Motorola launching Stagefright fixes, but no word on future strategy

motorola_moto_g_2015_top_right_view_TA

Motorola has announced their plans to address the Stagefright video security flaw on their devices. According to Motorola, the fix will be made available for all devices produced from 2013 onward. This will include devices like the original Moto X and the Droid line of devices produced for Verizon. Although no timeframe other than “soon” is given, Motorola also said the new Moto G that just started shipping after Motorola’s launch last month will get the fix. Motorola plans to release the upcoming Moto X Style and Moto X Play with the patch already applied out of the box. Read more

Samsung prepping security update for SwiftKey keyboard vulnerability

Samsung_Galaxy_S6_Edge_Right_Edge_Slanted_01_TAEarlier today, a massive security exploit involving Samsung’s default SwiftKey keyboard spread across the internet like wildfire showing the dangers of manufacturers pre-loading third-party software on their phones. The vulnerability was pretty obscure and wouldn’t affect everyone with a Samsung device, but it was still a fairly serious exploit Fortunately, Samsung has issued a relatively quick response about the whole situation.

Samsung has stated that they’re working on a fix, and it will be deployed through a security policy update via Knox. The vulnerability was based in how language packs for Samsung’s SwiftKey-backed keyboard were updated, and doesn’t affect the normal version of SwiftKey that you may have downloaded through the Play Store.  Read more

Third-party app exploit reveals remote code attack vector on Samsung smartphones

Samsung_Galaxy_S6_Edge_Right_Edge_Slanted_01_TA

Some recent security work on new Samsung smartphones will likely increase the pressure on manufacturers and carriers to dispense with preloading third-party apps. According to security researchers, they were able to figure out a way to deliver a payload capable of executing remote code via the Swift keyboard app that comes pre-installed on new Samsung devices. The vulnerability gives an attacker the ability to run code as a system user, one step shy of being root, and can be launched without input from the device’s user.  Read more

Flaw in Marriott app puts company back in the news and not in a good way

marriott_logo

Marriott has recently been in the tech news lately due to plans to block customers’ personal Wi-Fi hotspots when visiting one of the company’s properties. That move earned them a lot of negative press and pressure from the likes of the FCC and eventually caused them to reverse their course. Now it has been discovered that Marriott’s app for Android may have exposed customer data, including credit card information, to possible attack and pilfering ever since its launch in 2011. The flaw was discovered by Randy Westergren, a senior software developer with XDA-Developers, who also found a major hole in Verizon’s mobile app. Read more

New Android vulnerability described as “a privacy disaster”

android-bug2

Security researcher Rafay Baloch released information about a vulnerability in the Same Origin Policy (SOP) protection used by browsers running on Android devices. The SOP is used to stop malicious code from spreading from one site to sites that a user has open in other tabs. According to some sources, this vulnerability is “a privacy disaster.” It appears to be limited to the Android Open Source Platform(AOSP) Browser, which has been replaced by Chrome on more recent builds of Android, and does not impact users on Android 4.4 or higher. Read more

Researchers claim discovery of new Android VPN vulnerability

Android Security

Researchers at the Ben Gurion University Cyber Security Lab are back in the news with a claim that they have discovered a new vulnerability in the Android implementation of VPN. According to the researchers, the exploit would allow a malicious app to bypass an active VPN connection and redirect traffic to a different server. The vulnerability can supposedly be installed without root access and does not need any specific VPN permissions. When the data is redirected by the malicious app, it can be sent unencrypted to a target server without the user being aware the data is being redirected.

Read more

Starbucks app stores personal information in plain-text format

Starbucks_Logo_Store_Front

If you use the official Starbucks mobile payment app, you may want to reconsider. According to security researcher Daniel Wood, the application stores information like your email address, password, and GPS location and an unencrypted plain-text format. Anyone who has access to your phone could do a bit of work to steal that information, which is not something you want someone else to have access to. Even worse, because the app makes payments using an on-screen barcode, that barcode method could be manipulated to suck money out of your bank account.

Fortunately, someone would need access to your phone to get this information, but it’s still a vulnerability that you should be aware of. Hopefully Starbucks addresses this soon.

source: Computer World

via: Engadget

Samsung issues response to recent claims of KNOX vulnerability

samsung_knox_logo

Last month security researchers from Ben-Gurion University Cyber Security Labs claimed to have discovered a vulnerability in Samsung’s KNOX security platform. Samsung has issued a statement regarding the claims, indicating the issue identify by the Ben-Gurion researchers was really a classic Man in the Middle (MitM) attack and not a bug or flaw in KNOX or Android. Samsung indicates they reached out and discussed the issue with the security researchers  and were able to verify that the exploit that was identified exists as it “uses legitimate Android network functions in an unintended way to intercept unencrypted network connections from/to applications on the mobile device.” Read more

Security researcher highlights risks of Google’s weblogin for one-click authentication in Android

defcon_craig_young

At the recently held Def Con 21 security conference in Las Vegas, security researcher Craig Young with Tripwire demonstrated a proof of concept for a vulnerability in the way Android handles one-click authentication for web sites and apps. The authentication method is called “weblogin” and works by generating a unique token that is used to directly authenticate users via their Google+ accounts. Young’s proof of concept demonstrated how a rogue app could steal the weblogin tokens and redirect them to an attacker. Once they have the tokens, attackers could then impersonate victims with a variety of Google services like Gmail, Google Apps, Drive, Calendar and Voice. Read more

New major security threat for Android devices revealed, but Google already has a patch in place this time

android_trojan

After all the commotion about the latest major security vulnerability to Android devices, you would think things on the security side of the platform would quiet down for a bit. However, that’s not the case, as a Chinese site has posted details about an application exploit similar to Bluebox’s earlier revealed loophole that would allow apps to avoid signature verification to run malicious code on an Android device.  However, the vulnerability was found in older code that was replaced with a security fix, so Google was already aware of the problem and has patched it up as soon as they were made aware of it. It may take awhile for that type of security patch to hit devices in the wild, but like the Bluebox vulnerability, Google has done all they can to take care of things on their end.

If you want to read up on the specifics of the vulnerability, hit the links below. It’s a pretty small, complicated vulnerability that would be pretty tricky for malware to pull off on most devices, but it’s interesting nonetheless.

source: Sina Blog

via: Android Police