Drive-by Android Malware Exploits Unpatchable Vulnerability 120
An anonymous reader writes "Attackers have crafted the E-Z-2-Use malware code that exploits a 14-month-old vulnerability in Android devices. The vulnerability exists in the WebView interface a malicious website can utilize it to gain a remote shell into the system with the permissions of the hijacked application. Vulnerable devices are any device that is running a version earlier than 4.2 (in which the vulnerability was patched) which is a staggeringly large amount of the market. The vulnerability is in Android itself rather than the proprietary GMS application platform that sits atop the base operating system so it is not easily patched by Google."
errr that's Unpatched not Unpatchable (Score:3, Informative)
it was fixed in v 4.2 so it is patchable
QED
Cognitive dissonance (Score:5, Informative)
Vulnerable devices are any device that is running a version earlier than 4.2 (in which the vulnerability was patched) which is a staggeringly large amount of the market.
The vulnerability is in Android itself rather than the proprietary GMS application platform that sits atop the base operating system so it is not easily patched by Google.
But apparently not so difficult as to make it impossible? Is there something I don't understand here, or was this summary just horribly written?
Everything old is new again (Score:4, Informative)
Android feels like it is steadily becoming the new Windows.
-- It's showing up everywhere.
-- The version issues hark back to the days of "DLL hell"
-- This drum beat of exploits has a familiar rhythm too.
-- As a multi-platform developer I find I'm always having to reboot my device, and the IDE just to get a clean test run.
Call me a fan boy but iOS is a much better world to work and play in
Tried Cyanogenmod for this very reason (Score:3, Informative)
1) you will have Bluetooth for audio, but not for keyboards, game-controllers (no HID stuff)
2) you will not have IPv6. Not a big deal for most people, but this is News for Nerds
3) returning to a previous WiFi location may require toggling Airplane Mode to get it to reconnect
But for a non-technical person like my wife, using CM11 / KitKat 4.4.2 truly *IS* a viable answer (hahaha - using. Getting to CM11 is most definitely not for her... that's my thing). For the future, Nexus devices or Play devices are likeliest.
If I understand TFA (Score:2, Informative)
the attacker can gain the same access that the Android built in web browser has That doesn't sound that bad on the face of it and you can avoid entirely by using a different browser. It may not get you 100% security from the exploit but should get you pretty near.
Re:Everything old is new again (Score:5, Informative)
Impossible of course [tgdaily.com].
Re:errr that's Unpatched not Unpatchable (Score:5, Informative)
Re:If I understand TFA (Score:5, Informative)
the attacker can gain the same access that the Android built in web browser has That doesn't sound that bad on the face of it
FTFA:
The code exploits a critical bug in Android's WebView programming interface that was disclosed 14 months ago. The security hole typically gives attackers remote access to a phone's camera and file system and in some cases also exposes other resources, such as geographic location data, SD card contents, and address books.
The easiest way to exploit the bug is to lure a vulnerable user to a booby-trapped webpage. Within seconds, the site operator will obtain a remote shell window that has access to the phone's file system and camera. In some cases, the exploit can also be triggered by performing a man-in-the-middle attack while the victim is on an unsecured Wi-Fi network.
I would say this is a big deal.
err not 4.2 (Score:3, Informative)
The still most widely deployed version, 2.3, is fine. At least if you don't run apps with ads, but then, there's no hope left for you anyway.
Nobody mentions which version introduced the bug in the browser, but I'm guessing it's 3.1. But i know very little.
Re:errr that's Unpatched not Unpatchable (Score:5, Informative)
Re:errr that's Unpatched not Unpatchable (Score:4, Informative)
There is an unofficial Cyanogenmod version for my phone - the instructions for installing it is incomplete, and refers to multiple articles that basically lead in circles.