(Previously Resolved) More than a Billion Snapdragon-based Android Phones Vulnerable to Hacking

Wybrem

Does anyone know if the BlackBerry PRIV is affected by this, and why do we need Android again?

https://thehackernews.com/2016/03/android-root-hack.html
http://blog.trendmicro.com/trendlab...droid-vulnerabilities-allow-easy-root-access/

According to Google’s February security bulletin, CVE-2016-0805 ( https://source.android.com/security/bulletin/2016-02-01.html ) affects versions earlier than 4.4.4 to 6.0.1. We cannot comprehensively test all Android devices, but our own testing indicates the following devices are affected:
Nexus 5
Nexus 6
Nexus 6P
Samsung Galaxy Note Edge
We believe that any Snapdragon-powered Android device with a 3.10-version kernel is potentially at risk of this attack. As mentioned earlier, given that many of these devices are either no longer being patched or never received any patches in the first place, they would essentially be left in an insecure state without any patch forthcoming.
--
Also on my tablet the Google Play store pretty much only shows me worthless, useless, crappy apps or games. Is there anything of value in that 1 million apps size store and if so, why is it that all I see on the Play home page is crap?
 
Second March security update is supposed to patch the vulnerability for Nexus devices.

Interesting, but that still leaves the majority vulnerable. I really wonder if this is possible with the PRIV. Still using my BlackBerry10 device right now. But WhatsApp stops, so I need something new and it's either PRIV or iPhone. I'd like the Nexus too, but these types of news articles make them worthless to me.
 
Interesting, but that still leaves the majority vulnerable. I really wonder if this is possible with the PRIV. Still using my BlackBerry10 device right now. But WhatsApp stops, so I need something new and it's either PRIV or iPhone. I'd like the Nexus too, but these types of news articles make them worthless to me.

The PRIV wasn't tested but even if it's vulnerable you'd have to install a rooting app (not available from Play Store) that exploits the vulnerability. Not sure why these kinds of articles would prevent someone from getting a Nexus. They get major software updates and monthly security updates for at least 2 years.
 
Also on my tablet the Google Play store pretty much only shows me worthless, useless, crappy apps or games. Is there anything of value in that 1 million apps size store and if so, why is it that all I see on the Play home page is crap?

Each device filters out apps in Play. It's only going to show you what the device is capable of running. Any app that is incompatible, isn't shown.
 
I always look at it like this .. There will always be security vulnerabilities. Maybe not known ones all the time but they will come out -- it is inevitable. There is no 100% "foolproof" device. What I think should matter more to someone in regards to these vulnerabilities is how they will be patched. With the PRIV / Nexus devices getting these security patches every month it would be safe to say they will get patched pretty quickly. Especially if you're considering the PRIV since BlackBerry tries to pride themselves on security.
 
I always look at it like this .. There will always be security vulnerabilities. Maybe not known ones all the time but they will come out -- it is inevitable. There is no 100% "foolproof" device. What I think should matter more to someone in regards to these vulnerabilities is how they will be patched. With the PRIV / Nexus devices getting these security patches every month it would be safe to say they will get patched pretty quickly. Especially if you're considering the PRIV since BlackBerry tries to pride themselves on security.
Agree but any Android before Android 6.0 is rather insecure and has NO respect whatsoever for my privacy. So while the BB PRIV is great on paper, the fact of the matter is that any Android version lower than 6.0 can't be taken seriously for me and other users who care about their privacy--which is why they use iPhone as they respected your privacy for ages.
 
Agree but any Android before Android 6.0 is rather insecure and has NO respect whatsoever for my privacy. So while the BB PRIV is great on paper, the fact of the matter is that any Android version lower than 6.0 can't be taken seriously for me and other users who care about their privacy--which is why they use iPhone as they respected your privacy for ages.

Well privacy and security issues are two different things in a sense. Just because there is a vulnerability doesn't mean they simply don't care about your privacy. Hence why Android made this move to monthly security updates to fix things like this without needing a whole separate OS package / update. Basically they did what they thought would be good for them to give "Apple like" updates for security. I am more than sure the vulnerability will be patched.
 
But back on topic: That is why Google started to introduce monthly updates. And probably why the new OS setup for Vendors in N.
 
Well privacy and security issues are two different things in a sense. Just because there is a vulnerability doesn't mean they simply don't care about your privacy. Hence why Android made this move to monthly security updates to fix things like this without needing a whole separate OS package / update. Basically they did what they thought would be good for them to give "Apple like" updates for security. I am more than sure the vulnerability will be patched.

They obviously never cared about my privacy, or they'd let me choose the app permissions way before Android 6.

Android can multitask. Apple is much more proactive at stopping background apps than Android is.
I honestly don't see any Android device multitasking. What do you need 4 gigs of memory for when you're not using it, you know pretty much all apps and games have to be reloaded inside Androids. Very very annoying to me.
 
They obviously never cared about my privacy, or they'd let me choose the app permissions way before Android 6.

Beforehand they just did it a different way -- iPhone didn't have it from the get go either. They all adapted to the changing world.

I am confused .. Were you trying to debate how bad Android is (in your opinion) or looking for an actual discussion on it? Such as we were talking security and how it is being fixed but you seem to then just jump to another topic to simply disagree / put it down so it feels like we're going in circles here. You're welcome to share your opinion I am just trying to figure out what you were trying to get out of this post / discussion.
 
More to the point. If the two devices you're considering get monthly security patches why do you care whether any other devices have vulnerabilities?

So that covers security.

Now for privacy. Enable FDE (pretty sure that's standard on Nexus 6p). Enable two factor authentication. Enable require PIN on boot.

Now your device is as secure and private as it can get.

For the rest of your Google data, just don't allow it to back up to the cloud. Don't sync contacts, pictures, docs, etc.

There's the rest of your privacy.

Anything else?
 
Mod Note, Cleaned up some off topic posts. Let's keep it to one topic so as to make it easy to understand for everyone. Feel free to start another thread for the other issue
 
So, Google and other firms regularly look at the maximum number of devices that could be impacted. If security is your highest priority, Nexus is the ONLY device you should be considering. The Priv is a close third place. Keep in mind Trend sells security products, most of which are entirely useless on mobile unless you're a special kind of stupid consumer. On this particular exploit, I think there is some confusion. The three you linked were already patched and are not an issue at all on any Nexus that's been updated, the Galaxy S7 and S7 Edge came patched out of the box and the Priv installed that update already as well. Even on AT&T. What everyone else seems to be responding to is a second exploit that is very similar and was discovered to be in existence in conjunction with an app that users can download and install that would actually use that exploit.

So here's what it takes for your device to become vulnerable:

1. You have to be stupid. Not just normal intelligence, actually stupid.
2. This is really 1B, I say that you have to be stupid because you have to go out of your way to disable some of Google's inherent security features.
3. You have to install some malware. That's not easy to do. You kinda have to go out of your way to find legitimate malware (not adware, malware) and get it installed. Generally this is done by trying to bypass protections on paid features or apps by installing APKs from shady sites, although there are other ways. But this is very specific malware. You can't get it from the Play Store, you get it from the naughty parts of the internet that we ban people for advertising.
4. You have to download the specific rooting app that makes the unrelated malware. But you can't just download it to your phone, you have to download it to ADB and install it from your PC. Because Google's "Verify" kills the installation of this app and has for years if you try to do it through the normal installer, such as what happens when you open an APK from the downloads folder.

You cannot get the malware or the rooting app from the Play Store and the apps that both come in cannot be installed by normal means. In short, you have to INTENTIONALLY bypass your security, on multiple fronts, in order to get to a state where you are vulnerable. And if you're disabling all that security and then installing things you know nothing about, you're a moron. A special kind of moron, that shouldn't be playing with ADB because you don't know what it is for or how to use it correctly. Looking up a guide in the forums doesn't count as knowing.

And if you're trying to root a Nexus with a one click app - that's just a special kind of lame. Sorry to be negative about that, but part of the Nexus fun, if you choose to go that route, is learning how to actually do this stuff.

So to recap. Most people will never meet all four of the conditions above, so most people are not vulnerable. The chances of you meeting all four criteria are so slim, that there's nothing to call the article by Trend and "The Hacker News" other than FUD. And FUD is garbage and shouldn't be spread here.

Please let me know if there are any questions.
 
Interesting, but that still leaves the majority vulnerable. I really wonder if this is possible with the PRIV. Still using my BlackBerry10 device right now. But WhatsApp stops, so I need something new and it's either PRIV or iPhone. I'd like the Nexus too, but these types of news articles make them worthless to me.

Probably not. The Priv uses closed-source and proprietary code inside the kernel to address issues like this. Any exploit written to affect a stock 3.10 Linux kernel isn't very likely to affect the Priv.
 
I honestly don't see any Android device multitasking. What do you need 4 gigs of memory for when you're not using it, you know pretty much all apps and games have to be reloaded inside Androids. Very very annoying to me.

Now I see you're just here to argue. I'll show myself out.
 
Added info:

Both of the vulnerabilities described in 0805 and 0819 are required to be active (not patched) in order for the exploit to work as described in 1815. There is no data available as to which security patch, if any, the Nexus 5 had loaded on it. 0805 and 0819 combined or 1815 and 0819 combined still make it possible, however all devices with an April 2, 2016 patch will be immune to both combinations.
 
Now I see you're just here to argue. I'll show myself out.

But you didn't read my TL;DR post! Here's the summary: You have to sabotage your device and be extremely stupid and probably also very unlucky in order for these exploits to even be possible.
 
I've read the comments, it makes sense, kinda like Windows. You have to be very dumb to get infected--good news.

Now I see you're just here to argue. I'll show myself out.

Well, I am very frustrated as I was about to buy my Passport SE, but noticed WhatsApp and Facebook are ditching on BB10 so I'm trying to figure out what phone to get. While I don't like Android at all, I do like BlackBerry. The Priv is the only reason I'm considering Android, otherwise I'd go for the iPhone. Sadly the BlackBerry doesn't seem much more than a Nexus. Sure there is the HUB, but it's an app. I'd rather have it like Google Now is, you know swipe to the left or right to get the HUB--can one modify it to act like that?
 