
Image credit: Kiyoshi Ota/Bloomberg via Getty Images

Google fixes two serious Android security flaws

It also gave the boot to apps that posed a security risk.

Google's mobile security team has definitely been busy cleaning house this week. The company has released an Android update that closes two security holes that could pose a major threat if intruders found a way to exploit them. The first was only designed for "research purposes" and would only have been malicious if modified, Google tells Ars Technica, but it wouldn't have been hard to detect or weaponize.

The other flaw behaved similarly to the well-known Stagefright exploit, letting an attacker send an altered JPEG image through Gmail or Google Talk to hijack your phone. The issue, as SentinelOne researcher Tim Strazzere explains to Threatpost, is that this vulnerability is easy both to find and to capitalize on.

There's more. Security company Check Point also revealed that Google Play had been hosting apps containing two forms of malware (CallJam and DressCode). CallJam steered phones to websites that made bogus ad revenue and, if you granted permission, would call paid phone numbers. DressCode would also visit shady ad sources, but it could also compromise local networks. Google has since removed the offending apps, but the infection rate may have been high, since users downloaded the software hundreds of thousands (or in a few cases, millions) of times.

While the likelihood of running into this malware is relatively small, it underscores an issue with timely Android security updates. Only Nexus owners get first crack at the fixes -- most everyone else will have to wait, provided they're in line in the first place. Google's monthly security updates help, but this won't do much if your phone maker either hasn't committed to those updates or has left you running an older Android version that can't get those patches. You may have to either be patient for a more conventional update or move to a newer device if you're determined to stay current.
