
New Major Android Attack Vector: MMS Videos

So basically Google has already patched it but it's up to OEMs to implement the patch?

 

Good luck Samsung lovers <3

 

This is why I have a Nexus phone

Not only manufacturers. Service Provider must allow you. Your service provider is more interested that you sign a contract with them with a new phone, than to give you the latest and greatest Android.


Not only manufacturers. Service Provider must allow you. Your service provider is more interested that you sign a contract with them with a new phone, than to give you the latest and greatest Android.

That is the fault of OEMs, they have only themselves to blame for that. Yes Carriers shouldn't play that game but they're allowed to do it.

Motherboard - Gigabyte P67A-UD5 Processor - Intel Core i7-2600K RAM - G.Skill Ripjaws @1600 8GB Graphics Cards  - MSI and EVGA GeForce GTX 580 SLI PSU - Cooler Master Silent Pro 1,000w SSD - OCZ Vertex 3 120GB x2 HDD - WD Caviar Black 1TB Case - Corsair Obsidian 600D Audio - Asus Xonar DG


   Hail Sithis!


That is the fault of OEMs, they have only themselves to blame for that. Yes Carriers shouldn't play that game but they're allowed to do it.

I think the problem is Google. Because if Google has a solid update system like Windows, they can deliver a security update for all builds of Android. When there is a security issue in XP (assuming it is still supported), Microsoft doesn't need to go "Here is Windows 10 with the issue fixed.. too bad if you don't have the drivers or too heavy for your system, because there is no choice."

I think the problem is Google. Because if Google has a solid update system like Windows, they can deliver a security update for all builds of Android. When there is a security issue in XP (assuming it is still supported), Microsoft doesn't need to go "Here is Windows 10 with the issue fixed.. too bad if you don't have the drivers or too heavy for your system, because there is no choice."

Google releases updates that are available to all OEMs at once. It is up to them to implement them. They have a solid update system but when OEMs have to make sure it will work properly with their applications that's when the delay happens. Then you have carriers that have to do the same thing. 

 

And I have seen plenty of forced Windows updates that ruin computers. Windows 8.1 for instance. Plenty of issues because OEMs didn't get their software ready for it.

 

So yes like Microsoft, Google has the updates available but it doesn't force them because it would be bad to do so in the current state of Android. That's why I prefer devices that are as close to AOSP Android as possible and from manufacturers that keep their software up to date.

Motherboard - Gigabyte P67A-UD5 Processor - Intel Core i7-2600K RAM - G.Skill Ripjaws @1600 8GB Graphics Cards  - MSI and EVGA GeForce GTX 580 SLI PSU - Cooler Master Silent Pro 1,000w SSD - OCZ Vertex 3 120GB x2 HDD - WD Caviar Black 1TB Case - Corsair Obsidian 600D Audio - Asus Xonar DG


   Hail Sithis!


Wow Google are a bunch of hypocrites. Not only do they never fix any bugs or security issues (they only release new versions of Android, that never make it to most handsets), no they threaten to release info on security issues on their competitors, if they do not adhere to Google's demands: http://linustechtips.com/main/topic/310139-google-threatens-to-air-microsoft-and-apples-dirty-code/

 

Seriously fuck you Google.

Watching Intel have competition is like watching a headless chicken trying to get out of a mine field

CPU: Intel I7 4790K@4.6 with NZXT X31 AIO; MOTHERBOARD: ASUS Z97 Maximus VII Ranger; RAM: 8 GB Kingston HyperX 1600 DDR3; GFX: ASUS R9 290 4GB; CASE: Lian Li v700wx; STORAGE: Corsair Force 3 120GB SSD; Samsung 850 500GB SSD; Various old Seagates; PSU: Corsair RM650; MONITOR: 2x 20" Dell IPS; KEYBOARD/MOUSE: Logitech K810/ MX Master; OS: Windows 10 Pro


That update infographic though.

| Ryzen 7 7800X3D | AM5 B650 Aorus Elite AX | G.Skill Trident Z5 Neo RGB DDR5 32GB 6000MHz C30 | Sapphire PULSE Radeon RX 7900 XTX | Samsung 990 PRO 1TB with heatsink | Arctic Liquid Freezer II 360 | Seasonic Focus GX-850 | Lian Li Lanccool III | Mousepad: Skypad 3.0 XL / Zowie GTF-X | Mouse: Zowie S1-C | Keyboard: Ducky One 3 TKL (Cherry MX-Speed-Silver)Beyerdynamic MMX 300 (2nd Gen) | Acer XV272U | OS: Windows 11 |


Wow Google are a bunch of hypocrites. Not only do they never fix any bugs or security issues (they only release new versions of Android, that never make it to most handsets), no they threaten to release info on security issues on their competitors, if they do not adhere to Google's demands: http://linustechtips.com/main/topic/310139-google-threatens-to-air-microsoft-and-apples-dirty-code/

 

Seriously fuck you Google.

Google can only do so much, the blame for slow updates isn't their fault at this point in time.

Motherboard - Gigabyte P67A-UD5 Processor - Intel Core i7-2600K RAM - G.Skill Ripjaws @1600 8GB Graphics Cards  - MSI and EVGA GeForce GTX 580 SLI PSU - Cooler Master Silent Pro 1,000w SSD - OCZ Vertex 3 120GB x2 HDD - WD Caviar Black 1TB Case - Corsair Obsidian 600D Audio - Asus Xonar DG


   Hail Sithis!


Google can only do so much, the blame for slow updates isn't their fault at this point in time.

 

It's not possible for me to apply such an update myself, especially a quick fix. Android should have updates like Windows does. A vendor overlay or widget should not mean you can't update the OS. It's especially unacceptable when they threaten their competition.

Watching Intel have competition is like watching a headless chicken trying to get out of a mine field

CPU: Intel I7 4790K@4.6 with NZXT X31 AIO; MOTHERBOARD: ASUS Z97 Maximus VII Ranger; RAM: 8 GB Kingston HyperX 1600 DDR3; GFX: ASUS R9 290 4GB; CASE: Lian Li v700wx; STORAGE: Corsair Force 3 120GB SSD; Samsung 850 500GB SSD; Various old Seagates; PSU: Corsair RM650; MONITOR: 2x 20" Dell IPS; KEYBOARD/MOUSE: Logitech K810/ MX Master; OS: Windows 10 Pro


Below is an interesting, if not undecipherable infographic which helps to visualize the Android update process. It's much more complicated than say for iPhone. Apple maintains extremely strict control of their entire ecosystem (hardware and software), meaning they can push updates much quicker and with certainty that a high percentage of end users will be running the most up-to-date version of the OS.

The update process for Samsung phones using Exynos chips and the iPhone are exactly the same. The only additional steps for other OEMs using for example Qualcomm chips are steps 4 and 5.

The difference is that Apple does most of the work before the new OS is announced, while on Android the OS announcement and the OEMs starting to work on the update are much closer together.

 

If we go by the infographic, Google announces the new Android version at step 2 while Apple does it at (carrier) stage 9 or something like that.

 

 

Wow Google are a bunch of hypocrites. Not only do they never fix any bugs or security issues (they only release new versions of Android, that never make it to most handsets), no they threaten to release info on security issues on their competitors, if they do not adhere to Google's demands: http://linustechtips.com/main/topic/310139-google-threatens-to-air-microsoft-and-apples-dirty-code/

 

Seriously fuck you Google.

Ehm... The "demands" Google had were "fix this security issue in 90 days or we will make it public". Sounds pretty reasonable if you ask me. It was a dick move to not extend the deadline for 2 days but the way you word it makes it seem like Google were blackmailing them when actually Google just did the same as other white hats acting in the interest of consumers.

 

What do you mean they never fix bugs or security issues? The new versions of Android you're talking about have the fixes in them. If OEMs were able to release the updates instantly then this would not be an issue. Sadly that won't happen so for now we are stuck with a really bad update process. Not sure how they could make it better though. A system like Windows Update on desktops would be great, but you can't do that on phones for reasons unknown to me. Even Microsoft said "fuck it, not worth the hassle" and just flat out dropped support for all the Windows Phone 7 devices out there when they made Windows Phone 8, so it's not an Android specific issue. If anyone knows why updates and OSes on ARM devices are such a pain in the ass then please let me know.

 

On Topic:

Well that sucks. What sucks even more is that most people probably won't get it fixed. It's a very bad situation right now.


So is Google going to again refuse to update phones that are 2+ years old? Sounds like a very convenient attack vector for malicious code. Thanks Google, welcome to the Windows world.

γνῶθι σεαυτόν


This is why I'm gonna take a whack at one of those new Windows 10 phones coming out soon. I don't like Apple and the Android environment feels too chaotic and unrefined for me, almost like the wild west.


So is Google going to again refuse to update phones that are 2+ years old? Sounds like a very convenient attack vector for malicious code. Thanks Google, welcome to the Windows world.

It's not Google refusing to update phones. It's the OEMs and carriers.

I've been wondering, do people actually send MMS messages? They just seem way too expensive to me for what they do, especially when there are free alternatives like WhatsApp


Ehm... The "demands" Google had were "fix this security issue in 90 days or we will make it public". Sounds pretty reasonable if you ask me. It was a dick move to not extend the deadline for 2 days but the way you word it makes it seem like Google were blackmailing them when actually Google just did the same as other white hats acting in the interest of consumers.

 

What do you mean they never fix bugs or security issues? The new versions of Android you're talking about have the fixes in them. If OEMs were able to release the updates instantly then this would not be an issue. Sadly that won't happen so for now we are stuck with a really bad update process. Not sure how they could make it better though. A system like Windows Update on desktops would be great, but you can't do that on phones for reasons unknown to me. Even Microsoft said "fuck it, not worth the hassle" and just flat out dropped support for all the Windows Phone 7 devices out there when they made Windows Phone 8, so it's not an Android specific issue. If anyone knows why updates and OSes on ARM devices are such a pain in the ass then please let me know.

 

How arrogant do Google think they are to dictate such a thing. Apple and MS do not owe Google anything. The issue here is that Google directly will help organized crime and making the entire platforms of their competition much more unsafe to use. Reasonable is the very least thing this is.

 

Remember that not all security issues can be solved within a given time, as it can break things or make other security holes. Any arbitrary limit is pointless. Many companies do not auto update either, as updates need to be tested for compatibility with both software and hardware used. Worst case they will have to opt out of such a fix, if it breaks something, so now their OS is open to attacks by criminals, based on published info by Google. And of course there's Mr. and Mrs. normal, who know nothing of anything IT related, that might not update that often. They are screwed over too.

 

So no, such threats are unacceptable, and as I stated, hypocritical as Google themselves don't update their OS' ever, but only release new versions that might be incompatible and/or never released for older handsets, making Android the least secure platform of all.

Watching Intel have competition is like watching a headless chicken trying to get out of a mine field

CPU: Intel I7 4790K@4.6 with NZXT X31 AIO; MOTHERBOARD: ASUS Z97 Maximus VII Ranger; RAM: 8 GB Kingston HyperX 1600 DDR3; GFX: ASUS R9 290 4GB; CASE: Lian Li v700wx; STORAGE: Corsair Force 3 120GB SSD; Samsung 850 500GB SSD; Various old Seagates; PSU: Corsair RM650; MONITOR: 2x 20" Dell IPS; KEYBOARD/MOUSE: Logitech K810/ MX Master; OS: Windows 10 Pro


How arrogant do Google think they are to dictate such a thing. Apple and MS do not owe Google anything. The issue here is that Google directly will help organized crime and making the entire platforms of their competition much more unsafe to use. Reasonable is the very least thing this is.

 

-snip-

 

So no, such threats are unacceptable, and as I stated, hypocritical as Google themselves don't update their OS' ever, but only release new versions that might be incompatible and/or never released for older handsets, making Android the least secure platform of all.

Wow... Do you work for Ford or something? White hats put out deadlines in order to force companies to fix security issues. Without the deadlines there would be no incentive for companies to fix them.

This is not a hard concept to understand, and calling it "organized crime" is just stupid of you.


Wow... Do you work for Ford or something? White hats put out deadlines in order to force companies to fix security issues. Without the deadlines there would be no incentive for companies to fix them.

This is not a hard concept to understand, and calling it "organized crime" is just stupid of you.

 

And I'm saying that is a dumb thing to do, as not all can defend themselves from these security holes, even if a patch is released (due to incompatibilities). The organized crime thing is when actual organized criminal hackers/crackers get access to/knowledge of security holes that Google is directly publicizing.

Watching Intel have competition is like watching a headless chicken trying to get out of a mine field

CPU: Intel I7 4790K@4.6 with NZXT X31 AIO; MOTHERBOARD: ASUS Z97 Maximus VII Ranger; RAM: 8 GB Kingston HyperX 1600 DDR3; GFX: ASUS R9 290 4GB; CASE: Lian Li v700wx; STORAGE: Corsair Force 3 120GB SSD; Samsung 850 500GB SSD; Various old Seagates; PSU: Corsair RM650; MONITOR: 2x 20" Dell IPS; KEYBOARD/MOUSE: Logitech K810/ MX Master; OS: Windows 10 Pro


This is why I love the classic cellphones...

 

a phone need only send and receive SMS and calls...


And I'm saying that is a dumb thing to do, as not all can defend themselves from these security holes, even if a patch is released (due to incompatibilities). The organized crime thing is when actual organized criminal hackers/crackers get access to/knowledge of security holes that Google is directly publicizing.

But it's not a dumb thing to do... Do you really not understand why putting pressure on companies is important? It's because they don't give a crap unless they have pressure on them. Just look at what happened with the recent IE security hole. Microsoft got the period extended by 4 months and they still didn't fix it. They just applied for another extension and HP got fed up and released the details.

 

Giving disclosure deadlines is a fundamental part in making sure exploits found get fixed. Calling it "helping organized crime" shows a lack of basic understanding for the entire process.


So as far as I've read and understand, those videos can be transmitted via social media apps like WhatsApp, Facebook+Messenger etc. as well as MMS(+Hangouts) and using browsers on infected sites, am I wrong?

Does anyone know if this kind of video can then be easily sent per command to all contacts via the above named apps with this level of access? And how could someone regain access to his own smartphone?

This whole thing makes me feel pretty uneasy  :(

BacardiRoqs
