Android Police

Articles Tagged:

vulnerability

...

Verizon Rolls Out Its First Stagefright Fix, And It's For The Galaxy Note Edge - Build LRX22C.N915VVRU2BOG5

Verizon has begun rolling out an update for the Galaxy Note Edge that should address the vulnerability in Stagefright, one of Android's media libraries, that could potentially compromise a user's device. This is the first Stagefright-related fix we're aware of Verizon rolling out.

thewholething

Of course, the changelog doesn't specifically mention Stagefright... but it's really obvious that's what it's for, given the timing of the update and terseness of the document.

Read More
...

[Update: Samsung Rolling Out A Fix] PSA: Keyboard Security Flaw Impacting "600 Million+" Samsung Phones Is Probably Nothing To Worry About

This morning, a company called NowSecure published an exploit claiming to affect SwiftKey on Samsung devices that they assert could impact "600 million+" devices. Well, maybe.

While we cannot verify the true seriousness of the security flaw were an attacker to successfully manage to exploit it, we were able to verify something substantially more important to end user safety - it does not affect the SwiftKey app, only the built-in Samsung IME which is partly developed by SwiftKey.

Read More
...

Critical Vulnerability In Verizon FiOS Mobile API Allowed Easy Access To Any User's Email Info

Verizon isn't making many friends when it comes to keeping private information private. Just two days after news broke that Verizon Wireless is collecting and in some cases selling web browsing info, its parent company has been given a black eye for insecure practices associated with the FiOS Internet service. Security researcher Randy Westergren discovered a way to access any FiOS user's Verizon email account by using the mobile API.

unnamed (11)

The message is, "You really shouldn't be using this app. Or the free email we gave you. At all."

Westergren's discovery and his explanation are highly technical, but what it boils down to is that he could substitute the username (and only the username) of a Verizon FIOS email user in a particular API script in order to access that account.

Read More
...

Android 4.4.3 Patch Finally Closes Up An Ancient Vulnerability, Shuts Down Several Serious Security Exploits

Ask anybody that spends time in the security circles and they'll tell you that every large software project is bound to have a few long-standing vulnerabilities in the code. Fortunately, there are usually a few people who are paid to close up those holes so you, the customer, don't find yourself the victim of nefarious evildoers someday. Like so many before it, the latest update to Android came with a boatload of changes, at least one of which fixes a potentially dangerous vulnerability that can be used for numerous attacks, including a way to acquire root.

The Vulnerability

As described in a post on the Cassidian CyberSecurity blog, the vulnerability exists in a system component known as VOLD (Volume Management daemon).

Read More
...

Samsung Addresses The Knox Vulnerability That Wasn't

Described by the Wall Street Journal as "a vulnerability that could allow malicious software to track emails and record data communications," a potential vulnerability in Samsung's Knox platform was discovered in late December by researchers at Israel's Ben-Gurion University. The researchers said the vulnerability would allow those with malicious intent to "easily intercept" secure data from Knox users. Samsung's initial response was that the problem may be less serious than researchers implied, and that it would investigate the situation thoroughly. Resolving - or at least addressing - the issue would be an important step for Samsung, as it hopes to position its Knox-enabled devices as viable options for those in need of tight security.

Read More
...

SMS Vulnerability In Nexus Phones Can Be Exploited To Force A Reboot Or Kill Cellular Connectivity

Today, at the DefCamp Security Conference in Bucharest, Romania, details were revealed about a potentially serious SMS vulnerability found in all current Nexus phones. The person responsible for the discovery is Bogdan Alecu, a system administrator at Levi9 and independent security researcher in Romania. When exploited, the attack can force the phone to reboot or destabilize certain services.

2013-11-29_10-53-59

The method of attack simply relies on sending a series of Class 0 "Flash" messages to the target phone. Flash messages are typically used for emergency or security purposes, appearing on the screen immediately instead of going to the default SMS application.

Read More
...

Second Mobile Pwn2Own Competition Announced With Plenty Of Android Targets To Crack And $300,000 In Prizes

The second annual Mobile Pwn2Own competition, run by HP TippingPoint's Zero Day Initiative, is fast approaching. This year's event will take place at the PacSec Applied Security Conference in Tokyo from November 13-14, and over $300,000 in cash and prizes is up for grabs. The Pwn2Own contest challenges security researchers to find and exploit vulnerabilities on mobile devices and rewards them by giving them the device they were able to compromise. In short, a contestant must "pwn" a device in order to own it. This year's event is sponsored by Google's Android Security Team and BlackBerry.

Pwn2Own

Contestants can receive $50,000 for compromising a mobile device using Bluetooth, Wi-Fi, USB, or NFC.

Read More
...

[Update: Fix In Place] Serious Security Hole Discovered In Cerberus Anti Theft, Gives Attackers Near-Total Access To Your Phone, Fix In The Works

When it comes right down to it, few things are much scarier than finding out somebody can track your movements, read your call log and text messages, and even record audio and take pictures of whatever the phone can get, all without your knowledge. Here's the thing - as careful, security-conscious people, many of us already install software like that for our own purposes, usually to recover a phone in the event it should fall into the hands of thieves. Like a weapon intended for protection, sometimes our best defenses can be turned against us.

It was recently discovered that Cerberus anti theft, a tool we've talked about a few times in the past, has a weakness in its network protocol that allows a determined hacker to use brute-force methods to find the IMEI numbers of user devices and ultimately invoke any of Cerberus's functions.

Read More
...

[New App] Duo Security And NEU SecLab Releases ReKey Master Key Vulnerability Patch For Rooted Android Users Still Waiting On Their Carriers

A few weeks ago the "Master Key" APK verification vulnerability rocked the Android security landscape... then immediately stopped rocking it, once Google revealed that they had patched the vulnerability months ago. Still, that's little comfort to users who aren't on a brand-new 4.2 phone (or, you know, a Nexus device that gets real updates). CyanogenMod has responded by patching all of its official ROMs (twice), and now noted security firm Duo has teamed up with Northeastern University's SecLab to do the same for all Android rooted users, regardless of their device. The patch is called "ReKey," and it's from both the Play Store and the ReKey website.

Read More
...

Security Researcher Demonstrates GPS Vulnerability That Could Let Hackers Track Users' Location, Take Over Phone

Over at Black Hat USA 2012, security researcher Ralf-Phillip Weinmann demonstrated a vulnerability in several Android devices that utilized A-GPS to send illicit messages to the device which could, he explained, be used to send a report of the device's location any time an A-GPS message was sent or even be used to gain complete control of the device.

In describing the attack, Weinmann pointed out that, for example, a malicious WiFi network could instruct a phone to relay all future A-GPS requests, even once the device has left the WiFi network's range. This even further drives home the point that you should not join any networks you don't trust.

Read More
Page 1 of 3123
Quantcast