Waiting for Android’s inevitable security Armageddon

“We’re on day who-the-heck-knows of the Android Stagefright security vulnerability, and there’s really no point keeping track of the days because no one’s going to fix it,” Ron Amadeo writes for Ars Technica. “The Android ecosystem can’t deal with security, and it won’t change until it’s too late.”

“Android still uses a software update chain-of-command designed back when the Android ecosystem had zero devices to update, and it just doesn’t work,” Amadeo writes. “There are just too many cooks in the kitchen: Google releases Android to OEMs, OEMs can change things and release code to carriers, carriers can change things and release code to consumers. It’s been broken for years.”

“The Android ecosystem’s reaction to the ‘Stagefright’ vulnerability is an example of how terrible things are. An estimated 95 percent of Android devices have a remote arbitrary code execution just by receiving a malicious video MMS. Android has other protections in place to stop this vulnerability from running amok on your smartphone, but it’s still really scary. As you might expect, Google, Samsung, and LG have all pledged to ‘Take Security Seriously’ and issue a fix as soon as possible,” Amadeo writes. “Their ‘fix’ is going to be to patch 2.6 percent of all active Android devices. Tops. That’s the percentage of Android devices that are running Android 5.1 today, nearly five months after the OS was released. And 2.6 percent is a generous estimation for the top-end of ‘currently supported’ Android devices in the wild. In reality, the number of devices getting a Stagefright patch will almost certainly be much lower.”

“The Android update machine is broken, and in order to rebuild it in a way that works, we need to burn it down,” Amadeo writes. “Anyone have a match?”

Much more in the full article – recommended – here.

MacDailyNews Take: Oh, you need a light? Here ya go!

Thermonuclear

SEE ALSO:
Android fingerprint sensors aren’t as secure as iPhone’s Touch ID – August 10, 2015
Apple iPhone sees highest switching rate from Android ever recorded – August 10, 2015
This is how Apple’s iPhone kills Android phones – August 7, 2015
Certifi-gate: Hundreds of millions of Android devices vulnerable to stealth unrestricted access – August 7, 2015
Malformed video files can be used to crash half of all Android phones – July 30, 2015
Security journalist: Goodbye, Android, hello Apple iPhone! – July 29, 2015
950 million Android phones can be hijacked by malicious text messages – July 27, 2015
New Android malware strains to top 2 million by end of 2015 – July 1, 2015
Symantec: 1 in 5 Android apps is malware – April 25, 2015
Kaspersky Lab Director: Over 98% of mobile malware targets Android because it’s much, much easier to exploit than iOS – January 15, 2015
Security experts: Malware spreading to millions on Android phones – November 21, 2014
There’s practically no iOS malware, thanks to Apple’s smart control over app distribution – June 13, 2014
F-Secure: Android accounted for 99% of new mobile malware in Q1 2014 – April 30, 2014
Google’s Sundar Pichai: Android not designed to be safe; if I wrote malware, I’d target Android, too – February 27, 2014
Cisco: Android the target of 99 percent of world’s mobile malware – January 17, 2014
U.S. DHS, FBI warn of malware threats to Android mobile devices – August 27, 2013
Android app malware rates skyrocket 40 percent in last quarter – August 7, 2013
First malware found in wild that exploits Android app signing flaw – July 25, 2013
Mobile Threats Report: Android accounts for 92% of all mobile malware – June 26, 2013
Latest self-replicating Android Trojan looks and acts just like Windows malware – June 7, 2013
99.9% of new mobile malware targets Android phones – May 30, 2013
Mobile malware exploding, but only for Android – May 14, 2013
Mobile malware: Android is a bad apple – April 15, 2013
F-Secure: Android accounted for 96% of all mobile malware in Q4 2012 – March 7, 2013
New malware attacks Android phones, Windows PCs to eavesdrop, steal data; iPhone, Mac users unaffected – February 4, 2013

[Thanks to MacDailyNews Reader “Tayster” for the heads up.]

17 Comments

    1. Not entirely true. Software “engineering” can be done in such a way that it’s relatively secure. Note the use of “relatively”… because it will always be a cat-and-mouse game. As software gets more sophisticated and technology evolves, the bar continues to be raised. The problem with Android (and Windows) is that the bar was completely ignored.

  1. Imagine if Windows Update security patches had to get the blessing of Dell and your ISP before you could install them, and neither of them cared. That’s Android.

  2. This is a big deal:

    Earlier today I read a post from a security expert that claimed this exploit is the most serious tech issue ever. He claimed sleeper code could lie dormant, and might be able to bring down all cellular networks if activated. He then recommended Android users should immediately replace their phones with Blackberry or iPhones.

    Soon after a poster on another blog claimed that a company he is working with sent a memo to all their employees demanding that those with Android phones should find the patch and install it. Failure to comply with that request could result in a denial of access to that company’s network.

    I imagine this is not an isolated incident and companies across the United States are taking the same precautions. Since most Android users cannot get the patch, many employees of many companies will not be able to do things like connect to corporate email, corporate calendars, etc.

    This could be the final straw that breaks Android’s back.

  3. All these things are quite encouraging (for us Apple fans, who are anxious to see Android bludgeoned and on the ropes), but I think none of this will have any significant impact on the public perception of Android security. Ordinary people simply have no clue what a ‘vulnerability’ is and what it means for them from the risk perspective. They are simply oblivious and ignorant, and even if news like this makes it onto front pages and prime-time newscasts, they will still remain indifferent.

    What I’m anxious to see is an actual, working, mass-deployed exploit. A piece of malware that will exploit a vulnerability such as this one on a massive scale, infecting hundreds of millions of Android phones, disabling phone calling, internet access, wifi, bluetooth, wiping address books and Google accounts, etc… The only way ordinary ignorant Android users will understand how bad the security on their phone is, is if they suffer the consequences. While this may be a very, very malicious thing to wish upon ordinary innocent people, in the end, it may be the one thing necessary for such ordinary people to truly get it.

    I am on the one hand perplexed that such an outbreak hasn’t happened long ago, and on the other hand hopeful that such a calamity (perhaps not on such a massive global scale; 20 – 40 million users would be more than enough) will take place soon enough.

    1. I’m surprised at your apocalyptic fantasy, despite its being consistent with MDN nuclear imagery, Biblical metaphors, and rampant fanboyism. You’re a voice of moderation in this forum and seldom let frustration get the better of you.

      Surely you must realise that the Android mentality is a cornerstone of human nature, a part of us that is unconsciously driven. We want what we want, and don’t think about it much, except to rationalise our choices when challenged.

      Punishing so many people whose only transgression is being a bit witless about technology, and a bit casual about security, seems unduly harsh.

      OT I wonder if you are acquainted with a fellow named Kristjan Järvi. I was blown away by a program he put together on Frank Zappa.

      1. Re-reading my post, it may well come across as some terrorist manifesto; after all, most of them tend to have a similar line of thinking and rationalization (“in every just war innocent people die”).

        My occasional frustration at the state of iOS-Android affairs comes not so much from the ignorance of most of its users, but from the stubborn arrogance of its rabid fans. A moderate global outbreak would go a long way in shutting them up.

        As for Järvi, I know of his father and brother, of course, but I didn’t realize that he was also successful and acclaimed. I’m going to have to look up that Zappa project now.

    1. Android users happily buy ‘cheaper’ machines not caring that it’s based on stolen technology. It’s not like crime LA NY you’re saying, it’s like “a guy who bought a stolen radio and then found out it doesn’t work.”

  4. You’re welcome MDN. I posted a link to this article here at MDN a few days ago.

    Apparently, I’m just too rad for MDN to ever give me credit. And yet MDN quotes my sarcastic lingo inventions incessantly. An odd sort of flattery. My guess is that they don’t want to let the Neo-Cons know that they secretly <3 me, seeing as I openly hate the Neo-Cons. 😉

    1. At least they’re allowing you to claim credit and not deleting your posts. That has to be worth something.

      As for the Neocons (almost an antiquated term) I hope you realise that there is a spectrum of political ideas emerging, not quite the binary polarisation of the recent past.

  5. Then This Happened

    Another day, another stunning security flaw in Android – this time hitting 55% of mobes
    Bug allows ordinary apps to gain control of gadgets

    A privilege escalation hole allows normal apps to gain superpowers to snoop on a device’s owner, smuggle in malware, and wreak other havoc.

    The vulnerability, CVE-2015-3825, affects about 55 per cent of Android handsets – basically version 4.3 and above, as well as the current build of Android M.

    Flaws in the OpenSSLX509Certificate class in Android can be exploited by an app to compromise the system_server process – and gain powerful system-level access on the device.

    “In a nutshell, advanced attackers could exploit this arbitrary code execution vulnerability to give a malicious app with no privileges the ability to become a “super app” and help the cybercriminals own the device,” said Or Peles, security researcher at IBM’s X-Force application security research team.

    I believe the proper response is OMFG.

    A patch is out, but the question is what devices amidst the fragmentation nightmare of Android will be able to get it and when.

    WIDE open…
    👹👺💀
