latest
Android 13 QPR2 Beta 1 finally addresses major Pixel 6 and 7 series vulnerabilities
Google's superusers put on elbow grease to test some Arm-work
A few weeks ago, Google's Project Zero security research team tore the bandage off on disclosing patched exploits affecting the driver for Arm's Mali GPUs — components found in millions upon millions of Android phones. The sting, however, came from the fact that manufacturers had and still have yet to pass the patches onto their end users some five months (and counting) after Arm did its part. Google itself has had a share of the blame, but, with Android 13 QPR2 Beta 1, it's well on its way to catching up and making sure that Pixel owners and everyone in Android Land remain safe.
Google recorded the most zero-day exploits ever in 2021
Last year had more than double the published vulnerabilities of 2020
Online security and user experience go hand-in-hand — no one's going to want to use even the fanciest phone in the world if it leaves you wide open to hackers. That’s why developers are constantly working behind the scenes to keep users secure, but inevitably, some security flaws go through unnoticed. Maybe the scariest class is zero-day exploits, for which no patch to fix these holes exist when attacks first land. This week Google's looking back over efforts to discover these vulnerabilities, and with 58 of them were detected and disclosed in 2021, 0-days had their single busiest year yet.
In the early days of Android, ES File Explorer was one of the better ways to manage your storage. That hasn't been true for a long time, though. Not only is the app rather cluttered and buggy, security researcher Elliot Alderson (@fs0c131y on Twitter) points out this app makes your files vulnerable to theft. All you have to do is open it once.
Popular e-commerce website Newegg is the latest victim of cyber attacking by Magecart, according to Volexity, a cyberthreat monitoring firm. Newegg is one in a string of high profile cyber attacks making use of the card skimming code which recently compromised British Airways, Ticketmaster, and Feedify. Most critically, customer names and complete card details were stolen using exploited code between August 16th and September 18th.
T-Mobile customers, your data has been put at risk by your carrier, once again. In what seems like copypasta at this point, a security researcher recently found a bug in a publicly discoverable subdomain on T-Mobile's website that gave anyone access to customer data using just a phone number. It's almost like T-Mobile wants to award those bug bounties.
In the words of a famous disc jockey: "Another one." A young hacker-turned-security researcher in England found a critical vulnerability on T-Mobile's website that basically left records of user logins exposed online for hackers to pillage. The bug was reported and patched in December, and T-Mobile says no customer information was compromised as a result of this flaw.
Android is a hulking beast as far as global user share is concerned — hell, it's the most-used operating system in the world, surpassing even Windows (in terms of internet usage). When Samsung announced that it was creating its own open-source alternative to Google's mobile OS, it was not really a surprise. We've had several upstarts over the years, like Sailfish, Firefox OS, Ubuntu Touch, and so on, but all of them have failed in some form or another. There were a few people, however, who thought Sammy could be the one to unseat Google and Android with a mobile operating system that it called Tizen.
Google started taking security updates much more seriously last year after the Stage Fright vulnerability hit. Samsung followed suit, and even launched a monthly security bulletin mirroring Google's. Now, LG has a security bulletin site where it will post updates on vulnerabilities. First up, the May security bulletin, the most recent one Google has published.
Google released a small update to Android Studio today to address a pair of potentially serious vulnerabilities recently identified in the IntelliJ platform. A blog post on the JetBrains website briefly describes the issues, both of which expose users to attack if they visit a specially crafted web page. The vulnerabilities exist in all versions of Android Studio before v2.1.1 and most or all IDEs based on the intelliJ platform. So far, there have been no reports of malicious attacks exploiting these security holes.
A zero-day vulnerability in the Linux kernel was disclosed a few days ago, and that usually spells bad news for anything based on Linux. That includes Android, of course. When Perception Point announced the exploit (CVE-2016-0728), it claimed 66% of Android devices were affected. Google's Adrian Ludwig says the real number is much, much smaller.
Read update
In a blog post published today by the researchers at Zimperium Mobile Security, the group divulged an extremely widespread security vulnerability that can be exploited with nothing more than a targeted MMS message. The hole exists in the part of the Android operating system called Stagefright, which handles the processing of certain types of multimedia.
Ask anybody that spends time in the security circles and they'll tell you that every large software project is bound to have a few long-standing vulnerabilities in the code. Fortunately, there are usually a few people who are paid to close up those holes so you, the customer, don't find yourself the victim of nefarious evildoers someday. Like so many before it, the latest update to Android came with a boatload of changes, at least one of which fixes a potentially dangerous vulnerability that can be used for numerous attacks, including a way to acquire root.
A very serious security hole has been discovered in Firefox for Android that allows a website to force the browser to download and run potentially damaging files, usually without the user's knowledge or interaction. The vulnerability was first described and demonstrated publicly on September 9th as part of a posting meant to advertise the attack as being for sale. The method for exploiting the weakness simply requires a webserver to instruct Firefox for Android to initiate a download, after which the downloaded file is automatically opened or executed (depending on the file type).
Scary tales about Android malware have been told since before people started guessing what dessert name would start with the letter 'D' (it's "Donut," in case anybody has forgotten.) Most of those claims came and went, amounting to little more than ghost stories. Unfortunately, there are a few real ghouls and goblins for which we should be afraid. Back in February, one such monster was discovered lurking about that allowed modified APKs to be installed on your device while successfully side-stepping the cryptographic signature used to prevent that very thing. The good news: Google and CyanogenMod have closed the loophole on their own ROMs, and OEMs are in the process of doing the same.
Skype released an update to its Android app this morning, remedying the vulnerability which exposed tons of personal info that we revealed last week. Our own Justin Case who originally found the issue has taken a look at the updated version of the app and confirmed that the exploit he developed to demonstrate the vulnerability no longer functions.
Update #1: Skype is investigating the issue, we've been told.