Android Police

Articles Tagged: vulnerabilities

Vast Majority Of Android Devices Are Vulnerable To 'Stagefright' Exploit That Can Be Executed Via Text Message, According To Researchers

In a blog post published today by the researchers at Zimperium Mobile Security, the group divulged an extremely widespread security vulnerability that can be exploited with nothing more than a targeted MMS message. The hole exists in the part of the Android operating system called Stagefright, which handles the processing of certain types of multimedia.

How it works

To target a victim, the hypothetical hacker needs only to send an MMS message, which in many cases doesn't even need to be read before the attacker gains access to the victim's microphone and camera.

...

Android 4.4.3 Patch Finally Closes Up An Ancient Vulnerability, Shuts Down Several Serious Security Exploits

Ask anybody who spends time in security circles and they'll tell you that every large software project is bound to have a few long-standing vulnerabilities in the code. Fortunately, there are usually a few people who are paid to close up those holes so you, the customer, don't find yourself the victim of nefarious evildoers someday. Like so many before it, the latest update to Android came with a boatload of changes, at least one of which fixes a potentially dangerous vulnerability that can be used for numerous attacks, including a way to acquire root.

The Vulnerability

As described in a post on the Cassidian CyberSecurity blog, the vulnerability exists in a system component known as VOLD (Volume Management daemon).

...

[Security] Firefox For Android Can Be Tricked Into Automatically Downloading And Executing Malicious Code

A very serious security hole has been discovered in Firefox for Android that allows a website to force the browser to download and run potentially damaging files, usually without the user's knowledge or interaction. The vulnerability was first described and demonstrated publicly on September 9th as part of a posting meant to advertise the attack as being for sale. The method for exploiting the weakness simply requires a webserver to instruct Firefox for Android to initiate a download, after which the downloaded file is automatically opened or executed (depending on the file type).

Here's a demonstration using an APK crafted to look like an update to Firefox:

While the demo video above uses an APK and relies on a user being tricked into installing it, the potential vectors of attack aren't restricted simply to APKs and can possibly leverage other weaknesses on a device.

...

Infamous "Master Key" Exploit Was Quietly Patched By Google In February, CyanogenMod Following Suit Today, OEMs... At Some Point

Scary tales about Android malware have been told since before people started guessing what dessert name would start with the letter 'D' (it's "Donut," in case anybody has forgotten). Most of those claims came and went, amounting to little more than ghost stories. Unfortunately, there are a few real ghouls and goblins of which we should be afraid. Back in February, one such monster was discovered lurking about that allowed modified APKs to be installed on your device while successfully side-stepping the cryptographic signature used to prevent that very thing. The good news: Google and CyanogenMod have closed the loophole on their own ROMs, and OEMs are in the process of doing the same.

...

Skype App For Android Updated To 1.0.0.983, Fixes Personal Info Vulnerability And Adds 3G Calling In The U.S.

Skype released an update to its Android app this morning, remedying the vulnerability we revealed last week, which exposed tons of personal info. Our own Justin Case, who originally found the issue, has taken a look at the updated version of the app and confirmed that the exploit he developed to demonstrate the vulnerability no longer functions.

Specifically, Skype has changed the permissions of the databases in question (which contain the personal information). This update will not remedy the vulnerability on the leaked video version of the app, so continued use is at your own risk. Skype will incorporate the fix into the video version of the app when it is officially released.

...

[Updated] Exclusive: Vulnerability In Skype For Android Is Exposing Your Name, Phone Number, Chat Logs, And A Lot More

Update #1: Skype is investigating the issue, we've been told.

Update #2: Skype's official first response can be found here.

The safety of our personal information is often a concern of mine - who has my email address, my phone number, my date of birth? How can I keep my private information safe while still enjoying the internet? These concerns have prompted me to take a deeper look at Android apps more than once, and often this can yield some frightening information.

On April 11, a leaked version of Skype Video hit the web and, having a Thunderbolt, I had to try it.
