You’ve probably heard about the latest Android vulnerability that apparently affects over 900 million Android devices. It’s called StageFright, and the worry is that malware can be embedded in a video that could then run roughshod in your device without you initiating any action whatsoever. The malware ridden video would be sent by MMS and your device would download it automatically, thanks to the auto retrieve setting being ticked in settings of the messaging app. While most carriers are waiting for phone manufacturers to issue software patches to block the exploit, Germany’s Deutsche Telekom is taking a more pro-active approach by disabling the MMS auto-retrieve function itself.
Earlier today, a massive security exploit involving Samsung’s default SwiftKey keyboard spread across the internet like wildfire showing the dangers of manufacturers pre-loading third-party software on their phones. The vulnerability was pretty obscure and wouldn’t affect everyone with a Samsung device, but it was still a fairly serious exploit Fortunately, Samsung has issued a relatively quick response about the whole situation.
Samsung has stated that they’re working on a fix, and it will be deployed through a security policy update via Knox. The vulnerability was based in how language packs for Samsung’s SwiftKey-backed keyboard were updated, and doesn’t affect the normal version of SwiftKey that you may have downloaded through the Play Store. Read more
Some recent security work on new Samsung smartphones will likely increase the pressure on manufacturers and carriers to dispense with preloading third-party apps. According to security researchers, they were able to figure out a way to deliver a payload capable of executing remote code via the Swift keyboard app that comes pre-installed on new Samsung devices. The vulnerability gives an attacker the ability to run code as a system user, one step shy of being root, and can be launched without input from the device’s user. Read more
Many were concerned with Google’s decision to unbundle WebView from the core system starting with Android 5.0 Lollipop. Older devices would be left behind, too, without updates and that means compromised security. Fortunately, Google has realized so many Android apps take advantage of WebView that it only makes sense to further support. With the latest version of Android, Google will be able to update WebView independently. Right now, developers can join the new beta channel to gain access to new APIs and other items. Developers will be able to become familiar with the updates before users get to see them.
You can join the beta channel of Android System WebView by clicking here.
Source: Android Developers Blog
A new report that surfaced today claims that Google has ended support for WebView on Android devices running Android 4.3 or older, a move that could leave users exposed to malicious attacks. WebView is considered a “core component” of Android and is used by applications to display web pages without opening an actual browser session. Starting with Android 5.0 Lollipop, Google decided to unbundle WebView from the core system so updates could be pushed out via the Google Play Store.
The source of the news regarding a lack of updates for Android versions 4.3 or older came from a response by Google’s Android security team to a report of a bug in the AOSP browser which is based on WebView. According to the response to Joe Vennix of Rapid7 and independent researcher Rafay Baloch: Read more
Security researcher Rafay Baloch released information about a vulnerability in the Same Origin Policy (SOP) protection used by browsers running on Android devices. The SOP is used to stop malicious code from spreading from one site to sites that a user has open in other tabs. According to some sources, this vulnerability is “a privacy disaster.” It appears to be limited to the Android Open Source Platform(AOSP) Browser, which has been replaced by Chrome on more recent builds of Android, and does not impact users on Android 4.4 or higher. Read more
Metasploit, a popular vulnerability testing framework, added a new test module that would allow users to test how vulnerable some versions of the Android browser are to being hacked from shell access, and that’s when this exploit was found in Glass. The exploit would involve a man-in-the-middle hijacking that WebView instance, which wouldn’t be too difficult to do if you’re on a public WiFi or anything that isn’t well secured. At that point, the malicious code could do anything from taking photos with your device to remotely turning on your microphone. Definitely not a good thing. Read more
Earlier this week Gibson Security tweeted some information it claimed could be used to exploit Snapchat enabling malicious hackers to match usernames with phone numbers and build a profile of users. Gibson Security also claimed the security holes could allow for the creation of dummy accounts in bulk. According to Gibson Security, they notified Snapchat of the problems last August, but after not seeing any move to correct an issue that supposedly could be fixed with ten lines of code, proceeded with making the exploit public. Read more
Remember that little vulnerability we heard about on Nexus devices that could be maliciously exploited to cause a device to lock up and reboot? Looks like Google has finally added a fix for that in Android 4.2.2, which should be rolling out fairly soon. There are no other camera improvements or anything like that in this update, but according to the 4.4.2 changelog, there were a handful of things that got patched. The most major one is that SMS exploit, but that doesn’t mean the few other things that were patched aren’t appreciated. If you’re a Nexus user, keep an eye out for this update.
An IT administrator named Bogdan Alecu has discovered that Nexus phones receiving a flood of texts may start to function a little bit differently. The Galaxy Nexus, Nexus 4, and Nexus 5 are all effected by this new exploit that causes those phones to reboot, crash the messaging app, or even disable a network connection. While other devices seem to be safe, Alecu advises that he hasn’t tested many others. The bug is coming from Class 0 SMS messages that are not regularly stored on a handset.
A developer has already taken to the Play Store to release a fix. Class0Firewall is a free app that prevents the Class 0 SMS messages from sending your handset into a tailspin. Google has told PCWorld that they are looking into the issue; however, we have no timetable on when to expect a patch.
Source: DefCamp, Class0Firewall (Play Store)