If you think you’ve had enough giggles, grins and maybe even heartaches with our handy sci fi comic book inventions (otherwise known as wireless communications devices) I have great news! Here is another adventurous debacle for you to roll around your cranium in wonder. Today we talk about googling androids. Old school might connect with something like Heimy from the “Get Smart” TV series. Not so old might reminisce to the movie “A.I.” or DATA from the modern day Trek series. Current techies might hit “I,Robot”. Alas, today we will only peer into the wonders of the Android phone and how your google play account can open the door for some not so old fashioned maliciousness.
As of right now, the biggest risks are with devices that run android 4.3 “jelly bean” or older. There are other browsers that are vulnerable so, if you’ve one of these humming away in your purse or pocket, you might wanna pay some extra attention.
The technical version is as follows:
“ the web browser in Android 4.3 and prior that are vulnerable to a Universal Cross-Site Scripting (UXSS) attack, and Google Play Store is vulnerable to a Cross-Site Scripting (XSS) flaw. In UXSS attacks, client-side vulnerabilities are exploited in a web browser or browser extensions to generate an XSS condition, which allows the malicious code to be executed, bypassing or disabling the security protection mechanisms in the web browser.”
Got it? For those not savvy to the language here is a more simplified version:
Due to a lack of coverage in certain parts of Google’s play store and an imperfection in Androids jelly bean, someone feeling mischievous or malicious can get wiggle their way through this “loose board in the fence” and launch all sorts of apps onto your android phone without your permissions or you even knowing about it… while you are logged in.
Yes, there are more details to it and the fine folks at rapid7 have created a Metasploit tool (and made it public) on Github in order to help security folks test phones for exposure to the vulnerability. Not everyone‘s phone will be affected. The largest group with issues is those that seem to habitually be signed in to google services like Gmail, YouTube etc…
Note to self; if you didn’t catch that last part it stated “while you are logged in”. That, my Anonymous friends of the world is the quickest and easiest defense to this until the issue is “fixed”. Log out or sign out. Don’t just assume that when you leave a site, you’re out. Sure it’s an inconvenience to have to input your password, it’s not fool proof and it’s not a guarantee. The simple fact remains in this case and many others in our current world of cyber mayhem. In many cases, if you do not log out, you stay logged in. if you stay logged in while you are not actively doing or playing it’s the same as going for a walk while leaving your house or apartment door hanging wide open. Most people won’t enter but, there just may be someone strolling by that will.
Here is the tool posted by Metasploit if you would like to check it out: https://github.com/rapid7/metasploit-framework/pull/4742
Anonymous recommends: Protect your PC & mobile devices from hackers & governments & surf anonymously
Beardsley, T. (2015, February 10). Security Street. Retrieved 14 February 2015, from https://community.rapid7.com/community/metasploit/blog/2015/02/10/r7-2015-02-google-play-store-x-frame-options-xfo-gaps-enable-android-remote-code-execution-rce
inline citations: (Beardsley, 2015)
Leyden, J. (2015, February 11). Silent but violent: Foul Google Play flaw lets hackers emit smelly apps. Retrieved 14 February 2015, from http://www.theregister.co.uk/2015/02/11/google_play_x_frame_options_flaw/
inline citations: (Leyden, 2015)
Team, C. (2015, February 11). Google Play Store Vulnerable to XSS and UXSS Attacks. Retrieved 14 February 2015, from http://cyberintelligence.in/google-play-store-vulnerable-to-xss-and-uxss-attacks inline citations: (Team, 2015)
Wei, W. (2015, February 12). Hackers Can Remotely Install Malware Apps to Your Android Device. Retrieved 14 February 2015, from http://thehackernews.com/2015/02/hackers-can-remotely-install-malware_12.html?utm_source=feedburner
inline citations: (Wei, 2015)
No me dan ganas de leer cosas asi…
dado que las ultimas noticias han sido idiotas y una perdida de tiepo
The grammar/syntax in this article was horrible. It was clearly not even edited. How hard would it be to have the damn thing proofread just once? Jeez.