Tag Archives: Android

Fortnite vulnerability on Android causes disclosure tension

Google’s disclosure policy and Android security in general came under question after the company disclosed a flaw in the Android installer for the world’s most popular game, Fortnite. The flawed installer is only for Android users because Fortnite developer Epic Games bypassed security protections available for apps distributed through the Google Play Store, in order to maximize profits and avoid paying distribution fees to Google.

On Friday, Google disclosed the Fortnite vulnerability and described it as a risk for a man-in-the-disk attack where any “fake [Android Package Kit] with a matching package name can be silently installed” by the Fortnite installer. Google disclosed the flaw to Epic Games on Aug. 15, and Epic had produced a patch within 24 hours.

After testing the patch and deploying it to users on Aug. 16, Epic asked Google on the issue tracker page if they could have “the full 90 days before disclosing this issue so our users have time to patch their devices.” Google did not respond on the issue tracker until Aug. 24, when it noted that “now the patched version of Fortnite Installer has been available for 7 days we will proceed to unrestrict this issue in line with Google’s standard disclosure practices.”

Epic Games founder Tim Sweeney accused Google on Twitter of wanting “to score cheap PR points” by disclosing the Fortnite vulnerability because Epic Games had released the game outside of the Google Play Store.

Epic Games had previously claimed the reason for not releasing Fortnite for Android through the Play Store was twofold: to maintain a “direct relationship” with customers and to avoid the 30% cut Google would take from in-app purchases. Security experts immediately expressed skepticism about the move because of the security checks in Android that need to be turned off in order to sideload an app from outside of the Play Store and the risk of malicious fakes.

Sweeney admitted on Twitter that the Fortnite vulnerability was Epic’s responsibility, but took issue with Google’s fast disclosure.

It is unclear if Epic Games contacted users directly regarding the Fortnite vulnerability and the need to update. And the company did not respond to requests for comment at the time of this post.

Sweeney did note on Twitter that the “Fortnite installer only updates when you run it or run the game” and said Google was monitoring the Fortnite vulnerability situation.

Liviu Arsene, senior e-threat analyst at Romania-based antimalware firm Bitdefender, said that “from a security perspective there’s no right or wrong in this scenario.”

“As soon as the vulnerability was reported, Epic fixed [it] within 24 hours, which is commendable, and then Google publicly disclosed it according to their policy. Technically, users are now safe and informed regarding a potential security vulnerability that could have endangered their privacy and devices,” Arsene wrote via email. “Granted, not all users will receive and install the update instantly, but the same can be said for most security patches and updates. As long as Epic is committed to delivering patches for their apps, regardless if they’re in Google Play or not, and Google is committed to finding and responsibly disclosing vulnerabilities, security is enforced and users are the ones that benefit most.”

Google’s OEMConfig could propel Android in business

A new initiative from Google aims to make Android more appealing to the enterprise.

Currently, enterprise mobility management (EMM) providers build different APIs into their platforms for each Android OEM’s unique features, which creates a hassle to fully support all manufacturers. With OEMConfig, the manufacturers themselves will provide the APIs in an application that EMM providers can support. That means IT pros can more easily manage and update various Android devices through their EMM, and incorporate OEM-specific features for their users.

“This looks like an enormous step forward,” said Willem Bagchus, a messaging and collaboration specialist at United Bank based in Parkersburg, W.Va. “Google is more serious about getting a deeper penetration into the business marketplace, and I look forward to it.”

What needs to change

Each Android OEM builds different features into its devices through APIs that augment what Google builds into the OS, such as capabilities that optimize bandwidth for field service workers. Android Enterprise helped expand API standards for Android in business settings, but there are still plenty of OEM-specific APIs.

That means EMM and unified endpoint management (UEM) providers must write, test and maintain different sets of code for different APIs, and repeat that process each time the OEM updates the OS. It also means the EMM provider is forced to make choices about where to dedicate its resources to support OEMs.

“This put a huge burden on the UEM providers,” said Ojas Rege, chief strategy officer at MobileIron. “The APIs wouldn’t necessarily be supported by many of the providers. The model doesn’t scale, and it takes away the manufacturer’s practical ability to differentiate.”

Some IT shops jump through hoops to manage Android in business because of the OS’ many varieties.

United Bank has used Microsoft Intune for the past two years to manage Apple iOS and Android devices. Only tech services employees get Android devices, and they’re Google phones rather than another manufacturer because Google’s own devices receive OS updates most often, Bagchus said.

“The frequency of OS updates — it’s the Wild West,” he said. “Everybody has their own flavor of Android, which is good on the one hand, but it’s hard to have a standard management approach to it.”

How OEMConfig could help

With Android Enterprise and AppConfig, EMM and UEM providers can send configurations to an application on a device. OEMConfig, which Google announced at its Android Enterprise Summit for Partners in London in May, will extend this capability.

With OEMConfig, an OEM builds its APIs into a configuration app and makes that app available in the Google Play store. EMM providers then support the OEMConfig app in their platform, and customers distribute the app to end users’ devices through the EMM. The app then configures a device to take advantage of the specific features in that OEM’s version of Android.

“It’s going to speed up the time to market on any new functionality,” said Jason Bayton, senior enterprise mobility consultant at CWSI based in the U.K. “We no longer have to wait on the EMM. It’s in [the OEMs’] best interest really because the more value-add a device can bring to an enterprise, the more likely they are to be bought.”

An extra benefit for IT is that the OEMConfig app can provide more consistent updates through Google Play automatically, and push new features to devices as soon as they’re available, Bayton said. IT admins can send new, vendor-specific calls to devices as soon as the OEM updates the app, without waiting for the EMM provider to build custom code, according to a Google spokesperson.

EMM providers will need to adjust their user interfaces to render OEMConfig’s more robust schema and properly display hardware management groupings for IT to configure, the spokesperson said.

The future of Android in business

OEMConfig mainly benefits smaller OEMs that don’t have support from all EMM vendors, experts said. That benefits IT at smaller businesses, which tend to have more mixed device environments than large enterprise organizations, said Eric Klein, director of mobile software at VDC Research.

“This can make EMM make a lot more sense for them because you’re going to be able to support any type of Android device,” he said. “It’s a way for Google to really make themselves a much more easily integrated platform.”

If OEMConfig simplifies EMM support and device updates, that’s a big reason for more highly regulated companies to adopt Android in business, Bagchus said.

“I think it will finally make Android devices more palatable,” he said. “We’re under a lot more scrutiny because of the regulators, which is why we had to steer clear of Android before.”

Still, Google will need OEMs and EMM providers to rally around this initiative to boost Android in business. Google has worked with hardware partner Zebra to develop the OEMConfig framework, and is “actively bringing our OEM and EMM partners together to incorporate OEMConfig into their solutions,” the Google spokesperson said, but declined to say when OEMConfig will be officially available.

EMM vendors likely will get on board in the last quarter of 2018, VDC’s Klein said.

MobileIron’s Rege said the company plans to support OEMConfig when it is available.

“It means that all these new capabilities can be supported by us without having to create custom code,” he said.

RAMpage attack unlikely to pose real-world risk says expert

A group of researchers developed a proof of concept for a variant of the Rowhammer exploit against Android devices and proved that Google’s protections aren’t enough, but one expert said the RAMpage attack is unlikely to pose a real-world threat.

A team of researchers from Vrije Universiteit Amsterdam, the University of California at Santa Barbara, Amrita University of Coimbatore, India and EURECOM — including many of the researchers behind the Drammer PoC attack upon which RAMpage was built — created both the RAMpage attack against ARM-based Android devices and a practical mitigation, called GuardION.

According to the researchers, the most likely method for attacking a Rowhammer vulnerability on a mobile device is through a direct memory access (DMA) based attack.

As such, they developed the RAMpage attack, “a set of DMA-based Rowhammer attacks against the latest Android OS, consisting of (1) a root exploit, and (2) a series of app-to-app exploit scenarios that bypass all defenses,” researchers wrote in their research paper. “To mitigate Rowhammer exploitation on ARM, we propose GuardION, a lightweight defense that prevents DMA-based attacks — the main attack vector on mobile devices — by isolating DMA buffers with guard rows.”

The researchers said a successful RAMpage attack could allow a malicious app to gain unauthorized access to the device and read secret data from other apps, potentially including “passwords stored in a password manager or browser, personal photos, emails, instant messages and even business-critical documents.” However, lead researcher Victor van der Veen was careful to note it is unclear how many devices are at risk because of differences in software.

“With RAMpage, we show that the software defenses that were deployed to stop Drammer attacks are not sufficient. This means that the only remaining requirement is having buggy hardware. Since we have seen bit flips on devices with LPDDR2, LPDDR3, and LPDDR4 memory, we state that all these devices may be affected, although it is uncertain how many,” van der Veen wrote via email. “Local access is required. This means that the attacker must find a way to run code (e.g., an app) on the victim’s device. A second requirement is that the device needs to be vulnerable for the Rowhammer bug: it is unclear what percentage of devices expose this issue.”

In a statement, Google downplayed the dangers of the RAMpage attack: “We have worked closely with the team from Vrije Universiteit and though this vulnerability isn’t a practical concern for the overwhelming majority of users, we appreciate any effort to protect them and advance the field of security research. While we recognize the theoretical proof of concept from the researchers, we are not aware of any exploit against Android devices.”

Google also asserted that newer devices include protections against Rowhammer attacks and “the researcher proof of concept for this issue does not work on any currently supported Google Android devices,” though Google did not specify what qualified as a “currently supported Google Android device.” 

Liviu Arsene, senior e-threat researcher at Romania-based antimalware firm Bitdefender, said this could mean “that ‘currently supported devices’ refers to Android builds to which Google still issues security patches, which means that Android Marshmallow (6.0.) and above may not be susceptible” to the RAMpage attack. According to Google’s latest platform numbers, more than 62% of Android devices in the wild are above this threshold.

However, van der Veen thought Google might be referring to its own handsets.

“I believe they hint at the devices that fall under their Android Reward program, which is basically the Pixel and Pixel 2. We did manage to flip bits on a Pixel, and I think that it is likely that there are Pixel phones out there on which the attack will work,” van der Veen wrote. “I don’t see criminals exploiting the Rowhammer bug in a large-scale fashion. It is more likely to be used in a targeted attack. I do think that Google can do a bit more though.”

Arsene agreed that the RAMpage attack does appear “very difficult and unlikely to happen on a mass scale.”

“Attackers would have to know in advance the type of device the target owns, because some manufacturers and OS builds implement different row sizes (e.g. 32KB, 64KB, 128KB), making the attack significantly more complex and less reliable,” Arsene wrote via email. “Google may be right in saying the attack should not be of concern to average users, but it could be used in highly targeted attacks that involve stealthily compromising the device of a high priority individual. For mass exploitation of Android devices there are likely other, less sophisticated methods, for compromise. Attackers will often go for the path of least resistance that involves maximum efficiency and minimum effort to develop and deploy.”

GuardION defense

Despite the relatively low likelihood of the RAMpage attack being used in the wild, researchers developed a mitigation based on protecting Google’s ION DMA buffer management APIs, which were originally added to Android 4.0.

“The main reason for which defenses fail in practice is because they aim to protect all sensitive information by making sure that they are not affected by Rowhammer bit flips. Hence, they are either impractical or they miss cases,” the researchers wrote in their paper. “Instead of trying to protect all physical memory, we focus on limiting the capabilities of an attacker’s uncached allocations. This enforces a strict containment policy in which bit flips that are triggered by reading from uncached memory cannot occur outside the boundaries of that DMA buffer. In effect, this design defends against Rowhammer by eradicating the ability of the attacker to inject bit flips in sensitive data.”

Van der Veen added via email, “I think the main message should be that Rowhammer-based exploits are still possible, despite Google’s efforts. I think there is also (scientific) value in our breakdown of other proposed mitigation techniques and how they apply to mobile devices, plus our proposed defense, GuardION.”

GuardION may not be real-world ready either though. The researchers noted that Google said the mitigation technique resulted in too much “performance overhead” in apps, but they continue to work with the Android security team “to figure out what a real-world benchmark looks like so that we can hopefully improve our implementation.”

Arsene said “the existence of security research that exploits hardware vulnerabilities does not necessarily mean that users will be more at risk than before.”

“Some of it is purely academic and the practical applications of weaponizing this type of research may never become a reality for the masses,” Arsene wrote. “However, users should realize that unpatched, outdated, and unsupported devices and operating systems will always involve significant security risks to their privacy and data.”


Looking for a Chromebox which is i3 or higher.

Also a preference for one which has or will be getting Android apps.


Location: Cent Ldn



Google got faster pulling bad Android apps from Play Store

Google wants to reinforce that the Play Store is the safest place for Android users to get apps with a new set of stats on how its efforts to block bad Android apps have improved.

Andrew Ahn, product manager for Google Play, said the company has “halved the probability” of users installing bad Android apps and also made the Play Store “a more challenging place for those who seek to abuse the app ecosystem for their own gain.”

“In 2017, we took down more than 700,000 apps that violated the Google Play policies, 70% more than the apps taken down in 2016. Not only did we remove more bad apps, we were able to identify and action against them earlier,” Ahn wrote in a blog post. “In fact, 99% of apps with abusive contents were identified and rejected before anyone could install them. This was possible through significant improvements in our ability to detect abuse — such as impersonation, inappropriate content, or malware — through new machine learning models and techniques.”

Liviu Arsene, senior e-threat analyst at Romania-based antimalware firm Bitdefender, said it is “commendable that Google is going through great lengths to optimize the malicious app bouncing process,” considering the more than 3.5 million apps in the Play Store.

“However, malware developers don’t necessarily have to submit ‘bad Android apps’ when they can simply create something that’s barely functional with the sole purpose of getting past the vetting process. Some apps may offer deceptive descriptions and functionalities just to get installed on devices, from which they can request all sorts of permissions for tracking users or for bombarding them with ads,” Arsene told SearchSecurity. “There have been instances where apps walk a very fine line between complying with Google’s advertising policy and spamming users with nag screens, browser redirects, and unsolicited pop-ups just for the sole purpose of generating revenue for the developer. While, granted, they don’t install malware or pilfer personal data, some of them can still be borderline legitimate.”

Will the Play Store catch all the bad apps?

A Google spokesperson told SearchSecurity that there will always be a chance for bad Android apps to slip through because “they evade detection in a sneaky way, or seem to be very borderline cases,” and in those cases Google relies on analyzing how apps are being distributed, monitoring user community flagging and reviewing data from post-install Google Play Protect scans in order to take action on a potentially harmful app.

“Apps submitted to Google Play are automatically scanned for potentially malicious code as well as spammy developer accounts before they are published on the Google Play Store. To complement that effort, we recently introduced a proactive app review process to catch policy offenders earlier in the process, while still ensuring that developers can get their apps to market as soon as possible — in a matter of hours, not days or weeks,” the spokesperson said. “During that process, apps are specifically reviewed for compliance against our Google Play Developer Content Policy and Developer Distribution Agreement, which prevents things like apps that are impersonating legitimate companies or deceptive behavior.”

Arsene applauded the work done by Google to block bad Android apps “because Android is one of the most popular operating systems.”

“Some built in app scanning features even let users know if they’ve downloaded something malicious from a third-party marketplace, which acts as an additional line of defense,” Arsene said. “However, it’s recommended that everyone owning an Android device, regardless if they install apps from official marketplaces or not, install a mobile security solution as it will have the ability to protect them from much more than just malicious apps, but also against web-based attacks and other online threats.”

Android KRACK flaw patched in latest security update

Google’s latest security update included the patch for the Android KRACK Wi-Fi flaw, but it is unclear when users will see the fix rolled out to devices.

When researchers first disclosed the KRACK vulnerability, they made it clear that the attack was “exceptionally devastating against Linux and Android 6.0 or higher” because those systems could be “tricked into (re)installing an all-zero encryption key.”

The November security update from Google included the patch for the Android KRACK flaw and fixed the issue for versions 5.0.2 through 8.0 of the mobile OS. However, users have already seen issues with the rollout.

The Android KRACK patch was part of the security patch level 2017-11-06 released by Google, but the November release was also split into patch levels 2017-11-01 and 2017-11-05. Google’s own Pixel and Nexus devices were first to receive a rollout, but some users reported getting the 2017-11-05 patch level, which meant the Android KRACK flaw was not fixed.

Users on Twitter expressed confusion about Google pushing the patch level that did not remediate the KRACK vulnerability, and the CopperheadOS Twitter account provided a possible explanation.

“They have the wpa_supplicant patches in the release for Pixels today marked EMR but they appear to have reverted the patch level back to 2017-11-05 so there’s probably something missing outside wpa_supplicant,” CopperheadOS wrote on Twitter. “It’s only in the branch for 2nd generation Pixels so it’s not really patched in AOSP when none of the branches has the patches without them being reverted. For most devices, they’ll only get it with 2017-12-01.”

Android KRACK around the ecosystem

Normally, users have to wait until Google adds a patch to the Android Open Source Project repository before hardware manufacturers can begin work to push the fix, but with the Android KRACK flaw manufacturers appear to have begun the work to fix the issue before Google.

Manu Kumar Jain, vice president and managing director of Xiaomi India, announced its patch three days before Google.

Samsung also confirmed its November 2017 security update will include the Android KRACK patch, but the rollout of the update had not yet begun at the time of this post.  

The original researchers who discovered KRACK were initially praised for disclosing the issue beforehand to allow major manufacturers time to create patches, but it is unclear when Google was informed of the issue.

Fake WhatsApp app downloaded 1 million times

Android users were tricked by a convincing fake WhatsApp app listing in the official Google Play Store, but one expert said this incident shouldn’t take away from confidence in the safety of the Play Store.

The issue was first revealed on the r/Android subreddit and showed a fake WhatsApp app listing in the Google Play Store that had the developer name appearing to be the real WhatsApp Inc. Redditor “E_x_Lnc” first posted about the fake listing, noting it used a Unicode character that mimicked a blank space after the name in order to bypass Google’s malware scanner and was invisible unless someone looked at the code itself.
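An added example, not from the article or from Google: one way a store-side check could flag a publisher name padded with a blank-rendering Unicode character, as described above. The protected-name list and the sample names are constructed, and the article does not say which code point the fake listing used.

```python
import unicodedata

# Constructed allow-list of publisher names worth protecting (assumption).
PROTECTED_PUBLISHERS = {"WhatsApp Inc."}

# Code points that render blank but are classified as letters or symbols,
# so a general-category check alone would miss them.
BLANK_LOOKALIKES = {"\u115f", "\u1160", "\u3164", "\uffa0", "\u2800"}

SEPARATOR_CATEGORIES = {"Zs", "Zl", "Zp"}  # space, line and paragraph separators
INVISIBLE_CATEGORIES = {"Cf", "Cc"}        # format and control characters


def char_kind(ch):
    """Classify one character as 'blank', 'invisible' or 'visible'."""
    if ch in BLANK_LOOKALIKES:
        return "blank"
    category = unicodedata.category(ch)
    if category in SEPARATOR_CATEGORIES:
        return "blank"
    if category in INVISIBLE_CATEGORIES:
        return "invisible"
    return "visible"


def suspicious_chars(name):
    """List (index, code point, Unicode name) for every character that shows
    as empty space or as nothing at all, other than the plain ASCII space."""
    findings = []
    for index, ch in enumerate(name):
        if ch != " " and char_kind(ch) != "visible":
            findings.append(
                (index, f"U+{ord(ch):04X}", unicodedata.name(ch, "UNNAMED"))
            )
    return findings


def skeleton(name):
    """Reduce a name to what a person reading the listing would see:
    NFKC-normalize, drop invisible characters, turn blank-rendering ones
    into spaces, collapse runs of spaces, and ignore case."""
    visible = []
    for ch in unicodedata.normalize("NFKC", name):
        kind = char_kind(ch)
        if kind == "blank":
            visible.append(" ")
        elif kind == "visible":
            visible.append(ch)
    return " ".join("".join(visible).split()).casefold()


PROTECTED_SKELETONS = {skeleton(n) for n in PROTECTED_PUBLISHERS}


def classify(name):
    """Return 'exact', 'impersonation' or 'unrelated' for a submitted name.

    'exact' only means the string is byte-identical to a protected name; a
    real store would still have to tie it to the genuine developer account.
    """
    if name in PROTECTED_PUBLISHERS:
        return "exact"
    if skeleton(name) in PROTECTED_SKELETONS:
        return "impersonation"
    return "unrelated"


if __name__ == "__main__":
    # Constructed sample submissions.
    samples = [
        "WhatsApp Inc.",
        "WhatsApp Inc.\u00a0",     # trailing no-break space
        "Whats\u200bApp Inc.",     # zero-width space inside the name
        "WhatsApp Inc.\u3164",     # Hangul filler, a "letter" that draws nothing
        "Example Games Ltd",
    ]
    for sample in samples:
        print(repr(sample), classify(sample), suspicious_chars(sample))
```

This covers only blank and invisible characters; names built from look-alike letters in other scripts need a confusables mapping on top of it.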

There were some minor red flags on the fake WhatsApp app listing that redditors pointed out though. First, while 1 million downloads may seem impressive, the real WhatsApp has been downloaded more than 1 billion times. The fake WhatsApp app listing also contained the tag claiming the app contained ads, which the real app does not. Finally, the real WhatsApp listing bears the “Verified by Play Protect” branding from Google.

What the fakeout means

Liviu Arsene, senior e-threat analyst at Romania-based antimalware firm Bitdefender, said using Unicode characters to impersonate a brand name and the fake WhatsApp app itself should never have made it past the Google Bouncer malware scanners.

“Malicious app developers have proven to be very resourceful in the past, and this incident with WhatsApp is no different,” Arsene told SearchSecurity. “It’s worth noting that before actually installing an application users should also go through the comments section to see if others reported any abnormalities with it or even doing a little research regarding the developer’s name and what other apps has he published, to spot any potential issues.”

According to redditor “dextersgenius”, the app itself was little more than an ad-wrapper, and once installed it tried to hide itself by having a blank icon and no title.

Arsene said “adware itself is not always malicious,” which may be why this fake WhatsApp app wasn’t caught earlier.

“Benign apps have been smuggled before in Google Play, only to be later updated with malicious components — even if for a short period of time,” Arsene said. “However, malicious behavior that involves data exfiltration and remote control of the device is a lot easier to spot than simply deciding whether or not an ad-displaying app is too intrusive.”

Despite this incident, Arsene said Android users should still see the Google Play Store as the safest place to get apps.

“The general line for Android safety remains downloading apps from Google Play, mostly because these incidents where malware or aggressive adware makes it in their marketplace are sufficiently rare and quickly handled,” Arsene said. “However, it’s more than recommended to also rely on a security solution for mobile devices, as security vendors are in the business of scrutinizing apps more aggressively for keeping users safe.”

Wanted – SSD > 120gb

Need an SSD for building Android and the like.

The HDD isn't cutting it anymore.

It has to be bigger than 120gb. 120gb doesn’t have enough space after OS installation.

Something cheap would be great.

Location: Oldham
