
Poking Holes In Samsung's Android Security

Posted by timothy
from the ethical-hacking dept.
Orome1 writes "Tired of waiting for Samsung to fix a string of critical flaws in their smartphones running Android, Italian security researcher Roberto Paleari has decided to inform the public about the seriousness of the matter and maybe make the company pick up the pace. Mindful of the danger that the vulnerabilities present to the users if they are exploited by malicious individuals, he decided not to share any technical details, but to just give a broad overview of what their misuse would allow. This includes a silent installation of highly-privileged applications with no user interaction and an app performing almost any action on the victim's phone."

  • by SirJorgelOfBorgel (897488) on Thursday March 21, 2013 @08:36AM (#43233669)

    The Exynos memory bug (often referred to as ExynosAbuse exploit) was released publicly and fixed rather quickly. This seems to be the way for Samsung - responsible disclosure just doesn't work with them. This has been proven time and again.

    • by SirJorgelOfBorgel (897488) on Thursday March 21, 2013 @08:40AM (#43233695)

      After some further investigation, it seems all these exploits are fixed in the latest 4.2 leaked firmware for the SGS3, so ... they're actually fixed, just maybe not rolled out yet.

    • by Andy Dodd (701) <atd7@cCOWornell.edu minus herbivore> on Thursday March 21, 2013 @09:23AM (#43234183) Homepage

      Yup. And look at the eMMC "Superbrick" defect on many of the GS2 family. Many of those devices had a defect in the eMMC wear leveller such that the chip could be unrecoverably corrupted if you issued a secure erase command to the chip. (Probably about a 5% chance of it happening, it's similar if not identical to the defect that hit some of their desktop SSDs in late 2012). Not even JTAG could bring a "Superbricked" device back to life.

      After discovery of exynos-abuse, the only thing standing between Samsung and permanent damage to thousands of devices was the fact that modern blackhats care more about obtaining information (money) than doing damage. Samsung knew about this bug for many months - they were aware of the defect in the eMMC chips as early as Galaxy Nexus prototype development in 2011. Yet they released updates for devices in 2012 with kernels that allowed secure erase through to the eMMC chip. The only safe device was the I9100 - which had MMC_CAP_ERASE removed from the kernel to protect the chip. In June 2012, Samsung publicly acknowledged the bug and claimed to be "working hard" on it - in July 2012 they released updates for the I9100 that turned the MMC_CAP_ERASE flag ON, putting those devices in danger.

      They had an official fix that blocked only secure erase merged into the mainline Linux kernel in September 2012, but not a single affected device had the fix deployed until 2013. Their "stuff takes time to get through carrier testing" line is bullshit. Sprint FI27 was *built* (as in, testing STARTED not ended) on September 27, 2012 (nearly a month after the official fix had been mainlined), and deployed to customers in early-mid October.

      As to the I9100 XWLPM MMC_CAP_ERASE fiasco, Samsung's answer was that the lack of MMC_CAP_ERASE in earlier source code was a mistake and that the source code did not match binaries running on devices (yes, that's right, Samsung's defense was "yeah bitches, we violated the GPL"). The strange thing is, this was one of the cases where Samsung's source actually DID match binaries - not a single I9100 ICS kernel prior to XWLPM and XXLQ5 had MMC_CAP_ERASE turned on. (This was obvious by the fact that no one experienced "Superbrick" on such devices.)

      Samsung's stance was that it was an "open source" problem, but the fact is, with a privilege escalation exploit, any malware could permanently destroy many of Samsung's devices to the point where a motherboard replacement (instead of mere JTAG) was required.

      In short, Samsung's "SAFE" marketing crap is bullshit. "Samsung Approved for Enterprise" - who did the approval? Samsung! Hardly an independent certification authority.

      • by AmiMoJo (196126) *

        You forgot to mention that you need root to issue this command. It's like suddenly panicking because root can overwrite the BIOS or use the ATA password feature to brick your HDD.

        • by koshatul (198070)

          The exynos exploit allowed any application direct write access to all memory (essentially they can become root).

          It was pretty serious and they did take their time fixing it. Still I prefer my Android to an iPhone.
          There were third-party fixes for the exynos exploit as well, but a user shouldn't be expected to know that.

        • by Andy Dodd (701)

          What part of "Samsung's stance was that it was an "open source" problem, but the fact is, with a privilege escalation exploit, any malware could permanently destroy many of Samsung's devices to the point where a motherboard replacement (instead of mere JTAG) was required."

          Exynos-abuse is a perfect example of such an exploit. ANY application could get root access with ZERO user interaction. The very article we are discussing is talking about privilege escalation exploits.

    • by fermion (181285)
      This has been going on long before the smart phone, or even when it was common for people to have mobile phones.

      The only way to prove, and the only thing to do when a developer refuses to fix a bug, is to put the exploit in the wild. This is the only way to prove the exploit actually works in the real world. Until this happens the developer can just say it is a theoretical problem with no practical route to success, and as such does not warrant the resources necessary. Once the exploit is wild, however, t

  • by Anonymous Coward

    I still can't use my phone as a WiFi access point without paying an additional $10-$20 per month.

    On the other hand, I doubt that the rhinestone case crowd will care about this much/at all.

    • by tepples (727027) <<tepples> <at> <gmail.com>> on Thursday March 21, 2013 @09:16AM (#43234087) Homepage Journal
      Anonymous Coward wrote:

      I still can't use my phone as a WiFi access point without paying an additional $10-$20 per month.

      That's an ISP problem more than an Android problem. During this transition from 2G to 3G to 4G-lite,* wireless carriers rely on subscribers not using all their monthly megabytes, and subscribers who use multiple devices on one plan tend to use more megabytes per month than subscribers who do not. Even a phone that obeys its owner (that is, one with a custom ROM) can't hide tethering-like behavior unless you run everything through a VPN. Carriers are reported to use traffic to Internet sites that host desktop OS updates, antivirus updates, and desktop application updates as evidence of tethering. By the time you've paid extra for a higher cap and paid extra for a VPN so that the ISP doesn't see what you're visiting, you might as well have paid for the tethering rider.

      * "Lite" because LTE isn't really 4G.

      • by TyIzaeL (1203354)
        I get by by running a VPN server at my house and then connecting to that while I'm on the go.
        • by tepples (727027)

          server at my house

          For one thing, running a server at your house requires that your home ISP's terms of service allow running a server accessible from the public Internet. A lot of ISPs don't allow those on home SLAs. For another, when you bounce off a VPN at home, you're still transferring a larger volume of data per month when you tether than when you don't. How did you manage to work through those issues?

    • by Krojack (575051)

      If you're still on Verizon unlimited then this is the case (unless you root). If you're on a 2 or 4 gig then you should raise hell and threaten to contact the FCC.

  • by Silentknyght (1042778) on Thursday March 21, 2013 @08:47AM (#43233755)

    Say what you will about Apple & the iPhone, but I appreciate the tight integration of OS & hardware and their desire to provide a consistent & reliable user experience. I own and use a (Sprint) Samsung Galaxy S2 Epic 4G Touch, and it was a series of broken promises on ever getting ICS. When finally rolled out, it wasn't the true android experience, but some half-baked Samsung-proprietary interface aka "Touchwiz." Great, that wasn't what I was sold when I purchased the device. I want android, not Samsung's half-baked, bug-filled, garbage-software-filled version of it.

    Eventually, I rooted and installed JB, because Samsung sure as heck wasn't going to do that. And then, as you venture deeper into the rooting environment, you find out a bunch of hardware/software issues directly caused by Samsung, including but not limited to the EMMC super-brick bug. These security issues in TFA are just more of the same. For me, their handling of their android phones and my experience with them has tarnished their image across their entire product fleet. Will I buy a Samsung brand washer/dryer? There's a lot of digital tech in even washing/drying machines nowadays. Before this, their name wasn't an issue. Now, maybe I consider some other brand.

    • I swore off Samsung a few years ago when the 2.5 year old HDTV I had paid $1400 for died, and they wanted as much to repair it as a new TV would cost. Their products are shoddily made, and they don't stand behind them. They could produce the snazziest Jesus phone on the market and I wouldn't touch it with a ten foot poleaxe.

      • Given your animosity, I say you would want to touch it with a ten foot poleaxe.

      • by alen (225700)

        are you one of these crazy old people who still repairs stuff?

        always cheaper to buy new these days. and a lot of times you can buy a better TV or whatever for the price to repair or replace

        • by Nerdfest (867930)

          It's currently the trend to throw things out and replace them but it's not particularly environmentally responsible.

          • by exomondo (1725132)

            It's currently the trend to throw things out and replace them but it's not particularly environmentally responsible.

            And repair isn't economically viable, so make your choice.

            • by Nerdfest (867930)

              If I ran the world (and I really think I should), I would make manufacturers responsible for environmentally responsible disposal of their products, making it more worthwhile to repair things.

        • by Waffle Iron (339739) on Thursday March 21, 2013 @09:33AM (#43234323)

          are you one of these crazy old people who still repairs stuff?

          I am. I have a ~7 year old Samsung 1600x1200 monitor that still looks nice. I like this form factor, and it's hard to get in these days of HDTV LCDs. Unfortunately, Samsung was known for using shoddy capacitors in that time period, and a few years ago my monitor started blacking out shortly after power up.

          I found a video on YouTube where they showed how to fix my exact model, and I fixed mine with $5 of new caps. Now it's still going strong.

          • by TheGratefulNet (143330) on Thursday March 21, 2013 @09:59AM (#43234701)

            it would be hard to find someone who does NOT use cheap 'china caps' inside instead of proper panasonic (japan) or nichicon or any of the other *reliable* electrolytic makers.

            badcaps.net is informative for those that have not heard of this 15+ yr old problem in the parts industry. worldwide! china fucked the world on this and we're still paying with blown caps on nearly everything that uses them.

            buy the parts from known places (digikey, mouser, newark, jameco, etc) and you'll get guaranteed real parts, not fakes. even the vendors who build boards tend to use fake caps (bad formula) and they last about a year before they fail.

            • by Anonymous Coward

              This is mixing the circa 2000 bad cap plague with the circa 2007 problem. The difference doesn't summarize easily, but for the interested there's a pretty reasonable attempt at wikipedia.
              http://en.wikipedia.org/wiki/Capacitor_plague

              Both have some overlap with, but are not the same thing as, the problem of fake parts. These days automated x-ray machines that run through your reels of components looking for fakes are pretty common. Things are bad. Digi-mouser et al do try hard and are good about returns, but

        • by Trogre (513942)

          Are you one of those thoughtless young people who throws stuff away when it no longer satisfies your whims?

      • Re: (Score:1, Flamebait)

        by rasmusbr (2186518)

        I swore off Samsung a few years ago when the 2.5 year old HDTV I had paid $1400 for died, and they wanted as much to repair it as a new TV would cost. Their products are shoddily made, and they don't stand behind them. They could produce the snazziest Jesus phone on the market and I wouldn't touch it with a ten foot poleaxe.

        True, but much of the same could be said about Apple.

        IIRC Apple's 30" $3000+ monitor shipped with a 1 year warranty (seriously?!). Apple has also, going on for years and years, routinely offered customers to pay extra upfront for warranty/insurance beyond the first year in markets where the law says you have to have more than 1 year of warranty on electronics.

        Apple Jesus is a bit like Catholic Jesus. They know you'll come back even if you occasionally a**rape some of them...

        • by the_B0fh (208483) on Thursday March 21, 2013 @01:18PM (#43237165) Homepage

          Funny how in a thread about Samsung, someone must come out and say "but Apple also sucks" like this then makes it all better.

          And comparing Apple to rape is a bit much, isn't it?

          And all the idiot moderators that modded this interesting, WTF are you smoking?

          • by rasmusbr (2186518)

            Okay, I have to say in retrospect I am sorry if anyone who's actually been the victim of or otherwise afflicted by rape read my comment and felt that it diminished their suffering.

            The thing is though, any discussion about the merits and flaws of one company's offering is always going to become about that and its competition and Apple is a company that should expect harsh criticism, not so much for its practices in the west, but for the repeated allegations that it has been looking aside from what's happen

            • by the_B0fh (208483)

              Then perhaps you should educate yourself first before making allegations that are untrue? Apple has raised working conditions at their factories far above most others.

              You can do a simple google search and find articles and interviews where factory workers are bitching about not being able to work overtime - a lot of them work for 3-4 years, and take their savings back to their village and can start their own small business, buy a home, and get married.

              Just a comparison - in China, an Apple factory worker m

              • by rasmusbr (2186518)

                Well, my understanding is that the working conditions have improved from outright dangerous to merely bad, which is par for the course in poor countries (and arguably better than subsistence agriculture) but certainly not something to be proud of for a market leading company with a profit margin above 20%.

                Where did you find the salary figures? I guess $700 would be about median wage in China, which would be fantastic for a manual worker, but I doubt anyone who works at the factory floor actually makes anywh

      • by mk1004 (2488060)
        Repair it yourself. I fixed an off brand HDTV's power supply awhile back. Repaired, not replaced. Took a few hours, including driving to get some replacement components. The cost of gas was more than the parts. If you repair it yourself, maybe you'll appreciate how long it takes to fix electronic equipment today. Even ignoring the cost of replacement assemblies, a few hours of labor charges and you will have paid for a brand new TV. This issue is not limited to Samsung either.
      • by Krojack (575051) on Thursday March 21, 2013 @09:32AM (#43234305)

        I had problems start with my Samsung TV. It would take 10 minutes to turn on. Just sit there clicking on, off, on, off. I called Samsung and it was a known problem. They contacted a local repair shop and had the shop come out to my house and fix it THAT NIGHT. Zero cost to me.

        • by CCarrot (1562079)

          I had problems start with my Samsung TV. It would take 10 minutes to turn on. Just sit there clicking on, off, on, off. I called Samsung and it was a known problem. They contacted a local repair shop and had the shop come out to my house and fix it THAT NIGHT. Zero cost to me.

          Ditto for our 5 year old (at the time) 52" Samsung LCD TV. It wasn't quite the next day, but definitely within a week of us calling them they had a local contractor come by, and he fixed it right in our living room in about an hour, soldering and all. No bill for us, because it was a known capacitor issue, and it's worked great ever since.

          That's a big part of why our new 65" LED is also a Samsung :o)

        • by rsborg (111459)

          I had problems start with my Samsung TV. It would take 10 minutes to turn on. Just sit there clicking on, off, on, off. I called Samsung and it was a known problem. They contacted a local repair shop and had the shop come out to my house and fix it THAT NIGHT. Zero cost to me.

          Similar problems with my Samsung monitor - it has serious issues switching between input sources (HDMI, D-SUB) and sometimes would get confused to where it required a shutoff and cooldown for a few min before reuse - a major pain switching between my work and home laptops which use different sources respectively.

      • Is there a company out there that charges you reasonable prices for repair on consumer electronics? Not to excuse samsung, just saying if I swore off all brands that tried to keep you tossing out slightly broken electronics, I feel like I'd have to go Amish.
      • I swore off Samsung a few years ago when the 2.5 year old HDTV I had paid $1400 for died, and they wanted as much to repair it as a new TV would cost. Their products are shoddily made, and they don't stand behind them. They could produce the snazziest Jesus phone on the market and I wouldn't touch it with a ten foot poleaxe.

        I agree that a TV should not fail after 2.5 years but Samsung's warranty on TVs is for 1 year, similar to all other manufacturers. Name me one TV manufacturer that would fix a 2.5 year old TV for free? You do realize that TVs are deliberately built to last 3 to 5 years? and that it has cost more to repair a TV than buying a new one for the last 10 years or more? and you blame Samsung because you gambled on the manufacturers warranty and lost?

        The warranty period on all electronics has been reduced to s

        • by GreatDrok (684119)

          "I agree that a TV should not fail after 2.5 years but Samsung's warranty on TVs is for 1 year, similar to all other manufacturers. Name me one TV manufacturer that would fix a 2.5 year old TV for free? You do realize that TVs are deliberately built to last 3 to 5 years? and that it has cost more to repair a TV than buying a new one for the last 10 years or more? and you blame Samsung because you gambled on the manufacturers warranty and lost?"

          In New Zealand, we have a little law called "The Consumer Guaran

          • "I agree that a TV should not fail after 2.5 years but Samsung's warranty on TVs is for 1 year, similar to all other manufacturers. Name me one TV manufacturer that would fix a 2.5 year old TV for free? You do realize that TVs are deliberately built to last 3 to 5 years? and that it has cost more to repair a TV than buying a new one for the last 10 years or more? and you blame Samsung because you gambled on the manufacturers warranty and lost?"

            In New Zealand, we have a little law called "The Consumer Guarantees Act" which means that even if a manufacturer only puts a 1 year guarantee on a TV, it is expected to last a fair and reasonable time for a device costing upwards of $1000 and that means (in the eyes of the law) ten years.

            After reading your post, I did some research and found this on ConsumerReports.org. They say that there is an implied warranty on most items of 4 years in the US. However, you may have to sue to assert your rights. Even so, it's obvious that some countries have much stronger consumer protection laws than the US.

            - - -

            Your refrigerator dies three months after the manufacturer's warranty expires. The store and manufacturer say you have to pay to get it fixed.

            The law

            The Uniform Commercial Code, fully adopted

    • Look for Nexus (Score:5, Insightful)

      by tepples (727027) <<tepples> <at> <gmail.com>> on Thursday March 21, 2013 @09:03AM (#43233941) Homepage Journal

      When finally rolled out, it wasn't the true android experience, but some half-baked Samsung-proprietary interface aka "Touchwiz."

      Lesson learned: If you want a full-baked true Android experience, always look for the word "Nexus".

      • Re:Look for Nexus (Score:4, Insightful)

        by Silentknyght (1042778) on Thursday March 21, 2013 @09:35AM (#43234349)

        Lesson learned: If you want a full-baked true Android experience, always look for the word "Nexus".

        Agreed, that is the lesson I've learned.

        • by Threni (635302)

          And who makes the best Nexus devices...

          • by Andy Dodd (701)

            Currently - LG and Asus.

            • by Threni (635302)

              Took me 3 attempts to get a working nexus 7. I know several other people who had identical problems. Shit build quality and testing. Google's customer support in the UK is shit too, as is the courier company they use. I understand you can actually buy nexus 4s here now though. Let's hope the battery, NFC and touch screens work on them.

              • by Andy Dodd (701)

                I admit I still need to return my Nexus7, headphone jack is busted. Other than that it's perfect.

                My Nexus 4 has no issues, but I was not one of the people who joined in on the launch day zerg - mine was ordered sometime in Jan or Feb.

                First few batches of any device are almost always problematic.

    • by Anonymous Coward

      I got a Samsung UE40ES6710 Smart TV and once again the problem is the software. It's ridiculously buggy. It's not uncommon having to reboot it... Reboot a fucking TV!!!

      • by Ancil (622971)

        Never ever ever buy a smart TV.

        TVs should be beautiful and dumb as dirt. They should be like a computer monitor: turn on when they sense a video signal. That's all the smarts they need.

        Seriously, why would anyone ever want to build things like Netflix streaming and who-knows-what-else into a TV? What happens next year when you want to switch to Amazon's service, or Google's, or Apple's, or...? And your TV doesn't support it? What, buy a new TV??

        You think a TV manufacturer is going to be Johnny On The

    • by Krojack (575051)

      When finally rolled out, it wasn't the true android experience, but some half-baked Samsung-proprietary interface aka "Touchwiz."

      Welcome to EVERY non Nexus phone buddy. If you don't like it then root it and put CM10.x on the device.

      I will admit, Touchwiz is better than HTC Sense.

    • by yosifkit (2488062)

      I own and use a (Sprint) Samsung Galaxy S2 Epic 4G Touch, and it was a series of broken promises on ever getting ICS.

      Ever tried another Android device like Motorola, HTC, Sony, Acer, Asus, Amazon, Barnes & Noble, Toshiba, or ViewSonic? All of them add their own crap to Android to differentiate themselves instead of focusing on the hardware and updates. They all promise to do updates and then never deliver. It would be much easier if they did not spend all their time developing things to replace core features of Android (Samsung and their crappy SMS replacement with custom Applesque "notifications"). The fact that

    • by GreatDrok (684119)

      Having bought a few pieces of Samsung gear myself, I'm not in the least surprised. It was a blu ray player that did it for me - they pushed out a firmware update that knocked the sound out of sync and then didn't release a fixed one. Ever as far as I know because I got sick of waiting months and not being able to watch a film so I returned the player, it was replaced with another of the same model which didn't have the audio sync problem until I tried to play a new BD and then it insisted I had to update

    • by thegarbz (1787294)

      When finally rolled out, it wasn't the true android experience, but some half-baked Samsung-proprietary interface aka "Touchwiz." Great, that wasn't what I was sold when I purchased the device. I want android, not Samsung's half-baked, bug-filled, garbage-software-filled version of it.

      Erm nice try, but let me educate you a bit. Touchwiz is the home launcher and app drawer interface. It has nothing to do with the underlying Android system and is simply the app that shows you the home screen. EVERY Samsung phone uses Touchwiz including the ones running Bada instead of Android. This is what you're paying for when you buy a Samsung phone.

      This is what you pay for when you buy a Samsung phone, value added features. Samsung had face detect before it was rolled into Android 4. Samsung had voice

  • by synapse7 (1075571) on Thursday March 21, 2013 @08:54AM (#43233815)

    the network carriers approve a security patch seems to be a very, VERY, long time!

    Do not use ROMs dependent on the carriers.

    • by Elbart (1233584)
      Factory-unlocked don't get updates before the local carriers got theirs for the locked handsets.
  • by SpinningCone (1278698) on Thursday March 21, 2013 @09:02AM (#43233913)

    "any patches [Samsung] develops must first be approved by the network carriers."

    Well there's your problem. if I had to call up my ISP every time I wanted to patch windows I'd be screwed.

    • by tepples (727027) <<tepples> <at> <gmail.com>> on Thursday March 21, 2013 @09:07AM (#43233973) Homepage Journal
      PCs don't require the user to bring in the computer to have it reprogrammed to use a different ISP. CDMA2000 without CSIM, the typical setup on U.S. prepaid carriers such as Ting and Page Plus, does.
      • by Anonymous Coward

        PCs don't require, yet, the user to bring in the computer to have it reprogrammed to use a different ISP. CDMA2000 without CSIM, the typical setup on U.S. prepaid carriers such as Ting and Page Plus, does.

        FTFY. Give them enough time and the trend will eventually spread to tablets, netbooks, laptops and (why not?) even desktops.

      • by wbr1 (2538558) on Thursday March 21, 2013 @10:01AM (#43234743)
        Forgive typos, I'm on a touch screen.
        All of these issues, carrier lock, CDMA reprogramming and carrier approval of roms, and unpatched bugs have one root. The fact that most people do not care as long as they can make phone calls, email, and whatever their app du jour is. We that care about security, openness and gpl, getting software updates in a timely fashion, we are a small fraction of the market and no matter how vocal we are here, we are no threat to profit. You, the early adopter, the bleeding edge techie, you have been marginalized by greed. Welcome to now.
    • by gstoddart (321705)

      Well there's your problem. if I had to call up my ISP every time I wanted to patch windows I'd be screwed.

      Well, this is because the carriers all want to make sure to inject their own shit to monetize everything.

      The carriers want to put on their stuff to sell you ring tones, apps, and generally make sure your bill is as high as they can manage.

      They don't care about your security. On my HTC Android phone, I had to go through and disable a lot of the crap my carrier put in because I was never going to use it

    • And why does it take so long for the carriers to sign off on them anyway? How long does it take to make sure people on stock roms won't be able to tether for free?
    • by Mr_Silver (213637)

      Well there's your problem. if I had to call up my ISP every time I wanted to patch windows I'd be screwed.

      Part of the problem also comes from the support model. If you have a problem with Windows or your Dell PC, you don't call your ISP and expect them to resolve it.

      Yet in the phone world, if you have a problem with Android or your Samsung hardware you call Verizon/Sprint/etc.

      The last two (European) carriers I worked for would have more than happily passed handset customer support to the OEMs but, unsurpris

  • Revealing security flaws in Western businesses is automatic jail time lately...
    • Revealing security flaws in Western businesses is automatic jail time lately...

      Yeah, they've really worked hard to round up the evasi0n team...

  • F-Secure reports that in the fourth quarter of last year, 96% of all mobile malware was directed to Android. They also report that 0.7% targeted iOS.

    Most users do not have an updated version of Android to update to that is made available from their carriers.

    Trend Micro’s mobile app reputation service has analyzed over 2 million mobile app samples collected from around the world and 293,091 of them have been classified as outright malicious. Almost 69,000 of those were sourced directly from Googl

    • by Pubstar (2525396)
      And most of those apps are from unsigned app stores or are sideloaded. Sure, there are some in the main app store, but the problem isn't as big as you're making it out to be.
      • If almost 69,000 were from Google Play, and they have around 700,000 apps total, that would mean that approx 9.8% of the apps in the Google store are infected.
    • I dabble in Android security myself, I just want to point out that every single app I have encountered that Trend Micro flagged has been a false positive warning about an exploit that isn't actually present. The cause of this appears to be that those apps include files or snippets of code also used by some well known exploits, but by themselves are not harmful. Rookie mistake.

      Note that if you search well, you will find various security folk slamming Trend Micro all over the place. As such, I wouldn't put to

  • Not fixing their execution of Android gives them an excuse to replace it with their own proprietary OS (including a locked down boot loader). At the very least, the anti-freedom US carriers would cheer such a move.
  • it's necessary to root your phone in order to change the hosts file.
