Check Point reports that more than one million Google accounts were breached, and more than 13,000 accounts continue to be breached every day via compromised Android devices. http://blog.checkpoint.com/2016/11/30/1-million-google-accounts-breached-gooligan/
Our research exposes how the malware roots infected devices and steals authentication tokens that can be used to access data from Google Play, Gmail, Google Photos, Google Docs, G Suite, Google Drive, and more.
Check Point reached out to the Google Security team immediately with information on this campaign. Our researchers are working closely with Google to investigate the source of the Gooligan campaign.
The article also notes that Gooligan downloads a rootkit that takes advantage of multiple Android 4 and 5 exploits including the well-known VROOT (CVE-2013-6282) and Towelroot (CVE-2014-3153).
Historically, many comments were made about the dangers of monocultures, in particular the MS Windows monoculture. With the migration away from desktops to handheld devices, and with Google dominating the field for both the platform (Android) and many services (Gmail), there seems no reason not to believe that there'll be the same kind of monoculture-related issues for many more years.
(Score: 5, Insightful) by GreatAuntAnesthesia on Thursday December 01 2016, @02:58PM
It's not so much the monoculture that's the problem, it's the fact that the handset manufacturers lose interest in the devices 10 minutes after they've been sold and won't release updates and patches to customers, instead pushing them to buy more new and shiny.
Google should mandate that in order to be part of the Android ecosystem, handset manufacturers should continue to support their hardware with security patches for at least 2 years, preferably a lot longer than that.
(Score: 0) by Anonymous Coward on Thursday December 01 2016, @03:41PM
It's not so much the monoculture that's the problem, it's the fact that the handset manufacturers lose interest in the devices 10 minutes after they've been sold
You mean how Samsung offered Note 7 owners/fire victims a Samsung Whatever 8 once they come out as compensation? It's always about the next device and the next quarter's sales numbers (not even profit, but unit sales).
(Score: 1) by Sourcery42 on Thursday December 01 2016, @03:46PM
Couldn't agree more. It would be nice if Google would make guaranteed, timely updates one of the terms for an OEM to sell a phone with Google Play Services on it.
This is a spot where open source shines. I have a 2012 phone that the manufacturer hasn't pushed an update to since 2013. Thanks to the developer community and Code Aurora it is running the latest version of Android on the November 2016 security patch. While it isn't a good solution for the average smartphone user, it is a nice option to have if you have the knowledge to take advantage of it.
(Score: 3, Informative) by HiThere on Thursday December 01 2016, @08:05PM
Sorry, but Google *does* make updates available. The handset makers won't bother to make them available on their customized build.
Javascript is what you use to allow unknown third parties to run software you have no idea about on your computer.
(Score: 2, Interesting) by Sourcery42 on Thursday December 01 2016, @08:58PM
That's right, Google pushes a monthly security patch. However, for the most part if you're not on a Nexus or flashing custom ROMs you don't get them. Google has some T's & C's about just what handset manufacturers have to do to ship a phone with Google Play Services installed (the big scary proprietary blob that most people consider a part of Android, not the open source part). I was suggesting it would be a welcome change if Google would leverage that to force the Samsungs, LGs, etc. of the Android ecosystem to provide some better long-term support and timely updates.
(Score: 2) by krishnoid on Tuesday December 06 2016, @10:47PM
Don't lump Samsung into this. They made a heroic effort in multiple phone models to prevent hacking attempts at all costs [theguardian.com]; it just wasn't received well by the general population.
(Score: 3, Interesting) by Thexalon on Thursday December 01 2016, @03:55PM
Maybe if they were held legally responsible for the breaches that result, they would have more interest.
The only thing that stops a bad guy with a compiler is a good guy with a compiler.
(Score: 2) by Nerdfest on Thursday December 01 2016, @04:01PM
The thing is that if these people are downloading stuff from questionable sources to avoid paying for commercial software (the equivalent of warez in the PC world), they're going to get boned in a lot of cases by malware, regardless of exploits. They can still intercept credentials, etc. For the most part, this is just one of the edge cases of being able to install what you want. These infections are not coming from Google, Amazon, or any other 'major' sources.
Definitely agreed on the patching as part of the contract though. *This* particular problem wouldn't exist if not for that exploit.
(Score: 3, Interesting) by TheRaven on Thursday December 01 2016, @04:05PM
sudo mod me up
(Score: 2) by Runaway1956 on Thursday December 01 2016, @04:09PM
Good point - but - I tend to agree with the monoculture statement. When a zero day exploit comes out, basically, the exploiters have access to more than half the telephones in the world. If we didn't have that huge monoculture, a new zero day exploit might be capable of accessing as little as 5% of the phones, or maybe as much as 30%. That is the one reason why Windows phones might be desirable, so long as they didn't corner the market. Here in the Linux world, there are a lot of exploits - but an exploit that affects a dedicated server may or may not have any effect on any given desktop. Exploits aimed at desktops are entirely dependent on each user's configuration. I'm immune to a lot of the better known and more serious exploits, simply because I don't want or need various services running. The various mono-cultures don't really give you the options I have on Linux. Your handset runs the services that your telco decided that it should run, and unless you root the device, there is little you can do about that.
I wish more people would join our chaotic Linux club. I doubt that more than a couple hundred people in the entire world have configurations like my own. I doubt that more than 100,000 people even run my distro, and of those, few run my Desktop Environment. Someone would have to target me specifically, to get into my machine. About the only things my machine has in common with the greater pool of Linux machines, is a Linux kernel, and the directory structure.
(Score: 2) by mcgrew on Thursday December 01 2016, @04:18PM
Actually, I'd like to see a federal law mandating that device and software manufacturers keep customers' internet-enabled devices patched for at least fifteen years. I have a couple of perfectly usable XP computers that there's no way in hell I'll have on my network (looking for a decent Linux distro). My TV is fourteen years old!
And there should be jail time for the sleazebags that make insecure IoT devices.
When are people finally going to get serious about security?
mcgrewbooks.com mcgrew.info nooze.org
(Score: 2) by Nerdfest on Thursday December 01 2016, @04:27PM
When people start facing fines because of it. Also, perhaps when software developers are required to have the same sort of professional insurance as engineers.
(Score: 3, Insightful) by skater on Thursday December 01 2016, @04:47PM
Or Google could do what Apple does and manage the updates themselves.
(Score: 2) by gidds on Thursday December 01 2016, @04:48PM
I'm not a smartphone user, so I'm sure this is a naïve view.
But why shouldn't it be the user's responsibility to keep their device up-to-date?
The manufacturer has no incentive to do so; that's why they don't, and why you should be suspicious of any claims.
But the user has every incentive. Why can't we have smartphones (and tablets, and other devices) which the user can upgrade? Which use standard distros or whatever that we know will make updates available in the long-term? Which don't depend upon the manufacturer at all?
I guess I'm just an old-school hacker, wanting a general-purpose device and not an 'appliance'...
[sig redacted]
(Score: 2) by DECbot on Thursday December 01 2016, @06:30PM
I would accept the user responsibility argument, except that most handsets are not offered an update once manufactured. If you're lucky, you may get one or two updates offered in the lifetime of the handset. The manufacturer may even make updates, but then the carrier blocks the updates from being offered to the handset for 'network compatibility' reasons. As the Apple handset has shown, most consumers will update if given the opportunity. Click a little button, the handset downloads the update (hopefully over wifi), and the new version is installed. The holdup is the manufacturers not preparing the update for the non-flagship and older phones, and the carriers for not passing the update through to their customers.
cats~$ sudo chown -R us /home/base
(Score: 2) by urza9814 on Monday December 05 2016, @11:33PM
You might as well be asking why users unsatisfied with Windows 10 aren't switching to Windows 11 yet. It already is the user's responsibility to update mobile devices. Updates aren't forced over the air -- the phone checks, notifies you that it's available, and you do the update yourself. The problem is the updates simply aren't available. You can't update the system if nobody has written the updated software yet...
(Score: 2) by darkfeline on Thursday December 01 2016, @06:31PM
Android is FOSS, Google can't do that. What Google can do is push requirements on manufacturers if they want Google Play et al. installed.
Join the SDF Public Access UNIX System today!
(Score: 1, Interesting) by Anonymous Coward on Thursday December 01 2016, @06:41PM
There is no reward for the manufacturers. Sony has been offering stock developer devices completely unlocked for years but they have no traction in the US. Xperia devices are basically Nexus phones with SDCard slots but I have never seen one in the wild outside of ones that I have owned. I have an Xperia Z3 compact which is a 3 year old model and they still offer updates. Compare that to Samsung, which gets reliable updates for about a year, or Motorola, which are basically abandoned the day of release.
(Score: 2) by goody on Thursday December 01 2016, @11:12PM
Gee, I thought only iPhone lusers were into new and shiny phones.