Android Hacks, Second Act
Android hacks are all the buzz nowadays, and researchers have found the core of the problem.
According to Forbes, new problems with the Android OS open up hundreds of millions of phones to hacks…again. Dear Android gaming fans! By this time, I imagine you aren’t even shocked. But it’s worth to know the hows and whys, because even one text message can lead to dire consequences. Two Israeli researchers, OhadBobrov and Avi Bashan found that the rotten fruit in this whole ordeal is the remote support certificate that companies working with Google use. Companies use these certificates to prove that applications are authentic, but it also gives them an entrance into some parts of the system.
The two researchers discovered weaknesses, as Forbes reports, that allow for these certificates to be replicated and recoded to be malicious. They say that this problem can easily be fixed: by removing the Original Equipment Manufacturer, or OEM. This, however, is a less than ideal quick fix. As Bobrov and Bashan told Forbes, “All Android devices from major OEMs are vulnerable – hundreds of millions of devices.” The plugins that are made to help with servicing phones remotely can easily be converted into malware. What’s worse, 90% of Android phones have them.
Android hacks can affect Lenovo, LG, Huawei and Samsung phones
So, how do hackers go about their Android-hacking business? First, they persuade you to download an app that seems perfectly harmless. It can be a social gaming and gambling app, a handy converter or a weather app – basically any type of Android application will do. The malicious app, equipped with a Flashlight tool will then “impersonate the remote access tool by using a specially-crafted certificate, giving it total access to the phone, just as the remote support plugins have,” as Forbes reports. Does that sound bad? Wait for it… hackers can also send text messages that will download the bad remote access tools and viola! your phone is not your phone anymore.
The similar security issues of the aforementioned Stagefright program were thankfully patched, according to Forbes. Google and its partners will have to start quickly on correcting the weaknesses of these plug-ins, if they don’t want a whole scandal on their hands. The two Israeli researchers came up with a free app that can scan your Android phone for any security hazards. If you want to stay safe, it might be worth to download it and give it a go. The Checkpoint researchers claimed that people could try to uninstall these plugins, but would fail to do so. Only a patch can provide a sustainable solution.
Google is getting to work to obliterate Android hacks
Google is tirelessly working together with its partners and Checkpoint to patch up the errors in its system. So, no need to worry, you little Android gambling app lovers! According to Forbes, a Google spokesperson conveyed the company’s gratefulness to the two researchers, and added: “The issue they’ve detailed pertains to customizations OEMs make to Android devices and they are providing updates which resolve the issue. Nexus devices are not affected and we haven’t seen attempts to exploit this. In order for a user to be affected, they’d need to install a potentially harmful application which we continually monitor for with VerifyApps and SafetyNet. We strongly encourage users to install applications from a trusted source, such as Google Play.”
As Forbes reports, HTC already started releasing the necessary patches, but there is no information on what other companies are planning on doing or when they want to follow suite. In Bobrov’s opinion, rolling out patches is great and good, but the core of all security issues can be found in the whole structure of Android phones. The system of app creators having“to sign apps if they want to “talk” with one another, even if they’re vulnerable,” rests on wobbly foundations. For the time being, however, the patches will shield users from unwarranted hacks.