Android Police

Articles Tagged:

exploit

...

Amazon Fire TV Cube and 2017 Fire TV Stick rooted using HDMI exploit

Amazon released the Fire TV Cube earlier this year, as a 4K-capable streaming device with far-field microphones (for responding to Alexa responses) and an IR transmitter (for turning devices on/off). Exploitee.rs has now released a root method for the Fire TV Cube and the 2017 Fire TV Stick, which relies on sending commands through the HDMI port and bypassing code verification.

Read More
...

Harmony Hub had a vulnerability, but it's been patched in version 4.15.96

Over the past few days, we've covered an issue with the Harmony Hub not being able to control Sonos speakers' volume properly, which was followed by a fix with firmware 4.15.100. As it turns out, the issue occurred because Logitech may have rushed to release firmware version 4.15.96 for the hub to patch a vulnerability discovered by FireEye.

Read More
...

Tegra X1 processor vulnerability discovered, affects Nvidia Shield, Pixel C, and Nintendo Switch

The Tegra X1 is one of Nvidia's latest mobile processors, powering devices like the Nintendo Switch, Google Pixel C, and Nvidia Shield. It's not uncommon that vulnerabilities are discovered in SoCs, and that has just happened for the Tegra X1. Katherine Temkin and the ReSwitched hacking team have just released details about a security flaw, nicknamed 'Fusée Gelée,' that allows unauthenticated arbitrary code execution on devices using the Tegra chip.

Read More
...

[Update x3: Qualcomm responds] OnePlus left a backdoor in its devices capable of root access

Just a month ago, OnePlus was caught collecting personally identifiable data from phone owners through incredibly detailed analytics. While the company eventually reversed course on the data collection, another discovery has been made in the software of OnePlus phones. One developer found an application intended for factory testing, and through some investigation and reverse-engineering, was able to obtain root access using it.

Read More
...

Recently revealed "Cloak & Dagger" Android attack uses overlays and accessibility services to deceive users

A new series of vulnerabilities in Android have been discovered by researchers at the University of California Santa Barbara and the Georgia Institute of Technology. Titled "Cloak & Dagger" this new class of vulnerabilities and attack vectors makes use of overlays and accessibility service permissions in Android. These services can potentially allow for a malicious application to perform unwanted actions, including collecting data input on the device and so-called "clickjacking." The latter term being when a user might believe they are performing one action, but another is occurring beneath a deceptive overlay.

Read More
...

Exploitee.rs hacked the Samsung Smartcam yet again, this time with a root exploit

The Samsung Smartcam is a great example of why consumers should be wary of 'Internet of Things' devices. Multiple exploits for the camera have been found since the Smartcam initially went on sale, previously allowing for remote command execution and changing the admin password without knowing the original one. Now another exploit has been discovered for the Smartcam, this time allowing commands to be executed as the root user.

Read More
...

SuperSU 2.77 beta available for Note7, but there are caveats

Android developer extraordinaire Chainfire has worked his magic again, releasing a new beta of SuperSU with support for the Galaxy Note7. There are a few caveats though, mostly due to new Samsung security measures inherent in the kernel, stopping Chainfire from using his usual exploits and instead having to apply workarounds.

In short, Chainfire says that Samsung has applied new built-in protection methods directly to the kernel. Any time a 'privileged' process that has a uid/gid value equal to or below 1000, it causes the device to kernel panic, meaning it immediately reboots. As most root processes have a value below 1000, the device restarts as expected, causing headaches for both users and developers.

Read More
...

Verizon Rolls Out Its First Stagefright Fix, And It's For The Galaxy Note Edge - Build LRX22C.N915VVRU2BOG5

Verizon has begun rolling out an update for the Galaxy Note Edge that should address the vulnerability in Stagefright, one of Android's media libraries, that could potentially compromise a user's device. This is the first Stagefright-related fix we're aware of Verizon rolling out.

thewholething

Of course, the changelog doesn't specifically mention Stagefright... but it's really obvious that's what it's for, given the timing of the update and terseness of the document. You can probably expect a slew of Samsung Stagefright fixes (as well as other OEMs, of course) on Verizon to follow, if this is any sign.

Read More
...

Android 4.4.3 Patch Finally Closes Up An Ancient Vulnerability, Shuts Down Several Serious Security Exploits

Ask anybody that spends time in the security circles and they'll tell you that every large software project is bound to have a few long-standing vulnerabilities in the code. Fortunately, there are usually a few people who are paid to close up those holes so you, the customer, don't find yourself the victim of nefarious evildoers someday. Like so many before it, the latest update to Android came with a boatload of changes, at least one of which fixes a potentially dangerous vulnerability that can be used for numerous attacks, including a way to acquire root.

The Vulnerability

As described in a post on the Cassidian CyberSecurity blog, the vulnerability exists in a system component known as VOLD (Volume Management daemon).

Read More
...

SuperSU Security Advisory: Update To Version 1.69 (Available Now) To Avoid Potential Exploits

If you're a root user, listen up. Chainfire updated SuperSU to v1.69 as of last night, which fixes two exploits that could allow an attacker to leverage root privileges without first prompting the user. Probably nothing to get overly anxious about, but it's definitely a good idea to make sure you're running the latest. Details of these exploits will be released next Monday, so you'll want to grab the update before then.

Screenshot_2013-11-13-09-24-12

Fortunately, this one's pretty easy – just install the update from the Play Store and you're covered; no need to flash anything.

This update also includes a handful of other fixes and things:

Changelog
- XBIN mode (some new roots need this)
- Slightly adjusted binary installer
- Backup script installation now available for all backuptool-capable ROMs
- Fixed su-ing to a non-root user not working on some 4.3+ firmwares
- Fixed BOOTCLASSPATH vulnerability (CVE-2013-6774) - Fixed notification sanitization vulnerability (CVE-2013-6775) - Fixed possible closed special files vulnerability
- Updated language files

The update is already live in the Play Store, so make sure to pull it down as soon as you can.

Read More
Page 1 of 41234