Latest Android vulnerabilities can brick your phone, control the camera, steal your cash, and more

We've discussed the "F" word before when talking about Android, and when it comes to the distribution of the monthly Android security update, fragmentation could be a serious problem for millions of Android users. That's because not every handset manufacturer pushes out the latest security patch in a timely manner. This is another example of why real fans of Android or the Google ecosystem might want to buy a Pixel (along with the fact that they get the first crack at the latest build of Android and cool features such as real-time transcription and Astrophotography).

Many Android phones, including a recently purchased Samsung Galaxy Note 10+ 5G (which comes out of the box with Android 10 at T-Mobile), did not include the December update. In a statement, Samsung said that "while we are doing our best to deliver the security patches as soon as possible to all applicable models, delivery time of security patches may vary depending on the regions and models." We can only imagine the list of Android phones that are months behind.

For the majority of Android users, the monthly security update is a snooze-fest since it doesn't make any changes or add new features that they can see or use. But the December security update is important because of a vulnerability known as CVE-2019-2232. According to the NIST National Vulnerability Database (via Forbes), a maliciously written message could result in a permanent denial of service attack that would brick a phone running Android 8, 8.1, 9, or 10. The December Android security update includes a patch for CVE-2019-2232, which means that if the update has been sent to your phone, install it immediately. But again, the real problem is that only a limited number of devices have it at the moment. The update was first disseminated on December 2nd and Google says, "In general, it takes about one and a half calendar weeks for the OTA to reach every Google device." And that is just for the Pixel handsets.

"StrandHogg" is a dangerous vulnerability that puts the top 500 Android apps at risk


The reason for the fragmentation is that unlike Apple, which produces both the hardware and software for the iPhone, there are a large number of Android manufacturers. You can find which security patch you received last by going to Settings > About phone > Android version. Our Pixel 2 XL has the December 5th security patch level installed.
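Where opening Settings on every handset is impractical, the same patch level can be read as the `ro.build.version.security_patch` property over adb and compared in a script. The following is an added example and not code from the article: it assumes the CVE-2019-2232 fix ships with patch level 2019-12-01 (the first December 2019 level; the article's Pixel 2 XL reports December 5th, which also qualifies), and the device serials and levels in it are constructed.

```shell
#!/bin/sh
# Added example, not from the article: flag devices whose Android security
# patch level predates the fix for CVE-2019-2232.
# Assumption: the fix ships with patch level 2019-12-01 (first December 2019 level).
REQUIRED_PATCH="2019-12-01"

# patch_status LEVEL: prints "ok", "missing" or "invalid" for one patch level.
# LEVEL is the ro.build.version.security_patch property, obtainable with
#   adb -s <serial> shell getprop ro.build.version.security_patch
# Patch levels are ISO dates, so dropping the dashes yields comparable integers.
patch_status() {
    case "$1" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) echo "invalid"; return 0 ;;
    esac
    have=$(printf '%s' "$1" | tr -d '-')
    need=$(printf '%s' "$REQUIRED_PATCH" | tr -d '-')
    if [ "$have" -lt "$need" ]; then echo "missing"; else echo "ok"; fi
}

# report_inventory: reads "serial patch_level" lines on stdin and prints one
# "serial level status" line per device.
report_inventory() {
    while read -r serial level; do
        [ -n "$serial" ] || continue
        echo "$serial $level $(patch_status "$level")"
    done
}

# count_missing: number of devices on stdin that are not at or past
# REQUIRED_PATCH; an unparseable level is treated as unpatched.
count_missing() {
    report_inventory | awk '$3 != "ok" { n++ } END { print n + 0 }'
}

# Constructed sample standing in for a loop over `adb devices`; the serials
# and patch levels here are made up for this example.
SAMPLE_INVENTORY="pixel2xl-demo 2019-12-05
note10plus-demo 2019-11-01
oldphone-demo unknown"

printf '%s\n' "$SAMPLE_INVENTORY" | report_inventory
printf 'devices still lacking the fix: %s\n' \
    "$(printf '%s\n' "$SAMPLE_INVENTORY" | count_missing)"
```

Replace the sample inventory with the output of `adb devices` fed through `getprop` per serial to run it against real hardware.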

Many other security issues have recently cropped up for Android users. Last month we told you about an issue with the Google Camera app that allowed a bad actor to remotely shoot videos and photos using the camera on an unsuspecting Android user's phone. The vulnerability affected hundreds of millions of Android users. Also last month, we passed along word of a vulnerability discovered in the next generation of Android messaging, Rich Communication Services (RCS). Attackers could have exploited this by spoofing caller ID and by phishing. In the worst-case scenario, an Android user might have been tricked into giving up PINs to bank and other accounts where significant assets would have been discovered and stolen.

Earlier this month, information about the "StrandHogg" vulnerability was released by security software developer Promon. Disguised as a legitimate app, this malware put the top 500 Android apps at risk (Promon partner Lookout discovered 36 malicious apps that actually carried the vulnerability) and allowed bad actors (without root access) to listen in on Android users through a phone's microphone, take control of the camera and remotely snap pictures, read and send SMS messages from a handset, make and record phone calls, learn a user's location through GPS access, see photos and files on an Android handset, view contacts, phone logs and more.



With "StrandHogg," an Android user would click on the icon belonging to a legit app. Instead of the legit app, malware would be displayed asking for certain permissions. Once these permissions were granted by the unsuspecting Android user, the hacker was given the green light to hack away. This vulnerability could unleash a phishing attack allowing the bad actor to obtain important personal data.



Google recently announced that it was teaming up with some security firms (including the aforementioned Lookout) in an attempt to fight back against malware. Hopefully, the App Defense Alliance can get one step ahead of the bad actors. The security research firms typically contact Google with their findings and the company closes these vulnerabilities. However, with StrandHogg, Promon notes that Google did not take it seriously at first and while it eventually removed the apps responsible for distributing the malware, this vulnerability has apparently not been fixed. And many of the "dropper apps" that helped spread StrandHogg are still on Android users' phones. One, a PDF creator app named CamScanner, has been installed over 100 million times.


36 Comments

1. OneLove123

Posts: 1296; Member since: Aug 28, 2018

I'm so scared, so I'm switching to an iPhone. lol

2. GreatBigPhoney

Posts: 71; Member since: Jan 27, 2015

I got my Note 10+ 5G on Saturday, the very first thing I did after setting up the device, was check for a software update and it got the December security update.

7. darkkjedii

Posts: 31764; Member since: Feb 05, 2011

How do you like the 5G model so far?

14. ahmadkun

Posts: 692; Member since: May 02, 2016

Do you think it would make a difference if I take the Note 10 over the 10+? In your perspective!

3. Alcyone

Posts: 613; Member since: May 10, 2018

*opinion* Vigilance is needed. Scare mongering isn't helping, much less being effective in reporting. McAfee hasn't let me down, yet. Then, again, just don't download shady things.

34. Pssst3

Posts: 7; Member since: Sep 06, 2019

*fact* You are correct that paranoia and scare mongering doesn't help, but if you believe the rest of what you wrote, you are naive. Vigilance doesn't help against newly discovered threats - that's preparing to fight former wars, which is what anti-malware apps do. By the time that a new vulnerability is publicly announced, whether or not it has been detected in general circulation, it has most likely already been used somewhere, and in some cases, removed after it did its work. AFA "shady" apps, malware has been installed AND UPDATED through the Google Play Store, and been repeatedly "checked" by Play Protect before and after install. McAfee and other anti-malware apps cannot protect a system against flaws in the OS, the kernel or firmware, and can rarely remove malware installed before they have signatures or heuristics to match them. If they could, OS developers would provide their own rather than creating OS patches and making architectural changes. What anti-malware apps provide is two-fold: publicity and revenue for their developers, and heightened paranoia and overconfidence by their users. They are the user protection equivalent of script kiddy malware. Think of them as like the filters added to cigarettes. They catch some stuff, but they DO NOT reduce the threat or the damage. Moral: Don't trust your personal or professional welfare to software that can be modified through downloads from a system that you don't understand and don't control. That applies to everything, including your home and car.

4. tbreezy

Posts: 238; Member since: Aug 11, 2019

Oh dear... "Google says, 'In general, it takes about one and a half calendar weeks for the OTA to reach every Google device.' And that is just for the Pixel handsets." Yikes.

6. darkkjedii

Posts: 31764; Member since: Feb 05, 2011

Sucks huh? What also sucks, is iOS after iOS update, not fixing what it's supposed to. I'm an iOS user as well...I know the real deal.

8. MsPooks

Posts: 310; Member since: Jul 08, 2019

We can't even update corporate iPhones to iOS 13 because it's an unmitigated disaster.

10. darkkjedii

Posts: 31764; Member since: Feb 05, 2011

iOS 13 is a bug-filled mess at the moment, and the fanboys know it, but won't admit it. I use iOS daily, as well as Android; I'm just honest and unbiased. Some iOS issues have been fixed, I won't lie, but many still remain.

15. tbreezy

Posts: 238; Member since: Aug 11, 2019

Indeed, Android is an absolute disaster, didn’t know it was that bad even for Pixel users.

35. Pssst3

Posts: 7; Member since: Sep 06, 2019

Could be worse. Could be Windows, where updates regularly break the system.

5. darkkjedii

Posts: 31764; Member since: Feb 05, 2011

Got my December patch last night, I'm good. Note 10+, unlocked from Samsung.

13. RevolutionA

Posts: 529; Member since: Sep 30, 2017

There will again be something attacking soon. Won't change your fate

16. tbreezy

Posts: 238; Member since: Aug 11, 2019

Indeed, shocking stuff. But it makes sense, Android is a cesspool.

18. darkkjedii

Posts: 31764; Member since: Feb 05, 2011

And there'll be broken iOS updates after iOS updates. I know, I also use iOS. My fate is cool, I'm not an in-the-iOS-box fanboy. I enjoy my Note 10+ to the max, it's never messed up on me, unlike my Pro Max.

9. MsPooks

Posts: 310; Member since: Jul 08, 2019

So this vulnerability is stealing my CASH, huh? Just checked my purse; it's all there.

11. Rocket

Posts: 732; Member since: Feb 24, 2014

Good one, lol

12. darkkjedii

Posts: 31764; Member since: Feb 05, 2011

LMAOOOO! Let me check my wallet.

17. Vancetastic

Posts: 1881; Member since: May 17, 2017

I'm still not sure what this article is about. Seems like it's rehashing the tired, old fragmentation bit again...oh, wait...there's news in there somewhere..

19. darkkjedii

Posts: 31764; Member since: Feb 05, 2011

And the usual Apple trolls are here, ragging on Android's issues, but never ever discussing iOS issues (of which there are quite a few). Tbreezy and RevolutionA can always be counted on. I can too...to tell the truth about both of the platforms I use. Android 9 (for me) has been quite a bit more stable than iOS 13 has. Apple isn't releasing .X update after .X update for nothing.

22. Vancetastic

Posts: 1881; Member since: May 17, 2017

Agreed on all counts.

20. miag5

Posts: 6; Member since: Nov 21, 2019

This is why I switched to iPhone. Updates are important!

26. blingblingthing

Posts: 986; Member since: Oct 23, 2012

You say that like iOS has no vulnerabilities then we probably get an article like this on the iOS side a week later. No platform can guarantee safety.

30. Fred3

Posts: 609; Member since: Jan 16, 2018

I think you need to check all of the breaches and hacks iPhone had this year alone.... nobody's safe

23. CEDEOTB

Posts: 479; Member since: Nov 21, 2016

If something doesn't change with software updates on Android in 2020 I'm switching to iPhone. I'd like to stay on Android but the Pixel is just trash.

24. Subie

Posts: 2445; Member since: Aug 01, 2015

Try Nokia. They stay on top of updates.

25. darkkjedii

Posts: 31764; Member since: Feb 05, 2011

I've tried having an iPhone as my only device, and just couldn't do it. Giving up what android offers, to only have an iPhone, was like giving up my legs. For me, I could only have a Note, but not only an iPhone. I prefer to carry both, as they both bring a lot to the table, and both do things exclusive to their platforms.

31. Vancetastic

Posts: 1881; Member since: May 17, 2017

I like my combo of Android phone and iPad tablet. If only the Apple watch worked with my Pixel....

32. darkkjedii

Posts: 31764; Member since: Feb 05, 2011

Yes, the Apple Watch is fantastic.
