Most active commenters

    ←back to thread

    Google confirms Android attacks; no fix for most Samsung users

    (www.forbes.com)
    208 points mohi-kalantari | 14 comments | 08 Dec 25 16:32 UTC | HN request time: 1.479s | source | bottom
    1. baal80spam ◴[08 Dec 25 17:13 UTC] No.46194865[source]
    This requires user action, right? User needs to install the APK by hand? In other words - if I don't install any crap on my phone I am safe?
    replies(4): >>46195501 #>>46196376 #>>46197180 #>>46197361 #
    2. bigbadfeline ◴[08 Dec 25 18:00 UTC] No.46195501[source]
    > if I don't install any crap on my phone I am safe?

    We don't know. Practically no technical information is released about the bug, for what I care any play store app may exploit this at one time or another and there's no way to know. It's not like everyone and their CFO are shy of exploiting any user data they can get their greedy hands on.

    replies(1): >>46197266 #
    3. pajko ◴[08 Dec 25 19:15 UTC] No.46196376[source]
    Both mentioned CVEs seem to be about local privilege escalation. So basically yes, if you don't install crap apps, there's a high chance that you are protected. Problem is that it might not seem to be a crap app, but a nice-looking game, etc. Also an attack can come in with an update of any app you have already installed on your phone.
    replies(2): >>46196813 #>>46198976 #
    4. ajross ◴[08 Dec 25 19:57 UTC] No.46196813[source]
    The point was surely more that apps being exploited via the Play Store can be mitigated there without client OS updates. The only hole here requiring the update needs a sideloaded attack.
    replies(1): >>46200169 #
    5. londons_explore ◴[08 Dec 25 20:25 UTC] No.46197180[source]
    Whilst the play store supposedly scans all apps for malicious behaviour, it's pretty easy to detect the test environment they use for testing and make malicious behaviour only trigger in situations Google doesn't test - eg. 5 days after installation, only if the device IP address changes at least once.
    replies(1): >>46197890 #
    6. ActorNightly ◴[08 Dec 25 20:33 UTC] No.46197266[source]
    CVE records are public. All info is there.
    7. ActorNightly ◴[08 Dec 25 20:40 UTC] No.46197361[source]
    Yes (with caveats)

    In todays world, web based exploits are pretty rare. The only time you really see this happen is with full proprietary systems like IPhones because the software stack on those is all intertwined between kernel code and user code, and things like sending a text message with some formatted characters can lead to reboots of phones. But even then, to gain a full command line shell or steal secrets is either impossible due to attack surface, or requires the phone to be in a specific state, like fully factory reset.

    The only real danger is chains of trust being compromised, as in some attacker manages to insert malitious code into an already trusted app that uses these exploits.

    On a side note i get kick out of reading HN comments about exploitation and hacking. I think people firmly believe that with enough time, a hacker can figure out how to basically take over your phone given any exploit, no matter what it is.

    replies(1): >>46205786 #
    8. usrusr ◴[08 Dec 25 21:29 UTC] No.46197890[source]
    I'd imagine the dalvik part to be pretty open to static analysis?

    On the desktop JVM, I've seen bytecode that decompiled to a form more readable than the original source I got access to later...

    replies(1): >>46202869 #
    9. QuadmasterXLII ◴[08 Dec 25 23:11 UTC] No.46198976[source]
    Threat model is probably third party ad and tracking libraries that pay to get into apps. If I caught it, I'd expect it to be from an app to use a parking deck, a colorful desk lamp, an otoscope etc where the developers sold out years ago
    10. array_key_first ◴[09 Dec 25 01:21 UTC] No.46200169{3}[source]
    Except the Play Store is a hot mess, and Google does little to no review of apps. Trusted repositories work best when the repository maintainers build and read the code themselves, like on f-droid or Debian. What Google and Apple are doing with their respective stores is security theater. I would not be surprised if they don't even run the app.
    replies(1): >>46200631 #
    11. ajross ◴[09 Dec 25 02:37 UTC] No.46200631{4}[source]
    Again though, that's mixing things up. The question is whether or not mitigating the exploit requires an OS patch be applied promptly.

    And it seems like it doesn't. If there is a live exploit in the wild (as seems to be contended), then clearly the solution is to blacklist the app (if it exists on the store, which is not attested) and pull it off the store. And that will work regardless of whether or not Samsung got an update out. Nor does it require an "audit" process in the store, the security people get to short circuit that stuff.

    replies(1): >>46205621 #
    12. londons_explore ◴[09 Dec 25 09:07 UTC] No.46202869{3}[source]
    Yes, but the JVM allows so much use of reflection that it's easy to hide an interpreter and then hide everything else from any static analysis.
    13. array_key_first ◴[09 Dec 25 15:00 UTC] No.46205621{5}[source]
    I think it does - playing wack-a-mole with apps using frail heuristics is just not a reliable approach.
    14. subscribed ◴[09 Dec 25 15:15 UTC] No.46205786[source]
    Oh, but they will, given enough time.

    Remember Kevin Mitnick's most successful approach, social engineering :)