
SoylentNews is people

posted by Fnord666 on Saturday March 07 2020, @06:39AM
from the planned-obsolescence dept.

One billion Android devices at risk of hacking:

More than a billion Android devices are at risk of being hacked because they are no longer protected by security updates, watchdog Which? has suggested.

The vulnerability could leave users around the world exposed to the danger of data theft, ransom demands and other malware attacks.

Anyone using an Android phone released in 2012 or earlier should be especially concerned, it said.

[...] Google's own data suggests that 42.1% of Android users worldwide are on version 6.0 of its operating system or below.

According to the Android security bulletin, there were no security patches issued for the Android system in 2019 for versions below 7.0.

[...] How to check whether your phone is vulnerable and what to do

  • If your Android device is more than two years old, check whether it can be updated to a newer version of the operating system. If you are on an earlier version than Android 7.0 Nougat, try to update via Settings > System > Advanced > System update
  • If you can't update, your phone could be at risk of being hacked, especially if you are running a version of Android 4 or lower. If this is the case be careful about downloading apps outside the Google Play store
  • Also be wary of suspicious SMS or MMS messages
  • Back up data in at least two places (a hard drive and a cloud service)
  • Install a mobile anti-virus via an app, but bear in mind that the choice is limited for older phones

More than a billion hopelessly vulnerable Android gizmos in the wild that no longer receive security updates – research:

File this one under "well, duh." Consumer mag Which? today published research estimating that over a billion Android devices are vulnerable to hackers and malware as they are not receiving security updates.

Data obtained from Google by the publication found that 42.1 per cent of active Android users are languishing on version 6.0 or earlier.

The most current version of Android is version 10, while Android 9.0 Pie and Android 8.0 Oreo continue to receive updates. The Chocolate Factory is expected to release a major update to the world's most popular mobile operating system, Android 11, later this year.

Anything below Android 8.0, therefore, is vulnerable. Extrapolating from the data, Which? believes that almost one billion Android phones are inherently vulnerable.

Compounding the problem is the proliferation of older devices on sites like Amazon, where they're sold by third parties. The mag bought a handful of phones – including the Motorola X, Sony Xperia Z2, and Samsung Galaxy A5 2017 – and found they were susceptible to a host of long-discovered vulnerabilities, including Stagefright, Bluefrag and the Joker Android malware.

Which? is encouraging those with older phones who can't update to take sensible precautions – such as avoiding side-loaded apps and ensuring their data is backed up.

Previously:
Vulnerability in Fully Patched Android Phones Under Active Attack by Bank Thieves
Major Security Bug Called StrandHogg Discovered in All Android Versions
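
The version check from the "How to check" list above can also be run over adb. The script below is an added example, not part of the original story or either quoted article; the function names and verdict labels are made up for illustration, the sample input is constructed, and the thresholds are the ones the two articles state.

```shell
#!/bin/sh
# Added example: classify a device from `adb shell getprop` output.
# Thresholds as stated in the story: no 2019 patches below 7.0 (per the
# Android security bulletin); below 8.0 no longer updated (per The Register).

# Extract one value from getprop-style lines of the form: [key]: [value]
prop() {  # $1 = property name; getprop output on stdin
    sed -n "s/^\[$1\]: \[\(.*\)\]\$/\1/p" | head -n 1
}

classify() {  # getprop output on stdin; prints one verdict line
    dump=$(tr -d '\r')  # older adb builds emit CRLF line endings
    release=$(printf '%s\n' "$dump" | prop ro.build.version.release)
    patch=$(printf '%s\n' "$dump" | prop ro.build.version.security_patch)
    major=${release%%.*}
    case $major in
        ''|*[!0-9]*) echo "UNKNOWN release=${release:-?}"; return 2 ;;
    esac
    if [ "$major" -lt 7 ]; then
        verdict=NO_2019_PATCHES
    elif [ "$major" -lt 8 ]; then
        verdict=UNSUPPORTED
    else
        verdict=CHECK_PATCH_LEVEL  # supported release: compare patch date
    fi
    # Devices that predate the security_patch property report patch=none.
    echo "$verdict release=$release patch=${patch:-none}"
}

# Constructed sample of getprop output (not captured from a real device).
SAMPLE='[ro.build.version.release]: [6.0.1]
[ro.build.version.sdk]: [23]
[ro.build.version.security_patch]: [2017-08-01]'

printf '%s\n' "$SAMPLE" | classify
# Against a connected device: adb shell getprop | classify
```

A supported release with an old `ro.build.version.security_patch` date is still missing fixes, which is why the script reports the patch level rather than the version alone.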


  • (Score: 3, Informative) by Dr Spin on Saturday March 07 2020, @07:53AM (9 children)

    by Dr Spin (5239) on Saturday March 07 2020, @07:53AM (#967842)

    This is a clear case of "Goods not of merchandisable quality" and the owners should be entitled to a full refund.

    --
    Warning: Opening your mouth may invalidate your brain!
  • (Score: 2) by edIII on Saturday March 07 2020, @08:31AM (8 children)

    by edIII (791) on Saturday March 07 2020, @08:31AM (#967853)

    Absolutely Not. It's not the carrier's responsibility, nor the manufacturer's responsibility. Expecting them to keep your software updated after the point of sale is unreasonable.

    You're free to update your software on your property any time you want. Google is the maintainer of the project, get your lazy asses up and download the source.

    You act as if the only people that can upgrade your software, and fully operate your devices, are the carriers and manufacturers. Almost as if they work hard at establishing iron control over your property after you've purchased it.

    --
    Technically, lunchtime is at any moment. It's just a wave function.
    • (Score: 5, Insightful) by NickM on Saturday March 07 2020, @04:37PM (5 children)

      by NickM (2867) on Saturday March 07 2020, @04:37PM (#967904) Journal

      You act as if the only people that can upgrade your software, and fully operate your devices, are the carriers and manufacturers.

      And you talk as if cryptographically locked bootloader and updates are not a thing.

      Minimally, manufacturers should be required to unlock the boot loader when they stop supporting a device.

      --
      I a master of typographic, grammatical and miscellaneous errors !
      • (Score: 2) by edIII on Saturday March 07 2020, @07:47PM (1 child)

        by edIII (791) on Saturday March 07 2020, @07:47PM (#967970)

        I would've thought the dripping sarcasm, and obviously incorrect statements, obviated the need for the sarc tags, but then again, people eat Tide Pods.

        --
        Technically, lunchtime is at any moment. It's just a wave function.
        • (Score: 2) by NickM on Saturday March 07 2020, @08:25PM

          by NickM (2867) on Saturday March 07 2020, @08:25PM (#967981) Journal
          My apologies, I was born with a defective sarcasm detector....
          --
          I a master of typographic, grammatical and miscellaneous errors !
      • (Score: 1, Informative) by Anonymous Coward on Saturday March 07 2020, @10:43PM (2 children)

        by Anonymous Coward on Saturday March 07 2020, @10:43PM (#968007)

        And you talk as if cryptographically locked bootloader and updates are not a thing.

        Minimally, manufacturers should be required to unlock the boot loader when they stop supporting a device.

        Most manufacturers provide unlocking services. Carriers (at least in the US) have been required to provide unlocking service or instructions for unlocking since 2014 [fcc.gov].

        So, mostly they aren't, as you say, "a thing." At least not in the US.

        • (Score: 2) by kazzie on Sunday March 08 2020, @12:57PM (1 child)

          by kazzie (5309) Subscriber Badge on Sunday March 08 2020, @12:57PM (#968157)

          That covers being locked into a particular carrier's telephony services. It does nothing about whether you're allowed to modify the software being run on the phone (i.e. bootloader).

          • (Score: 0) by Anonymous Coward on Monday March 09 2020, @09:27PM

            by Anonymous Coward on Monday March 09 2020, @09:27PM (#968695)

            It does nothing about whether you're allowed to modify the software being run on the phone (i.e. bootloader).

            They don't "allow" it? Hah!

            That's an incorrect statement. You should say: "I *allow* others to tell me how I can use my own property."

            I don't allow that, and if it bothers you, neither should you. What's more, *you* have choices.

            There are many ways to unlock your bootloader. Some provided by manufacturers/carriers, some provided by third parties.

            *You* can unlock the bootloader on just about *any* Android phone. All it takes is some Google-fu and, in very rare cases, USD$10 or so.

            Here's a good place to start.
            https://www.xda-developers.com/root/ [xda-developers.com]

            If you don't take matters into your own hands, you are allowing carriers/manufacturers to keep you from using your property the way you choose. If you don't like being restricted, but don't exert control over your own property, you have no one to blame but yourself.

    • (Score: 3, Insightful) by toddestan on Saturday March 07 2020, @07:17PM (1 child)

      by toddestan (4982) on Saturday March 07 2020, @07:17PM (#967955)

      I'd gladly absolve them of having to keep my software up to date, in return for them not locking down my device so that I'm allowed to install updates myself, or even completely change the software running on it if I so choose. Ideally mobile would be more like a PC - the manufacturer provides the hardware, and all the hardware has a common way of loading the operating system and software I choose onto it, and thus I have no need to interact with the manufacturer at all after purchase since I can get updates directly from whoever made the software.

      But if they insist on locking down the bootloader and making it so that they are the only source for updates, then yes they have taken on the responsibility of providing said updates. As I said I would be quite happy if the manufacturer would just let me get Android updates straight from Google.

      The PC equivalent to what the phone makers do would be like the manufacturer locking down the boot loader so it will only boot and run a single special version of Windows that the manufacturer created, and this special version of Windows has Windows Update ripped out of it, and in its place some special updater that only gets updates from the manufacturer of the PC. Doesn't matter if the updates are just Microsoft's updates that have been repackaged - once the manufacturer stops providing them then I'm SOL. Kind of like a Mac, though at least with those you can (or at least could) install Windows or Linux on them once Apple drops OSX support for it.

      • (Score: 2) by edIII on Saturday March 07 2020, @08:00PM

        by edIII (791) on Saturday March 07 2020, @08:00PM (#967975)

        I was being sarcastic, but the problem the carriers have is that they can't actually let us have control of the phones. If you controlled the phone, you could disable certain tracking measures. You could affect how e911 operates, and indeed, shut down all telemetry. If you had unfettered access to the software stacks for the radio, who knows what you could really do, right? Way back in the day I loaded a hacked OS into my HTC Windows phone, and had to get the software stacks for radio separate. I think it's a lot more locked down than that now, and Windows phone is no more. It's all Android or iOS.

        They have to lock it down so hard, because they need to lock down their proprietary software stacks for their networks and to ensure proper operation of tracking/e911 measures. That last part is about compliance with federal regulations, and it's them, not us, that are on the hook.

        To move absolute control back into our pockets, that liability would need to be shifted onto us. A consumer connecting up to a wireless carrier is mandated by law to transmit GPS, and would suffer fines if not acting in compliance with e911 laws. Shifting that onto the consumer has never really worked, it always backfires, and that's why the chokepoint is the carrier.

        The best move is to abandon the carriers altogether, but this would require ubiquitous wi-fi coverage. What I would like to see is a data-only radio module from a carrier. Something I could isolate from the rest of the system, especially all audio/video circuits, physically switch on/off, and has nothing to do with e911. My own OS and the data connection is more than sufficient to receive push notifications from whatever platform I want to implement, and to enable end-to-end encrypted conversations over VoIP. Since we have VoIP, we have a connection back to the PSTN to interact with regular phone lines.

        --
        Technically, lunchtime is at any moment. It's just a wave function.