Yet another serious Android security issue was publicized this week, with the latest exploit rendering devices "lifeless," and said to affect more than half of units currently on the market.
The security flaw in Google's Android mobile operating system was discovered by Trend Micro, which reported the issue in May. But no fix has been issued, as Google acknowledged the report as a "low priority vulnerability" on May 20.
The flaw is said to affect devices running Android 4.3 Jelly Bean up to the latest version, Android 5.1.1 Lollipop.
By either installing a malicious app on an Android device, or directing users to a nefarious website, hackers can cause an Android device to become "apparently dead — silent, unable to make calls, with a lifeless screen," Trend Micro explained. If the exploit is installed through an app, it can auto-start whenever the device boots, causing Android to crash every time the device is powered on.
"In some ways, this vulnerability is similar to the recently discovered Stagefright vulnerability," they explained. "Both vulnerabilities are triggered when Android handles media files, although the way these files reach the user differs."
The "Stagefright" Android security issue was publicized earlier this week, and has the ability to affect even more Android handsets — more than 950 million devices, according to one estimate. Stagefright is the name for a system service in Android that processes various media formats implemented in native C++ code, and it can be exploited through a simple MMS message.
Unlike the issue discovered by Trend Micro, which has not yet been patched, Stagefright was fixed by Google in the latest versions of Android. But because many users are not running the latest version of the mobile operating system, the vulnerability is said to affect 95 percent of Android device owners, running version 2.2 Froyo all the way up to 5.1.1 Lollipop.
Most Android device owners simply cannot run the latest version of the operating system because of restrictions put in place by handset makers. In contrast, 85 percent of Apple mobile device users are running iOS 8 or later, its latest-generation operating system, while another 13 percent are on iOS 7.
Trend Micro cautioned this week that its new exploit and Stagefright could be just the beginning of other security issues to come.
"Further research into Android — especially the mediaserver service — may find other vulnerabilities that could have more serious consequences to users, including remote code execution," they wrote.
28 Comments
You sure do send me a lot of invites. What excuse do you know of? I don't personally have one to give you. Making one up is perhaps better done by others here with more practice as I'm not very good at it.
[quote name="Gatorguy" url="/t/187425/latest-android-security-exploit-could-leave-more-than-half-of-current-devices-dead-unusable#post_2754499"]You sure do send me a lot of invites. What excuse do you know of?[/quote] He's our version of Donald Trump. Lots of noise, little follow up. Sorry.
This reminds me when Eric Schmidt proudly touted that Android was more secure than the iPhone. It was laughable at the time and lampooned by the tech media, and rightly so - they were (and still are) regularly reporting serious Android security lapses/exploits. Google didn't build Android, and what they did build has been rushed. It's what happens when the direction of the platform is in a constant state of reactionary-change and a company mission that changes with the wind.
Let’s see, the Wild Wild West vs the Walled Garden, what to do, what to do.
[quote name="sog35" url="/t/187425/latest-android-security-exploit-could-leave-more-than-half-of-current-devices-dead-unusable#post_2754500"] You keep making excuses for Google and their total lack of concern for customers who buy Android phones. Basically Google does not give two shits about an Android's customers security as long as they keep feeding them ads. Google/Android's entire business plan revolves around feeding the users ads at maximum ad rates. Security does not matter. IMO Android users should take Google to court for gross negligence. [/quote] Kudos. The "making stuff up" is good to go. :rolleyes: Of course security matters, particularly business-wise. If Android devices aren't relatively secure then users eventually look elsewhere, Apple or even perhaps Microsoft. As someone mentioned yesterday Google decided early on that the best way to distribute Android was via OEM's and making it attractive was the best way to get them on board. Now that the platform is established it's time for Google to take better control of it, and maybe they are. Many of the OEM's appear to be putting a greater emphasis on timely updates. If they'd do as Moto does it would work well. Their OS updates sometimes get delivered to users' devices even quicker than Google themselves get it out to Nexus models. No particular reason that other manufacturers could not do the same if they'd just make better choices on how Android is integrated with their handsets. But as mobile OS's take over the market you can expect more and more of these "exploits" to pop their heads out of the ground. iOS recently had their own exploit that could cause the same continuous reboot if making a connection to a bad player with wi-fi. https://www.yahoo.com/tech/no-ios-zone-exploit-lets-hackers-continuously-117171131494.html iOS had its own recent exploit that potentially affected every device via key-chain. (Has that been [B]completely[/B] patched yet? I don't think so but maybe.)
http://arstechnica.com/security/2015/06/serious-os-x-and-ios-flaws-let-hackers-steal-keychain-1password-contents/ But advantage Apple here by far. I don't think they necessarily respond to security issues faster than Google does or perhaps even have fewer problems, but without hands being tied by outside manufacturers and carriers they can usually get the fixes out to users faster and [B]that's[/B] what's important. Google is just going to have to take firmer control of Android IMHO. While the original plan worked well, perhaps too well even, it's time to move on and be more Apple-like in the way Android is controlled. That's of course if regulatory folks in the EU will allow it. :\ They think they're doing consumers a favor by meddling, not realizing they may be shooting their own toes off. Just my opinion. Anyway, in general mobile operating systems are considered far more secure than "desktop" ones. Maybe as they become even more intricate and interactive that might change. I hope not. In the meantime look for many more "discovered exploits" in mobile.