One billion Android devices at risk of hacking:
More than a billion Android devices are at risk of being hacked because they are no longer protected by security updates, watchdog Which? has suggested.
The vulnerability could leave users around the world exposed to the danger of data theft, ransom demands and other malware attacks.
Anyone using an Android phone released in 2012 or earlier should be especially concerned, it said.
[...] Google's own data suggests that 42.1% of Android users worldwide are on version 6.0 of its operating system or below.
According to the Android security bulletin, there were no security patches issued for the Android system in 2019 for versions below 7.0.
[...] How to check whether your phone is vulnerable and what to do
- If your Android device is more than two years old, check whether it can be updated to a newer version of the operating system. If you are on an earlier version than Android 7.0 Nougat, try to update via Settings > System > Advanced > System update
- If you can't update, your phone could be at risk of being hacked, especially if you are running a version of Android 4 or lower. If this is the case be careful about downloading apps outside the Google Play store
- Also be wary of suspicious SMS or MMS messages
- Back up data in at least two places (a hard drive and a cloud service)
- Install a mobile anti-virus via an app, but bear in mind that the choice is limited for older phones
More than a billion hopelessly vulnerable Android gizmos in the wild that no longer receive security updates – research:
File this one under "well, duh." Consumer mag Which? today published research estimating that over a billion Android devices are vulnerable to hackers and malware as they are not receiving security updates.
Data obtained from Google by the publication found that 42.1 per cent of active Android users are languishing on version 6.0 or earlier.
The most current version of Android is version 10, while Android 9.0 Pie and Android 8.0 Oreo continue to receive updates. The Chocolate Factory is expected to release a major update to the world's most popular mobile operating system, Android 11, later this year.
Anything below Android 8.0, therefore, is vulnerable. Extrapolating from the data, Which? believes that almost one billion Android phones are inherently vulnerable.
Compounding the problem is the proliferation of older devices on sites like Amazon, where they're sold by third parties. The mag bought a handful of phones – including the Motorola X, Sony Xperia Z2, and Samsung Galaxy A5 2017 – and found they were susceptible to a host of long-discovered vulnerabilities, including Stagefright, Bluefrag and the Joker Android malware.
Which? is encouraging those with older phones who can't update to take sensible precautions – such as avoiding side-loaded apps and ensuring their data is backed up.
Major Security Bug Called StrandHogg Discovered in All Android Versions
Security company Promon has discovered a critical vulnerability affecting all Android versions, including Android 10, which can allow an attacker to obtain full access to a compromised device.
Baptized StrandHogg, the security flaw allows infected apps to pose as legitimate apps, and researchers explain that all top 500 most popular apps available on Android are currently at risk.
The vulnerability enables malicious apps to be disguised as legitimate ones by exploiting a bug in the Android multitasking engine. An infected app can ask for permissions on behalf of a legitimate app when users launch the multitasking interface, basically tricking targets into believing they are interacting with the legitimate one.
“This exploit is based on an Android control setting called ‘taskAffinity’ which allows any app – including malicious ones – to freely assume any identity in the multitasking system they desire,” Promon notes.
[...] Vulnerability already being exploited in the wild
[...] Very important to know is that StrandHogg does not spread through applications published in the Google Play Store. However, it can use other infected apps that are already listed in the Play store to download the necessary payload that eventually exploits StrandHogg on a vulnerable device.
[...] Promon has already reported the vulnerability to Google, but patches aren’t yet available. Google, however, removed the affected apps that could help drop StrandHogg on an Android device.
Also at Dark Reading, TechXplore and ZDNet.
Vulnerability in fully patched Android phones under active attack by bank thieves
A vulnerability in millions of fully patched Android phones is being actively exploited by malware that's designed to drain the bank accounts of infected users, researchers said on Monday.
The vulnerability allows malicious apps to masquerade as legitimate apps that targets have already installed and come to trust, researchers from security firm Promon reported in a post. Running under the guise of trusted apps already installed, the malicious apps can then request permissions to carry out sensitive tasks, such as recording audio or video, taking photos, reading text messages or phishing login credentials. Targets who click yes to the request are then compromised.
Researchers with Lookout, a mobile security provider and a Promon partner, reported last week that they found 36 apps exploiting the spoofing vulnerability. The malicious apps included variants of the BankBot banking trojan. BankBot has been active since 2017, and apps from the malware family have been caught repeatedly infiltrating the Google Play Market.
The vulnerability is most serious in versions 6 through 10, which (according to Statista) account for about 80% of Android phones worldwide. Attacks against those versions allow malicious apps to ask for permissions while posing as legitimate apps. There's no limit to the permissions these malicious apps can seek. Access to text messages, photos, the microphone, camera, and GPS are some of the permissions that are possible. A user's only defense is to click "no" to the requests.
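Both StrandHogg write-ups above hinge on the 'taskAffinity' setting, so an app-vetting check can start from the manifest. The following is an added example, not code from Promon, Lookout or the quoted articles: it assumes a manifest already decoded to text XML, and the package names, the `PROTECTED_PACKAGES` watchlist and the severity labels are hypothetical.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # android: attribute namespace

# Constructed sample manifest (decoded text XML); all package names are made up.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight">
  <application>
    <activity android:name=".MainActivity"/>
    <activity android:name=".PromptActivity"
              android:taskAffinity="com.example.bank"/>
    <activity android:name=".SettingsActivity" android:taskAffinity=""/>
    <activity android:name=".HelpActivity"
              android:taskAffinity="com.example.flashlight.help"/>
    <activity android:name=".AboutActivity"
              android:taskAffinity="org.example.other"/>
  </application>
</manifest>
"""

# Hypothetical watchlist: packages the reviewer wants to protect from spoofing.
PROTECTED_PACKAGES = {"com.example.bank"}

def audit_task_affinity(manifest_xml, protected=PROTECTED_PACKAGES):
    """Return [(activity, affinity, severity)] for activities whose
    taskAffinity names a package other than the app's own."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    app = root.find("application")
    if app is None:
        return []
    app_affinity = app.get(A + "taskAffinity")  # inherited by activities
    findings = []
    for act in app.findall("activity"):
        affinity = act.get(A + "taskAffinity", app_affinity)
        if not affinity:
            continue  # unset (defaults to own package) or explicitly empty
        if affinity == package or affinity.startswith(package + "."):
            continue  # the app's own name or a sub-name of it
        severity = "high" if affinity in protected else "review"
        findings.append((act.get(A + "name"), affinity, severity))
    return findings

if __name__ == "__main__":
    for name, affinity, severity in audit_task_affinity(SAMPLE_MANIFEST):
        print(f"[{severity}] {name} declares taskAffinity={affinity}")
```

A "review" finding is only a prompt for manual inspection, since a foreign affinity can have benign uses; a "high" finding means the declared affinity matches a package on the reviewer's watchlist.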