One involves software that is pre-installed by some manufacturers and is accused of logging keystroke data, and the other is a possible security flaw that could enable unauthorised sources to secretly record phone conversations and monitor other personal info, such as geographic location data...
First up is The Telegraph, which reports claims that malware installed on millions of Android phones could be secretly tracking every keystroke, Google search, and text message by their users...
Katherine Rushton begins:
An Android app developer in America has posted a video showing what he claims is 'conclusive proof' that 'Carrier IQ' software installed by manufacturers of many US phones records the way those phones are used in real time, as well as their geographic locations.
Carrier IQ has claimed that the software only tracks information for the benefit of users, not for any spying purposes, and that it is "counting and summarising" information rather than recording it.
Meanwhile, our own technology editor Steve Bush reports on findings from computer scientists at North Carolina State University relating to a possible security weakness in some Android smartphones that could allow unauthorised access to personal data...
He writes:
Extra features on some as-delivered Android smartphones allow hackers to bypass Android's security features. So found researchers at North Carolina State University.
"Some of these pre-loaded applications or features are designed to make the smartphones more user-friendly, such as features that notify you of missed calls or text messages," said researcher Dr Xuxian Jiang. "The problem is that these pre-loaded apps are built on top of the existing Android architecture in such a way as to create potential backdoors that can be used to give third-parties direct access to personal information or other phone features."
Eight models were tested, including two reference implementations that only had Google's baseline Android software.
"Google's reference implementations and the Motorola Droid were basically clean," Jiang says. "No real problems there."
However, five other models did not fare as well: "HTC's Legend, EVO 4G and Wildfire S, Motorola's Droid X and Samsung's Epic 4G all had significant vulnerabilities," said the University, "with the EVO 4G displaying the most."
The backdoors could, for example, according to the University, allow phone calls to be recorded, texts to be sent to premium rate numbers, or personal phone settings to be wiped.
Research findings were sent to the manufacturers.
"If you have one of these phones, your best bet to protect yourself moving forward is to make sure you accept security updates from your vendor," Jiang said. "And avoid installing any apps that you don't trust completely."
The team now plans to test these vulnerabilities in other smartphone models and determine whether third-party firmware has similar vulnerabilities.
A paper, "Systematic Detection of Capability Leaks in Stock Android Smartphones," will be presented at the Network and Distributed System Security Symposium in San Diego in February.


