Archive for the ‘Android’ Category

Inexpensive, unpatched phones put billions of users’ privacy at risk

October 7th, 2019
Cellphones of all design clutter a table in order to share a single cluttered power outlet.

Enlarge / Cellphones charging in the Philippines at a station run by generator in 2013, while power was out in the wake of tyhpoon Haiyan. (credit: Jacob Maentz | Corbis via Getty Images)

Privacy, it seems, is increasingly a luxury reserved for those who can afford it. "Free" services are rarely free, and in the 21st century, the adage seems to be that if you aren't paying with your money, you're paying with your personal data. But while a user at the higher ends of the income scale can afford to be choosy with both their cash and their privacy, users of the cheap, mostly Android-based smartphones that dominate the market worldwide are bearing the burden.

Apple's iPhone might be the single most popular device line among US consumers, but the iPhone's high-end cachet comes with a matching price tag. Likewise, a premium flagship Android phone, such as a new Google Pixel or Samsung Galaxy device, runs in the $500 to $1000 range.

Connectivity, however, is happily not limited to just the global wealthy. Billions of users in both developing and mature economies to whom the price tag puts a high-end phone out of reach still have access to lower-spec devices. Nearly all of the lower-end phones available worldwide run Android, giving Google's OS a greater than 80% market share globally.

Read 11 remaining paragraphs | Comments

Posted in Android, income inequality, Policy, Privacy | Comments (0)

New 0-Day Flaw Affecting Most Android Phones Being Exploited in the Wild

October 4th, 2019
Another day, another revelation of a critical unpatched zero-day vulnerability, this time in the world's most widely used mobile operating system, Android. What's more? The Android zero-day vulnerability has also been found to be exploited in the wild by the Israeli surveillance vendor NSO Group—infamous for selling zero-day exploits to governments—or one of its customers, to gain control of

Posted in Android, Android Vulnerability, Cyber Attack, hacking android phone, hacking news, how to hack android, Vulnerability, Zero-Day Vulnerability | Comments (0)

Attackers exploit 0day vulnerability that gives full control of Android phones

October 4th, 2019
Attackers exploit 0day vulnerability that gives full control of Android phones

Enlarge (credit: Maurizio Pesce)

Attackers are exploiting a critical vulnerability in Google’s Android mobile operating system that can give them full control of at least 18 different phone models, including four different Pixel models, a member of Google’s Project Zero research group said on Thursday night.

There’s evidence the vulnerability is being actively exploited, either by exploit developer NSO Group or one of its customers, Project Zero member Maddie Stone said in a post. Exploits require little or no customization to fully root vulnerable phone models. The vulnerability can be exploited two different ways: (1) when a target installs an untrusted app or (2) for online attacks, by combining the exploit with a second exploit targeting a vulnerability in code the Chrome browser uses to render content.

“The bug is a local privilege escalation vulnerability that allows for a full compromise of a vulnerable device,” Stone wrote. “If the exploit is delivered via the Web, it only needs to be paired with a renderer exploit, as this vulnerability is accessible through the sandbox.”

Read 10 remaining paragraphs | Comments

Posted in Android, Biz & IT, exploits, pixel, vulnerabilities, zeroday | Comments (0)

Egypt used Google Play in spy campaign targeting its own citizens, researchers say

October 3rd, 2019
Indexy was removed from Google Play after Check Point researchers discovered it was being used in a campaign to spy on Egyptian citizens.

Enlarge / Indexy was removed from Google Play after Check Point researchers discovered it was being used in a campaign to spy on Egyptian citizens. (credit: Check Point Technologies)

Hackers with likely ties to Egypt’s government used Google’s official Play Store to distribute spyware in a campaign that targeted journalists, lawyers, and opposition politicians in that country, researchers from Check Point Technologies have found.

The app, called IndexY, posed as a means for looking up details about phone numbers. It claimed to tap into a database of more than 160 million Arabic numbers. One of the permissions it required was access to a user’s call history and contacts. Despite the sensitivity of that data, those permissions were understandable, given the the app’s focus on phone numbers. It had about 5,000 installations before Google removed it from Play in August. Check Point doesn’t know when IndexY first became available in Play.

Behind the scenes, IndexY logged whether each call was incoming, outgoing, or missed as well as its date and duration. Publicly accessible files left on indexy[.]org, a domain hardcoded into the app, showed not only that the data was collected but that the developers actively analyzed and inspected that information. Analysis included the number of users per country, call-log details, and lists of calls made from one country to another.

Read 10 remaining paragraphs | Comments

Posted in Android, Biz & IT, Egypt, google play, malware, surveillance | Comments (0)

Zero-day privilege escalation disclosed for Android

September 5th, 2019
Zero-day privilege escalation disclosed for Android

Enlarge (credit: portal gda / Flickr)

Researchers have disclosed a zero-day vulnerability in the Android operating system that gives a major boost to attackers who already have a toe-hold on an affected device.

The privilege-escalation flaw is located in the V4L2 driver, which Android and other Linux-based OSes use to capture real-time video. The vulnerability results from a "lack of validating the existence of an object prior to performing operations on the object," researchers with Trend Micro's Zero Day Initiative said in a blog post published Wednesday. Attackers who already have untrusted code running with low privileges on a device can exploit the bug to access privileged parts of the Android kernel. The severity score is rated a 7.8 out of a possible 10 points.

Modern OSes have become increasingly hard to compromise in recent years thanks to exploitation mitigations that prevent untrusted code from interacting with hard drives, kernels, and other sensitive resources. Hackers have responded by chaining two or more exploits together. A buffer overflow, for instance, may allow an attacker to load malicious code into memory, and a privilege-escalation flaw gives the code the privileges it needs to install a persistent payload.

Read 6 remaining paragraphs | Comments

Posted in Android, Biz & IT, exploits, privilege escalation, vulnerabilities, zeroday | Comments (0)

Expanding bug bounties on Google Play

August 29th, 2019

Posted by Adam Bacchus, Sebastian Porst, and Patrick Mutchler — Android Security & Privacy

[Cross-posted from the Android Developers Blog]

We’re constantly looking for ways to further improve the security and privacy of our products, and the ecosystems they support. At Google, we understand the strength of open platforms and ecosystems, and that the best ideas don’t always come from within. It is for this reason that we offer a broad range of vulnerability reward programs, encouraging the community to help us improve security for everyone. Today, we’re expanding on those efforts with some big changes to Google Play Security Reward Program (GPSRP), as well as the launch of the new Developer Data Protection Reward Program (DDPRP).

Google Play Security Reward Program Scope Increases

We are increasing the scope of GPSRP to include all apps in Google Play with 100 million or more installs. These apps are now eligible for rewards, even if the app developers don’t have their own vulnerability disclosure or bug bounty program. In these scenarios, Google helps responsibly disclose identified vulnerabilities to the affected app developer. This opens the door for security researchers to help hundreds of organizations identify and fix vulnerabilities in their apps. If the developers already have their own programs, researchers can collect rewards directly from them on top of the rewards from Google. We encourage app developers to start their own vulnerability disclosure or bug bounty program to work directly with the security researcher community.

Vulnerability data from GPSRP helps Google create automated checks that scan all apps available in Google Play for similar vulnerabilities. Affected app developers are notified through the Play Console as part of the App Security Improvement (ASI) program, which provides information on the vulnerability and how to fix it. Over its lifetime, ASI has helped more than 300,000 developers fix more than 1,000,000 apps on Google Play. In 2018 alone, the program helped over 30,000 developers fix over 75,000 apps. The downstream effect means that those 75,000 vulnerable apps are not distributed to users until the issue is fixed.

To date, GPSRP has paid out over $265,000 in bounties. Recent scope and reward increases have resulted in $75,500 in rewards across July & August alone. With these changes, we anticipate even further engagement from the security research community to bolster the success of the program.

Introducing the Developer Data Protection Reward Program

Today, we are also launching the Developer Data Protection Reward Program. DDPRP is a bounty program, in collaboration with HackerOne, meant to identify and mitigate data abuse issues in Android apps, OAuth projects, and Chrome extensions. It recognizes the contributions of individuals who help report apps that are violating Google Play, Google API, or Google Chrome Web Store Extensions program policies.

The program aims to reward anyone who can provide verifiably and unambiguous evidence of data abuse, in a similar model as Google’s other vulnerability reward programs. In particular, the program aims to identify situations where user data is being used or sold unexpectedly, or repurposed in an illegitimate way without user consent. If data abuse is identified related to an app or Chrome extension, that app or extension will accordingly be removed from Google Play or Google Chrome Web Store. In the case of an app developer abusing access to Gmail restricted scopes, their API access will be removed. While no reward table or maximum reward is listed at this time, depending on impact, a single report could net as large as a $50,000 bounty.

As 2019 continues, we look forward to seeing what researchers find next. Thank you to the entire community for contributing to keeping our platforms and ecosystems safe. Happy bug hunting!

Posted in Android, Android Security, security | Comments (0)

Google Play app with 100 million downloads executed secret payloads

August 27th, 2019
Google Play app with 100 million downloads executed secret payloads

Enlarge (credit: NurPhoto | Getty Images)

The perils of Google Play are once again on display with the discovery of an app with 100 million downloads that contained a malicious component that downloaded secret payloads onto infected Android devices.

Throughout most of its life, CamScanner was a legitimate app that provided useful functions for scanning and managing documents, researchers from antivirus provider Kaspersky Lab said on Tuesday. To make money, the developers displayed ads and offered in-app purchases.

Then, at some point things changed. The app was updated to add an advertising library that contained a malicious module. This component was what’s known as a “Trojan dropper,” meaning it regularly downloaded encrypted code from a developer-designated server at https://abc.abcdserver[.]com and then decrypted and executed it on infected devices. The module, which Kaspersky Lab researchers named Trojan-Dropper.AndroidOS.Necro.n, could download and execute whatever the developers wanted at any time. The researchers said that they have previously found Trojan-Dropper.AndroidOS.Necro.n lurking inside apps that are preinstalled on some phones sold in China.

Read 4 remaining paragraphs | Comments

Posted in Android, apps, Biz & IT, google play, malware, security | Comments (0)

85 Google Play apps with 8 million downloads forced fullscreen ads on users

August 19th, 2019
85 Google Play apps with 8 million downloads forced fullscreen ads on users

Enlarge (credit: Trend Micro)

Researchers found 85 Google Play apps with more than 8 million downloads that forced users to view fullscreen ads.

The apps, which posed as photography and gaming programs, contained a family of adware that was highly disruptive to end users. Once installed, the apps displayed ads in full screen—a setting that forced users to view the entire duration of an ad before being able to close the window or get back to the app. The apps showed an ad every five minutes, but the people operating the platform had the ability to remotely change the frequency.

AndroidOS_Hidenad.HRXH, as the adware is called, used several tricks to evade detection and removal. A half-hour after being installed, for instance, an app would hide its icon and create a shortcut on the device home screen. (That's according to a write-up from Trend Micro, the security firm that found the apps.) Hiding the icon prevented the apps from being uninstalled by dragging and dropping the icon uninstall section of the device screen. Android 8 and later versions require user confirmation before an app can create a shortcut, but even if users of these versions didn't agree, the icon would nonetheless remain hidden.

Read 7 remaining paragraphs | Comments

Posted in adware, Android, Biz & IT, google play | Comments (0)

Galaxy Note10 hands-on: Samsung falls behind the competition

August 8th, 2019

NEW YORK CITY—Samsung showed off its next flagship smartphone last night: the Galaxy Note10. It comes in two variants—large (the Note10) and larger (the Note10+).

In person, the larger Galaxy Note10+ is absolutely huge. And I say this not as someone who carries around a tiny phone all day, but as someone who is used to the already-giant Android phones out there. First the display is actually bigger, with the Note10+ screen topping out at 6.8-inches diagonally, a new high-mark this year. The "smaller" Note10 is a mere 6.3-inches, which is still extra huge. The other thing contributing to the imposing presence is the sharper display corners. The heavily rounded corners of yesterday are out, and the Note10 is a big ol' sharp rectangle.

The front and back of the device is curved along the long edge, which helps you wrap your tiny, pathetic human hands around Samsung's giant slab of glass and pixels. Width is really the thing that makes a phone feel big in your hand, and the Note10+'s 77.2mm-wide body has got to be a new high watermark in phone girthiness. The bigger size is actually quite nice to use with the S-Pen, which always feels like it needs as much real estate as possible for drawing or handwriting. I still never want to do any handwriting or drawing on my phone, but for those that do, bigger is better probably.

Read 11 remaining paragraphs | Comments

Posted in Android, flagship phone, galaxy note10, note10, Samsung, samsung galaxy, samsung galaxy note, Tech | Comments (0)

Google Pixel 4 will reportedly jump on the 90Hz display bandwagon

August 8th, 2019

Pixel 4 rumor season never stops, even if Samsung is having a major smartphone launch. 9to5Google, which had its earlier Pixel 4 rumors confirmed by Google before the phone has even launched, has a fresh set of Pixel 4 rumors for us.

First up: The Pixel 4 will supposedly have a 90Hz "smooth display" feature, just like the OnePlus 7 Pro. This means the entire interface should refresh at 90 frames per second instead of the usual 60, which—on the OnePlus 7 Pro at least—proved to be an absolute revelation for UI smoothness and making the phone feel fast and responsive. Until 90Hz displays came along, Google was the leader in Android UI "smoothness," so it'll be interesting to see what the company can do with a faster display.

Quicker display refresh rates are rapidly becoming the next big upgrade for Android phones—as evidenced by the aforementioned 90Hz OnePlus phone and even a 120Hz OLED screen from Asus with the ROG Phone 2. At the Note10 launch, we were disappointed to see Samsung shipping a regular old 60Hz display on its $1000 flagship, and now it looks like even Google is going to beat Samsung to the punch.

Read 4 remaining paragraphs | Comments

Posted in 90 hz, 90 hz display, Alphabet, Android, google, Google Pixel, google pixel 4, pixel 4, Tech | Comments (0)