“Millions of Android phones, including the entire line of Nexus models, are vulnerable to attacks that can execute malicious code and take control of core functions almost permanently, Google officials have warned,” Dan Goodin reports for Ars Technica.
“The flaw, which allows apps to gain nearly unfettered “root” access that bypasses the entire Android security model, has its origins in an elevation of privileges vulnerability in the Linux kernel. Linux developers fixed it in April 2014 but never identified it as a security threat,” Goodin reports. “For reasons that aren’t clear, Android developers failed to patch it even after the flaw received the vulnerability identifier CVE-2015-1805 in February 2015.”
“Friday’s advisory didn’t identify the app that was exploiting the vulnerability except to say it was publicly available, both within and outside of Play, and worked on Nexus 5 and Nexus 6 phones,” Goodin reports. “The vulnerability is present in all Android releases that use Linux kernel versions 3.4, 3.10, and 3.14. That includes all Nexus phones, as well as a large number of handsets marketed under major manufacturer brands.”
Read more in the full article here.
MacDailyNews Take: Reason #8,435,236 not to use derivative garbage.
If it’s not an iPhone, it’s not an iPhone.
SEE ALSO:
Android malware hits Aussie bank customers, iOS users unaffected – March 10, 2016
Android malware steals one-time passcodes, a crucial defense for online banking – January 14, 2016
New Android malware is so bad, you’d better off buying a new phone – November 6, 2015
Apple issues iPhone manifesto; blasts Android’s lack of updates, lack of privacy, rampant malware – August 10, 2015
New Android malware strains to top 2 million by end of 2015 – July 1, 2015
Symantec: 1 in 5 Android apps is malware – April 25, 2015
Kaspersky Lab Director: Over 98% of mobile malware targets Android because it’s much, much easier to exploit than iOS – January 15, 2015
Security experts: Malware spreading to millions on Android phones – November 21, 2014
There’s practically no iOS malware, thanks to Apple’s smart control over app distribution – June 13, 2014
F-Secure: Android accounted for 99% of new mobile malware in Q1 2014 – April 30, 2014
Google’s Sundar Pichai: Android not designed to be safe; if I wrote malware, I’d target Android, too – February 27, 2014
Cisco: Android the target of 99 percent of world’s mobile malware – January 17, 2014
U.S. DHS, FBI warn of malware threats to Android mobile devices – August 27, 2013
Android app malware rates skyrocket 40 percent in last quarter – August 7, 2013
First malware found in wild that exploits Android app signing flaw – July 25, 2013
Mobile Threats Report: Android accounts for 92% of all mobile malware – June 26, 2013
Latest self-replicating Android Trojan looks and acts just like Windows malware – June 7, 2013
99.9% of new mobile malware targets Android phones – May 30, 2013
Mobile malware exploding, but only for Android – May 14, 2013
Mobile malware: Android is a bad apple – April 15, 2013
F-Secure: Android accounted for 96% of all mobile malware in Q4 2012 – March 7, 2013
New malware attacks Android phones, Windows PCs to eavesdrop, steal data; iPhone, Mac users unaffected – February 4, 2013
[Thanks to MacDailyNews Readers “Fred Mertz” and “Aparajita” for the heads up.]
No need to exaggerate.
This is probably only Reason #8,435,208 not to use derivative garbage.
Dang it, Mark, I’ve told you a million times not to exaggerate!
I’m not willing to say Apple’s iOS doesn’t have vulnerabilities, but we know Apple fixes them ASAP with updates pushed out to all users that can use the update.
It looks like to me that the functions of updates are scattered between kernel, Android, mfgrs add-ons & hardware & 3rd party apps. Each one more or less figures the “next guy” will patch what is needed, so nothing is ever truly up to date.
Yup, there’s rumblings that Google is working to move Android towards more of an iOS model… so much for open-source, eh?
Android is not open source, now, and never really was in the true sense of the term. Google has pulled more and more core functions under the Google umbrella and out of the “open source” area.
Sure, you can get some basics of Android open source. But it won’t do you much good unless you recreate a whole range of functions for yourself independent of Google. Even a large company like Samsung has had trouble with that.
But…but…but it’s open!
/s
That and how many android phones released in 2011 are still getting current security updates?
I know for certain the iPhone 4s still is…
With the plethora of vulnerabilities on Android, it baffles the mind to ponder why anyone would be so “smart” to “trust” Alphashite with their credit card numbers. Android users tout how smart they are and how superior Android is to iOS that it makes me feel so very lowly and stupid. I’m ditching all of my AAPL products pronto! GMAFB
Scamdroid has vulnerabilities…..gee, first I’m hearing of this…..
Bill, I love your sarcasm.
There’s also the sad reality that none of this will be covered by any major news organization. The media’s “we choose what you need to know” model is one of the primary reasons that people have so little trust in them.
> ……..bypasses the entire Android security model.
What security model?
… And thus, this month’s quota of fundamental Android security holes has been fulfilled. That’s an average of TWO fundamental Android security holes every month over the course of the last several months.
Android: Dangerous. If you’re a fragmandroid victim, you’re basically SCREWED. You can’t update with Android patches. You will be PWNed.
There has to be something better (besides iOS).
DON’T WORRY ANDROID TROLL FRIENDS!
Dave is here to help! If your Android phone is infected as it likely is if you didn’t pay attention to the DAILY THREAT and the WEEKLY MOST DANGEROUS Android Malware lists (available on the Best Android sites, usually next to the Samsung phone ads… ) adding to the tens of thousands of android malware, there are WAYS TO (hopefully) FIX IT ! As most procedures are TOO COMPLEX I’ve found a SIMPLE SHORT WAY TO FIX ANDROID MALWARE PROBLEMS (courtesy of Android Central) , read, ENJOY:
“SIMPLE FIX TO ANDROID MALWARE ISSUES:
Damage is already done if there is going to be any damage, and doing something silly like destroying your phone isn’t going to undo anything. Your goals now are to remove the malware, and try to prevent any further data theft or loss. Then you go back and address what may have happened.
Shut your Android off and use another computer to research things if you can here. You’ll want to install and run one of the many Android AV apps (here are some free ones) to see if you can find any malware and get it removed. Read what we have to say about the various applications, read the forums to see what other folks have to say about the different Android AV apps, and decide which one you think is the best. Turn your Android back on, install it from Google Play, and let the app do it’s thing.
Access and address any damage
Never assume that you get away from something like this with no ill effects. Call your bank and change your online credentials. Do the same for your credit card companies, and get new cards sent with different numbers. Change the password for your Google account. Do the same for any other online accounts, like Yahoo or Microsoft or PlayStation or Android Central. If you see anything that looks like you didn’t do it — credit card charges, crazy postings on FaceBook, or wire transfers from your bank to anywhere — be sure to let the people in charge know that it wasn’t you who did it and that you had a bout with some malware during those dates. It happens. There is no need to be embarrassed about it and you’ll find that people are willing to assist you any way they can. That’s because they have seen it often enough to know that one day, they may be in your situation.
Change some habits, maybe.
You might never be able to find out just how you got your phone or tablet infected, but you can evaluate if you need to do things a little differently to minimize the risk of it ever happening again. Maybe you need to stop using pirate app stores, or stop clicking “yes” without reading what you’re agreeing to, or stop installing random email attachments. Nobody is blaming you for getting infected, but you’re the only one who can prevent it from happening again.
If you have reason to believe your Android is infected but normal Android AV apps aren’t finding anything, your last course of action is a factory wipe of all your data. This means all of your data, and the only thing you’ll have left is what backed up online (think Google Play Games services) and media like pictures. We want to remove any and everything local that might be executable.
Back up all your pictures (and music and videos) to your Google account. Google+ is a great place to store your pictures, drop your videos in your YouTube account, and you can store up to 20,000 songs in your Google Play Music account. Utilize this free space Google gives you, even if it’s just to store a few things while you pour digital bleach on everything.
Take the SD card out of your phone if it has one. Visit a computer (or a friend with a computer) and wipe and repartition it using the built-in software for disk management. Don’t save anything — you need to be brutal to make sure anything nasty gets nuked.
On your Android, go into the settings and look for the backup and reset options. You want to perform a full factory reset of all your data, including any local storage space. Let it do it’s thing, and when you set it back up be sure to not restore any backed up data from your Goggle account.
You still want to change passwords and contact your credit card companies. You also want to take a close look at the way you do things to try and prevent this from happening again. None of that changes.
If you rooted your Android, you may have bigger issues here. Forget the app sandbox, forget Google’s Bouncer, and throw out most of the rules that apply to people who didn’t root their phone. The solution is simpler, but more brute-force.
Back up your media as described above. Next, go into a custom recovery and wipe everything. Flash a completely new ROM.
If you don’t have a custom recovery installed, or one isn’t available for your phone, talk to the guys and gals who are hacking and developing custom software with the same phone that you’re using.
Going through the pain of a factory reset then finding out that some malware is written to the system files and not your user data means you did everything in vain. Take a few minutes to talk to other people with the same hardware as you.”
SEE EASY ! 🙂