Android in 2015?

Update HERE: https://sodpit.com/2015/08/07/stagefright-update/

No device is secure and Google has proven that Android is no exception.  Google has sent fixes for some of these problems to device manufacturers and cell phone carriers. They blame the manufacturers and carriers for long delays in pushing these fixes to their users – which is true – BUT… the manufacturers and carriers didn’t write the code OR cause ANY of these problems.

I won’t be signing up for Android Auto any time soon.

Here are some of the most recent vulnerabilities…

(I will follow up when I have more time)


“Matroska” Vulnerability (Low Priority) / Affects 50% of Android devices used today
July 29, 2015

Trend Micro Discovers Vulnerability That Renders Android Devices Silent

Can cause: “No ring tone, text tone, or notification sounds can be heard. The user will have have no idea of an incoming call/message, and cannot even accept a call. Neither party will hear each other. The UI may become very slow to respond, or completely non-responsive. If the phone is locked, it cannot be unlocked.”

Mitigation:
None so far. Reboot to fix.


“Stagefright” Hack (Severe) / Affects 95% of Android devices used today
July 27, 2015

Information:
Experts Found a Unicorn in the Heart of Android

Possible Mitigation:
Make sure to disable all the ‘Auto-Download’ features for MMS in your messaging apps (Hangouts, Messaging, etc.)
It’s too early to know as the vulnerability isn’t public; there are no tests or patches available.


“SwiftKey” Vulnerability (Very Low Severity) / Samsung Stock Keyboard Security Risk
June 16, 2015

Samsung Keyboard Security Risk Disclosed: Over 600M+ Devices Worldwide Impacted (nowsecure.com)
Remote Code Execution as System User on Samsung Phones (nowsecure.com)

I’m marking this one as Very Low Severity since it would almost be impossible for this exploit to work: “A user must be connected to a compromised network (such as a spoofed public Wi-Fi network), where a hacker with the right tools has specifically intended to gain access to their device. This access is then only possible if the user’s keyboard is conducting a language update at that specific time, while connected to the compromised network.

Samsung’s Response…

If the flaw in the keyboard is exploited, an attacker could remotely:
1 – Access sensors and resources like GPS, camera and microphone
2 – Secretly install malicious app(s) without the user knowing
3 – Tamper with how other apps work or how the phone works
4 – Eavesdrop on incoming/outgoing messages or voice calls
5 – Attempt to access sensitive personal data like pictures and text messages

Mitigation:
The Samsung SwiftKey Vulnerability – What You Need To Know, And How To Protect Yourself


“FakeID” Vulnerability (Severe)
July 29, 2014

Android Fake ID Vulnerability Lets Malware Impersonate Trusted Applications, Puts All Android…

“…Allows a malicious application to inject Trojan horse code (in the form of a webview plugin) into other apps, which leads to taking control of the entire app, all of the apps’s data, and being able to do anything the app is allowed to do.”

Mitigation:
Bluebox Security Scanner for Android
Test if your system is vulnerable or patched to any of the “Fake ID” or “Master Key” security flaws affecting most Android devices


“Master Key” Exploit (Severe)
July 3, 2013

Android Master Key Exploit – Uncovering Android Master Key…

“Installation of a Trojan application from the device manufacturer can grant the application full access to Android system and all applications (and their data) currently installed. The application then not only has the ability to read arbitrary application data on the device (email, SMS messages, documents, etc.), retrieve all stored account & service passwords, it can essentially take over the normal functioning of the phone and control any function thereof (make arbitrary phone calls, send arbitrary SMS messages, turn on the camera, and record calls). Finally, and most unsettling, is the potential for a hacker to take advantage of the always-on, always-connected, and always-moving (therefore hard-to-detect) nature of these “zombie” mobile devices to create a botnet.”

Mitigation:
Bluebox Security Scanner for Android
Test if your system is vulnerable or patched to any of the “Fake ID” or “Master Key” security flaws affecting most Android devices


Leave a Reply