SoylentNews is people

posted by takyon on Thursday December 01 2016, @02:46PM
from the droids-they-are-looking-for dept.

Check Point reports that more than one million Google accounts were breached, and more than 13,000 accounts continue to be breached every day via compromised Android devices. http://blog.checkpoint.com/2016/11/30/1-million-google-accounts-breached-gooligan/

Our research exposes how the malware roots infected devices and steals authentication tokens that can be used to access data from Google Play, Gmail, Google Photos, Google Docs, G Suite, Google Drive, and more.

Check Point reached out to the Google Security team immediately with information on this campaign. Our researchers are working closely with Google to investigate the source of the Gooligan campaign.

The article also notes that Gooligan downloads a rootkit that takes advantage of multiple Android 4 and 5 exploits including the well-known VROOT (CVE-2013-6282) and Towelroot (CVE-2014-3153).

Historically, many comments were made about the dangers of monocultures, in particular the MS Windows monoculture. With the migration away from desktops to handheld devices, and with Google dominating the field for both the platform (Android) and many services (Gmail), there seems no reason not to believe that there'll be the same kind of monoculture-related issues for many more years.


  • (Score: 5, Insightful) by GreatAuntAnesthesia on Thursday December 01 2016, @02:58PM

    by GreatAuntAnesthesia (3275) on Thursday December 01 2016, @02:58PM (#435443) Journal

    It's not so much the monoculture that's the problem, it's the fact that the handset manufacturers lose interest in the devices 10 minutes after they've been sold and won't release updates and patches to customers, instead pushing them to buy more new and shiny.

    Google should mandate that in order to be part of the Android ecosystem, handset manufacturers should continue to support their hardware with security patches for at least 2 years, preferably a lot longer than that.

  • (Score: 0) by Anonymous Coward on Thursday December 01 2016, @03:41PM

    by Anonymous Coward on Thursday December 01 2016, @03:41PM (#435466)

    It's not so much the monoculture that's the problem, it's the fact that the handset manufacturers lose interest in the devices 10 minutes after they've been sold

    You mean how Samsung offered Note 7 owners/fire victims a Samsung Whatever 8 once they come out as compensation? It's always about the next device and the next quarter's sales numbers (not even profit, but unit sales).

  • (Score: 1) by Sourcery42 on Thursday December 01 2016, @03:46PM

    by Sourcery42 (6400) on Thursday December 01 2016, @03:46PM (#435469)

    Couldn't agree more. It would be nice if Google would make guaranteed, timely updates one of the terms for an OEM to sell a phone with Google Play Services on it.

    This is a spot where open source shines. I have a 2012 phone that the manufacturer hasn't pushed an update to since 2013. Thanks to the developer community and Code Aurora it is running the latest version of Android on the November 2016 security patch. While it isn't a good solution for the average smartphone user, it is a nice option to have if you have the knowledge to take advantage of it.

    • (Score: 3, Informative) by HiThere on Thursday December 01 2016, @08:05PM

      by HiThere (866) Subscriber Badge on Thursday December 01 2016, @08:05PM (#435633) Journal

      Sorry, but Google *does* make updates available. The handset makers won't bother to make them available on their customized build.

      --
      Javascript is what you use to allow unknown third parties to run software you have no idea about on your computer.
      • (Score: 2, Interesting) by Sourcery42 on Thursday December 01 2016, @08:58PM

        by Sourcery42 (6400) on Thursday December 01 2016, @08:58PM (#435665)

        That's right, Google pushes a monthly security patch. However, for the most part if you're not on a Nexus or flashing custom ROMs you don't get them. Google has some T's & C's about just what handset manufacturers have to do to ship a phone with Google Play Services installed (the big scary proprietary blob that most people consider a part of Android, not the open source part). I was suggesting it would be a welcome change if Google would leverage that to force the Samsungs, LGs, etc. of the Android ecosystem to provide some better long term support and timely updates.

  • (Score: 3, Interesting) by Thexalon on Thursday December 01 2016, @03:55PM

    by Thexalon (636) on Thursday December 01 2016, @03:55PM (#435479)

    the fact that the handset manufacturers lose interest in the devices 10 minutes after they've been sold and won't release updates and patches to customers, instead pushing them to buy more new and shiny.

    Maybe if they were held legally responsible for the breaches that result, they would have more interest.

    --
    The only thing that stops a bad guy with a compiler is a good guy with a compiler.
  • (Score: 2) by Nerdfest on Thursday December 01 2016, @04:01PM

    by Nerdfest (80) on Thursday December 01 2016, @04:01PM (#435483)

    The thing is that if these people are downloading stuff from questionable sources to avoid paying for commercial software (the equivalent of warez in the PC world), they're going to get boned in a lot of cases by malware, regardless of exploits. They can still intercept credentials, etc. For the most part, this is just one of the edge cases of being able to install what you want. These infections are not coming from Google, Amazon, or any other 'major' sources.

    Definitely agreed on the patching as part of the contract though. *This* particular problem wouldn't exist if not for that exploit.

  • (Score: 3, Interesting) by TheRaven on Thursday December 01 2016, @04:05PM

    by TheRaven (270) on Thursday December 01 2016, @04:05PM (#435485) Journal
    A simple mandate would be difficult. There's a better solution, which I've proposed to the Android Security Team: Give handset makers a, say, 5% share of revenue from Google Play for anything sold to a device that is completely up to date with all security updates. Apple takes a 30% cut of all apps, which means that they have a financial interest in ensuring that as many apps as possible run on as many devices as possible. The Android ecosystem doesn't have an equivalent, because the company that profits from up-to-date devices is Google and the companies that carry the cost of the updates are handset manufacturers. Basic security economics (the kind that we teach to undergrads) tells you that this will leave you with an insecure ecosystem.
    --
    sudo mod me up
  • (Score: 2) by Runaway1956 on Thursday December 01 2016, @04:09PM

    by Runaway1956 (2926) Subscriber Badge on Thursday December 01 2016, @04:09PM (#435488) Journal

    Good point - but - I tend to agree with the monoculture statement. When a zero day exploit comes out, basically, the exploiters have access to more than half the telephones in the world. If we didn't have that huge monoculture, a new zero day exploit might be capable of accessing as little as 5% of the phones, or maybe as much as 30%. That is the one reason why Windows phones might be desirable, so long as they didn't corner the market. Here in the Linux world, there are a lot of exploits - but an exploit that affects a dedicated server may or may not have any effect on any given desktop. Exploits aimed at desktops are entirely dependent on each user's configuration. I'm immune to a lot of the better known and more serious exploits, simply because I don't want or need various services running. The various mono-cultures don't really give you the options I have on Linux. Your handset runs the services that your telco decided that it should run, and unless you root the device, there is little you can do about that.

    I wish more people would join our chaotic Linux club. I doubt that more than a couple hundred people in the entire world have configurations like my own. I doubt that more than 100,000 people even run my distro, and of those, few run my Desktop Environment. Someone would have to target me specifically, to get into my machine. About the only things my machine has in common with the greater pool of Linux machines, is a Linux kernel, and the directory structure.

  • (Score: 2) by mcgrew on Thursday December 01 2016, @04:18PM

    by mcgrew (701) <publish@mcgrewbooks.com> on Thursday December 01 2016, @04:18PM (#435492) Homepage Journal

    Actually, I'd like to see a federal law mandating that device and software manufacturers keep customers' internet-enabled devices patched for at least fifteen years. I have a couple of perfectly usable XP computers that there's no way in hell I'll have on my network (looking for a decent Linux distro). My TV is fourteen years old!

    And there should be jail time for the sleazebags that make insecure IoT devices.

    When are people finally going to get serious about security?

    --
    mcgrewbooks.com mcgrew.info nooze.org
    • (Score: 2) by Nerdfest on Thursday December 01 2016, @04:27PM

      by Nerdfest (80) on Thursday December 01 2016, @04:27PM (#435496)

      When people start facing fines because of it. Also, perhaps when software developers are required to have the same sort of professional insurance as engineers.

  • (Score: 3, Insightful) by skater on Thursday December 01 2016, @04:47PM

    by skater (4342) on Thursday December 01 2016, @04:47PM (#435502) Journal

    Or Google could do what Apple does and manage the updates themselves.

  • (Score: 2) by gidds on Thursday December 01 2016, @04:48PM

    by gidds (589) on Thursday December 01 2016, @04:48PM (#435505)

    I'm not a smartphone user, so I'm sure this is a naïve view.

    But why shouldn't it be the user's responsibility to keep their device up-to-date?

    The manufacturer has no incentive to do so; that's why they don't, and why you should be suspicious of any claims.

    But the user has every incentive.  Why can't we have smartphones (and tablets, and other devices) which the user can upgrade?  Which use standard distros or whatever that we know will make updates available in the long-term?  Which don't depend upon the manufacturer at all?

    I guess I'm just an old-school hacker, wanting a general-purpose device and not an 'appliance'...

    --
    [sig redacted]
    • (Score: 2) by DECbot on Thursday December 01 2016, @06:30PM

      by DECbot (832) on Thursday December 01 2016, @06:30PM (#435577) Journal

      I would accept the user responsibility argument, except that most handsets are not offered an update once manufactured. If you're lucky, you may get one or two updates offered in the lifetime of the handset. The manufacturer may even make updates, but then the carrier blocks the updates from being offered to the handset for 'network compatibility' reasons. As the Apple handset has shown, most consumers will update if given the opportunity. Click a little button, the handset downloads the update (hopefully over wifi), and the new version is installed. The holdup is the manufacturers not preparing the update for the non-flagship and older phones, and the carriers for not passing the update through to their customers.

      --
      cats~$ sudo chown -R us /home/base
    • (Score: 2) by urza9814 on Monday December 05 2016, @11:33PM

      by urza9814 (3954) on Monday December 05 2016, @11:33PM (#437460) Journal

      You might as well be asking why users unsatisfied with Windows 10 aren't switching to Windows 11 yet. It already is the user's responsibility to update mobile devices. Updates aren't forced over the air -- the phone checks, notifies you that it's available, and you do the update yourself. The problem is the updates simply aren't available. You can't update the system if nobody has written the updated software yet...

  • (Score: 2) by darkfeline on Thursday December 01 2016, @06:31PM

    by darkfeline (1030) on Thursday December 01 2016, @06:31PM (#435580) Homepage

    Android is FOSS, Google can't do that. What Google can do is push requirements on manufacturers if they want Google Play et al. installed.

    --
    Join the SDF Public Access UNIX System today!
  • (Score: 1, Interesting) by Anonymous Coward on Thursday December 01 2016, @06:41PM

    by Anonymous Coward on Thursday December 01 2016, @06:41PM (#435583)

    There is no reward for the manufacturers. Sony has been offering stock developer devices completely unlocked for years but they have no traction in the US. Xperia devices are basically Nexus phones with SDCard slots but I have never seen one in the wild outside of ones that I have owned. I have an Xperia Z3 compact which is a 3 year old model and they still offer updates. Compare that to Samsung which get reliable updates for about a year or Motorola which are basically abandoned the day of release.
     

  • (Score: 2) by goody on Thursday December 01 2016, @11:12PM

    by goody (2135) on Thursday December 01 2016, @11:12PM (#435727)

    It's not so much the monoculture that's the problem, it's the fact that the handset manufacturers lose interest in the devices 10 minutes after they've been sold and won't release updates and patches to customers, instead pushing them to buy more new and shiny.

    Gee, I thought only iPhone lusers were into new and shiny phones.