Last night, we told you guys about a security hole in Android that was to be revealed at a security conference called Black Hat 2012. Well today, corporate and government security technology experts from all over gathered in Las Vegas, Nevada to learn more about all the new ways their networks are currently vulnerable to hackers, cyber criminals and would-be terrorists from around the world.
During a session dubbed “Adventures in Bouncerland,” Trustwave’s SpiderLabs demonstrated a technique that evades “Bouncer” (Google’s security software for keeping malicious apps out of the Play Store and quickly removing them) and works on virtually all devices currently on the market. This makes downloading malicious apps disguised as legitimate applications in the Play Store a very real possibility. And that’s not all.
A researcher from a company called Accuvant showed off its method for delivering malicious code to Android devices via the much touted NFC (near field communication) chip found in some of the hottest Android devices currently on the market. Researcher Charlie Miller — who spent 5 years with the US National Security Agency — found a way to create a small, postage stamp sized device that could be placed just about anywhere (a cash register or vending machine) and can infect an unsuspecting person’s NFC enabled device without them ever knowing what happened. Scary stuff.
Freaked out yet? Well, there’s more. Miller and another researcher from a company called CrowdStrike found an exploit in the stock Android browser, unveiled back in February, publicly acknowledged by the Google Chrome development team and patched in the latest versions of Chrome for Android. But therein lies the problem. With only around 10% of devices currently running Ice Cream Sandwich, and even fewer running Jelly Bean (where Google has officially made Chrome the stock Android browser), the majority of Android users remain vulnerable to attack.
I guess that means users have even more ammunition for urging OEMs and carriers to update their devices to the latest version of Android. It’s no longer about all the cool new features and pizazz; now it’s simply a matter of security. When it came to Apple’s devices, researchers pointed out how quickly Apple is able to get carriers to push out new security updates. But as it stands for many security experts at the Black Hat 2012 conference, Android is still “the Wild West.”
[Reuters]
Always nice to see these exposés on a new OS; it makes it stronger when Google fixes them. That ain’t a biggie. Even Linux and Unix are not hacker proof.
Nothing is hacker proof and the sooner people get this through their heads the less stressed they will be. I don’t blame Google for this at all. Every version of everything usually improves security over the last. Even if you want to argue that there shouldn’t have been flaws to begin with, it’s not Google’s fault that OEMs and carriers refuse to keep their products up to date. What with all that “internal testing” they do, these types of things should have been caught before they were released and they should be prepared to patch this kind of stuff asap.
As frankie said, the point of these things is to make devs aware of issues and help resolve them.
So no, no I’m certainly not ‘freaked out’.
This is why they have these events: the good ol’ release to the public. Google already was aware though. I’m quite sure they’ll patch it server side for the 2.2+’s of the world.
Maybe these guys have a fix for the secure element error that locks you out of Wallet.
FYI, Chrome hasn’t replaced the Android stock browser on Jelly Bean. It has only replaced it on the Nexus 7.
This is awesome! People finding the loopholes in Android simply makes OEMs and Google fix it and create a better OS!