Millions of Android phones at risk from software installed by handset makers: Read more: http://www.dailymail.co.uk/sciencetech/article-3189613/Millions-Android-phones-risk-software-installed-handset-makers-Certifi-gate-flaw-let-hackers-listen-conversations-steal-data.



Millions of Android phones could be easily hijacked using software
that was installed on them by their manufacturers, hackers have claimed.
The same ‘remote support’ apps loaded on phones and tablets made by HTC, LG, Samsung, and ZTE and many other manufacturers are vulnerable to the hack.
The apps are given special access to the phone, using digital certificates, which hackers can break into and then use.
Exploiting the privileges could let people ‘steal personal data, track device locations, turn on microphones to record conversations’, according to Check Point, the security firm that found the hack have named it it ‘Certifi-Gate’.
The Check Point mobile threat research team disclosed its findings at a briefing session at Black Hat USA 2015 in Las Vegas, and describe it as ‘a previously unknown vulnerability in the architecture of popular mobile Remote Support Tools (RSTs) used by virtually every Android device manufacturer and network service provider.’
The affected companies have been notified about the hack and are pushing out fixes, according to Check Point.
However, the problem can only be fixed with a security update.
Check Point has made an app that will check whether phones are vulnerable to the hack and whether they have been infected.
‘The issue they’ve detailed pertains to customisations OEMs make to Android devices and they are providing updates which resolve the issue,’ a Google spokesperson told Dailymail.com.
‘Nexus devices are not affected and we haven’t seen attempts to exploit this.’
‘In order for a user to be affected, they’d need to install a potentially harmful application which we continually monitor for with VerifyApps and SafetyNet.
‘We strongly encourage users to install applications from a trusted source, such as Google Play.’
It comes as Google and Samsung said they will release monthly security fixes for Android phones, a growing target for hackers, after the disclosure of a bug designed to attack the world’s most popular mobile operating system.
The change came after security researcher Joshua Drake unveiled what he called Stagefright, hacking software that allows attackers to send a special multimedia message to an Android phone and access sensitive content even if the message is unopened.
‘We’ve realized we need to move faster,’ Android security chief Adrian Ludwig said at this week’s annual Black Hat security conference in Las Vegas.
Previously, Google would develop a patch and distribute it to its own Nexus phones after the discovery of security flaws.
But other manufacturers would wait until they wanted to update the software for different reasons before pushing out a fix, exposing most of the more than 1 billion Android users to potential hacks and scams until the fix.
Ludwig also said Google has made other security changes. In an interview, he told Reuters that earlier this year the team broke out incidence rates of malicious software by language.
The rate of Russian-language Androids with potentially harmful programs had spiked suddenly to about 9 percent in late 2014, he said.
Google made its roughly weekly security scans of Russian phones more frequent and was able to reduce the problems to close to the global norm.
Ludwig said improvements to recent versions of Android would limit an attack’s effectiveness in more than nine out of 10 phones, but Drake said an attacker could keep trying until the gambit worked. Drake said he would release code for the attack by Aug. 24, putting pressure on manufacturers to get their patches out before then.
Nexus phones are being updated with protection this week and the vast majority of major Android handset makers are following suit, Ludwig said.
Samsung Vice President Rick Segal acknowledged that his company could not force the telecommunications carriers that buy its devices in bulk to install the fixes and that some might do so only for higher-end users.
‘If it’s your business customers, you’ll push it,’ Segal said in an interview. Samsung is the largest maker of Android phones.
Ludwig said many Android security scares were overblown. He added that only about one in 200 Android phones Google can peer into have any potentially harmful applications installed at any point.
Drake noted that those figures exclude some products, including Fire products from Amazon, which use Android.
As with Apple’s iPhones, the biggest security risk comes with apps that are not downloaded from the official online stores of the two companies.
Stolen files from Hacking Team, an Italian company selling eavesdropping tools to government agencies around the world, showed that a key avenue was to convince targets to download legitimate-seeming Android and iPhone apps from imposter websites.

Advertisements

Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s