Google and the various major Android device vendors and carriers are scrambling to patch the recently-discovered Stagefright exploit, a weakness in Android's multimedia processing that can allow remote access via a simple MMS message. Google has already begun patching Nexus devices, and Samsung is working its way through its extensive product range starting with flagships. Yesterday Motorola released its plans to update its phones.
So which devices will get the fix? Basically everything Motorola has made since 2013, including carrier variants and DROID models for Verizon in the US. Here's the full list:
- Moto X Style (patched from launch)
- Moto X Play (patched from launch)
- Moto X (1st Gen, 2nd Gen)
- Moto X Pro
- Moto Maxx/Turbo
- Moto G (1st Gen, 2nd Gen, 3rd Gen)
- Moto G with 4G LTE (1st Gen, 2nd Gen)
- Moto E (1st Gen, 2nd Gen)
- Moto E with 4G LTE (2nd Gen)
- DROID Turbo
- DROID Ultra/Mini/Maxx
Some third-gen Moto G phones (released late last month) have been patched from launch, but others will need an over-the-air update. Read More
So you might have heard about the Stagefright vulnerability that was published yesterday. While there's no evidence of a widely-used hack, the potential for malicious MMS attacks via Android's built-in media handling system (which could theoretically affect the majority of Android devices currently in operation) is certainly cause for concern. As reported on our original post, Google has known about the vulnerability since April and has been working on patches to fix the problem.
We've received a statement attributed to a Google spokesperson [emphasis ours]:
This vulnerability was identified in a laboratory setting on older Android devices, and as far as we know, no one has been affected.
While the experience isn't felt across the board, many OnePlus One owners have been plagued by touchscreen issues since making the decision to never settle. As a result, the company has pushed out update after update aimed at alleviating an issue that seems to have a tendency to resurface.
Now it has released another one, OxygenOS version 1.01. A link to download the firmware is available directly inside the announcement. The forum post doesn't contain a changelog, but it does mention "a patch for the touchscreen issue."
There's also a tool available for folks who have not yet installed OxygenOS that should let them flash the latest version directly from CyanogenMod 11 or 12 without data loss. Read More
Sprint is rolling out an over-the-air update to customers who own a Galaxy Note II that applies a security patch or two from Google. What vulnerability this update addresses isn't detailed, but it's the first OTA Sprint has sent out since the big KitKat update last May.
Once the goods arrive, they will leave your Note II running software version L900VPUCNK2. There's nothing else on the changelog, so don't go digging around looking for anything exciting.
You can check for the update manually, but do so knowing that you're making your phone just a little bit safer. Don't do it because it's fun. Read More
Blue Spark Technologies has introduced a new wearable device at CES, but it's not a smart watch or a fitness band or even a VR headset. It's a single-use skin patch called TempTraq that connects to your Android (or iOS) phone to track body temperature.
Blue Spark pitches the patch to parents with sick progeny, though it could conceivably be used on or by anyone. The patch affixes to the body under the arm, and transmits temperature information over Bluetooth to its dedicated app. Read More
Back in October, Google announced a rewards program that would give financial incentives for "down-to-earth, proactive improvements" to security across third-party open-source projects that Google deems "vital to the health of the entire Internet."
Starting with core infrastructure services, Chrome foundations and other "high impact libraries," Google vowed to expand the program soon. Today, in an entry to the official security blog, Google announced that the program has been expanded in scope to include open-source bits of Android, found in AOSP, and several other projects.
We started with a fairly conservative scope, but said we would expand the program soon. Today, we are adding the following to the list of projects that are eligible for rewards:
- All the open-source components of Android: Android Open Source Project
- Widely used web servers: Apache httpd, lighttpd, nginx
- Popular mail delivery services: Sendmail, Postfix, Exim, Dovecot
- Virtual private networking: OpenVPN
- Network time: University of Delaware NTPD
- Additional core libraries: Mozilla NSS, libxml2
- Toolchain security improvements for GCC, binutils, and llvm
According to the patch rewards guidelines, rewards can range from $500 to $3,133.70, with higher rewards going to solutions with unusually high impact or solutions to exceedingly complex issues. Read More
Roughly four years ago, AOL bought a little company called Patch that focuses on local community news. More specifically, "everything you need to know about your town, from local government to school news to what to do with your family this weekend" according to Patch's homepage. Unfortunately it's not available in all areas (or even all states) so there are probably many users who haven't heard of the service (myself included).
Those who have, however, will be happy to know that there's now an official Android app. According to the Play Store listing, the app "delivers a beautiful browsing experience to Android users, with an emphasis on simplicity." Sound like something you'd be interested in? Read More
Second verse, same as the first. Two days ago the CyanogenMod ROM team announced a security update to the CM 10.1 platform, incorporating the "Master Key" security patch that Google had already issued back in February. Yesterday another, more intricate exploit in the same vein was posted by a Chinese blog, and again, Google has rapidly moved to patch the problem in Android... which won't be much comfort to those running an older release. Being the security-minded folks that they are, the CyanogenMod team has already patched the vulnerability in an even newer version of the ROM, CyanogenMod 10.1.2.
It's an easy fix if you know what you're doing: nine lines of code prevent malicious apps from skipping the signature verification built into Android. Read More
Hot on the heels of Bluebox's disclosure of the "Master Key" exploit, a Chinese blog has posted details of a similar vulnerability. This attack also sidesteps a bug in the signature verification step and allows seemingly innocent APKs to include a potentially dangerous payload; and like its brethren, Google has already patched the flaw and posted it to the Android Open Source Project (AOSP). The information comes to us from a China-based group (or possibly individual) calling itself the Android Security Squad. The original post is in Chinese, but a vaguely comprehensible translation can be had thanks to Google. Read More
Scary tales about Android malware have been told since before people started guessing what dessert name would start with the letter 'D' (it's "Donut," in case anybody has forgotten.) Most of those claims came and went, amounting to little more than ghost stories. Unfortunately, there are a few real ghouls and goblins for which we should be afraid. Back in February, one such monster was discovered lurking about that allowed modified APKs to be installed on your device while successfully side-stepping the cryptographic signature used to prevent that very thing. The good news: Google and CyanogenMod have closed the loophole on their own ROMs, and OEMs are in the process of doing the same. Read More