“An Android flaw has been uncovered that lets malware insert malicious code into other apps, gain access to the user’s credit card data and take control of the device’s settings,” Leo Kelion reports for BBC News. “BlueBox Labs said it was particularly concerning as phone and tablet owners did not need to grant the malware special permissions for it to act.”
“The company added it had alerted Google to the problem in advance to allow it to mend its operating system. Google confirmed it had created a fix,” Kelion reports. “However, the many thousands of devices still running versions of the operating system ranging from Android 2.1 to Android 4.3 and have not been sent the fix by relevant network operators and manufacturers remain vulnerable if they download apps from outside the Google Play store.”
Jeff Forristal, chief technology officer of BlueBox, gave three examples of how a faked certification signature might be used to cause harm:
• The app pretends to be created by Adobe Systems – Adobe is granted the privilege of being able to add code to other apps in order to support their use of its Flash media-player plug-in. The malware can take advantage of this to install Trojan horse malware into otherwise authentic programs.
• The app uses the same ID used by Google Wallet – the search firm’s mobile payment software is usually the only app allowed to communicate with the secure hardware used to make credit card transactions via a phone’s tap-to-pay NFC (near field communication) chip. By exploiting this, the malware can obtain financial and payment data that would otherwise be protected.
• The app impersonates 3LM software – many manufacturers add their own skins to Android to customise their devices’ user interfaces and functions. In the past, HTC, Sony, Sharp, Motorola and others did this by using extensions created by a now defunct business called 3LM. By masquerading as 3LM’s software, malware could take full control of the relevant devices and both uninstall their existing software as well as adding spyware, viruses and other damaging content of its own.
Read more in the full article here.
MacDailyNews Take: Fragmandroid. Open – as in, wide.
Smart buyers don’t settle for insecure knockoffs of Apple revolutions.
[Thanks to MacDailyNews Readers “Brawndo Drinker” and “Dan K.” for the heads up.]
Crucial security flaw found in Google Play: Thousands of secret keys found in Android apps – June 19, 2014
With iOS 8, Apple makes iOS even more secure ahead of smartphone security competition – June 10, 2014
iOS 8’s extensions explained: Opening the platform while keeping it secure – June 9, 2014
New iOS 8 feature lets users cloak their iPhones from tracking by retailers, marketers, other companies – June 9, 2014
New malware takes Android phones hostage, demands ransom for unlock – June 5, 2014
F-Secure: Android accounted for 99% of new mobile malware in Q1 2014 – April 30, 2014
Google’s Sundar Pichai: Android not designed to be safe; if I wrote malware, I’d target Android, too – February 27, 2014
Cisco: Android the target of 99 percent of world’s mobile malware – January 17, 2014
U.S. DHS, FBI warn of malware threats to Android mobile devices – August 27, 2013
Android app malware rates skyrocket 40 percent in last quarter – August 7, 2013
First malware found in wild that exploits Android app signing flaw – July 25, 2013
Mobile Threats Report: Android accounts for 92% of all mobile malware – June 26, 2013
Latest self-replicating Android Trojan looks and acts just like Windows malware – June 7, 2013
99.9% of new mobile malware targets Android phones – May 30, 2013
Mobile malware exploding, but only for Android – May 14, 2013
Mobile malware: Android is a bad apple – April 15, 2013
F-Secure: Android accounted for 96% of all mobile malware in Q4 2012 – March 7, 2013
New malware attacks Android phones, Windows PCs to eavesdrop, steal data; iPhone, Mac users unaffected – February 4, 2013
FBI issues warning over Android malware attacks – October 15, 2012
Researchers discover serious flaw in Android app security, say HTC and Samsung ignore issue – September 28, 2012
Apple’s iPhone has passed a key security threshold – August 13, 2012
Android permissions flaw allows eavesdropping, data theft, location tracking – December 2, 2011
Massive HTC Android security flaw leaves security expert speechless – October 2, 2011
Apple’s iOS unaffected by malware as Android exploits surge 76% – August 24, 2011
Android malware records phone calls; iPhone users unaffected – August 2, 2011
Symantec: Apple iOS offers ‘full protection,’ Google Android ‘little protection’ vs. malware attacks – June 29, 2011
Malware apps spoof Android Market to infect Android phones – June 21, 2011
Google forced to pull several malware-infested apps from Android market – June 8, 2011
Android malware sees explosive growth; even faster than with PCs – April 27, 2011
Virus-laden apps infest Google’s ‘open’ Android platform; iPhone unaffected – March 3, 2011
Security firm warns of new Android trojan that can steal personal information; iPhone unaffected – December 30, 2010
Trojan infects Android smartphones; iPhone unaffected – August 10, 2010
Millions of Android phone users slammed by malicious data theft app – July 29, 2010
Unlike proactive Apple, reactive Google doesn’t block malware from Android app store – June 4, 2010
Malware designed to steal bank information pops up in Google’s Android app store – January 11, 2010