Another Android Bug That Lets Hackers Control Your Phone With One Text!


JM Safe

Thread author
Apr 12, 2015
Good day everyone.

Just when the world was starting to chill out about Stagefright, some Israeli hackers announced more bad news. Just like Stagefright, there’s another Android vulnerability that lets hackers take control of a phone with a single text. What’s worse is that there’s not an easy fix.

Announced today at the Black Hat security conference in Las Vegas, it’s called Certifi-gate. The research team from Check Point that found the vulnerability explained the details to a half-confused audience in Las Vegas on Thursday morning. I say half-confused because the session’s title—“Front Door Access to Pwning Millions of Androids”—sounds so familiar to the Stagefright scare that captured headlines at the end of July. However, the Check Point team’s findings reveal a more complicated issue with Android security that revolves around how the operating system fails to verify apps with privileged permissions. This means that it’s easy for a hacker to take over almost any Android phone with a fake app or even an SMS.

The apps in question are known as mobile remote support tools (mSRTs). These often come pre-installed by the manufacturer or carrier and enable support teams to access and control devices remotely, mainly for fixing problems. You might not know it, but you probably have an mSRT installed on your Android phone. It probably doesn’t even have an icon in your launcher. Google doesn’t ship these apps with stock Android, and there’s no native way to verify certificates, even though they’re often granted privileged permissions like the ability to install new apps, access the screen, or mimic user input.

Long story short, the Check Point team figured out a pretty straightforward way to create fake certificates and gain full access to an Android device with an mSRT installed. In the Black Hat demo, Check Point’s Ohad Bobrov and Avi Bashan demonstrated two ways of gaining access. One involved installing a fake flashlight app that requested very few permissions but actually gave them full control over the device thanks to the vulnerability. The other involved sending a single text message that could force the remote access tool to issue any command. The hack is pretty scary-looking in action.

It’s not all bad news. The Check Point team reported the vulnerability to Google as well as a number of device manufacturers (LG, Samsung, HTC, Huawei, etc.) as well as carriers. Many of them have already addressed it, but the researchers warned that there are still millions of devices that could still be vulnerable. Handily enough, Check Point built a scanner app that you can download from the Google Play Store to see if your phone is one of them.

You can continue to read the full article here: http://gizmodo.com/another-android-...eed&utm_campaign=Feed:+gizmodo/full+(Gizmodo)


Entreri

May 25, 2015
iPhone has incredible security given how much Apple controls their AppStore and their vigorous monitoring and testing.

On Android, a lot of people download all manner of apps made by Nobody Company without thinking, and others jailbreak, thus a malware haven.
 