A few days ago, independent security firm Zimperium released details about several major security flaws in the popular AirDroid application. In summary, attackers can easily intercept insecure requests to AirDroid's servers, as well as push malicious APKs to devices which appear as AirDroid add-on updates (which AirDroid then prompts the user to accept). Granted, the user has to be on an insecure Wi-Fi network for the attack to work, but it's still a major problem.
That alone is bad enough, but Zimperium informed AirDroid of the problem a whopping seven months ago. During that time, a major 4.0 update was released, which still had the same security issues. Read More
There's an OTA update rolling out to Google devices today, but what sort of holes have been patched? Now you can find out with Google's latest security bulletin. Like the last few months, this one has multiple patch levels that you might see on devices going forward. Read More
Blu took a substantial hit last month when security firm Kryptowire discovered a pre-installed service on several of the company's phones was sending users' data to a server in China. The offending service was part of the OTA update module provided by third-party company Adups. Blu has now promised to get rid of the Adups software after previously neutering it. Read More
AirDroid is one of several services that allows Android users to send and receive text messages, as well as transfer files and see notifications, from their computer. According to the Play Store, AirDroid has somewhere between 10 and 50 million installs (not counting anyone directly installing the APK from the AirDroid website). Mobile security company Zimperium recently released details of several major security vulnerabilities in AirDroid, allowing attackers on the same network to access user information and even execute code on a user's phone. Read More
The battle against Android malware is ongoing, but it's a big world and Android is everywhere. It presents a tempting target for criminals, and the Gooligan malware is just the latest attempt to make a buck off the trusting nature of smartphone users. This attack has compromised more than a million phones in the last few months, and as many as 13,000 new infections are occurring each day. The goal is not to steal your data (although that can still happen), but to make you download apps in an advertising fraud scheme. Read More
Mobile security is a huge issue, but most consumers tend to think that at least a brand new phone is safe. That assumption may be in error, according to security research firm Kryptowire. In a new report Kryptowire documents the inclusion of software tools collectively called Adups, which allegedly shipped on phones like the Blu R1 HD and other devices sold internationally, including the US market via Amazon and Best Buy. Read More
Fingerprint sensors have been a thing on Android for a while, and Google has had official API support in Android for more than a year. Still, there are some apps that inexplicably lack support for fingerprint security. Mint was one of them until today. This app has finally been updated with a fingerprint security option. Read More
One of the more interesting things to emerge from the digital revolution is hacking competitions and prizes, wherein benevolent "white hat" hackers are invited to try and defeat hardware and software in a closed environment. The latest mobile-only edition of the Pwn2Own competition was sponsored by software security company Trend Micro, offering cash prizes to anyone who could get user info, install rogue apps, or completely unlock some of the biggest mainstream phones out there: the Nexus 6P, the Galaxy S6, and the iPhone 6s. Read More
Google started including the security patch version in the About Phone menu last year in the wake of the Stagefright vulnerability. This is simply a date that tells you which patch level a device runs. As of Android 7.1, that line in the settings is more than just a date. It's also a link to the security bulletins. Read More
The SafetyNet API is the bane of root and custom ROM users everywhere. For those unfamiliar, it is part of the Google Play Services API that is designed to detect modified devices. If your system is tampered with in any way, be it rooted or a custom ROM, the SafetyNet check will fail. Android Pay, among other applications, uses this API and will fail to run if SafetyNet fails.
Reports are coming in from Reddit and our own tip box that SafetyNet appears to fail on some bootloader-unlocked devices, even if the device has not been modified in any other way. Devices confirmed to have issues include the Nexus 6P, OnePlus 3, and Nexus 6. Read More