Security News

Two Critical Android Bugs Get Patched in February Update
2020-02-04 18:51

Google has released a security update for a critical flaw in its Android operating system that allows hackers to execute code remotely on affected handsets, potentially allowing an adversary to gain remote access to the device. The fix is part of Google's February Android Security Bulletin, released Monday, which also warns of a second critical flaw that could allow a remote hacker to gain access to an Android handset and obtain sensitive data.

Ring Doorbell App for Android Sends Out Loads of User Data
2020-01-29 09:31

The Ring doorbell application for Android contains third-party trackers and sends out a large amount of personally identifiable information, the Electronic Frontier Foundation has discovered. The Ring app, the EFF says, sends user data to four main analytics and marketing companies, namely branch.io, mixpanel.com, appsflyer.com and facebook.com.

Ring Doorbell App for Android Caught Sharing User Data with Facebook, Data-Miners
2020-01-28 18:16

Privacy advocates allege Ring goes so far as to silently deliver updates on Ring customer usage to Facebook, even if the Ring owner doesn't have a Facebook account. The EFF performed dynamic analysis on the Ring for Android mobile app, using the "Mitmproxy" tool running on a Wi-Fi access point connected to the doorbell.

Google tests biometric authentication for Android autofill
2020-01-14 11:31

Google is testing out a feature to make Android's built-in password manager safer, according to online sleuths who have picked apart its software. You could use it to take autofill input from third-party password managers, or if you wanted to keep everything in your Google account, you could use autofill with Google's own password management service.

Joker Android Malware Snowballs on Google Play
2020-01-13 21:04

Google has removed 17,000 Android apps to date from the Play store that have been conduits for the Joker malware - and in an analysis of the code, said that Joker's operators have "at some point used just about every cloaking and obfuscation technique under the sun in an attempt to go undetected." The internet giant said that having three or more active variants of Joker in circulation at the same time using different approaches or targeting different carriers is the norm; and at peak times of activity, up to 23 different apps from the Joker family have been submitted to Play in one day.

Privacy activists beg Google to ban un-removable bloatware from Android
2020-01-13 17:53

For much of Android's existence, Google has adopted a relatively hands-off approach that lets manufacturers ship units with pre-installed bloatware which, in many cases, cannot be easily removed. "Android Partners - who use the Android trademark and branding - are manufacturing devices that contain pre-installed apps that cannot be deleted, which can leave users vulnerable to their data being collected, shared and exposed without their knowledge or consent," the letter states.

Google urged to tame privacy-killing Android bloatware
2020-01-13 11:18

These pre-installed apps can have privileged custom permissions that let them operate outside the Android security model. This means permissions can be defined by the app - including access to the microphone, camera and location - without triggering the standard Android security prompts.

Threat From Pre-Installed Malware on Android Phones is Growing
2020-01-09 18:03

[Update] Pre-installed malware on Android phones is a growing menace - so much that on Wednesday this week, Privacy International and around 50 other international NGOs sent an open letter to Google demanding a stop to the habit. The pre-installed malware comprises a Wireless Update app detected by Malwarebytes as Android/PUP.Riskware.

App on Google Play exploited Android bug to deliver spyware
2020-01-08 14:19

Google has pulled three malicious apps from Google Play, one of which exploits a recently patched kernel privilege escalation bug in Android to install the app aimed at spying on users. The Camero app would download a DEX file from a C&C, which would then download the callCam APK file and use the CVE-2019-2215 exploit to root the device, install the app and launch it without any user interaction or the user's knowledge.

Google Fixes Critical Android RCE Flaw
2020-01-07 20:50

Google kicked off its first Android Security Bulletin of 2020 by patching a critical flaw in its Android operating system, which if exploited could allow a remote attacker to execute code. Google said the critical vulnerability exists in Android's Media framework, which includes support for playing a variety of common media types, so that users can easily utilize audio, video and images.