News  Android
Android Task Hijack

Android on the ropes ... again

Oh man, is Android taking a battering at the moment. Right after the infamous Stagefright bug, and its botched fix, we have the Android Task Hijack bug, which this time puts every single release of Android at risk.

The exploit was presented at the USENIX Security 15 conference in Washington DC recently and is detailed in a PDF. Proof-of-concept demonstrations were shown which could result in UI spoofing, denial-of-service and user spying attacks.

The 5-man team from Pennsylvania State University who discovered the vulnerability have notified Google.

Monkey facepalm

If at first you don't succeed...

Google just rushed out a fix for the notorious Stagefright bug but in its haste appears to have missed something critical, leaving even "fixed" devices still open to attack. That's the finding from Exodus Intelligence, who have detailed the code provided in the patch, along with the vulnerability which was missed.

Google rolled out their patch to 950 million devices this week but it looks like they'll have to do it all over again once they've wiped the egg from their face. Exodus said "Google employs a tremendously large security staff, so much so that many members dedicate time to audit other vendor’s software and hold them accountable to provide a code fix within a deadline period. If Google cannot demonstrate the ability to successfully remedy a disclosed vulnerability affecting their own customers then what hope do the rest of us have?"

Google in "World's largest" software update

The Stagefright attack is the nightmare perfect storm for smartphone users because it doesn't need the user to do anything to succeed. Most exploits need a user to at least install something first to compromise their handset, and users are duly warned constantly against using apps from untrusted sources. The Stagefright vulnerability, however, was baked in from the day the smartphone left the factory door, which means it's up to the manufacturer to fix it. Google have announced they are about to do this for all current Nexus models, which is easier for them since they directly control the OTA updates for those, and in partnership with all the major manufacturers in what has been dubbed the "World's largest software update" of just under a billion devices.

Google starts an Android bug bounty

Google Announces Android Security Rewards

Fancy a cool $40,000? Google will pay up to that much if you disclose a new critical flaw in Android. Also, in recognition of many weaknesses being found in older libraries, they have announced a program to discourage developers from using them.

Naturally, there are a few conditions - for a start, they must be found in the current Nexus device line-up. That's not too surprising, since those are the only "pure" Android devices in the wild which Google directly controls. They are in effect saying the carriers are responsible for any non-core Android bugs.