Security concerns with Lineageos - Android Q&A, Help & Troubleshooting

Hi.
Are there any risks involved in using official LineageOS ROMs compared with the stock ROM?
I am not talking about integrity, but the risk of trojans, keyloggers etc.
I mean, what are the chances of someone putting malware on an official LineageOS build that can later be used to intercept banking codes etc.?
One possible risk as I see it: if someone uses LineageOS and his phone gets hacked, and so his banking apps, and his accounts are emptied... Even though it's not LineageOS's fault,
the bank always wants to avoid responsibility. Could it be possible that the bank checks the log files and says "hey, what kind of phone have you been using? This doesn't look like the original..."?
When reading the bank agreement it says that it is "not recommended" to install unofficial software from sources other than the Play Store etc.
Also, would it be less safe to use an unofficial build such as Lineage MicroG?

Welcome to XDA.
The smaller the distribution, the greater the risk; fewer users/eyes on it. Inversely, so would be the number of potential targets, making smaller distributions less profitable/desirable to a hacker.
There's no need to have banking apps on the phone anyway; login through the browser. Brave is fairly secure.
Keep social media, shopping and banking apps off the phone regardless if it's stock or rooted.


There's a Zombie-like Security Flaw in Almost Every Android Phone

Nice article to read.. Just thought I would share.. MODS PLEASE DELETE IN CASE THIS IS A DUPLICATE.
http://news.yahoo.com/theres-zombie-...013019842.html
There's a Zombie-like Security Flaw in Almost Every Android Phone
By Abby Ohlheiser
Almost every Android phone has a big, gaping security weakness, according to the security startup who discovered the vulnerability. Essentially, according to BlueBox, almost every Android phone made in the past four years (or, since Android "Donut," version 1.6) is just a few steps away from becoming a virtual George Romero film, thanks to a weakness that can "turn any legitimate application into a malicious Trojan."
While news of a security vulnerability in Android might not exactly be surprising to users, the scope of the vulnerability does give one pause: "99 percent" of Android mobiles, or just under 900 million phones, are potentially vulnerable, according to the company. All hackers have to do to get in is modify an existing, legitimate app, which they're apparently able to do without breaking the application's security signature. Then, distribute the app and convince users to install it.
Google, who hasn't commented on the vulnerability yet, has known about the weakness since February, and they've already patched the Samsung Galaxy S4, according to CIO. And they've also made it impossible for the malicious apps to install through Google Play. But the evil apps could still get onto a device via email, a third-party store, or basically any website. Here's the worst-case scenario for exploitation of the vulnerability, or what could potentially happen to an infected phone accessed via an application developed by a device manufacturer, which generally come with elevated access, according to BlueBox:
Installation of a Trojan application from the device manufacturer can grant the application full access to Android system and all applications (and their data) currently installed. The application then not only has the ability to read arbitrary application data on the device (email, SMS messages, documents, etc.), retrieve all stored account & service passwords, it can essentially take over the normal functioning of the phone and control any function thereof (make arbitrary phone calls, send arbitrary SMS messages, turn on the camera, and record calls). Finally, and most unsettling, is the potential for a hacker to take advantage of the always-on, always-connected, and always-moving (therefore hard-to-detect) nature of these “zombie” mobile devices to create a botnet.
The company recommends users of basically every Android phone double check the source of any apps they install, keep their devices updated, and take their own precautions to protect their data. But as TechCrunch notes, Android users really should be doing this anyway, as the devices tend to come with a "general low-level risk" from malware. That risk, however, is elevated for users who venture outside of the Google Play store for their apps.
So while the actual impact of the vulnerability is not known, neither is the timeline for fixing it. Manufacturers will have to release their own patches for the problem in order to fix it, something that happens notoriously slowly among Android devices.
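The article's central claim is that a legitimate APK can be altered without invalidating its signature. That is only possible when the component that verifies the signature and the component that installs the code disagree about what is in the archive; the 2013 Android bug BlueBox reported was of that kind, with two ZIP entries sharing one name. The following is a constructed illustration of that bug class, added for this page and not taken from the article, from BlueBox, or from Android's installer: a zip with two entries named classes.dex, a model verifier that digests the first one, a model installer that extracts the last one, and the check a hardened installer should run before trusting any signature. The entry names, payload bytes and both consumer models are assumptions made for the example.

```python
import hashlib
import io
import warnings
import zipfile

# Constructed sample payloads (not real dex bytecode): the legitimate code and
# the attacker's replacement.
ORIGINAL_DEX = b"original classes.dex bytes"
INJECTED_DEX = b"attacker classes.dex bytes"


def build_archive(entries):
    """Build an in-memory zip from (name, data) pairs. Duplicate names are
    written as given: Python's zipfile only warns about them, it does not refuse."""
    buf = io.BytesIO()
    with warnings.catch_warnings():
        warnings.simplefilter("ignore")  # silence the "Duplicate name" UserWarning
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            for name, data in entries:
                zf.writestr(name, data)
    return buf.getvalue()


def verifier_sees(apk: bytes, name: str) -> bytes:
    """Model verifier (assumption): walks the central directory in order and
    checks the FIRST entry carrying `name`, i.e. the bytes the manifest digest
    was computed over."""
    with zipfile.ZipFile(io.BytesIO(apk)) as zf:
        for info in zf.infolist():
            if info.filename == name:
                return zf.open(info).read()
    raise KeyError(name)


def installer_sees(apk: bytes, name: str) -> bytes:
    """Model installer (assumption): extracts by name. zipfile's name->entry map
    keeps the LAST entry for a duplicated name, so this returns the other file."""
    with zipfile.ZipFile(io.BytesIO(apk)) as zf:
        return zf.read(name)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def duplicate_entry_names(apk: bytes):
    """Defensive check: every entry name that appears more than once.
    Reject an archive with any duplicates before its signature is trusted,
    because the two consumers above are not guaranteed to agree."""
    with zipfile.ZipFile(io.BytesIO(apk)) as zf:
        names = [info.filename for info in zf.infolist()]
    return sorted({n for n in names if names.count(n) > 1})


CLEAN_APK = build_archive([
    ("AndroidManifest.xml", b"<manifest/>"),
    ("classes.dex", ORIGINAL_DEX),
])
TAMPERED_APK = build_archive([
    ("AndroidManifest.xml", b"<manifest/>"),
    ("classes.dex", ORIGINAL_DEX),   # the entry the verifier hashes
    ("classes.dex", INJECTED_DEX),   # the entry the installer extracts
])

if __name__ == "__main__":
    # The signature check passes (it sees the original bytes) while the
    # installer runs the injected bytes; the duplicate check catches it.
    print("verifier hashes :", sha256_hex(verifier_sees(TAMPERED_APK, "classes.dex")))
    print("original digest :", sha256_hex(ORIGINAL_DEX))
    print("installer gets  :", installer_sees(TAMPERED_APK, "classes.dex"))
    print("duplicates      :", duplicate_entry_names(TAMPERED_APK))
```

The point of the check is that it is independent of the signature scheme: a signature over a manifest of per-entry digests says nothing about which of two same-named entries the extractor will pick, so the archive itself has to be constrained to one entry per name before the digests mean anything.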
Mr_Jay_jay said:
/snip
As always, this really boils down to the same thing: don't be a fool, in the most non-pejorative way possible. With the exception of the Syrian Electronic Army fiasco a while back, secured and verified app vendors like Google Play (or Apple's App Store) continue to provide all the services most users will need without exposing the end user to this kind of vulnerability. If you don't expose yourself, you're not at risk.
That said, this all relies on the notion of the end-user being at least somewhat vigilant, which can be quite dangerous.
Rirere said:
As always, this really boils down to the same thing: don't be a fool, in the most non-pejorative way possible. With the exception of the Syrian Electronic Army fiasco a while back, secured and verified app vendors like Google Play (or Apple's App Store) continue to provide all the services most users will need without exposing the end user to this kind of vulnerability. If you don't expose yourself, you're not at risk.
That said, this all relies on the notion of the end-user being at least somewhat vigilant, which can be quite dangerous.
Not every Android device has access to the Play Store by default, though. I have a tablet now that doesn't have access. If a normal user had such a device, they wouldn't likely go through the process needed to get the Play Store, and would just deal with whatever marketplace app existed.
This exploit will likely only ever affect users that by default use devices that do not have Google support. Many of these are distributed among 3rd world nations and are typically a hotbed of illicit activities anyway. Of the first-worlders that would be affected, it would be those using black market apps without knowing the risks involved in doing so. Most black market users are knowledgeable enough to know to check their sources and compare file sizes before installing APKs.
Also, the notion that 99% of devices are affected has nothing to do with the OS being flawed (Google reportedly fixed the flaw in March), but rather with the OEMs being slow in pushing out (or not pushing out at all) the patch for the hole.
Also, I would be wary of a security outfit that has been around since 'mid-2012' and continues to pride themselves as a start-up mobile security firm.
espionage724 said:
Not every Android device has access to Play Store though, by-default. I have a tablet now that doesn't have access. If a normal user had such a device, they wouldn't likely go through the process needed to get Play Store, and would just deal with whatever marketplace app existed.
Granted, but the Play Store reduces the attack surface by a considerable margin. Right now, I consider non-Google-blessed Android to be something akin to stock Windows 7 with Defender and Firewall turned off: you can do just about anything with it, but you're running at a risk by not deploying some vendor-based add-ons (in this case, choosing to use the unit available).
I do understand that many devices sell outside of the Google world, before anyone jumps on me, but it doesn't change how the vulnerabilities play out.
This boils down to:
If users install a virus then they get a virus!!! This affects all Android phones!!!!!!!! Oh Nos!
Sucks that this is being patched. Guess there will be no more modding games for me.

[Q] Google Play in a sandbox / virtual environment / etc.

Hi!
For privacy reasons, I'd like to use my CM7.2 Atrix [Neutrino ROM] without any ties to Google. I've got all servers set up myself [Contacts, Tasks, Mail etc.], so this would be perfectly possible, except that I basically need the Play Store. ATM, it's still the only decent source for apps at least here in Germany, so I'd like to retain the functionality somehow while being able to remove it and the Google account it requires from my device.
Are there any decent solutions for that? I know that there's been some work going on to get it to run in an Android emulator, but this seems to include a lot of unreliable hacking, and I'm not sure how usable it would be for practical purposes. Basically, I'd just like to have some way to retrieve the APKs for free apps and those I paid for without resorting to dubious third-party download sites.
Please note that I'm not trying to do anything illegitimate here; for some reason someone looking for privacy seems to get accused of that a lot. I could just get the APKs from the phone itself if I wanted to redistribute them or similar.
Thanks!
David

[Q] Is AOKP a good choice for privacy-conscious users?

Hi,
Stock ROMs aren't really trustworthy by default (e.g., phandroid.com/2014/11/06/carrier-iq-settlement).
Some manufacturers' devices aren't really trustworthy, even with stock ROMs removed (e.g., theepochtimes.com/n3/830922-chinas-xiaomi-smartphones-may-be-spying-on-you).
CyanogenMod went downhill:
We may collect information such as occupation, language, zip code, area code, unique device identifier, location, and the time zone where your product or device is used so that we can better understand customer behavior and improve our products, services, and advertising.
(from cyngn.com/legal/privacy-policy) They started on this path long ago, but I won’t go there now.
I would like to buy a new Android phone. I won't have national secrets on it, but I still don't want any Google-style spying. Assuming I don't add GApps, is AOKP a good choice for me? Does it respect the privacy of its users? Does it contain any components that would ever connect anywhere to transmit any information like GApps do? Obviously, I'm not talking about user-initiated events.
One more thing, does it have a permission manager? Ideally, something that allows the user to choose, for each permission of each app, whether real, fake or blank data is shared, but a bit cleaner than XPrivacy.
Thanks!

How would you go about making your phone as secure as possible?

Looking for advice on how to make my phone as secure as possible as far as it not spying on me. I was a privacy freak before, but now with last week's federal judges saying we have NO legal expectation of privacy on our phones, I seriously want to lock this thing down.
I'm thinking encrypted VPN for my traffic, and I already use Signal for my texts (most of my contacts are on it as well, so that's good). I'm pretty strict with who I give my info to, but as far as the OS itself, that's where I'm iffy. Does running AOSP-based ROMs offer less Google spying than one based on stock? I may understand that wrong. Would running an AOSP ROM and never installing the GApps be the only way to get Google out? I'm not sure how usable the phone would be with NO Google in there, since the alternative app stores aren't as good, but I'm assuming that aside from the Play Store itself, a lot on the back end is the problem. I'm open to suggestions and to know what other privacy freaks are doing.

How much would it cost to create a professional custom OS / firmware ROM of Android (on average)?

Whilst I understand that there are no hard and fast rules when it comes to software development, and that the cost ultimately comes down to the scope of the project, it would be nice to figure out how much it normally costs for a fully customised version of Android OS that can be used professionally. This customised ROM of Android would then need to be flashed to a device.
I understand that I have a choice of either reusing an existing ROM, or starting with AOSP. In both cases, I would need to customise that, and then package it along with the OEM vendor's kernel and drivers.
I know that there will be a lot of work involved, and also understand that I need to get a professional onboard. I don't however know / understand as to how much something like this will cost.
The plan would be to create a ROM that would be fairly similar to how the firmware on the Switch operates. In this way, the ROM must have the following features:
be devoid of all bloatware so as to increase performance of the hardware and to also allow apps to load and run faster.
tangentially... the ROM must "feel" native to the device, and allow developers to maximise performance of the device by creating and running apps that run as if they've been "written to the metal".
has a variation of the Google Play Store from which apps can be bought and downloaded from.
ROM is linked to host website.
has DRM and copy-protection features implemented where the OS checks for the authenticity of the device it's running on, and the authenticity of the app where only apps sold via the store will be able to run on the customised ROM of the Android OS. This would also probably mean that the apps would need to be authenticated by the server on a regular basis, otherwise there would be an online ban.
allows for Android apps and exports from gaming engines such as Unity, GameMaker, Unreal to be made available and to run on the device - with DRM / Copy Protection features.
development of all necessary APIs.
not allow the device to be easily hackable / rooted, or even be customisable by casual users.
acts as a launcher for (gaming) apps, and minimises / stops all other processes from running in the background.
I just don't know how much something like the above would cost...
How many hours would it take to create a ROM based on the above specification, and assuming that the developer charged $30 per hour, what sort of budget should I be looking at?
A stock ROM is the version of the phone's operating system that comes with your phone when you buy it.
A custom ROM is a completely independent version of the OS, including the kernel (which makes everything run), applications, services, and so on, everything you need to operate the device, except that it has been modified by somebody in some way.
So what does the "modified" part mean? Since Android is open source, developers are free to take stock ROMs, adjust them, strip them of junk, streamline them, add things, and basically do whatever their imagination and skills permit.
