[aklug] Re: Android Master Key Vulnerability

From: Arthur Corliss <acorliss@nevaeh-linux.org>
Date: Fri Jul 19 2013 - 14:56:30 AKDT

On Fri, 19 Jul 2013, Lee Brumbaugh wrote:

> Guys and Gals,
> Think of this as a PSA more than anything else, and if you don't use any
> Android device, then feel free to delete this message. If this was already
> posted.. then ignore my feeble warnings.
> In case any Android users out there haven't seen this yet, it's a big one:
> http://www.informationweek.co.uk/security/vulnerabilities/hack-99-of-android-devices-big-vulnerabi/240158013
> What it boils down to is that some security researchers found a
> vulnerability in Androids signing check going all the way back to Android
> 1.6 to the nearly latest and greatest Android 4.1.x. What this means is
> that any malicious app using this can basically do whatever they want on
> your device without you being aware of it, from stealing your info to
> posting on you social media.
> They also just found 2 apps on Google Play that are using this
> vulnerabilities; probably benignly, but it means that Google isn't
> necessarily checking for this. You can see that here:
> http://www.informationweek.com/security/client/google-play-has-apps-abusing-master-key/240158446
> That last article also lists that Webroot and Bitdefender antivirus apps
> are now blocking/defending against this, so I highly recommend that all
> Android users install one of the two.

Another day and another reason I'm grateful for my dumb phone...

         --Arthur Corliss
           Live Free or Die
To unsubscribe, send email to <aklug-request@aklug.org>
with 'unsubscribe' in the message body.
Received on Fri Jul 19 14:56:57 2013

This archive was generated by hypermail 2.1.8 : Fri Jul 19 2013 - 14:56:57 AKDT