Report: Android bug leaves phones open to attack

If you have an Android 2.2 or 2.3 based smartphone, that device could be vulnerable to an attack which could cause the device to be placed under the control of outside users. That's the claim, anyway, from a newly revealed software security firm called CrowdStrike. The company says it has found a flaw in Google's mobile OS that could allow for such an attack to happen.

Reuters reports that, according to CrowdStrike, an attacker can simply send an email containing an embedded link to an Android-based smartphone. If the recipient clicks on the link, the smartphone gets hit with the attack. CrowdStrike claims the now-infected phone can then be accessed remotely by the attacker to listen in on phone calls or track the phone's location.

Dmitri Alperovitch, the co-founder of CrowdStrike, states:

With modifications and perhaps use of different exploits, this attack will work on every smartphone device and represents the biggest security threat on those devices.

CrowdStrike plans to demonstrate how this Android flaw works at a computer software conference next week. The attack currently works on Android 2.2-based phones but CrowdStrike claims it will be able to demonstrate how to launch a similar attack via a bug on Android 2.3-based phones by next week as well. Google has not yet commented on CrowdStrike's claims.


18 Comments

The flaw is already being exploited in the wild, it's called Android Market.

/joke

Social engineering if it requires a user to click a link.

Simon- said,
The flaw is already being exploited in the wild, it's called Android Market.

/joke

Social engineering if it requires a user to click a link.

That's not social engineering. Social Engineering is a form of manipulation, usually to get data (By pretending to be someone else, or by cunningly avoiding security questions). Just because the user has to click a link doesn't make it social engineering.

Kushan said,

That's not social engineering. Social Engineering is a form of manipulation, usually to get data (By pretending to be someone else, or by cunningly avoiding security questions). Just because the user has to click a link doesn't make it social engineering.


It is social engineering to click the link. Links don't click themselves.

thealexweb said,
A major problem with this flaw, it requires the user to be stupid enough to click links in random emails.

Well, regarding most users' habits, I wouldn't consider it as a "major" flaw for this attack

UndergroundWire said,

As usual.


So, are Android users "stupid" for falling for one of these many exploits, or "smart" for using this clearly amazing OS? I'm confused... LOL

M_Lyons10 said,

So, are Android users "stupid" for falling for one of these many exploits, or "smart" for using this clearly amazing OS? I'm confused... LOL

Please, like iOS doesn't have its fair share of problems as well.

M_Lyons10 said,

So, are Android users "stupid" for falling for one of these many exploits, or "smart" for using this clearly amazing OS? I'm confused... LOL

No, just like Windows desktop, if a user just clicks on anything and not knowing what they are doing, that makes them extremely dumb. So to insult Android users, you are also insulting Windows users as well. Is that what I am getting from you?

So once phones start getting compromised, and carrier networks start having to eat various costs for service/repair/service charges racked up by the malware/etc. I wonder how much pressure they will start to put on the handset manufacturers to improve security and patch flaws on a more regular basis, instead of focusing their development on new phones...

busdude said,
So once phones start getting compromised, and carrier networks start having to eat various costs for service/repair/service charges racked up by the malware/etc. I wonder how much pressure they will start to put on the handset manufacturers to improve security and patch flaws on a more regular basis, instead of focusing their development on new phones...

It's not up to the phone maker to secure the software, that is up to the software developer (Google). Now if there was a flaw in the launcher (Sense, Touchwiz, etc), then the phone maker would be at fault.
