Articles Tagged:

vulnerabilites

Two major vulnerabilities found in OnePlus 3 bootloader - OP has patched one, working on the other

Michael Crider2017/02/09
5:33pm PSTFeb 9, 2017

OnePlus is something of a darling among Android power users, shipping phones that can be bootloader unlocked without any special permissions or codes. But security researcher Roee Hay found that the OnePlus 3 (and the revised OnePlus 3T) are rather more open than was probably intended. With two native fastboot commands, Hay found he could install unverified boot images and disable the verified boot feature, all without actually unlocking the bootloader with the familiar user-accessible command. Which is, well, bad: it basically means anyone can run malicious code on the phone without resetting the user's data.

Google's Project Zero starts its own Android hacking contest with a top prize of $200,000

Michael Crider2016/09/13
4:16pm PDTSep 13, 2016

News

Calling all hackers and security researchers: Google wants to pay you money. Quite a lot, in fact. The top prize for finding a new critical flaw in Android in the new Project Zero Prize competition is a whopping $200,000, with the second prize at $100,000 and $50,000 split among additional entrants. The contest is being run by Project Zero, the company's own internal team of security researchers that documents critical flaws and bugs in wide-reaching software.

Google Promises A Stagefright Security Update For Nexus Devices Starting Next Week

Michael Crider2015/07/28
5:22am PDTJul 28, 2015

So you might have heard about the Stagefright vulnerability that was published yesterday. While there's no evidence of a widely-used hack, the potential for malicious MMS attacks via Android's built-in media handling system (which could theoretically affect the majority of Android devices currently in operation) is certainly cause for concern. As reported on our original post, Google has known about the vulnerability since April and has been working on patches to fix the problem.

We've received a statement attributed to a Google spokesperson [emphasis ours]:

This vulnerability was identified in a laboratory setting on older Android devices, and as far as we know, no one has been affected.

[New App] Bluebox Heartbleed Scanner Can Help You Discover An OpenSSL Vulnerability On Your Device

Cody Toombs2014/04/11
12:20pm PDTApr 11, 2014

The Internet has been abuzz over the recently discovered Heartbleed bug. If you're not already familiar, Heartbleed is a vulnerability in the OpenSSL software library that allows an attacker to steal data directly from the memory space of an application and learn the private keys used to keep data securely encrypted as it travels over the Internet. The implications of this kind of leak are certainly severe, and it has everybody rushing to either install updates that fix the bug or implement workarounds to disable it.

As users, there's not a lot you can do to close this security hole on your device, but you might still want to know if you're vulnerable.

SuperSU Security Advisory: Update To Version 1.69 (Available Now) To Avoid Potential Exploits

Cameron Summerson2013/11/13
7:25am PSTNov 13, 2013

If you're a root user, listen up. Chainfire updated SuperSU to v1.69 as of last night, which fixes two exploits that could allow an attacker to leverage root privileges without first prompting the user. Probably nothing to get overly anxious about, but it's definitely a good idea to make sure you're running the latest. Details of these exploits will be released next Monday, so you'll want to grab the update before then.

Fortunately, this one's pretty easy – just install the update from the Play Store and you're covered; no need to flash anything.

This update also includes a handful of other fixes and things:

Changelog
- XBIN mode (some new roots need this)
- Slightly adjusted binary installer
- Backup script installation now available for all backuptool-capable ROMs
- Fixed su-ing to a non-root user not working on some 4.3+ firmwares
- Fixed BOOTCLASSPATH vulnerability (CVE-2013-6774) - Fixed notification sanitization vulnerability (CVE-2013-6775) - Fixed possible closed special files vulnerability
- Updated language files

The update is already live in the Play Store, so make sure to pull it down as soon as you can.

[Security] Vulnerability In Firefox For Android Discovered That Allows Hackers To Steal Files From The SD Card And Firefox's Privately Stored Data [Update]

Cody Toombs2013/09/30
11:54am PDTSep 30, 2013

News

The security of our mobile apps and private data is a very serious matter. This is particularly true for high value targets like web browsers, which often store login credentials that can be used to access many of the websites we use on a regular basis. Unfortunately, browsers are also very complicated applications with an extensive set of features that are difficult to lock down completely. Sebastián Guerrero Selma of viaForensics recently posted a video demonstrating a newly discovered vulnerability in Firefox for Android which would allow hackers to access both the contents of the SD card and the browser's private data.

CyanogenMod 10.1.2 Is Another Small Security Update, Patches Second Master Key APK Vulnerability

Jeremiah Rice2013/07/12
4:30am PDTJul 12, 2013

Second verse, same as the first. Two days ago the CyanogenMod ROM team announced a security update to the CM 10.1 platform, incorporating the "Master Key" security patch that Google had already issued back in February. Yesterday another, more intricate exploit in the same vein was posted by a Chinese blog, and again, Google has rapidly moved to patch the problem in Android... which won't be much comfort to those running an older release. Being the security-minded folks that they are, the CyanogenMod team has already patched the vulnerability in an even newer version of the ROM, CyanogenMod 10.1.2.

It's an easy fix if you know what you're doing: nine lines of code prevent malicious apps from skipping the signature verification built into Android.

Second "Master Key" Style APK Exploit Is Revealed Just Two Days After Original Goes Public, Already Patched By Google

Cody Toombs2013/07/11
10:31am PDTJul 11, 2013

Hot on the heels of Bluebox's disclosure of the "Master Key" exploit, a Chinese blog has posted details of a similar vulnerability. This attack also sidesteps a bug in the signature verification step and allows seemingly innocent APKs to include a potentially dangerous payload; and like its brethren, Google has already patched the flaw and posted it to the Android Open Source Project (AOSP). The information comes to us from a China-based group (or possibly individual) calling itself the Android Security Squad. The original post is in Chinese, but a vaguely comprehensible translation can be had thanks to Google.

CyanogenMod 10.1.1 Stable Rolling Out Now With Security Fixes For Master Key And More

Ryan Whitwam2013/07/10
1:14pm PDTJul 10, 2013

News

While most Android users are waiting on updaters that might patch some of the recently reported security holes, CyanogenMod is already getting a bug fix update out the door. CyanogenMod 10.1.1 is now hitting the stable channel for all supported devices.

The Master Key exploit will be presented by Jeff Forristal at Black Hat 2013 as "One Root To Own Them All." It's essentially a bug in signature verification which can be used to insert malicious code into an APK. Google patched the bug back in February, but the new code hasn't made it into most official ROMs – even Nexus devices have yet to receive the fix.

Dan Rosenberg: 'I See This As The End Of An Era For Motorola Rooting And Modding'

Cameron Summerson2013/04/10
8:48am PDTApr 10, 2013

When it comes to root and mod action on Motorola devices from the last couple of years, all eyes turn to brilliant Android hacker Dan Rosenberg. Since the Droid 3 was released two years ago, Rosenberg has successfully found root exploits for every Motorola device, including the D3, Bionic, RAZR, Droid 4, Xoom 2, Atrix HD, RAZR HD, and RAZR M. Add to that the fact he just released a tool that unlocks the bootloaders on the most modern Moto phones (RAZR HD, M, and Atrix HD), and it's not hard to see why he's such an important part of the Motorola modding community.

Android Police

vulnerabilites

Google Fiber comes to a new city after long expansion hiatus

Moto G 5G Plus is official: Snapdragon 765, quad-cameras, and a 90Hz screen

YouTube Music shows latest library additions for some

The US government is 'looking at' banning TikTok and other Chinese apps

Say hello to the Arlo Video Doorbell for just $110 ($40 off) today only at Woot

Pick up an Arlo Ultra system with two cameras for $450 ($150 off)

Insignia's brand new 4K Fire TVs are already receiving major discounts (up to $100 off)

Get the Wireless Eufy Video Doorbell for $164 ($56 off) on Amazon

Open box first-gen Galaxy Buds are $65 (50% off) on eBay

Galaxy S20 case reviews: Spigen, Samsung, Speck, Ringke, Supcase, dbrand, and more (Update: Pela, Alexander Millano, Whitestone Dome)

Lenovo C340 review: The best cheap Chromebook of 2020

LG Stylo 6 review: Stuttering and lag all but ruin LG's cheap Galaxy Note alternative

Hands on with Crayta, an ambitious Stadia exclusive that will certainly die without a strong creator community

Moto E 2020 review: Cheap and good (enough)

Galaxy S20 case reviews: Spigen, Samsung, Speck, Ringke, Supcase, dbrand, and more (Update: Pela, Alexander Millano, Whitestone Dome)

14 new Android games from the week of June 29, 2020

These are the browser extensions the Android Police staff can’t live without

11 Android widgets that are actually useful

12 new and notable Android apps from the last week including Mi Control Center, JioMeet, and SwissCovid (6/27/20 - 7/4/20)

Google Maps preps displaying traffic lights on Android

Gboard is adding support for the new Android 11 emoji (APK download) 🎉

Firefox for Android fixes critical security vulnerability in latest update (APK Download)

Google adds more accurate visualizations for shorter meetings in Calendar

PUBG Mobile 0.19.0 includes a new Nordic-style map, a monster truck, two new firearms, and more

1 Year Ago Today

Google starts open beta program for Messages app

2 Years Ago Today

19 best new Android games released this week including Old School RuneScape, Dead Island: Survivors, and DERE EVIL EXE

3 Years Ago Today

[Re-review] Last year's Nextbit Robin is an entirely different (and better) phone at $130

4 Years Ago Today

I'm going to use Amazon's "Prime Exclusive" $60 smartphone for a month

5 Years Ago Today

[APK Download] Google Messenger v1.4 Adds Location Sharing, Stickers, And Fast Scrolling (And Maybe More)

6 Years Ago Today

The Weather Channel's Big 5.0 App Redesign Is Now Very Slowly Rolling Out To Users Via The Play Store [Updated]

7 Years Ago Today

[Bonus Round] Z End: World War, Way Of The Dogg, Snake HD, And QWOP

8 Years Ago Today

[Deal Alert] Sprint's Galaxy S III Is Available For $149 From Amazon Wireless For New And Upgrading Customers

9 Years Ago Today

HTC Thunderbolt OTA Update 1.70.605.0 (Froyo) Rolling Out Now, Fixes Reboots, Enhances Data Connectivity, More

10 Years Ago Today

Trillian To Bring Cross-Platform Chat To Android

Last 24 Hours

Upcoming Google Home improvements include Assistant routines from device makers

WhatsApp begins rolling out dark mode to its desktop and web apps

Android 10 (Go Edition) comes to the entry-level Nokia 1

First evidence of WhatsApp integration pops up in Facebook Messenger

Samsung updates A51 and A71 phones with flagship features from the Galaxy S20

Last 7 Days

The best cheap Chromebooks that are actually in stock right now

T-Mobile shuts down Sprint's 5G network to redeploy spectrum

The best Android power user features you may have forgotten about

JioMeet is basically a completely free 1:1 copy of Zoom

Google confirms the Pixel 3a has been discontinued

Last 30 Days

The best cheap Chromebooks that are actually in stock right now

OnePlus posts downloads for OxygenOS Open Beta 5 and 15 for the OnePlus 7 and 7T series

Google has declared open war against its videoconferencing rivals

How to block spam notifications and rogue ads on Android

Here are 460 apps and games available on Google Play Pass right now

Tip Us