug Apple fans

Sure you do. Despite all the other products they still actively sell the only device Lenovo actually supports with updates at the moment is the Tab 4, https://support.lenovo.com/au/....

Re:In before smug Apple fans

[_merlin]

If, as the summary suggests, this allows arbitrary code to run with elevated permissions simply by viewing a PNG image, then this could be exploited to install malware that runs as root with access to all the data on your device, all your accounts, ability to modify any app, etc. That's pretty fucked up. (Yeah I know summaries can be misleading, but I have a relatively low UID so I've been conditioned over years to never RTFA.)

Re: In before smug Apple fans

[Ken_g6]

So if they email you a malicious PNG then they can read all your emails? That's not good. Plus who knows how many privilege escalation zero days may be out there?

Does this apply to all Android apps or just Google Chrome based ones?

Re: In before smug Apple fans

Of course not

Courage

But

Apples are much better for you than cake

Re:In before smug Apple fans

[phantomfive]

To be fair, privilege escalation exploits are rather common on all OSes. That's not something we've figured out how to solve.

Re:In before smug Apple fans

[Joce640k]

Dude, it's Android: you can choose any one of zero security patches provided by your OEM.

I get regular patches for mine (Xioami Mix).

Re: In before smug Apple fans

Actually, Android has developed this new technique where it releases security updates monthly to address issues like this. It reduces the modifications OEMs need to do and limits QA testing. Novel approach, right? (yes, I'm being sarcastic about it being a new technique, but funnily enough MS & others seem to be going the other way of including the kitchen sink in "security updates")

I obtained the update about the time it was released a week ago. Apple weren't that quick, except for disabling Facetime Groups.

I also seem to remember being able to jailbreak my work iPhone (3gs, I think, but 4 might have been out too) just by viewing a pdf on a website. Swings and roundabouts.

Re: In before smug Apple fans

I know, I'm stuck on the Jan 2019 update with my old moto x4

Re: In before smug Apple fans

My iPhone 4S still makes calls, send and receives texts fine - why would I replace it? Too bad I can't update it though.

Re: In before smug Apple fans

No one is wasting their time on malware for the 3 % or less of iPhones that are not getting security updates.

Re: In before smug Apple fans

Actually, the bug might be mitigated even faster.

Many of the Android system components are updatable through the play store. Updating just the gallery and browser to look for these pngs would eliminate 90% of the attack vectors faster than even Apple did with their patches.

Re:In before smug Apple fans

[slack_justyb]

Android people like you that defend this inexcusable flaw are the worst kind of scum.

Laying it on a bit thick don't you think? Being a platform apologist is bad, but I wouldn't rank it as "worst kind of scum", even if just limiting to the tech industry or even more so to just mobile OS platforms. Save some room for the real criminals who are making money off your data.

Re: In before smug Apple fans

[strikethree]

Hm. My iPhone 3GS didn't get the update to ios12. As a matter of fact, I think I had to stop updating it around IOS 5 or so. The newer versions of IOS slowed it down to unusability.

Yeah, yeah. I know. I didn't buy hardware, I bought access to ios and the hardware that came along with that purchase was not fit for duty 3 years after purchasing said access to ios. I was supposed to know even if it wasn't printed on the side of the box: This hardware will become unusable after 3 years and there is NOTHING (other than block further software upgrades) you can do about it. Have a nice day.

But yeah, feel smug about your IOS always being up to date.... completely ignoring the fact that you have to keep paying for hardware every couple years in order to keep your ios up to date.

Re: In before smug Apple fans

[GrahamJ]

iOS 12 runs on 5 year old hardware. Being smug is not necessary to understand the benefits of that.

Your 3GS is not susceptible to this bug.

Re: In before smug Apple fans

[Harlequin80]

No I don't think so. My reading is that it ONLY works if the process that triggers it is already privileged. It won't work on an unprivileged process at all.

Re: In before smug Apple fans

On the other hand, universal root exploit!

Re: In before smug Apple fans

Why can't I just apt install libpng and get a non-broken libpng.so in /usr/lib?

So older Androids need to upgrade to LineageOS?

[schwit1]

Since the carriers are no longer providing updates.

Re:So older Androids need to upgrade to LineageOS?

Google guarantees security update for its own phones for three years. We'll need to wait and see if older phones get a security update to fix this problem.

Re:So older Androids need to upgrade to LineageOS?

Ha. I bet lineage 14.1 won't get updates.

Re:So older Androids need to upgrade to LineageOS?

[tsqr]

I have a 6 uear old Galaxy tablet that still gets security updates from Samsung. I've never kept a phone for longer than two years or so, so I can't speak to that.

Re:So older Androids need to upgrade to LineageOS?

my s5 stopped getting updates in march 2017

Re:So older Androids need to upgrade to LineageOS?

[Athanasius]

Or at least if it does, they'll be slow. The security level for LineageOS 14.1 on Samsung Galaxy S4 (jfltexx) only got bumped to the January 2019 level in the past couple of days (and this only in the source code tracker, no new build yet), just as these February updates were released. They're building about one nightly a month for the device now, so I'd have to compile my own to even be just one patch level behind.

No snark intended at LineageOS. They're doing what they can with the resources (developer time) they have. If said S4 wasn't merely my emergency "crap my main phone broke/was lost" device I might see if I have the skills to help out.

But alternate ROMs are by no means a complete solution to this issue as things currently stand.

Re:So older Androids need to upgrade to LineageOS?

Since the carriers are no longer providing updates.

Just buy an iPhone already, It has everything you will need, including security.
If you stand in line, you can be one of the first cool guys to buy one when a new phone comes out.

Re:So older Androids need to upgrade to LineageOS?

[Errol+backfiring]

And planned obsolescence. Just like Android.

Re:So older Androids need to upgrade to LineageOS?

[coofercat]

You're lucky - I have a Galaxy tablet that stopped getting updates 18 months after I bought it (about 2 years after it came out - not enough sales, so not worth looking after those of us that bought it). It's not a problem though, I've just bought any-brand-except-Samsung ever since, and get updates all over the place when I need them. My little Doogee phone might not get an upgrade, but then it cost about £40, so I'll just throw it out and buy a new one instead.

Re:So older Androids need to upgrade to LineageOS?

Actually it is probably the ideal solution, but the real underlying problem is that there isn't a nimble company doing the work to ship select model phones with Lineage OS at a sufficient enough profit that can sufficiently help fund regular releases. It's not that it is impossible as we can point to companies who have been wildly successful in driving funds to projects like this. ThinkPenguin is the reason EOMA68 had funding to get to a point that manufacturing could commence (an effort to fix the fact all laptops are dependent on proprietary pieces including RYF systems). The company also is the reason libreCMC exists and has regular releases and occasionally releases outside of the 3 month release window for security updates. There are also package updates as well where needed. So it's clearly not impossible. The company is also the reason we have a complete set of source code for a modern USB wifi chipset and wifi adapters that are still being manufactured with that chipset.

Android OS Pie is horrid

Regretfully, I upgraded yesterday.

Hacked by a JPEG!

Wow, did the NSA ask for that to be added or is Google's whiteboard torture interview style just not selecting good candidates?

Re:Hacked by a JPEG!

[sjames]

It turns out riddles aren't the same as software engineering. Who knew?

This is one reason

[hcs_$reboot]

let's get real: Even if your Android still receives security updates, there's no telling how long it will be before manufacturers and carriers get it together to push out the patches

...I still prefer an iPhone.

Re:This is one reason

[subk]

let's get real: Even if your Android still receives security updates, there's no telling how long it will be before manufacturers and carriers get it together to push out the patches

...I still prefer an iPhone.

Don't believe the hype about update lag, it's not reality. de facto, per se. I'm using an Essential PH-1. I got the patch today.

Re:This is one reason

I have an LG from 2016 and they haven't released any OS updates since 2017.

Re:This is one reason

[sjames]

If we're hoping to ever see those updates, we better invest in cryogenics.

Re:This is one reason

Bullshit.

I bought a Note 2 back when it was `the phone` in Singapore, and about a month later discovered not only was it discontinued per-say, but it won't get any updates anymore as focus was shifted to the next model(s) in line. I had to root it and get custom roms to stay up to date on it.

Swore never again to touch a Samsung phone (and most probably any other Android for that matter). I'm happy `holding my current phone the wrong way` to get a signal.

Re:This is one reason

Very, very, very few people have those phones. It's statistically irrelevant to this topic.

Re:This is one reason

I still prefer an iPhone.

Honestly, if you're doing anything sensitive on your phone, especially if it involves banking or money, you're crazy.

Re:This is one reason

Unless you have a more recent example, then your anecdote is irrelevant. Given the phone is over 5 years old, and Samsung have improved their responsiveness to upgrades and how long they will upgrade the phone for and on top of that Android now has monthly security patches that make it easier for OEMs to test & deploy.

Re:This is one reason

[hcs_$reboot]

Sure, but the risk is not only money, the exploit can also strongly affect your privacy since the attacker has access to the whole device (photos, emails, discussions, mic, camera...)

Re:This is one reason

[AmiMoJo]

Because Apple ignores critical security flaws like he Facetime bug?

In this case TFA is wrong. While the patches fix the underlying issue, mitigations are already available to all Android users via the Play Store and component updates which have already rolled out to users regardless of manufacturer.

Re:This is one reason

[drinkypoo]

iPhones prior to 5S don't get the OS update that is for some reason required to fix Apple's recent "FaceTime as spy tool" bug, even though that's a bug in an app, and not in the OS. Tell us again how smug you are about Apple's support strategy.

Re: This is one reason

Those devices also didn't get iOS 12, thus they never had group Facetime and hence weren't affected by the bug. Your point is irrelevant.

Re: This is one reason

[drinkypoo]

Those devices also didn't get iOS 12, thus they never had group Facetime and hence weren't affected by the bug. Your point is irrelevant.

Genuine LOL. Those devices couldn't have a mere app upgrade because they couldn't get the OS upgrade that Apple made a deliberate decision not to bring to them in order to drive sales of newer models, and my point is supposed to somehow be irrelevant? The situation is actually worse than I imagined. How Applethetic.

Re: This is one reason

Wait, so the fact that phones 6+ years old now (you said "prior to the iPhone 5s") should still be supported? Can you name one single phone, Android or otherwise, that gets updates that far out?

Re: This is one reason

[drinkypoo]

Wait, so the fact that phones 6+ years old now (you said "prior to the iPhone 5s") should still be supported? Can you name one single phone, Android or otherwise, that gets updates that far out?

You can install most current apps (especially google apps) on JellyBean, from 2013. Play Services was still supported on ICS (from 2011) until December of last year . Looks like decoupling all that stuff into Play Services was a savvy move for Google. And their support for older hardware is going to be even better going forward, since they've adopted a HAL.

Re: This is one reason

Android is known for not supporting devices longer than a couple of years on average. Many popular apps don't work on specific recent phones due to lack hardware features on them. I still think you're making an invalid comparison because the discussion here is about whether OS updates would leave users exposed to security flaws. Android is known for that due to how manufacturers don't care about it. And older Apple devices did not get affected by the flaw you mentioned, despite on average, Apple devices getting much longer support.

Block sources of malicious images... apk

Here's how: APK Hosts File Engine 1.0++ 64-bit for MacOS h t t p : / / a p k . i t - m a t e . c o . u k / A P K H o s t s F i l e E n g i n e F o r M a c O S . z i p

Yields more security/speed/reliability/anonymity vs. any 1 solution (99% of threats use hostnames vs. IP address most firewalls use) more efficiently/FASTER + NATIVELY 4 less!

Vs. "Bolt on 'MoAr' illogic-logic" slowing you hosts speed u up 2 ways: Adblocks + Hardcode fav. sites u spend most time @ vs. competition loaded w/ security bugs (DNS/AntiVir) + overheads slowing u (messagepass 'souled-out' to advertisers easily detected & blocked addons + firewall filtering drivers) & their complexity leads to exploitation!

* ONLY 1 of its kind in GUI 4 MacOS!

(Better vs. Windows model in speed/efficiency)

APK

P.S.=> Protects against ALL known & unknown vulnerabilities. Now supports port filters in hosts. My work is world-class & China copied it because they can't do better. I am God's gift to Slashdot... apk

Re:Block sources of malicious images... apk

Yea I am replying to your spam (I shall be flogged for this I am sure), but I don't see an android installer AND this can't possibly block every png image hosted on the internet - your host file is useless, and as such, off-topic to this whole subject. Plus, no one trusts a spammer, so why bother?

Re:Block sources of malicious images... apk

Yea I am replying to your spam (I shall be flogged for this I am sure), but I don't see an android installer AND this can't possibly block every png image hosted on the internet - your host file is useless, and as such, off-topic to this whole subject. Plus, no one trusts a spammer, so why bother?

You cannot reason with APK. No matter what you say, no matter what great point you make, he will hand-wave all around it and declare himself "the victor". He will probably also accuse you of being someone you are not, thus enhancing his imagined "victory".

Think of him as being like a religious fanatic who views contrary evidence as testament to the depth of his faith. It's fun to goad him because he nearly always responds (usually multiple times to your single provocation) but that's all you're going to get. He simply cannot properly respond to a rational argument with the intent of reaching some kind of agreement. He is just not prepared to be reasoned with in such an adult way. Take him for what he is (a spammer, a jester, a sideshow) and move on.

His ass-licking fans who may or may not be his sock-puppets are amusing too the way they defend him to the end. See: religious fanatics. If they are not sockpuppets, perhaps they want to bask in his imagined glory? Maybe they are the downtrodden who feel a need to root for the underdog? Perhaps they are truly impressed by the "elite skills" of his text-file manipulation program (Delphi/Lazarus, Visual Basic, etc) that he still refuses to release the source of? Maybe they are simply ignorant of the problems with blacklists because APK himself refuses to acknowledge them (you mean, there is no Ultimate Solution, that all approaches have advanrages and disadvantages?? Say it isn't so!!) Just enjoy the ride, man.

Re:Block sources of malicious images... apk

Apk obviously has taken you down decisively in his favor over you at some point since you hide by unidentifiable anonymous trollings from him.

Re:Block sources of malicious images... apk

Look it is APK's even more retarded friend AlecStaar here to defend him. Even APK won't defend himself because he knows his is a loser and gets his ass beaten every time he pipes up because all the criticisms of him and his work are true,

Re:Block sources of malicious images... apk

You can't defend yourself hiding behind unidentifiable anonymous harassment of apk you do. You only prove you're an obsessed nut. I reply that way so you don't stalk me like the obsessed mentalcase you are doing that to apk.

Re: Block sources of malicious images... GAYpk

Block all images of naked women and replace them with dicks that I am ready to HOST... GAYpk

Privileged Code?

[crow]

You can use this bug to execute privileged code? I assume that means as root. If someone publishes example code at some point, we could get a really convenient way to root phones. Maybe I should avoid updates for a while.

Re:Privileged Code?

[locopuyo]

Use the exploit as a way to apply a patch.

Re:Privileged Code?

[tangent3]

Not unless for some reason Android is decoding PNG files as root... which it doesn't. This bug cannot be used to escalate privileges.

Re:Privileged Code?

wtf? why does anything data/'content' downloaded from an external source (internet) get touched by any privileged process?!

External content should always be parsed by something that needs no privileges, or has them.

Re:Privileged Code?

That is a *brilliant* idea!!

Memory Access Bugs

[mentil]

More OS memory access bugs, yay.
According to this breakdown, 88% of Android OS is written in Java, C, and C++ -- all of which are notorious for memory access bugs (in the runtime environment, in the case of Java). Perhaps the #1 security best practice should be to use a language designed to be memory safe. Right below that would be "don't try to bolt on security to insecure software."

Re:Memory Access Bugs

[duke_cheetah2003]

"don't try to bolt on security to insecure software."

Oh you mean, like the TCP/IP protocols we all use today? Security wasn't even close to on the minds of the original specs.

Kind of shows.

Re:Memory Access Bugs

[dromgodis]

all of which are notorious for memory access bugs (in the runtime environment, in the case of Java).

Android does not run a JVM as far as I know, but Dalvik. And the only famous JVM memory access bug a five-second search gave me was from 2002.

Re:Memory Access Bugs

Android does not run a JVM as far as I know, but Dalvik.

Actually, Dalvik was discontinued since Android 5/Lollipop in 2014, and was replaced with Android Runtime (ART).

Re:Memory Access Bugs

Let's write the entire OS and kernel in javascript! That'll be efficient!

Re:Memory Access Bugs

Android doesn't use Oracle HotSpot (the standard Java Runtime Environment bytecode VM), which is where your impression of "Java runtime environment" bugs comes from. It doesn't even use the same bytecode format.

Google has been EXTREMELY self-destructive!

[Futurepower(R)]

Google has been EXTREMELY self-destructive by allowing Android to be a method of abusing customers, in my opinion.

Android generally gets NO updates. That policy is intended to make more money for cell phone providers.

Re:Google has been EXTREMELY self-destructive!

Yet I've had a Pixel phone for several years with day one upgrades. Including monthly security updates! How is that self destructive?
If you're referring to Google allowing OEMs to lapse on their updates, well Google have now contractually required OEMs to ship security updates in a responsive time frame. OS updates don't matter as much since it's very rare for apps to not work on 3 year old Android OS.

Re:Google has been EXTREMELY self-destructive!

Unless you bought your phone from some company that only existed for a week, Android phones get security updates for a long time after release.

Re:Google has been EXTREMELY self-destructive!

Android generally gets NO updates. That policy is intended to make more money for cell phone providers.

That isn't true at all. For example, my phone and many Samsung phones get monthly security updates, and others get quarterly updates. https://security.samsungmobile.com/workScope.smsb

Re:Google has been EXTREMELY self-destructive!

Android phones [from major manufacturers] get security updates for a long time after release

Mod that up funny!

I have bought a flagship phone from a major manufacturer in 2016. There are two different SKUs of this model: a carrier version and an unlocked version. I bought the unlocked version. The manufacturer stopped releasing updates in 2017 for the unlocked SKU; a couple of carriers continued to release updates into 2018, but those updates will not install on the unlocked SKU and they won't be releasing further updates either (although the hardware specs would still place it in about the top third tier of new phones). Several people contacted the vendors support team multiple time inquiring about updates (even in 2017 when they did release updates they lagged about six months behind Google's security releases) and were given a B.S. excuse that since it's not a carrier specific ROM they can't release any updates until it has passed every carriers validation test suites.

Re:Google has been EXTREMELY self-destructive!

Oh and lineage only releases a ROM for the carrier SKU :-(

Android is worry-free

With Apple, you have to worry whether your device is up-to-date and secure.

With Droid, we can always be sure that we'll never be secure. It's refreshing and assuring.

Baking roms for each device needs to be outlawed

[WaffleMonster]

Why can't non-x86 world ever get its shit together? One unified Windows or Linux image installs on countless hundreds of different x86 things.

Meanwhile everywhere else it's always bake a custom rom specific to each and every variant of every device. Why is it still tolerated? The old excuses of abstraction costing too much made sense 20 years ago. Today it's a joke/lame excuse for tolerating the indefensible.

Wwwwaaaaayyyy past time to fire the cooks.

THERE ARE ALWAYS CONSEQUENCES NAZI FAGGOT KEN DOLL

THERE WILL ALWAYS BE CONSEQUENCES FOR YOUR LIES AND PROPAGANDA NAZI FAGGOT KEN DOLL UNTIL YOU DIE.

Filter error: Don't use so many caps. It's like YELLING. Filter error: Don't use so many caps. It's like YELLING. Filter error: Don't use so many caps. It's like YELLING.

PNG needs JavaScript internally.

[aberglas]

Obviously we need complex multimedia formats that are decoded by C code complete with buffer overflows all running in Kernal mode.

But what would be even better is if the PNG could contain JavaScript inside it. Why limit the output to just a few algorithms? With JavaScript running actually inside the PNG much greater compression could be achieved for many applications. More importantly, a whole new plethora of animation techniques could be developed.

Indeed, if that JavaScript within the PNG was used to implement a Virtual Machine, a whole sub operating system could run inside that image. Just think of the possibilities!

We need more, Lots more. Of stuff.

Re: PNG needs JavaScript internally.

Weird. I know this a completely new idea but... the deja vu is overwhelming!

Re:PNG needs JavaScript internally.

[dromgodis]

You thinking of this? https://linux.slashdot.org/sto...

Re:PNG needs JavaScript internally.

lmao this sounds like something you would see on hn. "Why I switched my startup to JPEGwJS and you should too!" followed by 100 gushing comments about how this is the smartest idea they've seen since they took a lisp class at Stanford two semesters ago.

Re:PNG needs JavaScript internally.

[cordovaCon83]

Did we learn nothing from Jurassic Park???

Re:PNG needs JavaScript internally.

[scamper_22]

I know you joke, but I really want to see more details on this. I've gotten older and I don't know the internals of android, but maybe someone can help. The article is just vague.

1. How does this get root access? If your app or webbrowser views an image, isn't that in some kind of 'user-space' running with the rights of the application?

2. I'd really like to see the actual source flaw. I remember a JPEG bug a long time ago with arbitrary code execution. How does this happen exactly. What is the exact lack of input validation that is occurring? I can see a lot of potential for flaws in inputs that allow scripting or what have you. But an image? Is there something funny about PNG files that I don't know about. Like can they embed some kind of algorithem in the PNG file itself as to how to decode it? Or is this just plain stupid not validating the input?

Re:PNG needs JavaScript internally.

PNG is an image format that lets you payload all kinds of stuff in custom ancillary chunks that libpng will just gloss over because it doesn't understand them. So Javascript (jSrx) and an entire OS (anOS) are certainly possible to embed in a PNG. However, there's just nothing out there that will read and process such chunks though and some software will strip unknown chunks (e.g. pngcrush).

The most natural thing to embed into a new ancillary chunk would be audio. Then your static images could be annoying.

Solution: Electrical Tape

Android Phones Can Be Hacked Remotely By Viewing Malicious PNG Image

I NEVER let my phone view PNG (or any other) images without supervision. I keep a small piece of electrical tape over the camera to make sure.

Re:Baking roms for each device needs to be outlawe

The x86 - or rather, the IBM-compatible - world is vastly different to the ARM world when it comes to system design. The entire family tree of x86-derived machines have gravitated towards open, or at least easily-licensed and inter-operable, hardware standards over the decades. Manufacturers want to keep their hardware reasonably compatible with everyone else, lest they be shut out of the market for being too 'niche'.

ARM, on the other hand, is almost the exact opposite. An ARM computer is often a custom-built hodge-podge of licensed hardware modules fitted around whatever ARM core the manufacturer licensed and etched onto silicon. Sound, graphics, memory. and other functions are not plug-and-play replaceable add-ons, but a custom chipset that the system designer picked out and configured. These bespoke system configurations will also have to contend with limitations on driver support and possibly the need to hand-configure settings.

Google has tried to correct this, and pull manufacturers to a more standardized system that would let Google handle a lot of the hard work, but this was never the norm in the embedded space.

Sounds like a rapper's stage name

[jfdavis668]

Malicious PNG

Re:Baking roms for each device needs to be outlawe

[phantomfive]

All of those ARM chips (in Android) use GCC, an open compiler, so it isn't the chip that's causing problems. Most of the drivers are all open-sourced (the kernels is GPL, so they more-or-less have to), so it's not the hardware that's a problem.

The main problem is locked boot-loaders. If you can't install a custom ROM on a phone, that's probably the reason.

HOW?

[duke_cheetah2003]

How do these things keep happening? What happened to sanity checking your input? Geezus, this is inexcusable.

Safety Proof

[snadrus]

How: C, C++, and Java making errors easy.

It's early days & we trade for speed with grossly unsafe situations. It's like a shortcut though a warzone.

We need contacts requiring:
- provably zero: buffer overflows, use-after-free, double-free, stack overflows, memory race conditions
- Malloc failures must crash if unrecoverable.

Then we could begin to have software with greater peace of mind.

Rust does this, as does JavaScript without extensions. Go does most and can be limited to a subset that does all. Some provers exist for C subsets.

Re:Safety Proof

You can write shite in any language. Stop pretending there are silver bullets, start taking responsibility for your code instead.

Re:Safety Proof

Ah yes, the king of buffer over runs Java.... we can all see your immense technical prowess.

Android security updates

[tangent3]

Not sure what's up with all the FUD about Android security patch irregularity. My Sony Xperia and One Plus phones are 3 years old and they are still receiving the monthly security updates from the manufacturer, so lag time is at most 2 months. It shouldn't be much different for Samsung and the other more popular brands and models.

It's true that updates between the major versions of Android are slow or even non-existent, but security updates are different. You can remain on an older version of Android and still receive security updates.

Re:Android security updates

[xonen]

In this topic only Samsung and Sony are mentioned receiving regular updates.
From own experience i can assure you most phones from less respected brands don't receive updates at all, or at most one or two updates right after the release to fix some vendor bugs - and typically introduce new ones. Like how i had a phone receiving an update to fix a battery charging issue. It broke the front camera functionality. No way to uninstall the update either.
It makes me seriously consider my next phone to be a Samsung, Sony or Pixel, despite the price tag. But that seems to be the price to protect data.

Re:Android security updates

Receiving updates on 3-year-old flagships is good, but this is a sign of low expectation. Security updates on 5-year-old low end even if you bought the "wrong" LG would be good.
I'm in for the wait, I don't see a fundamental reason why we can't have linux phones eventually (well, radio firmware is the biggest one. can the GSM/3G/4G/5G chip be left external to the CPU/GPU SoC, cost-effectively even on lower end hardware?)
Firefox OS had a focus on low end and is dearly missed for this (their biggest fuck up is to not release something at the high end of the low end, such as - back then - a $99 phone with 5" display and both front and back cameras instead of 4" and back camera only).
Low end users aren't necessarily dumb fucks and deplorables or ones who don't like privacy. Some GNU/Linux users have Core 2 Duo desktops, Atom netbooks. Same thing.

It takes new hardware to get long supported drivers and shit. This is expensive but older silicon processes never stop existing and they're even improved. There is now 22nm planar (i.e. non-FinFET) built up from the old 28nm. This would be paired up with older/lower end display, battery, flash, camera etc. then you can release new phone version with slightly better display, battery, flash, camera while keeping the same forward-thinking SoC.. At worst, I bet this is what happens with low end Android 9.1 or Android 10.0 phones.

Re:Android security updates

[Katatsumuri]

Counter-example: I have an Alcatel Idol phone, and while I love it for the form factor, the value/price, and the original functionality, I had to roll back and *disable* system updates, because Alcatel chose to push some horrible, intrusive bloatware with them, which pops up annoying dialogs at inconvenient moments, and slows the phone to a crawl. You know, those "optimizers" and "inspectors" trying to upsell you to some antivirus or "über-optimizer". Exploits like this one scare the hell out of me. I might be better off.

Samsung phone I tried earlier, on the other hand, worked fine in Germany where I bought it, but locked itself out when traveling abroad, which took over a month to work out with their "support".

Android ecosystem is completely fucked up. I might just bite the bullet and switch to iPhone on next upgrade. At least it works and is (slightly more) updatable.

Re:Android security updates

Sorry for the weird hanging editing artifact ("I might be better off")

Re:Android security updates

I have a Sony Xperia z3v and then haven't issued an update for it since Android 5. It's ridiculous, the thing still has more or less modern hardware specs, they just won't update the software. And the boot-loader is locked.

Re:Android security updates

Huawei is only a couple of weeks behind Google in issuing the monthly security patches. I guess that is how long it takes to find and remove the NSA backdoors and insert the Chinese ones.

Re: A Dingo Ate Your Support Contract Mate!

Move out of your shithole country and youll find plenty of devices with support, Drongo.

YES! Root without unlocking bootloader!

The reason I haven been installing updates in the past year! Common people, where is online no click root?

Android is bad designed

At least in comparison with any other Linux distribution.

I can understant the personalization and kernel issues to customize for a specific vendor. But kernel and drivers are a very specific piece of software.

Most components should be unified and distributed from a unique source, so Android should update without vendor intervention with most of the pieces of the Android base.

Actual way of Android only makes our phones completely insecure.
It seems a flaw made pointedly just to force us to update the hardware just because old hardware hasn't the needed software updates.

Good

my vendor never pushed update beyond 6.0

Re:Baking roms for each device needs to be outlawe

[AmiMoJo]

Actually drivers are the problem. Particular drivers for radios.

In order to pass certification for things like FCC the drivers need to be certified too. If they were open source then the user could just crank up the transmit power on their cellular modem or wifi to illegal levels, and I imagine that the network operators wouldn't be too happy about it either.

This affects the x86 world too. Some laptops have a list of acceptable wifi cards baked into the BIOS. If you try to fit a non-certified one it won't work. Reason being that when you have 3 antennas they could potentially all be used to exceed acceptable transmission power limits if the user fits any random card, so the manufacturer has to limit to ones tested by the FCC etc. to never do that.

Having said that, Google has largely fixed this now. Modern versions of Android can be patched by the Play Store services directly, and indeed in this case the issue has been mitigated that way even if the manufacturer doesn't supply updates.

Re:Baking roms for each device needs to be outlawe

Ok, so you've successfully argued that they need to deliver a binary kernel module for IO. The rest of the OS and all the libraries need to be upgradeable on the play store, even between Android versions.

(Isn't that what Android 8.0's Project Treble was supposed to do? And if not, WTF didn't they do that?)

Re:Baking roms for each device needs to be outlawe

What you say is true, but there aren't that many SoC vendors. Support for just 5 chipsets would probably cover 90% of phones, and if you had support for 100 chipsets, you'd probably cover 99.99% of smartphones in use today.

It's totally possible to create a single OS which auto detects which of the 100 chipsets it's running on and behaves accordingly.

simple solution

[sad_]

this just sucks, as we all know a lot of phones are not going to get any fix for this and even the ones that do will have to wait for a longer then normal time. i'm used to almost always same-day fixes on my linux desktop/servers, which is nothing more then normal.

how do we fix this for devices other then pc's/servers?

in this case i see no other way but to make it a law. if, for example, the EU can dictate the standard connector to use for phone-chargers, they should be able to do the same for something way more serious.

make it a law that all devices must get a lot of years of security updates (i don't even care about OS upgrades at this point), make it a long enough time, something like 6 to 8 years.

what will happen is that companies MUST design the software part better otherwise it will be too expensive to maintain all these security fixes for all these different devices with different implementations. to keep their costs down, they will have to have one build that can be installed and used on their whole range.
again, don't tell me it is impossible, we've been doing it with linux distro's for more than 20 years.

Re:simple solution

Just pass a law saying any device OS that is obsolete, that contains security flaws that render it not fit for purpose, looses all IP and reverse engineering protections, and any 3rd party can sell updates in including original rom images, and modified ones.

Once support ends - it should be open season.

Who do you think you're fooling?

> But let's get real: Even if your Android still receives security updates, there's no telling how long it will be (weeks or months) before manufacturers and carriers get it together to push out the patches.

Let's get even more real: I own 4 Android devices, and not a single one of them has ever got a single OS patch.

I'm not going to own a fifth. And I refuse to get my electronics from a fashion accessories maker. Who does that leave out?

And people are surprised I don't carry a smartphone.

Re:Baking roms for each device needs to be outlawe

[Chris+Mattern]

Because custom ROMs serve the interests of the people selling the phones, allowing them to issue the phone with undeletable adware or bloatware that they're paid to ensure is on every phone (and which is also undeletable). The fact that they do not serve the interests of the people using the phones is of no concern to them.

Android 5

[aliquis]

So my Galaxy S5 is still safe? ...

Android is so shit. With all this spying. Touch interface (on the whole surface too) and with the lack of updates.

Where's the PC equivalent?
20 years of support rule yourself.

Re:Baking roms for each device needs to be outlawe

[bill_mcgonigle]

Dude, your comment is 4 years too late. Google released its Hardware abstraction layer with Android version 8, it's now on Version 9, and yes, current phones get security updates very quickly from reputable vendors.

This month, my non-google phone got the February patch update a few hours before the Pixel release was available.

The worst kind of scum

Worse than murderers and pedophiles, poisoners and spies? I think you may need to reassess.

Re: Baking roms for each device needs to be outlaw

[phantomfive]

I am sure you read that somewhere, but wherever you read that, I would not trust them as a source anymore. What phone can get past the bootloader, have a custom ROM installed, and then can't use the radio?

IMPERSONATING ME AGAIN? Please... apk

MacOS model's not done: Stop IMPERSONATING me lying & proof portfilter err's can't happen in my work https://news.slashdot.org/comm...

U IMITATING me means ya WISH ya were me! Imitation IS the sincerest form of FLATTERY you know...

* HILARIOUS you ADMIT you have a registered 'luser' account & yet you STALK me by UNIDENTIFIABLE anonymous too https://hardware.slashdot.org/... - YOU have ISSUES, lunatic!

APK

P.S.=> Hopefully, this 'sinks in' to your DULL BRAIN @ last, finally (for the 200th time now)... apk

Re:IMPERSONATING ME AGAIN? Please... apk

Looks like Android PacKage is mad that people are mocking him again. He keeps trying to tell himself that people want to be him but deep down he knows that no one wants to be him suffering from debilitating mental illness and severe mental retardation. Nor do they want to live in a $1 house in the slums of the dumpy city of Syracuse.

Re:IMPERSONATING ME AGAIN? Please... apk

One thing is certain. You don't like yourself. You stalk and harass apk using unidentifiable anonymous proving it. I do so to you so you don't stalk me the same way in your immature teen angst.

That wasn't I you replied to moron... apk

See subject & https://yro.slashdot.org/comme...

APK

P.S.=> Of course, I also KNOW it's you doing the initial impersonating me too (you can't beat me on tech or fact so you pull PUSSY bullshit like impersonating me OR stalking me by UNIDENTIFIABLE anonymous posts like the LOSER you are)... apk

Re: Baking roms for each device needs to be outlaw

[AmiMoJo]

The custom ROMs use the binary blob radio drivers from the official ROMs.

Re:Baking roms for each device needs to be outlawe

The x86 - or rather, the IBM-compatible - world is vastly different to the ARM world when it comes to system design. The entire family tree of x86-derived machines have gravitated towards open, or at least easily-licensed and inter-operable, hardware standards over the decades. Manufacturers want to keep their hardware reasonably compatible with everyone else, lest they be shut out of the market for being too 'niche'.

ARM, on the other hand, is almost the exact opposite. An ARM computer is often a custom-built hodge-podge of licensed hardware modules fitted around whatever ARM core the manufacturer licensed and etched onto silicon. Sound, graphics, memory. and other functions are not plug-and-play replaceable add-ons, but a custom chipset that the system designer picked out and configured. These bespoke system configurations will also have to contend with limitations on driver support and possibly the need to hand-configure settings.

Google has tried to correct this, and pull manufacturers to a more standardized system that would let Google handle a lot of the hard work, but this was never the norm in the embedded space.

Yep. So much for a "hand computer" [rollseyes]

Likely doesn't affect most browsers

[Fencepost]

One of the Firefox for Android developers confirmed that they're using their own built-in libpng (with a link to its place in the source), so Firefox is likely unaffected. I didn't check separately on Firefox Focus, but I suspect it shares much of the code base.

I saw a reference to Chrome also having its own built-in PNG code (how could it not given its 51+MB download size?) but don't have the same details on it.

This mostly leaves email, messaging and social media as likely vectors for a malicious PNG.

It's usually SYSTEM, not root.

[emil]

That can still get you far, though.

Re: Baking roms for each device needs to be outlaw

Custom ROMs typically get all the drivers from the available update ROMs.
Aside the radio drivers, the camera drivers are often not open source.
That is not by coincidence the one aspect of smartphones that phone makers are still trying to differentiate in.

Project treble, on phones that got released with Oreo / Android 8 or later, should have all drivers sit on one partition, the Android OS should be on another, leading to a much easier update path.

Then, it's up to the manufacturer.

I know from experience that Nokia is doing well, one security update each month, 2 system version updates per device at least.

Support (chat) via built in app, also available when the phone is started with the pure system image, which I know from first hand experience.

Reason 2 for me to recommend Nokia.
Reason 3 is that they are newly set up to unlock boot loaders. Haven't tried yet.

Hope this helps,
aRTee

Captcha image...

That's funny! My captcha image was %#*(@NO CARRIER

Sent from my Android

Re:Baking roms for each device needs to be outlawe

[WaffleMonster]

In order to pass certification for things like FCC the drivers need to be certified too. If they were open source then the user could just crank up the transmit power on their cellular modem or wifi to illegal levels

This is what RIL is for. Cell phones communicate with baseband processor using a standardized interface so the argument makes no sense on its face as the OS does not have the capability to command baseband to do something it isn't willing to.

The argument is further frustrated by the fact anyone can buy a USB stick with a GSM radio in it or a laptop with similar hardware to communicate over cellular networks. Yet the presence of such hardware does not preclude the successful installation of generic Linux distros nor detract from the ability to communicate with said radio.

This affects the x86 world too. Some laptops have a list of acceptable wifi cards baked into the BIOS. If you try to fit a non-certified one it won't work. Reason being that when you have 3 antennas they could potentially all be used to exceed acceptable transmission power limits if the user fits any random card, so the manufacturer has to limit to ones tested by the FCC etc. to never do that.

The FCC explicitly rejected this assertion. Systems need to be designed such that the radio interface cannot be commanded to exceed limits / bypass TDR detection..etc. They never said the entire operating system has to be locked down to achieve this.

Having said that, Google has largely fixed this now. Modern versions of Android can be patched by the Play Store services directly

No, Google play cannot update the operating system. They can only update shit that used to be part of Android but got moved into proprietary Google play malware stack as part of Google's never ending bid to own everything.

Re:Baking roms for each device needs to be outlawe

[WaffleMonster]

Dude, your comment is 4 years too late. Google released its Hardware abstraction layer with Android version 8, it's now on Version 9, and yes, current phones get security updates very quickly from reputable vendors.

This month, my non-google phone got the February patch update a few hours before the Pixel release was available.

In what year I will be able to install a generic Linux or Android distro on my cell phone?

Re:Baking roms for each device needs to be outlawe

[segin]

Android also requires device maps to give you state-of-the-1980s base memory addresses for device MMIO.

There's no PCI(e) interface on your phone, or any other "safe" means of software discovering what hardware is in the device. Just like any 8-bit microcomputer you grew up with, hardware control is done by writing memory values to various hardcoded memory addresses. If the sound driver, for example, doesn't know the exact base address of the sound controller, it won't init the sound at all and may even accidentally crash the system if it ends up feeding the wrong commands into the wrong hardware subsystem.

Remember when Windows 95 and 98 would do auto-detect for non-PnP hardware and the ever-present warning that the process could hang the machine was present? Yep, exact same story here.