Active Drive-By Exploits Critical Android Bugs, Care Of Hacking Team

Dan Goodin, reporting for Ars Technica: An ongoing drive-by attack is forcing ransomware onto Android smartphones by exploiting critical vulnerabilities in older versions of Google's mobile operating system still in use by millions of people, according to research scheduled to be published Monday. The attack combines exploits for at least two critical vulnerabilities contained in Android versions 4.0 through 4.3, including an exploit known as Towelroot, which gives attackers unfettered "root" access to vulnerable phones. The exploit code appears to borrow heavily from, if not copy outright, some of these Android attack scripts, which leaked to the world following the embarrassing breach of Italy-based Hacking Team in July. Additional data indicates devices running Android 4.4 may also be infected, possibly by exploiting a different set of vulnerabilities.Blue Coat, a California-based provider of security and networking solutions writes: This is the first time, to my knowledge; an exploit kit has been able to successfully install malicious apps on a mobile device without any user interaction on the part of the victim. During the attack, the device did not display the normal "application permissions" dialog box that typically precedes installation of an Android application. After consulting with analyst Joshua Drake of Zimperium, he was able to confirm that the Javascript used to initiate the attack contains an exploit against libxslt that was leaked during the Hacking Team breach. Drake also confirmed that the payload of that exploit, a Linux ELF executable named module.so, contains the code for the "futex" or "Towelroot" exploit that was first disclosed at the end of 2014.

Here is more proof

[Anonymous Coward]

That when a backdoor is held by the "good guys" (I use that term loosely but Hacking Team sold primarily to governments) it's just a matter of time before the bad guys get ahold of it and start fucking everyone over. Pay attention, Mrs. Feinstein.

Re:Here is more proof

[Hentes]

Towelroot has never been a secret or a backdoor. It is an exploit discovered and published by geohot, these guys just copied it. As any exploit, it can be used both for good and bad. In my case it helped me put Cyanogenmod on my phone instead of the outdated Android on it, making it more secure.

Re:

[hankwang]

Moreover, I used Towelroot to root an Android 4.4.4 phone, even though TFS talks about 4.3 and before. Or had the internals of the Towelroot app been changed a lot between 4.3 and 4.4? I do remember that the phone (or Google) warned me that the APK for Towelroot was possibly malicious; I had to confirm installation one more time.

Re: Here is more proof

[Karlt1]

If Google "acted like Apple", they wouldn't have allowed the carriers to control the update process and they would be providing security updates for all devices introduced since since July 2011.

Wouldn't any apps using Webviews still be vulnerable?

Thanks for nothing, carriers.

[Anonymous Coward]

And thanks to the common practice (looking at you, Verizon) amongst carriers of locking bootloaders and then refusing to supply updates, short of throwing the phone away and "upgrading" to another one, there's literally no way for the customer to update the typical Android phone's OS in a timely fashion.

Which suits the carriers - who make money off bundling shitware and selling "upgrades" to new phones - just fine, but what the fuck, Google. It's been half a decade. It's long past time for you to tell the carriers to permit users to download their own security patches.

Imagine if users couldn't get Windows updates from Microsoft, but relied on their own ISP - and whether it's Comcast or AT&T doesn't really matter.

Fuck. That. Noise. Get the carriers out of the OS business.

Google on the way down?

[Futurepower(R)]

Google is developing an extremely bad reputation. Tracking everyone. Allowing abuse.

Soon even Microsoft will be jealous.

Re:

[Archangel Michael]

There is an easy fix for this. Suing the carrier into oblivion for not unlocking devices they no longer support, so that the owners of those devices can get support from other sources (like CyanogenMod) .

The ONLY thing these people understand is economic costs, make it expensive to not support devices, but keep them under lock and key.

Re: Thanks for nothing, carriers.

[Karlt1]

Google is far from blameless. Apple never allowed the carriers to block updates. I don't have to wait on Dell or the other OEMs to allow me to update Windows.

Re:

[Dutch Gun]

That's why I need to ask, does Android need to be rewritten using the Rust programming language?

Well, you can certainly ask... But rewriting over fifteen million lines of code (not to mention the billions of lines written to those C-based APIs) built, tested, hardened, and tested over the course of decades is a non-starter. And besides that, no matter how perfect a *language* is, programmers will still find ways of screwing up by the numbers. C does make that easier, of course, but I don't believe there's a way to avoid the problem completely. And like it or not, our computer infrastructure is lik

Re:

[Anonymous Coward]

Google dictates a lot of terms to manufacturers through the licensing of Google Mobile Services (GMS). It's a big part of what's getting them in trouble with EU antitrust regulators. If Google can use GMS licensing for anticompetitive practices, they're certainly capable of doing so to demand security updates are delivered in a timely manner. That Google isn't using GMS licensing for this purpose leads me to seriously question Google's motives.

Re:

[Teun]

I have little to no sympathy for people who's phone is encumbered by a carriers greed or unwillingness to update, it's generally easy enough to get an unlocked phone, hell, it's even cheaper.
If you want the best service you get a Nexus.

I do have a problem with Google stopping OS updates 2 years after the last of a model has been sold.
Both My Nexus 4 and 7 are working fine but the OS doesn't update beyond 5.1.1, as such not a problem but at least the security updates should be available.
Now I have to g

Re:

[Obfuscant]

it's generally easy enough to get an unlocked phone,

I just went through this process. I wanted a completely carrier-unencumbered phone. That means no carrier apps, no carrier limitations.

The only phone I could find like that were "international versions", and unfortunately while being completely carrier agnostic, they weren't really. Neither of the two I went through -- one was a demo unit with manufacturer data collection still installed, the other "international"-- had the specific 4G LTE bands T-Mobile uses.

So yes, you can get the phone. Whether it is

Re:

[Teun]

That's another great advantage of owning your phone, you are free to root it.
I don't have experience with LTE but the US is a large market so I would think there must be many phones with the capability.
Your statement so few phones are 4G LTE capable is very surprising to me.

Re:

[Obfuscant]

Your statement so few phones are 4G LTE capable is very surprising to me.

Surprising to me, too, since I didn't say that. I said out of the two "unlocked" phones I tried, neither did the right bands for T-Mobile LTE.

Re:

[macs4all]

Fuck. That. Noise. Get the carriers out of the OS business.

Apple did. Why can't Google?

Oh, wait! They don't WANT to.

Re:

[Aighearach]

Fuck. That. Noise. Get the carriers [to do this, that, or some other things consumers would benefit from]

I don't see how trying to "get" these asshats to do anything is going to improve the situation. The only thing I can see helping is to allow small carriers access to mobile spectrum in a way that encourages competition. When that happens, I can just choose a carrier that isn't in the OS business. Until then, even if they did that, they'd find a way to screw it up so I couldn't enjoy it.

Lawsuits against manufacturers and carriers

[Anonymous Coward]

Why aren't there more lawsuits against manufacturers and carriers for not providing updates? When I buy a phone, I should be able to expect security updates for at least 24 months, preferably 36 months. Manufacturers aren't interested in supporting older phones because they make money when people update. Carriers seem primarily concerned with loading up the updated versions with crapware that people don't want, can't easily remove, and may well contain vulnerabilities of its own. Why aren't there more lawsu

Re:

[SpankiMonki]

Why aren't there more lawsuits against manufacturers and carriers for not providing updates?

Because when you signed up for service you waived your right to sue.

Re:

[Anonymous Coward]

Only 36 months of security updates? You're easy to please, I'd expect at least 60.

Re:

[Teun]

Only 36 months of security updates? You're easy to please, I'd expect at least 60.

Amen!

Re:

[coinreturn]

Only 36 months of security updates? You're easy to please, I'd expect at least 60.

And I want a pony!

Re:

[macs4all]

Manufacturers aren't interested in supporting older phones because they make money when people update

Apple does. Even though their business model is based on HARDWARE sales.

Think about that.

TowelRoot?

[Rob MacDonald]

TowelRoot? That only worked on a handful of devices reliably. And yes, when I used it I got zero sleep for the rest of the week. A single click root? Not good folks, and clearly someone has taken on the task of using that for nefarious purposes. Notice, though, how everyone is blaming hackingteam for this stuff, and not the NSA who likely knew about this long before them.

Re:

[Rakarra]

TowelRoot? That only worked on a handful of devices reliably. And yes, when I used it I got zero sleep for the rest of the week. A single click root? Not good folks, and clearly someone has taken on the task of using that for nefarious purposes.

Notice, though, how everyone is blaming hackingteam for this stuff, and not the NSA who likely knew about this long before them.

Yup. I used TowelRoot as well and decided at that point to never use my phone for anything truly useful. IE, to just assume my phone was compromised.
Why? Because I needed root access, and TowelRoot was the name of the game when it came to the Galaxy S3 and S5 that I had. So now that S5 is running an old old version of Android with an exploit, because Google hired guys who found these exploits. Later versions of Android have been hardened, and it's currently a bit difficult to do on current versions. I'm not

Re:

[Aighearach]

Basically, unpatched software is vulnerable... seems about right

Basically, software is vulnerable ... seems about right

Re:

[MobyDisk]

How do you know the hackers didn't come-up with the exploit themselves? Or that they didn't actually have it before the good guys did?

Re:

[BitterOak]

Heres my logic. It may be messed up but....

If a homeowner can own guns, not lock them up and then they get taken and used in a crime, the homeowner can be held accountable.

If a hacking company has exploits, doesnt lock them up properly, they get taken and used in a crime, can the hacking company be held responsible?

A better gun analogy would be you design a gun which can be manufactured on a 3D printer and leave the plans for the gun unprotected on your server. Someone downloads the plans, makes the gun on their 3D printer and uses the gun to commit a crime. Can the designer who didn't protect the plans adequately be held liable? I really don't know one way or the other, but I think it's a better analogy.

Dodged a bullet

[Qzukk]

Android versions 4.0 through 4.3

Thank God my HTC EVO 4G with Android 2.3 is safe

Re:

[Teun]

Yes, insufficient resources is a valid way of preventing a process from running :)