Inside the ongoing fight to stamp out govt-grade Android spyware

A study into government-grade Android spyware led researchers to a new strain of surveillance malware lurking in the Google Play app store – a strain that has now been unceremoniously booted out of the software marketplace. Last month it was revealed that the Mexican government was infecting smartphones with malware to spy on …

  1. SuccessCase

    “However, for now, Google and its friends have the upper hand on cyber-mercenaries who peddle government spyware.”

    I don’t see how the author can say that. Obviously Google only know about the exploits they know about. Then there’s all the ones they don’t know. Quite a few of those will be with the NSA and GCHQ, probably, but others will be with commercial vendors. Some of those commercial vendors and / or their employees will also deal with the criminal underworld. Again probably.

  2. John Smith 19 Gold badge

    "to target older versions of Android that are no longer being patched "

    Were they ever?

    Isn't it decades past the time when it should be a legal requirement that if you put out something with an OS on that's network connected you're responsible for supporting that OS for a reasonable period?

    Not a nice thing to do, a legal requirement.

    1. Dave 126 Silver badge

      Re: "to target older versions of Android that are no longer being patched "

      Google made a few compromises to get Android to market ASAP in the wake of the iPhone. One compromise was to placate phone vendors by allowing them to faff around with Android. Another was Android having to be built for specific hardware versions, requiring new binary blobs from silicon manufacturers over whom Google have little leverage. Google's Project Treble is their new attempt to make Android more modular so that updates can be rolled out without needing effort from Qualcomm, Broadcom et al. Note that Chromebooks were built with the benefit of lessons Google learnt with Android.

      None of which will protect you from zero-day vulnerabilities. Or spanners*.

      If you want something, you won't get it unless you pay for it. That currently means a Google Pixel phone (now that the Nexus line has been discontinued) or an iPhone.

      *https://xkcd.com/538/ Security

      1. RobinCM

        Re: "to target older versions of Android that are no longer being patched "

        If companies slowed down a little on developing and releasing new hardware (often that is not really significantly different from the previous version, or other products in their range) they might be able to a) spend more time testing and deploying security updates, and b) stop needlessly polluting the planet by manufacturing the pointless multiple new hardware revisions.

        Knowing what most people are like, they get attached to their stuff and don't want the hassle of choosing and migrating to a new device every few years. I wish I could bung HTC a few quid every year to get access to security updates for my phone. But instead I have to throw it out and buy a new one every few years.

        A few software devs have got to be cheaper than the vast amounts they must currently spend designing, testing and building new hardware every few months.

        That model would take some selling at present, but sometime soon the collective security awareness of the world will demand it. Surely?

        If not, legislation will be needed.

        1. Anonymous Coward

          @RobinCM - "slowed down a little on developing and releasing new hardware"

          While you're correct that this year's Android hardware offers little over last year's, Android OEMs are forced to compete on specs and having a Snapdragon 820 instead of 835 or whatever would get them bad reviews and cost them a lot of sales. They have to keep current, even if 99% of end users won't tell the difference between the 820 & 835, between BT 4.2 and 5.0, between LTE category 12 and 16, etc.

    2. Sil

      Re: "to target older versions of Android that are no longer being patched "

      Don't forget that Google refuses to cater to the security of N-2 & older versions of Android.

  3. Dave 126 Silver badge

    How does the marketplace for bug bounties work? Does the NSA outbid Google, for example? Or do criminals pay better? Are these zero-day vulns still stumbled upon by individuals, or do they require teams of skilled and motivated folk?

    Just idle curiosity on my part. I'm not a security researcher. I imagine a paycheck from Google or GCHQ would be less hassle to receive than some crypto currency from Uncle Tony. What price a Google night's sleep? :)

  4. Pen-y-gors

    Legit purposes?

    They only sell to governments for legit purposes, eh? So how does that fit with

    "the Mexican government was infecting smartphones with malware to spy on lawyers, journalists, and activists"

    Some new, and previously unknown, definition of legit? Sounds like time for a prosecution.

    1. nijam Silver badge

      Re: Legit purposes?

      > Some new, and previously unknown, definition of legit?

      No, the current definition of "legit" used by governments, i.e. since laws are made by governments, what a government does is implicitly (or possibly explicitly) legit.

    2. DropBear

      Re: Legit purposes?

      It is much like the Royal Executioner saying "oh, but I'm not a killer - I don't go murdering people left and right, I only work for the King!" (aka utter bullshit).

      1. Charles 9

        Re: Legit purposes?

        It's not BS at all. If one can MAKE the laws, one can do as one pleases. Ink on a page and all...

        1. Anonymous Coward

          Re: Legit purposes?

          That depends on if your country has a Constitution or other document that limits the power of the government to make certain laws.

          Not that the US government tends to always properly obey it, but a lot of government employees will refuse to cooperate with something they know violates the Constitution. Or when they find out blow the whistle (like the guy who told the NYT about AT&T's secret room for NSA taps, or Edward Snowden) so the truth doesn't stay hidden forever.

          If we didn't have one, we'd end up with the Trump family permanently in power, once he fired all the judges who ruled against him and expanded executive power to place congress in the subordinate role he imagines/wishes them to be in.

          1. Charles 9

            Re: Legit purposes?

            Even the Constitution is just ink on a page. Someone determined enough and with enough power can just ignore the law, wipe out anyone who dares interfere, and replace them with sympathizers. Sure, President Trump's running into resistance right now, but how much longer before things REALLY come to a head, perhaps resulting in a Second Civil War?

            1. Alan Brown Silver badge

              Re: Legit purposes?

              "Someone determined enough and with enough power can just ignore the law, wipe out anyone who dares interfere, and replace them with sympathizers. "

              There's a conspiracy theory that this is being worked towards by calling a constitutional review. Once 2/3 of the states call it, anything's on the table (including wiping the document altogether).

  5. ForthIsNotDead

    Whilst I don't have anything to hide...

    ...it does make one wonder. For example, let's say I sued the UK government for a particular reason, and it was a high-profile case. I think in such a scenario, it wouldn't be an exaggeration to say that it would be reasonable to assume that one could be targeted for surveillance by the government.

    Hey, if they want to hack my phone go ahead - all they will find is loads of piccies of my children, and a ton of 80s albums.

    It does make one think about breaking out the trusty old Nokia 6310i though... I'd like to see them hack that without installing a WAP gateway in my garden...

    1. Cuddles

      Re: Whilst I don't have anything to hide...

      "Hey, if they want to hack my phone go ahead - all they will find is loads of piccies of my children"

      So you admit to having lots of pictures of young children on your phone? I bet you've shown them to other people and even emailed or passed them on in other ways. "Area man suing government is suspected pedophile who distributed pictures of children over the internet!"

      1. John Smith 19 Gold badge

        ""Area man suing government..suspected pedophile..distributed pictures of children..the internet!""

        Nice demonstration.

        Indeed, most of the mass surveillance has FA to do with terrorists, drug dealers, money launderers or paedophiles.

        It has (and always has done) everything to do with the principle of "Give me 6 lines from an honest man and I'll find something with which to hang him."

    2. Charles 9

      Re: Whilst I don't have anything to hide...

      Simple. They hack the baseband processors, below the OS and anything you could touch. And it can work on feature phones, too.

      1. GidaBrasti

        Re: Whilst I don't have anything to hide...

        The fallacy of the 'Privacy and the "Nothing to Hide" Argument'

        https://www.schneier.com/blog/archives/2007/07/privacy_and_the.html

        think again...

  6. brookechloe

    Everyone is same

    State or public, All are same. Who is good, who is bad, doesn't matter.

    Last month it was revealed that the Mexican government was infecting smartphones with malware to spy. Next month you may listen what happened to Mexican govt. and the USA.

    It's none of any case. Everyone is spying everyone.
