TR Forums

Original article on Ars

Looks like it's been patched in KitKat (v4.4), but not any of the other versions. The comments mention that it's just theoretical at this point, but still...

Attackers would also have to have an app installed on a vulnerable handset.

Also, it's patched in Android 4.4 and up. The worst part about Android remains the speed with which handset makers and service providers stop producing updates, but even Google stopped the Galaxy Nexus, which was launched with 4.0, at 4.3. But yeah, mobile exploits....they exist across all OSes.

Cool, I (or anyone else whom I personally know) am not affected. As for lower Android versions - well, sucks for cheapskates who buy "no-name" $20 junk from eBay/DealExtreme/whatever, but I'm not really concerned about that.

From the looks of it, this vulnerability would be very difficult to exploit in practice - an attacker would have to get you to install a malicious app in the first place, and presumably Google is screening the Play store for this sort of thing. So don't sideload apps from shady porn sites, and you will be fine. And looking at the exact nature of the buffer overflow, writing code that exploits it, and it actually useful, will be very difficult to do.

DreadCthulhu wrote:

an attacker would have to get you to install a malicious app in the first place, and presumably Google is screening the Play store for this sort of thing

Well, to be fair they still occasionally let such things slip by their automated scanners, right into Google Play store, but it's pretty rare

Yet another reason why Nexus phones are better than everything else.

MadManOriginal wrote:

Attackers would also have to have an app installed on a vulnerable handset.

Also, it's patched in Android 4.4 and up. The worst part about Android remains the speed with which handset makers and service providers stop producing updates, but even Google stopped the Galaxy Nexus, which was launched with 4.0, at 4.3. But yeah, mobile exploits....they exist across all OSes.

JohnC wrote:

Cool, I (or anyone else whom I personally know) am not affected. As for lower Android versions - well, sucks for cheapskates who buy "no-name" $20 junk from eBay/DealExtreme/whatever, but I'm not really concerned about that.

Yeah, my HTC Incredible got all of one update via Verizon, and that's what bugs me about the "buy a phone, pitch in a year for newer model" cycle we're in now. Minimal attempt at fixing older revs, just focus on selling the new ones.

And I know more than a few people who get those cheap phones. They tend to get malware either via shady porn sites, or the games they let their kids download and play when they want to use the phone as a babysitter.

How effective are the mobile anti-virus, such as Avast free for android?

This is a surprise...to someone who's never heard of Android I'm sure.

I like Android...they have a reasonably good platform on the new versions...but every year so far I'm still extremely disappointed.

UnfriendlyFire wrote:

How effective are the mobile anti-virus, such as Avast free for android?

Most of good apps can detect most of the known malware, with very minimal battery impact:
http://www.av-test.org/en/news/news-sin ... tant-fire/

Though obviously they won't detect a "0-day" stuff unless someone submits a sample first, and it's not as easy to do as with Windows OS.