Cloak And Dagger Android Malware Owns Your Device And Your Life


Researchers at UC Santa Barbara and Georgia Tech have published details of a weakness in Android which could allow a hacker to take ownership of your phone, capture all of your input (including PINs and passwords) and make hay with the information captured.

The hack uses two permissions granted by default for Play Store installs and all versions up to and including Android 7.1.2 are affected.

Scary stuff.

Google has apparently updated its Play Store security tool to prevent installation of apps with this exploit, although there's no actual fix to the platform as yet.

This kind of weakness is likely to prove common on the Android platform and is a result of the openness of the platform and the ability to customise or change the way it looks or works to a much higher degree than iOS.

The worry is that if and when Google patches this vulnerability the number of devices which actually receive the update will be virtually none. 

No platform is completely secure, that much has become very clear over the last few years. Without an effective way of getting security updates out to all Android devices quickly and reliably, Google is doing the whole community a disservice.

Especially when you look at the timeline for the release of this news on the team's website. Here you'll find out that the Android team were made aware of this weakness in August last year but marked one attack vector as 'moderate' and one as 'works as intended'. That's some pretty shoddy review process on Google's part considering the potential impact to two billion customers.

And the real kicker, the team were able to deploy a proof of concept app to the Play Store, have it vetted and approved and be available for Android users to download within just a few hours. That POC app didn't even try to hide its malicious intent...

On the plus side, it's highly unlikely your Android phone or tablet has been compromised. That's a very small amount of consolation to take away from this whole mess though.

0 comments: