Stories
Slash Boxes
Comments

SoylentNews is people

posted by cmn32480 on Sunday June 28 2015, @09:12AM   Printer-friendly
from the the-only-way-to-be-secure-is-not-to-network dept.

Security researchers of the security group at the Free University of Amsterdam found a hole in Android. The scoop in Dutch - news is 10hrs old at time of writing, I didn't find an English source yet. Heck, the university hasn't even put out a press release, even though this is currently making a splash in the Dutch news.

In short, the researchers hacked the user's (desktop) browser and then installed (via this browser) a malicious app on the phone.This gave them basically full control over the phone: turning camera on/off, replacing installed apps with malicious versions, intercepting text messages, etc. In fact, they used this to reduce a common version of two-factor authentication (know password and have phone) to only one factor: they managed to intercept verification codes (text messages) sent by a bank.

The problem is not in a specific version of Android, but in the deep integration between Google's websites and Android. Google has been made aware of the problems late 2014, but has yet to publicly reply.


Original Submission

 
This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 1, Interesting) by Anonymous Coward on Sunday June 28 2015, @12:21PM

    by Anonymous Coward on Sunday June 28 2015, @12:21PM (#202413)

    What browser exploit did they use and how can it be secured against?

    Starting Score:    0  points
    Moderation   +1  
       Interesting=1, Total=1
    Extra 'Interesting' Modifier   0  

    Total Score:   1  
  • (Score: 0) by Anonymous Coward on Sunday June 28 2015, @12:38PM

    by Anonymous Coward on Sunday June 28 2015, @12:38PM (#202415)

    More importantly, how does a desktop browser exploit result in a malicious app being installed on your mobile?

    • (Score: 4, Informative) by sjames on Sunday June 28 2015, @01:41PM

      by sjames (2882) on Sunday June 28 2015, @01:41PM (#202420) Journal

      If you browse Google play with a logged in chrome, you can select apps to be automatically installed on any associated Android phone.

      • (Score: 3, Funny) by Nerdfest on Sunday June 28 2015, @03:01PM

        by Nerdfest (80) on Sunday June 28 2015, @03:01PM (#202426)

        What should be added to this is that I would guess that the app must be available in the Google Play store. There really shouldn't be malware available there in the first place. There may be apps that are not 'malware' according to the rules of the store though, such as ones that send SMS messages to pay services.

        • (Score: 5, Informative) by davester666 on Sunday June 28 2015, @06:00PM

          by davester666 (155) on Sunday June 28 2015, @06:00PM (#202469)

          I believe the critical part of your post is "There really shouldn't be malware available there". Except there is. Just running the apps through a virus checker doesn't really get the job done.