
Wednesday 11 September 2013


Top 10 Faults in Android Apps.

1. Easy access to SD card data.

The Android team is working hard toward a "zero-loophole" day.
Among its many loopholes, this one seems to be a big one. Attackers are able to access the data on the SD cards of your Android devices. This loophole may not allow attackers to override administrative privileges or to access the device's memory, but it greatly compromises the security of SD cards. And if a file is opened, the user gets no hint of it.


So far the manufacturers have not come up with a solution. Android users, you will have to wait.


2. NFC Security loophole

New Android handsets featuring NFC capabilities can potentially be ‘hijacked’ by malicious code, according to recent research.
Charlie Miller, principal research analyst at security specialists Accuvant, spoke to tech website Ars Technica about the fatal flaw in Android’s implementation of Near Field Communication technology.
The most important thing to realise is that Miller’s research shows that the NFC protocol standard remains uncompromised; it’s still as secure as ever. It is specifically the way in which Android’s Beam software uses it that is a real cause for concern.
Essentially, Android Beam works in such a way that it can allow a phone’s NFC chip to automatically access a device’s web browser.
This immediately opens up a whole can of worms as any kind of malicious web-based attack which can be delivered through a web browser (and there are many) can then be implemented to operate via NFC activation.
It’s a serious problem because attackers can simply create their own NFC sticker and place it over a legitimate one. The sticker can then send code to a handset when swiped allowing webpage based exploits to be automatically activated. It doesn’t even have to be a sticker either, just a discreet chip placed somewhere that NFC phones are likely to be in use, such as an NFC-enabled cash register.
‘What that means is with an NFC tag, if I walk up to your phone and touch it, or I just get near it, your Web browser, without you doing anything, will open up and go to a page that I tell it to,’ said Miller.
‘So instead of the attack surface being the NFC stack, the attack surface really is the whole Web browser and everything a Web browser can do. I can reach that through NFC,’ he added.
Miller also revealed that the same problem affects NFC-enabled MeeGo phones such as the Nokia N9. However, there are far more current NFC Android devices on the market which are potentially at risk, including some of the most popular handsets such as the multi-million selling Samsung Galaxy S3, the Samsung Galaxy Nexus, Sony’s Xperia S and the HTC One X.

3. Android 4.2 loopholes

Since the Android 4.2 update, loopholes and bugs have kept being discovered. After the calendar bug (the missing December) was repaired in Android 4.2.1, a new loophole has been found, this time in multi-account login.
Android 4.2 introduced multi-account login, but testing shows that when a non-primary user account is logged in, a running application's interface can turn completely transparent, and the main screen may even be visible behind it. Visually it looks quite striking, but it is a very serious problem.
Google should soon release updates to fix the transparent application interface bug, but problems have kept appearing since the Android 4.2 update, and users are complaining that they have had enough.

4. Path loophole

Path, a reasonably popular iOS social networking app, has seemingly opened a can of worms. After sources discovered that iOS apps like Path could secretly copy and transfer private data such as contacts and photos, Apple received an unprecedented level of derision and flak from all quarters.

It had created the walled garden approach of its App Store to reduce piracy, as well as to ensure that iOS users didn’t side-load malware and other security risks onto their devices. However, this mechanism ended up getting circumvented through loopholes in the iOS permissions framework.

Android, as it turns out, isn’t far behind. It has been an OS plagued with malware issues ironically due to one of its USPs – openness, i.e. the ability to side-load apps. Now, as a New York Times investigation has revealed, all a malicious app has to do is to get permission to connect to the net (unlike iOS, which did happen to require permission to access photos, etc.).

The investigating developer, Ralph Gootee, proved that an innocuous permission like that could allow a simple app to upload the device’s newest photo to a public website. This test app was, apparently, just a timer, but as soon as a user chose to start it, the uploading process would begin.


5. 'Master key' to Android Phones Uncovered

A "master key" that could give cyber-thieves unfettered access to almost any Android phone has been discovered by security research firm BlueBox.

The bug could be exploited to let an attacker do what they want to a phone including stealing data, eavesdropping or using it to send junk messages. 

The loophole has been present in every version of the Android operating system released since 2009. 

Google said it currently had no comment to make on BlueBox's discovery...

The danger from the loophole remains theoretical because, as yet, there is no evidence that it is being exploited by cyber-thieves.


6. Temptation to use illegal capabilities of Android.

A security consultant has developed an Android phone app that can electronically hijack and control a plane.

AMSTERDAM, The Netherlands -- Hugo Teso, a security consultant who is also trained as a commercial pilot, claims he has developed an Android phone app which can hijack and control an airliner. Teso detailed his discovery of loopholes in flight management systems found on commercial airliners at the "Hack In The Box" conference in Amsterdam on Thursday. He said that he had spent the last four years investigating the systems that control the aircraft, which has revealed numerous loopholes in their security.

"I expected [the control systems] to have security issues but I did not expect them to be so easy to spot," he said. "I thought I would have to fight hard to get into them but it was not that difficult."

Teso demonstrated how his "PlaneSploit" app could be used to control anything in the cockpit from changing air pressure settings to altering course and even sending the aircraft crashing into the ground. The app took three years to develop, and Teso bought old aircraft systems from eBay to test it. He stressed his app was merely a proof of concept, intended to alert aircraft manufacturers to the security loopholes. He claimed the Federal Aviation Administration and the European Aviation Safety Administration were already working on fixing the vulnerability.


7. A 4-year-old loophole.

Android is currently the world’s most popular operating system. Google recently announced that there are more than 900 million activated Android devices across the world. Now, a security company has discovered a loophole within the system that can compromise 99 percent of that number, which includes both smartphones and tablets.

Bluebox Security, the firm behind the discovery, has uncovered an "Android master key" which has the potential to let any hacker turn literally any Android app into a Trojan horse. This essentially means that a malware ridden app can allow hackers to remotely capture data and control functions on an Android device, such as calls or messages. Neither the phone user, nor Google or the app developer will come to know about the hack. 

On the BlueBox Security blog, CTO Jeff Forristal has published a post explaining that the vulnerability has existed since Android 1.6: Google's Donut build, which was released around four years ago. Forristal said that the company zeroed in on the technique used by hackers, which revolves around modifying an app’s APK code without needing to crack the signature used for authentication. This means that the app, which could be loaded with malware, will appear completely normal and legitimate from the outside.
What is scary about this, apart from having your phone hacked without knowing about it, is the fact that verified apps are given complete and unrestricted access to the Android system as well as all the applications on a smart device. Thus, the potential ramifications of this security weakness are huge, although it is still to be determined exactly how the malware-loaded apps and updates will be sent out to users.
Android users should be relieved to know that apps which are listed on Google’s Play store are immune from this tampering, according to the security firm. Thus, a hacker will have to con a user into downloading a malicious version of an app, maybe with a third-party app store or even fake app links. There has been a huge jump in the number of malware-related attacks levied against Android devices in the last year. Apart from that, the number of phishing attacks registered in the last year has also increased significantly.
Thus, a phishing email which links to a fake update for a popular app might be something that hackers turn to. The easiest way to avoid this is to use official channels for app downloads. However, there are countries where the Play Store is still not available.

The loophole was first reported to Google by the security firm in February, according to CIO. Google has not been idle about this, though, with reports coming in that the company has addressed the issue for the Samsung Galaxy S4 and is currently looking to its own Nexus range. The fact that older devices, which are no longer updated with newer Android builds, can be compromised is a big worry that Google may need to address soon.


8. Loopholes in permission updates.

A new “No Permissions” application from Leviathan Security illustrates how easily Android applications can bypass user permissions. In a perfect world, Android’s permissions system would help users make informed decisions about the apps they install. But, as the new permission-breaking app shows, we don’t live in a perfect world.
The goal of the “No Permissions” app is to make public the ease with which permissions can be bypassed. When you install the app you are not asked to give the app access to your device’s memory. The app then presents you with buttons that access data the app wasn’t given permission for.
Some of that data can be quite personal, such as your device’s identification number, the SIM card’s vendor ID and information about your device’s version of Android. The app can also read data from your SD card, which means it could grab all of your photos and video at any time.



Does this mean your device is at immediate risk? Yes, it could be if you frequently download new apps. Android’s permission model is supposed to keep you protected by keeping you informed, but any flaws that bypass permissions render the model useless. MakeUseOf advocates the use of Android security apps, and this is yet another example of why they’re necessary.
If you’d like to toy with the “No Permissions” app, you can download it from a page on Leviathan Security’s blog which also offers some explanation about how the app works.


9. Loophole affecting 900m Android devices


Google has reportedly issued a patch to mend the security flaw detected by security firm BlueBox which made almost all Android phones vulnerable to hacking.
As revealed earlier by the security firm, Android uses a cryptographic signature as a way to check that an app or program is legitimate and to ensure it has not been tampered with. However, BlueBox found a method of tricking the way Android checks these signatures so that malicious changes to apps go unnoticed.
According to News.com.au, Google has released a patch to original equipment manufacturers in a bid to address the bug which reportedly affected up to 900 million Android devices since the release of Android 1.6 in 2009.

Google's Android Communications Manager, Gina Scigliano said that there has not been any evidence of exploitation in Google Play or other app stores because of the loophole.

The report said that while the security hole exists, there is no indication that it has yet been exploited and Android users can manually check for system updates through the settings menu or can rely upon their hardware providers for the update.
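
As an added example (not part of the original post, and not BlueBox's or Google's code): the publicly documented form of this signature-check trick depended on an APK, which is a ZIP archive, carrying two entries with the same name, so a defender can flag any archive with repeated entry names before it is installed. The function names and the sample archives below are constructed for illustration.

```python
import io
import warnings
import zipfile
from collections import Counter


def duplicate_entries(apk_bytes):
    """Return the entry names that occur more than once in the archive, sorted.

    A well-formed APK lists every path exactly once, so any repeated name
    is a reason to reject the package before installation.
    """
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        # infolist() keeps one record per central-directory entry,
        # including repeats that namelist-to-dict lookups would hide.
        counts = Counter(info.filename for info in zf.infolist())
    return sorted(name for name, n in counts.items() if n > 1)


def build_sample(names):
    """Build a constructed in-memory archive with harmless placeholder data."""
    buf = io.BytesIO()
    with warnings.catch_warnings():
        # zipfile warns when the same name is written twice; expected here.
        warnings.simplefilter("ignore", UserWarning)
        with zipfile.ZipFile(buf, "w") as zf:
            for i, name in enumerate(names):
                zf.writestr(name, "placeholder %d" % i)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed samples: neither is a real application package.
    samples = {
        "clean.apk": ["AndroidManifest.xml", "classes.dex", "META-INF/MANIFEST.MF"],
        "suspect.apk": ["AndroidManifest.xml", "classes.dex", "classes.dex"],
    }
    for label, names in samples.items():
        dupes = duplicate_entries(build_sample(names))
        verdict = "REJECT, repeated entries: %s" % dupes if dupes else "ok"
        print("%-12s %s" % (label, verdict))
```
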


10. Security experts revealed loopholes

Near Field Communication


One of the loopholes of Android smartphones, according to Accuvant researcher Charlie Miller, is the new near field communications (NFC) technology. People who know the workaround could easily take over the phone through this channel.

He said that he already knows how to create a small-scale device which could be put in a subtle place so that, when an Android device is near enough, malicious code could be sent, giving him access to the phone.

Miller spent five years working with the U.S. National Security Agency whose tasks included breaking into computer systems.

Google Chrome Exploit

CrowdStrike’s Georg Wicherski shared that he was able to infect an Android device with malicious code using a flaw in Google’s Chrome browser. He said that while Google is doing its job to find those flaws before hackers do, Android phone users are still vulnerable because manufacturers and carriers couldn’t immediately roll out updates to fix the possible points of exploitation.

“Google has added some great security features, but nobody has them,” said Marc Maiffret, chief technology officer at BeyondTrust.

Java Script Bridge Exploit

Two researchers from Trustwave demonstrated an exploit to get past Google’s “Bouncer” technology for finding malicious applications submitted to the Google Play Store. It could be done by using a legitimate programming tool known to many programmers as “Java Script Bridge,” which lets developers add new features to their apps remotely without having to pass through the Android update process.

According to them, both LinkedIn and Facebook use this technology for legitimate purposes, but it, too, can be exploited by hackers with malicious intent. To prove their point, they showed attendees that they could easily load malicious code onto one of their phones and gain control of the browser, which they could manipulate to download more code and gain total control of the device.

“Hopefully Google can solve the problem quickly,” said Nicholas Percoco, senior vice president of Trustwave’s SpiderLabs.

Many security experts believe Android is still a wild west that many hackers—both with good and malicious intents—often meet.


