World Hot Topics Blog
Researcher Says Flaw in Android Creates Phone Risk
Cellphones using Google's Android
operating system are at risk of being disabled or wiped clean of their data,
including contacts, music and photos because of a security flaw that was
discovered several months ago but went unnoticed until now.
Opening a link to a website or a
mobile application embedded with malicious code can trigger an attack capable
of destroying the memory card in Android-equipped handsets made by Samsung,
HTC, Motorola and Sony Ericsson, rendering the devices useless, computer
security researcher Ravi Borgaonkar wrote in a blog post Friday. Another piece
of code that can erase a user's data by performing a factory reset of the device
appears to target only the newly released and top-selling Galaxy S III and
other Samsung phones, he wrote.
Borgaonkar informed Google of the
vulnerability in June, he said. A fix was issued quickly, he said, but it
wasn't publicized, leaving smartphone owners largely unaware that the problem
existed and how they could fix it.
Google declined to comment. Android
debuted in 2008 and now dominates the smartphone market. Nearly 198 million
smartphones using Android were sold in the first six months of 2012, according
to the research firm IDC. About 243 million Android-equipped phones were sold
in 2011, IDC said.
Versions of Android that are
vulnerable include Gingerbread, Ice Cream Sandwich and Jelly Bean, according to
Borgaonkar. He said the Honeycomb version of Android, designed for tablets,
needs to be tested to determine if it is at risk as well.
Samsung, which makes most of the
Android phones, said only early production models of the Galaxy S III were
affected and a software update has been issued for that model. The company said
it is conducting an internal review to determine if other devices are affected
and what, if any, action is needed. Samsung said it is advising customers to
check for software updates through the "Settings: About device: Software
update" menu available on Samsung phones.
Borgaonkar, a researcher at
Germany's Technical University Berlin, said the bug works by taking advantage
of functions in phones that allow them to dial a telephone number directly from
a web browser. That convenience comes with risk, however. A hacker, or anyone
with ill intent, can create a website or an app with codes that instruct the
phones linking to those numbers to execute commands automatically, such as a
full factory reset.
The phone's memory card, known as a
subscriber identity module, or SIM, can be destroyed remotely in the same way,
Borgaonkar said. "Vulnerability in Android can be exploited to kill the
SIM card permanently by clicking a single click," he wrote. "After
the successful attack, the end user has to go to the mobile network operator
and buy a new SIM card."
While Borgaonkar has drawn attention
to the problem, it's unclear how useful the vulnerability would be to
cybercriminals who are primarily interested in profits or gaining a competitive
advantage, said Jimmy Shah, a mobile security researcher at McAfee.
"There's no benefit to the attacker if they can't make money off it or
they can't steal your data," Shah said. "It's really not that
useful."
But the technique could cause huge
headaches if it were harnessed to issue outbound phone calls, said Mikko
Hypponen, chief research officer at F-Secure, a digital security company in
Helsinki, Finland. "If that would be doable, we would quickly see real
world attacks causing phones to automatically dial out to premium-rate
numbers," he said.
This World Hot Topics Blog is originally from here:
Researcher Says Flaw in Android Creates Phone Risk
http://abcnews.go.com/US/wireStory/researcher-flaw-android-creates-phone-risk-17350732#.UGYdWK6bFcA