-
After 15+ years, we've made a big change: Android Forums is now Early Bird Club. Learn more here.
Four-year-old bug could allow attackers steal data from 99pc Android devices
- Thread starter socrates0
- Start date
This just reinforces the common-sense advice frequently given out here at AF; "Be VERY careful if using anything other than Google Play."
gtbarry
Android Expert
If the article wanted to be accurate and informative, it would have stated:
"While there is no way for an infected app to reach the device regardless of what operating system they are using if they always use approved stores for downloading apps or updating them, the risk is very high for the users of third-party stores or consumers who install APK files from unknown sources."
In the case of Android, I would say that only Play Store and Amazon App Store are secure. Other than that, I have only downloaded betas from the swiftkey an swype official sites
"While there is no way for an infected app to reach the device regardless of what operating system they are using if they always use approved stores for downloading apps or updating them, the risk is very high for the users of third-party stores or consumers who install APK files from unknown sources."
In the case of Android, I would say that only Play Store and Amazon App Store are secure. Other than that, I have only downloaded betas from the swiftkey an swype official sites
Stannis the Mannis
Rapscallion
Taking into account that most people DON'T download apps from unknown sources there is no way it can affect 99% of Android Devices. If everyone was downloading from unkown sources then this claim might have some legitimacy. I mean just ask any casual users what an "apk" is -_-
If this affects 99% of Android devices, then i must be Batman.
If this affects 99% of Android devices, then i must be Batman.
Found this little nugget from an article on BBC News:
Uncovering Android Master Key That Makes 99% of Devices Vulnerable
Uncovering Android Master Key That Makes 99% of Devices Vulnerable
jhawkkw
Chinchillin'
Since it isn't about the Razr in particular and more about general Android, I have moved this topic to the Android Lounge. One thing that might settle you nerves is a quote I found from another article about the exploit:
LilBit
Extreme Android User
Same thing covered here.
http://androidforums.com/android-lo...ttackers-steal-data-99pc-android-devices.html
http://androidforums.com/android-lo...ttackers-steal-data-99pc-android-devices.html
jhawkkw
Chinchillin'
LilBit
Extreme Android User
Thanks for the heads up.
Threads Merged.
Nice merge!! I was just about to do it myself!! Got ninja'd though!!
gtbarry
Android Expert
People need to read more than the headline. As Slug pointed out above, this is about people sideloading from third-party sites. Not about Android.
Any OS can be infected when you load on software that you know nothing about. That goes for phones, tablets, servers, laptops, desktops, etc.
Any OS can be infected when you load on software that you know nothing about. That goes for phones, tablets, servers, laptops, desktops, etc.
i can't verify it........but i found something similar in gizmodo:There's a Massive Android Security Flaw Affecting Most of Us That Google Really Needs to Fix | Gizmodo UK
but it sounds like it is more on the play store....as long as you download apps or install apk's that you know are legit, you should be fine.
but it sounds like it is more on the play store....as long as you download apps or install apk's that you know are legit, you should be fine.
thanx gtbarry....i merged the two threads together.
Stannis the Mannis
Rapscallion
You guys should see some of the hysterical comments on G+, the ones from iDrones are particularly funny.
chevanlol360
Android Expert
You read the title correctly, your android device might be at risk for a serious bug that's been around since android 1.5 donut.
All quotations below are from the article that I got it from: http://m.techcrunch.com/2013/07/04/android-security-hole/
" Mobile security startup Bluebox Security has unearthed a vulnerability in Android
All quotations below are from the article that I got it from: http://m.techcrunch.com/2013/07/04/android-security-hole/
" Mobile security startup Bluebox Security has unearthed a vulnerability in Android
chevanlol360
Android Expert
The only manufacturer that has patched this exploit is Samsung, but only one of their device has the patch. The phone that is safe from this exploit is the Galaxy S4.
http://techcrunch.com/2013/07/04/android-security-hole/
"Update: According to a report in CIO, Google has already modified its Play Store’s app entry process so that apps that have been modified using this exploit are blocked and can no longer be distributed via Play."
"Update: According to a report in CIO, Google has already modified its Play Store’s app entry process so that apps that have been modified using this exploit are blocked and can no longer be distributed via Play."
they have yet to remove placebo/fake apps which do nothing except waste your time and battery energy as you shop the play store. Google does a "D" grade job of policing the play store, in my opinion.
Stannis the Mannis
Rapscallion
Ahh another OMG this will bring down android bug.
In reality, this won't affect people who download from the play store, which has always been the suggested method of getting apps
I have a feeling that we're gonna be seeing a lot more of these articles in the future.
SiempreTuna
Android Expert
Seems that a new Android vulnerability has been found that affects 99% of 'droids and could make your phone open to anything from snooping to a complete take over 
All Android apps contain a crytographic signature that ought to be invalidated if a legitimate app is tampered with - e.g. 'infected' with a virus - after distribution. Your phone checks the signature and will refuse to install an app if it's signature is invalid.
This vulnerability means that the apps can be amended without invalidating the signature which in turn means that kosher apps can be 'infected' with dodgy code and your phone will happily install them.
Unfortunately, individual manufacturers will need to fix their firmware and distribute the fix to all phones running any version of Android from 1.x on - good luck anyone with a non-current phone
On the upside, Google have fixed Play so no infected apps can be distributed from there which means that, so long as you avoid 3rd party app stores, you should be - relatively - safe.
All Android apps contain a crytographic signature that ought to be invalidated if a legitimate app is tampered with - e.g. 'infected' with a virus - after distribution. Your phone checks the signature and will refuse to install an app if it's signature is invalid.
This vulnerability means that the apps can be amended without invalidating the signature which in turn means that kosher apps can be 'infected' with dodgy code and your phone will happily install them.
Unfortunately, individual manufacturers will need to fix their firmware and distribute the fix to all phones running any version of Android from 1.x on - good luck anyone with a non-current phone
On the upside, Google have fixed Play so no infected apps can be distributed from there which means that, so long as you avoid 3rd party app stores, you should be - relatively - safe.
rabidhunter
Android Expert
I saw the following in an article. Thought it was worth sharing.
Security Research company BlueBox is reporting that they have uncovered a master key for the Android operating system that will allow a user unfettered access to the phonecontents of any Android phone with O/S versions dating back to 2009. Um
gtbarry
Android Expert
From the verge article:
"How that distribution would actually occur is still theoretical. Exploiting via Google's Play Store isn't possible, since Google has already updated the platform. But a user could still be tricked or lured into installing a bogus update through other avenues, including third party app stores, phishing emails, or malicious websites."
Really? Theoretical flaws get real articles? What's next? In theory an Android phone can't survive a direct hit from a nuclear missile?
Four year old Android bug could allow malicious apps on '99 percent' of devices | The Verge
"How that distribution would actually occur is still theoretical. Exploiting via Google's Play Store isn't possible, since Google has already updated the platform. But a user could still be tricked or lured into installing a bogus update through other avenues, including third party app stores, phishing emails, or malicious websites."
Really? Theoretical flaws get real articles? What's next? In theory an Android phone can't survive a direct hit from a nuclear missile?
Four year old Android bug could allow malicious apps on '99 percent' of devices | The Verge
rabidhunter
Android Expert
It's interesting, but also seemingly irrelevant. Am I worried, absolutely not. A little bit of common sense goes a long way.