PDA

View Full Version : Android 4.3 Jelly Bean



Jorge-Vieira
13-01-15, 14:31
Google stops Android 4.3 Jelly Bean web patch dev

http://images.bit-tech.net/news_images/2015/01/google-jelly-bean-patches/article_img.jpg
Google has indicated that it will no longer develop security patches for the WebView renderer in versions of Android prior to 4.4 'KitKat' - leaving hundreds of millions of users at risk of attack.

Google regularly releases new editions of its Android mobile operating system, each one of which gets a friendly dessert-themed codename. The latest is Android 5.0 Lollipop, the successor to Android 4.4 KitKat. Each release brings with it new features, such as the more efficient Android RunTime (ART) to replace the old Dalvik runtime, and also fixes for numerous security holes - in common with any complex software.

Tod Beardsley of the Metasploit project has, however, reported something Google has not trumpeted: it is no longer developing security fixes for any but the last two releases of its operating system. Users on Android 4.3 Jelly Bean and older - the most recent version of which was released in October 2013, and is estimated to account for just shy of a billion devices globally - are, therefore, at increasing risk of attack.

In a blog post (https://community.rapid7.com/community/metasploit/blog/2015/01/11/google-no-longer-provides-patches-for-webview-jelly-bean-and-prior), Beardlsey reports on a discovery by security researcher Rafay Baloch of a flaw in the WebView renderer of Android 4.3 and older. Responding to Baloch's discovery, Google's security team explained: 'If the affected version [of WebView] is before 4.4, we generally do not develop the patches ourselves, but welcome patches with the report for consideration. Other than notifying OEMs, we will not be able to take action on any report that is affecting versions before 4.4 that are not accompanied with a patch.'

The message is clear: Google will not develop patches for security vulnerabilities in the WebView render supplied with versions of Android older than 4.4 - but will consider releasing patched software if the person or organisation reporting the flaw writes the patch for them.

'I've never seen a vulnerability response program that was gated on the reporter providing his own patch, yet that seems to be Google's position,' Beardsley wrote, relaying a similar response he had received from Google confirming the policy. 'When asked for further clarification, the Android security team did confirm that other pre-KitKat components, such as the multi-media players, will continue to receive back-ported patches.

'Google's position is that Jelly Bean devices are too old to support - after all, they are two versions back from the current release, Lollipop,' Beardsley explains. 'On its face, this seems like a reasonable decision. [But] the idea that "pre-KitKat" represents a legacy minority of devices is easily shown false by looking at Google's own monthly statistics of version distribution. As of January 5, 2015, the current release, Lollipop, is less than 0.1% of the installed market, according to Google's Android Developer Dashboard. It's not even on the board yet. The next most recent release, KitKat, represents about two fifths of the Android ecosystem.

'This leaves the remaining 60% or so as "legacy" and out of support for security patches from Google. In terms of solid numbers, it would appear that over 930 million Android phones are now out of official Google security patch support, given the published Gartner and WSJ numbers on smartphone distribution.'

Noticia:
http://www.bit-tech.net/news/bits/2015/01/13/google-jelly-bean-patches/1

Jorge-Vieira
26-01-15, 15:21
Google Explains Why WebView Vulnerability Will Go Unpatched On Android 4.3


If you’re running Android 4.3 or earlier, you’re pretty much out of luck when it comes to a baked-in defense against a WebView (http://hothardware.com/tags/webview) vulnerability that was discovered earlier this month by security analyst Tod Beardsley. The vulnerability leaves millions of users open to attack from hackers that choose to exploit the security hole.
For those that don’t already know, WebView is a core component of the Android operating system that renders web pages. The good news is that the version of WebView included in Android 4.4 (http://hothardware.com/tags/android-44) KitKat (http://hothardware.com/tags/kitkat) and Android 5.0 (http://hothardware.com/tags/android-50) Lollipop (http://hothardware.com/tags/lollipop) is based on Chromium (http://hothardware.com/tags/chromium) and is not affected by the vulnerability. The bad news is that those running Android 4.3 and earlier are wide open, which means that 60 percent of Android (http://hothardware.com/tags/android) users (or nearly one billion customers) are affected.


image: http://hothardware.com/ContentImages/NewsItem/32420/content/jellybean_nexus.jpg
http://hothardware.com/ContentImages/NewsItem/32420/content/jellybean_nexus.jpg
(Source: Maulim/Wikimedia Commons (http://commons.wikimedia.org/wiki/File:Jelly_Bean_on_Nexus.jpg))
Google responded to Beardsley (https://community.rapid7.com/community/metasploit/blog/2015/01/11/google-no-longer-provides-patches-for-webview-jelly-bean-and-prior) on January 12 with the following statement:

If the affected version [of WebView] is before 4.4, we generally do not develop the patches ourselves, but welcome patches with the report for consideration. Other than notifying OEMs, we will not be able to take action on any report that is affecting versions before 4.4 that are not accompanied with a patch.
What’s most interesting is that Google has no trouble tossing grenades at the feet of Microsoft (http://hothardware.com/news/googles-project-zero-zaps-apple-as-it-discloses-three-os-x-vulnerabilities) and Apple (http://hothardware.com/news/google-gives-microsoft-the-finger-discloses-more-0-day-vulnerabilities) courtesy of its Project Zero (http://hothardware.com/tags/project-zero) program, but doesn’t seem to have the resources to fix a vulnerability that affects a substantial portion of the Android user base.
On Friday, Google’s Adrian Ludwig took to Google+ to further explain his company’s position on patching vulnerabilities in older versions of Android. While Google still has no plans of extending an olive branch to users running Android 4.3 (http://hothardware.com/tags/android-43) or earlier, Ludwig did give some insight into why this decision was made.

“Keeping software up to date is one of the greatest challenges in security,” Ludwig explained. “Google invests heavily in making sure Android and Chrome are as safe as possible and doing so requires that they be updated very frequently.”
Ludwig went on to explain that backporting a patch would be a herculean effort. “WebKit alone is over 5 million lines of code and hundreds of developers are adding thousands of new commits every month, so in some instances applying vulnerability patches to a 2+ year old branch of WebKit required changes to significant portions of the code and was no longer practical to do safely.” We’re sure that Microsoft and Apple would have loved to throw that excuse out when complying with Google’s 90-day window for reporting exploits via Project Zero.

image: http://hothardware.com/ContentImages/NewsItem/32420/content/androidversions.jpg
http://hothardware.com/ContentImages/NewsItem/32420/content/androidversions.jpg
Only Android 4.4 KitKat and Android 5.0 Lollipop users are safe. However, Lollipop market share is too low to even show up in Google's stats.
Ludwig would further explain that users on Android 4.3 and older should simply use a browser that is updated through Google Play (http://hothardware.com/tags/google-play) in order to avoid the WebView vulnerability (he specifically points out Chrome (http://hothardware.com/tags/chrome) and Firefox (http://hothardware.com/tags/firefox)). “Using an updatable browser will protect you from currently known security issues, and since it can be updated in the future it will also protect you against any issues that might be found in the future."
For those savvy enough to install a browser other than the default (like Chrome or Firefox) on your Android 4.3 or earlier device, it appears that the exploit can be easily sidestepped. But as for the vast majority of people that just stick with the default browser and use their devices for playing Candy Crush, keeping up with friends on Facebook (http://hothardware.com/tags/facebook), or scouting new recipes on Pinterest (http://hothardware.com/tags/pinterest); they will likely be the ones most at risk from nefarious hackers. And that’s what most unsettling about Google’s response to this matter.




Noticia:
http://hothardware.com/news/google-explains-why-security-exploits-go-unpatched-on-older-android-phones#3w2M8hCKRwgyJ5Px.99

Jorge-Vieira
07-12-15, 18:15
Rootnik Android Trojan Uses a Root Tool to Steal Sensitive Information

Using a root tool to gain system access, a new trojan is stealing information from Android devices, affecting users in the United States, Taiwan, Malaysia, Thailand, and Lebanon.
http://cdn.wccftech.com/wp-content/uploads/2015/11/VPN-Service-for-Online-Security-635x476.jpg
Android 4.3 and older devices are vulnerable to Rootnik trojan: Rootnik is a new Android trojan that has stolen at least five exploits used in the Root Assistant utility to gain root access of the Android devices, researchers have revealed. Root Assistant is a commercial customized utility developed by a Chinese company helping users to root their Android devices (http://wccftech.com/samsung-sends-out-ces-2016-invites/). Researchers have reported having observed over 600 samples of Rootnik in the wild. The malware was able to spread by being embedded in copies of legitimate applications, including:


WiFi Analyzer
Open Camera
Infinite Loop
HD Camera
Windows Solitaire
ZUI Locker
Free Internet Austria

How Rootnik trojan works… “Rootnik distributes itself by repackaging and injecting malicious code into legitimate Android apps,” explain Palo Alto Networks researchers. After being installed on an Android device (http://wccftech.com/how-to-show-battery-percentage-in-android-6-marshmallow/), the trojan gains root access on the device using the exploits stolen from the Root Assistant. After achieving root access, Rootnik then writes four APK files to the system partition and reboots the compromised Android device.
Advertisements


http://cdn.wccftech.com/wp-content/uploads/2015/12/Rootnik1-500x400.png
These files are named as AndroidSettings.apk, BluetoothProviders.apk, WifiProviders.apk, and VirusSecurityHunter.apk. AndroidSettings helps the trojan promote other apps (increasing revenues) while the BluetoothProviders and WiFiProviders act as remote control components, installing and uninstalling apps along with downloading and executing new code from remote servers. The VirusSecurityHunter is reported to be stealing WiFi information and device owner’s location along with other similar sensitive data.
According to researchers, Rootnik only attempts to gain root privileges on devices located in certain countries and doesn’t attempt to gain root access if the location of the device is determined to be in China. All the Android 4.3 and older devices are vulnerable to this exploit, except of course those in China. To keep your devices safe from these attacks, make sure you keep them updated to the latest security firmware updates (http://wccftech.com/samsung-introduces-marshmallow-android-security-feature-in-lollipop/) and avoid installing applications from unknown sources.
Source (http://researchcenter.paloaltonetworks.com/2015/12/rootnik-android-trojan-abuses-commercial-rooting-tool-and-steals-private-information/) | Via (http://www.securityweek.com/rootnik-trojan-modifies-legitimate-root-tool-hack-android-devices)









Noticia:
http://wccftech.com/rootnik-android-trojan-uses-root-tool-to-hack-devices/#ixzz3tezZEfJR

Jorge-Vieira
22-01-16, 13:57
32 percent of Android users run 4.0 or older, vulnerable to exploit

A new study from Duo Labs has revealed some concerning data on security pertaining to Android users.


http://imagescdn.tweaktown.com/news/4/9/49834_1_32-percent-android-users-run-4-older-vulnerable-exploit.jpg (http://www.tweaktown.com/image.php?image=imagescdn.tweaktown.com/news/4/9/49834_1_32-percent-android-users-run-4-older-vulnerable-exploit_full.jpg)

It turns out 32 percent of them run version 4.0 of the operating system or older. This is especially worrisome because this makes them more susceptible to the Stagefright vulnerability, unlike later versions which added or supported security features to fight it.

The team also found 1 in 3 Android owners do not use lockscreen passcodes, compared to iPhone owners who are apparently much more concerned about security (1 in 20 don't use a lockscreen passcode). More, just 10 percent of Android phones utilize pre-boot passcode device encryption; 20 percent are running 5.1.1 and not 6.0.1, and 5 percent are jailbroken (versus 0.4 percent of jailbroken/rooted iPhones).

Duo Labs is recommending manufacturers make it so missing security updates are detected, at which point users are prompted to download them. As well, they urge Google to deploy updates on its Nexus devices more frequently and directly, since there's less red tape involved. In the meantime, you can download its X-Ray (https://labs.duosecurity.com/xray?_ga=1.39684896.2066309578.1453392985) tool to scan for vulnerabilities.




Noticia:
http://www.tweaktown.com/news/49834/32-percent-android-users-run-4-older-vulnerable-exploit/index.html


Aproveitei aqui o topico do Android versão 4 mais antigo existente no forum para colocar esta noticia.
Penso que a culpa esteja apenas e só na Google em não obrigar os fabricantes a actualizações constantes como faz a Microsoft.