The Hacker News Logo
Subscribe to Newsletter

The Hacker News — Cyber Security and Hacking News Website: Android Vulnerability

Google Makes 2 Years of Android Security Updates Mandatory for Device Makers

Google Makes 2 Years of Android Security Updates Mandatory for Device Makers

October 25, 2018Mohit Kumar
When it comes to security updates, Android is a real mess. Even after Google timely rolls out security patches for its Android platform, a major part of the Android ecosystem remains exposed to hackers because device manufacturers do not deliver patches regularly and on a timely basis to their customers. To deal with this issue, Google at its I/O Developer Conference May 2018 revealed the company's plan to update its OEM agreements that would require Android device manufacturers to roll out at least security updates regularly. Now, a leaked, unverified copy of a new contract between Google and OEMs obtained by The Verge reveals some terms of the agreement that device manufacturers have to comply with or otherwise they have to lose their Google certification for upcoming Android devices. Google's New Terms for Android Security Updates According to the leaked contract, Android OEMs will now be required to regularly roll out security updates for popular devices—lau
Popular Android Phone Manufacturers Caught Lying About Security Updates

Popular Android Phone Manufacturers Caught Lying About Security Updates

April 13, 2018Mohit Kumar
Android ecosystem is highly broken when it comes to security, and device manufacturers (better known as OEMs) make it even worse by not providing critical patches in time. According to a new study, most Android vendors have been lying to users about security updates and telling customers that their smartphones are running the latest updates. In other words, most smartphone manufacturers including big players like Samsung, Xiaomi, OnePlus, Sony, HTC, LG, and Huawei are not delivering you every critical security patch they're supposed to, a study by Karsten Nohl and Jakob Lell of German security firm Security Research Labs (SRL) revealed. Nohl and Lell examined the firmware of 1,200 smartphones from over a dozen vendors, for every Android patch released last year, and found that many devices have a "patch gap," leaving parts of the Android ecosystem exposed to hackers. "Sometimes these guys just change the date without installing any patches. Probably for m
Millions of Android Devices Using Broadcom Wi-Fi Chip Can Be Hacked Remotely

Millions of Android Devices Using Broadcom Wi-Fi Chip Can Be Hacked Remotely

July 07, 2017Mohit Kumar
Google has released its latest monthly security update for Android devices, including a serious bug in some Broadcom Wi-Fi chipsets that affects millions of Android devices, as well as some iPhone models. Dubbed BroadPwn , the critical remote code execution vulnerability resides in Broadcom's BCM43xx family of WiFi chipsets, which can be triggered remotely without user interaction, allows a remote attacker to execute malicious code on targeted Android devices with kernel privileges. "The most severe vulnerability in this [runtime] section could enable a remote attacker using a specially crafted file to execute arbitrary code within the context of an unprivileged process," Google describes in the July 2017 Android Security Bulletin. The BroadPwn vulnerability ( CVE-2017-3544 ) has been discovered by Exodus Intelligence researcher Nitay Artenstein, who says the flawed Wi-Fi chipset also impacts Apple iOS devices. Since Artenstein will be presenting his finding at
Google Won't Patch A Critical Android Flaw Before ‘Android O’ Release

Google Won't Patch A Critical Android Flaw Before ‘Android O’ Release

May 10, 2017Mohit Kumar
Millions of Android smartphones are at serious risk of "screen hijack" vulnerability that allows hackers to steal your passwords, bank details, as well as helps ransomware apps extort money from victims. The worse thing is that Google says it won't be patched until the release of 'Android O' version, which is scheduled for release in the 3rd quarter this year. And the worse, worse, worse thing is that millions of users are still waiting for Android N update from their device manufacturers (OEMs), which apparently means that majority of smartphone users will continue to be victimized by ransomware, adware and banking Trojans for at least next one year. According to CheckPoint security researchers, who discovered this critical flaw, the problem originates due to a new permission called " SYSTEM_ALERT_WINDOW ," which allows apps to overlap on a device's screen and top of other apps. This is the same feature that lets Facebook Messenger float
This Android Malware Can Root Your Device And Erase Everything

This Android Malware Can Root Your Device And Erase Everything

February 15, 2016Swati Khandelwal
A new Android malware has been making waves recently that have the capability to gain root access on your smartphone and completely erase your phone's storag e. Dubbed Mazar BOT , the serious malware program is loaded with so many hidden capabilities that security researchers are calling it a dangerous malware that can turn your smartphone into a zombie inside hacker's botnet. Mazar BOT was discovered by Heimdal Security while the researchers at the firm were analyzing an SMS message sent to random mobile numbers and locations. How Mazar BOT Works Despite other Android malware that distributes itself by tricking users into installing an app from third-party app stores, Mazar spreads via a spam SMS or MMS messages that carry a link to a malicious APK (Android app file). Once the user clicks the given link, he/she'll be ending up downloading the APK file on their Android devices, which when run, prompts the user to install a new application. This
Google releases Security Patch for Android Stagefright 2.0 Vulnerability

Google releases Security Patch for Android Stagefright 2.0 Vulnerability

October 06, 2015Wang Wei
Google reportedly fixed the latest round of Stagefright vulnerabilities in Android, pushing its latest over-the-air (OTA) update to Nexus devices. Last week, researchers warned of Stagefright 2.0 vulnerability that affected more than one Billion Android devices dating back to the latest versions of the Android operating system. The Stagefright bugs allowed hackers to take control of affected Android devices by sending a malicious audio or video file. In April, Zimperium researchers disclosed the first Stagefright vulnerability that allowed hackers to hijack any Android smartphones with just a simple text message ( exploit code ). As promised, Google on Monday pushed a patch that fixes the holes in Stagefright media playback engine used by Android to process, record and play multimedia files such as PDFs. The patch fixes 30 vulnerabilities in total, which includes: 14 critical vulnerabilities in Stagefright library 5 Remote Code Execution bugs 8 Eleva
Stagefright Bug 2.0 — One Billion Android SmartPhones Vulnerable to Hacking

Stagefright Bug 2.0 — One Billion Android SmartPhones Vulnerable to Hacking

October 01, 2015Mohit Kumar
Attention Android users! More than 1 Billion Android devices are vulnerable to hackers once again – Thanks to newly disclosed two new Android Stagefright vulnerabilities . Yes, Android Stagefright bug is Back… …and this time, the flaw allows an attacker to hack Android smartphones just by tricking users into visiting a website that contains a malicious multimedia file, either MP3 or MP4. In July, Joshua Drake, a Security researcher at Zimperium revealed the first Stagefright bug that allowed hackers to hijack Android smartphones with just a simple text message ( exploit code ). How Stagefright Bug 2.0 Works Both newly discovered vulnerabilities ( CVE-2015-6602 and CVE-2015-3876 ) also reside in the Android Media Playback Engine called ' Stagefright ' and affects all Android OS version from 1 to latest release 5.1.1. Reportedly, merely previewing a maliciously crafted song or video file would execute the Stagefright Bug 2.0 exploit , allowing h
New Android Vulnerable Lets Hackers Take Over Your Phone

New Android Vulnerable Lets Hackers Take Over Your Phone

August 24, 2015Khyati Jain
This time Everything is Affected! Yet another potentially dangerous vulnerability has reportedly been disclosed in the Google's mobile operating system platform – Android . Android has been hit by a number of security flaws this month, including:   Stagefright vulnerability that affects 950 Million Android devices worldwide A critical mediaserver vulnerability that threatened to crash more than 55 percent of Android devices Another critical flaw (CVE-2015-3842) discovered last week, affected almost all the versions of Android devices This time the issue resides in the multitasking capability of the Android phones, the ability to run more than one app at a time. The security flaw gives hacker ability to spy on Android smartphone owners, steal login credentials, install malware , and many more, according to the latest research conducted by the researchers at the Pennsylvania State University and FireEye . How the Attack Works? According to security
Another Critical Flaw Affecting Almost All Android Devices

Another Critical Flaw Affecting Almost All Android Devices

August 18, 2015Swati Khandelwal
Two weeks ago, we reported about a critical mediaserver vulnerability that threatened to crash more than 55 percent of Android devices, making them unresponsive and practically unusable to perform most essential tasks. Now, security researchers at Trend Micro have uncovered another flaw in the Android's mediaserver component that could be remotely exploited to install malware onto a target device by sending a specially crafted multimedia message. The vulnerability ( CVE-2015-3842 ) affects almost all the versions of Android devices from Android 2.3 Gingerbread to Android 5.1.1 Lollipop, potentially putting hundreds of Millions of Android devices open to hackers. Since Google has patched this issue, but hopefully the patch issued by Google this time isn’t incomplete like its patch for the Stagefright vulnerability that affects 950 Million Android devices worldwide. How the Vulnerability Works? The security flaw involves a mediaserver component called Aud
Yet another Android vulnerability Discovered; Affects 55% Users

Yet another Android vulnerability Discovered; Affects 55% Users

August 11, 2015Wang Wei
It seems like there isn’t any end to Android security flaws. After the discovery of the Stagefright vulnerability that allowed hackers to infect Millions of Android devices with just a maliciously-crafted message… Researchers have now warned of another critical security hole in Google’s Android mobile operating system platform that impacts over 55 percent of all Android users . Security researchers at IBM have discovered a new privilege escalation vulnerability in the Android platform that could allow “ a malicious app with no privileges the ability to become a ‘super app’ and help the cybercriminals own the device. ” Dubbed the Android serialization vulnerability, assigned CVE-2015-3825 , affects Android versions 4.3 and above, including the latest build of Android M. The vulnerability resides in a component of Android’s platform called OpenSSLX509Certificate , which can be exploited by an Android app to compromise the system_server process and gain powerful syste
"Certifi-Gate" Android Vulnerability Lets Hackers Take Complete Control of Your Device

"Certifi-Gate" Android Vulnerability Lets Hackers Take Complete Control of Your Device

August 07, 2015Swati Khandelwal
Android users are busy fighting with Stagefright vulnerability while the popular mobile operating system faces another critical security vulnerability, dubbed as “ Certifi-Gate ”. Millions of Android devices could be hacked exploiting a plugin that comes pre-installed on your Android devices by the manufacturers. Most of the Android device manufacturers pre-install ‘ Remote Support Tool (mRST) ’ plugin onto their phones that are intended to help users, such as RSupport or TeamViewer . But, a critical Certifi-Gate security vulnerability in this mRTS plugin allows malicious applications to gain illegitimate privileged access rights, even if your device is not rooted. "Certifi-Gate" Android security vulnerability According to Israeli researchers at Check Point, Ohad Bobrov and Avi Bashan, Certifi-Gate Android vulnerability lies in the way Google’s partners (manufacturers) use certificates to sign remote support tools. Remote support tools often hav
How to Hack Millions of Android Phones Using Stagefright Bug, Without Sending MMS

How to Hack Millions of Android Phones Using Stagefright Bug, Without Sending MMS

August 01, 2015Swati Khandelwal
Earlier this week, security researchers at Zimperium revealed a high-severity vulnerability in Android platforms that allowed a single multimedia text message to hack 950 Million Android smartphones and tablets. As explained in our previous article, the critical flaw resides in a core Android component called " Stagefright ," a native Android media playback library used by Android to process, record and play multimedia files. To Exploit Stagefright vulnerability, which is actively being exploited in the wild, all an attacker needed is your phone number to send a malicious MMS message and compromise your Android device with no action, no indication required from your side. Hacking Without Knowing Phone Number But, Now you Don’t even require the mobile numbers of your victims to infect their devices, a recent research claimed. In the previously known attack scenario, an attacker can exploit Stagefright vulnerability only against his/her known contact n
New Android Vulnerability Could Crash your Phones Badly

New Android Vulnerability Could Crash your Phones Badly

July 30, 2015Wang Wei
Bad week for Android. Just days after a critical Stagefright vulnerability was revealed in the widely popular mobile platform, another new vulnerability threatens to make most Android devices unresponsive and practically unusable to essential tasks. Security researchers at Trend Micro have developed an attack technique that could ultimately crash more than 55 percent of Android phones , almost making them completely unresponsive and useless to perform very basic functions, including to make or receive calls. The dangerous security flaw affects any device running Android 4.3 Jelly Bean and later, including the latest Android 5.1.1 Lollipop , potentially putting hundreds of millions of Android users vulnerable to hackers. The flaw surfaced two days after Zimperium researchers warned that nearly 950 Million Android phones can be hijacked by sending a simple text message. Dubbed Stagefright , the vulnerability is more serious because it required no end-user interaction at
Flawed Android Factory Reset Failed to Clear Private Data from Smartphones

Flawed Android Factory Reset Failed to Clear Private Data from Smartphones

May 22, 2015Swati Khandelwal
If you’re planning to sell your old Android smartphone then you need to think again because there is a weakness in the Android Factory Reset option that could be exploited to recover your login credentials, text messages, emails and pictures even if you have wiped its memory clean. Computer researchers at the University of Cambridge conducted a study on Android devices from 5 different vendors and found that more than 500 Million Android devices don't completely erase data after the factory reset. "Factory Reset" function, built into Google's Android mobile operating system, is considered to be the most important feature to wipe all the confidential data out from the smartphone devices before going to sold, or recycled. However, the computer researchers found that the data could be recovered from the Android device even if users turned on full-disk encryption. The second-hand market is huge and based on the study; the researchers estimated that ov
Billions of Android Devices Vulnerable to Privilege Escalation Except Android 5.0 Lollipop

Billions of Android Devices Vulnerable to Privilege Escalation Except Android 5.0 Lollipop

November 20, 2014Wang Wei
A security weakness in Android mobile operating system versions below 5.0 that puts potentially every Android device at risk for privilege escalation attacks, has been patched in  Android 5.0 Lollipop  – the latest version of the mobile operating system. The security vulnerability ( CVE-2014-7911 ), discovered by a security researcher named Jann Horn , could allow any potential attacker to bypass the Address Space Layout Randomization (ASLR) defense and execute arbitrary code of their choice on a target device under certain circumstances. ASLR is a technique involved in protection from buffer overflow attacks. The flaw resides in java.io.ObjectInputStream , which fails to check whether an Object that is being deserialized is actually a serializable object. The vulnerability was reported by the researcher to Google security team earlier this year. According to the security researcher, android apps can communicate with system_service, which runs under admin privileges
New Android Browser Vulnerability Is a “Privacy Disaster” for 70% Of Android Users

New Android Browser Vulnerability Is a “Privacy Disaster” for 70% Of Android Users

September 17, 2014Mohit Kumar
A Serious vulnerability has been discovered in the Web browser installed by default on a large number (Approximately 70%) of Android devices, that could allow an attacker to hijack users' open websites, and there is now a Metasploit module available to easily exploit this dangerous flaw. The exploit targets vulnerability ( CVE-2014-6041 ) in Android versions 4.2.1 and all older versions and was first disclosed right at the start of September by an independent security researcher Rafay Baloch, but there has not been much public discussion on it. The Android bug has been called a " privacy disaster " by Tod Beardsley, a developer for the Metasploit security toolkit, and in order to explain you why, he has promised to post a video that is " sufficiently shocking ." “ By malforming a javascript: URL handler with a prepended null byte, the AOSP, or Android Open Source Platform (AOSP) Browser) fails to enforce the Same-Origin Policy (SOP) browser secur
Exclusive Deals

Get Daily News Updates By Email

Join over 350,000 information security professionals — Get the best of our cyber security coverage delivered to your inbox every morning.