Wait, last time I wanted to use Flash on an Android I had to manually install it. In fact I had to go to an archived Flash site to get it, as Flash has not been offered on Google Play for quite some time.
Android ransomware DoubleLocker encrypts data and changes PINs
Crooks have come up with a strain of Android ransomware that both encrypts user data and locks victims out of compromised devices by changing PINs. DoubleLocker combines a cunning infection mechanism with two powerful tools for extorting money from its victims. "Its payload can change the device's PIN, preventing the victim …
COMMENTS
-
-
Friday 13th October 2017 14:28 GMT Tigra 07
RE: Kain
It's likely targeted at the idiots that fall for these kinds of scams.
The same people who click on flashing banners on websites saying "You've won, click here to get your prize".
The very same people who think they've won the Nigerian lottery when checking their email.
I'm ashamed to admit that I know two such people, with the one believing the toilet won't flush during a power cut...
-
Friday 13th October 2017 15:34 GMT GBE
Re: RE: Kain
"I'm ashamed to admit that I know two such people, with the one believing the toilet won't flush during a power cut..."
Whether or not your toilet continues to flush during a power cut depends on what you use for a water source. I've lived places where it would flush a few times during a power cut, but eventually it wouldn't.
-
Friday 13th October 2017 16:37 GMT kain preacher
Re: RE: Kain
Tigra 07 I do believe this is above the skill set of these idiots to do it. I had to find the Flash web site, put it on an SD card. Then scroll through the settings to allow me to install apps from an untrusted source. Try asking the average Android user how to find files (using the file manager app) on their phone. See what happens.
-
Friday 13th October 2017 21:20 GMT Terry 6
Re: RE: Kain
Actually. We do have a toilet that won't flush (or rather won't refill after one flush) if the power goes off. The water supply is pumped to it. That being said, I did have to explain, patiently, to a worried shop keeper that, despite the message he'd just been sent over the Interweb, any of the old round £1 coins in his till wouldn't become worthless overnight just because they stopped being legal tender.
-
Friday 13th October 2017 14:37 GMT Anonymous Coward
Yep, the potential infection rate of this "news" is basically zero (when you exclude "researchers" actively getting it).
You not only have to manually install flash, you have to grant lots of permissions, grant accessibility permission, activate it as a device administrator, that before we even bring in the other big guns like Google's on device app scanning, which you would have to have opted out of...
It's quite embarrassing how these hypothetical infections are making news. It's as if they NEED the clicks that go with them.
-
-
-
Friday 13th October 2017 16:41 GMT Anonymous Coward
Re: >porn still requires Flash....
Ahem porn sites were one of the first to switch over to HTML 5. So I was told by my hot busty secretary that is always bending over.
Wait what do you mean that this post is pure work of fantasy? No no I do not look at porn much, on days that have U,E,S or N in them.
-
-
-
Sunday 15th October 2017 20:22 GMT Kiwi
Anyway, why do men feel the need to pretend they never look at porn?
Some of us never do...
At least not for the last few years anyway, back around '06 it actually was bordering on an addiction for me for a while. Got myself some help (from a very good friend who waived all fees for the time we spent) but, like with smoking and alcoholism, I have to be careful not to touch it again or I could easily be hooked again. It wasn't being done to "fulfill some deep childhood need" or other stuff like that which many psychs will mention, it started as something where an employer asked me to help keep the work computers clean, something tickled my fancy (actually I think it was a curiosity about someone I thought I might've known in a video, downloaded it at home or something like that), and when I was bored I'd find some entertainment. If only I'd found cat videos instead when I went searching for "pussy"...
-
-
-
Friday 13th October 2017 14:55 GMT RyokuMas
Better they are reported now than after it has been re-engineered in such a way that it can circumvent Play Store security.
It's very embarrassing how some people either have their heads stuck in the sand over potential security issues... or is this a case of attempted reputation damage limitation?
-
-
-
Saturday 14th October 2017 08:08 GMT mark l 2
If your Android phone is a cheapy Chinese one then you might find that your phone had malware built into the ROM from the vendor so you don't need to install any apps to get popup and random app installs. Doogee have a big problem with this but it doesn't show until you have been using the phone for about a month so they can claim it must be an app you have installed.
-
-
-
Friday 13th October 2017 16:54 GMT Anonymous Coward
How does it change the device's PIN? Why would Google expose an API to allow this, rather than all PIN services being privileged and handled by some super-secure unspoofable protected layer of the OS? Seriously, what kind of fuckwits do they have coding Android?
Edit. Apparently this does the trick. Google truly -are- fuckwits.
https://stackoverflow.com/questions/12453926/change-pin-programmatically
-
-
Friday 13th October 2017 21:38 GMT Anonymous Coward
This would be easy to fix if they have a switch somewhere in the accessibility menu to allow other programs to set a PIN. Most people don't need accessibility options, so having something like this enabled by default isn't that great. If the only people who could be attacked by this malware were people who had enabled this option, the malware writers wouldn't bother.
-
-
Sunday 15th October 2017 09:39 GMT Anonymous Coward
This is a requirement in enterprise, how else would MDM be able to remote-reset a pin?
It's not an open API any app can use, the app must be verified by the OS (read user) via a full-screen (probably ignored) security warning. Changing your PIN is the least of your concerns if you give an app this permission. It literally is an admin, and can encrypt/wipe the entire device if it wants.
Removing this functionality would make Android unmanageable in enterprise.
-
Monday 16th October 2017 21:45 GMT Anonymous Coward
It could be restricted so you're only allowed to use it on a device that's under management. The majority are not, so that would protect most of them. Presumably the transactions for remote reset / remote wipe / etc. require a certificate that gets installed when a device is managed, otherwise you have bigger things to worry about.
-
Wednesday 18th October 2017 07:01 GMT Anonymous Coward
"It could be restricted so you're only allowed to use it on a device that's under management."
The permission is required for the management software, you must give the management software this permission for it to manage the device. Therefore the device cannot be "under management" without first giving out this permission.
Users are giving the permission to rogue apps. The only solution around social engineering is education. Unfortunately the masses don't want to be educated.
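
Added example, not part of the original thread: the device-administrator grant debated in the comments above can be audited on the device itself. This Android Java helper (class and method names are hypothetical, and it assumes it is called from an app with a valid `Context`) lists active device admins that are neither MDM owners, preinstalled, nor installed from Google Play.

```java
import android.app.admin.DevicePolicyManager;
import android.content.ComponentName;
import android.content.Context;
import android.content.pm.ApplicationInfo;
import android.content.pm.PackageManager;
import java.util.ArrayList;
import java.util.List;

/** Added example: audits which apps currently hold device-administrator rights. */
public final class DeviceAdminAudit {
    // Installer package name recorded for apps that came from Google Play.
    private static final String PLAY_STORE = "com.android.vending";

    /** Returns one finding per active admin that is not managed, preinstalled or from Play. */
    public static List<String> findSuspectAdmins(Context ctx) {
        List<String> findings = new ArrayList<>();
        DevicePolicyManager dpm =
                (DevicePolicyManager) ctx.getSystemService(Context.DEVICE_POLICY_SERVICE);
        PackageManager pm = ctx.getPackageManager();

        List<ComponentName> admins = dpm.getActiveAdmins(); // null when no admin is active
        if (admins == null) {
            return findings;
        }
        for (ComponentName admin : admins) {
            String pkg = admin.getPackageName();
            // Device/profile owners are what an MDM enrolment creates; skip them.
            if (dpm.isDeviceOwnerApp(pkg) || dpm.isProfileOwnerApp(pkg)) {
                continue;
            }
            try {
                ApplicationInfo info = pm.getApplicationInfo(pkg, 0);
                boolean preinstalled = (info.flags & ApplicationInfo.FLAG_SYSTEM) != 0;
                // Null installer means sideloaded (or preinstalled); deprecated from API 30.
                String installer = pm.getInstallerPackageName(pkg);
                if (!preinstalled && !PLAY_STORE.equals(installer)) {
                    findings.add(admin.flattenToShortString()
                            + " installer=" + (installer == null ? "none (sideloaded)" : installer));
                }
            } catch (PackageManager.NameNotFoundException | IllegalArgumentException e) {
                // Admin component whose package cannot be resolved: report rather than ignore.
                findings.add(admin.flattenToShortString() + " package not resolvable");
            }
        }
        return findings;
    }
}
```

On Android 11 and later, package visibility rules can hide other apps from the caller, in which case the admin is reported as not resolvable rather than silently skipped.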
-
-
-
-
Friday 13th October 2017 17:27 GMT fidodogbreath
Apple tax?
This is the kind of crap that made me dump Android. The accessibility service security was supposedly improved in Oreo, but most Android users will never see that unless they buy a new phone.
A brand new Pixel 2 costs about the same as an iPhone 8, but is only promised OS and security updates for three years from release. Based on previous history, an iPhone 8 buyer can expect to receive full OS and security updates through 2022. To achieve that same level of currency, you'd have to buy another new Pixel phone in 2020. That makes even the most-supported Android phone 2x more expensive over 5 years than Apple's offering.
-
Friday 13th October 2017 19:23 GMT Nick London
It only says it is a Flash update.
Updating Flash was a regular chore on my web browser until HTML5 came along. Most people won't have a clue whether Android uses Flash or not. So they are more likely than not to push the update button.
And who worries about permissions except the tin foil in the hat brigade. They should but they don't.
-
Friday 13th October 2017 21:49 GMT Anonymous Coward
Re: It only says it is a Flash update.
So I guess all that is required is you visit a site they've hacked? This could be almost any site given how many major sites don't keep up with patching, let alone the lesser ones. Imagine if someone hacked a site like yahoo.com with this payload?
I agree that presenting itself as a flash update is a smart strategy. Adobe's constant barrage of patches has trained PC users to click 'yes' on anything related to flash, and most people won't know that flash isn't even supported on Android. Much more likely to fool people than previous strategies trying to find those dumb enough to click yes to install a free app with celebrity nudes or whatever.
The big problem is that this could be sort of the "gift that keeps on giving". They hack a few sites, hit some people, then the sites are fixed. Hack another few sites, hit more people, and so on. Since the majority of Android phones won't see a fix for this, it could keep dribbling on and on for a long time. If they ever hit a really major site, look out!
Probably will also see some copycats, since you merely need modify the attack to deposit the bitcoins in YOUR wallet instead of the wallet belonging to whoever created this, and find your own web sites to hack.
-
-
-
Friday 13th October 2017 22:33 GMT fidodogbreath
I'm waiting for an Android malware that can war-drive a vanilla device in the field, without special privileges, completely pwn it, and find a way to persist even after a factory reset. THEN I'll be interested.
The Broadcom WiFi bug allows remote code execution in the context of the kernel. It was patched in 2016, but a lot of devices never received an update for it.
-
-
Sunday 15th October 2017 06:07 GMT Anonymous Coward
Re. dumbasses
I have no sympathy for phools that click every "You've won a prize!!!!!" in broken Engrish just in case.
I also suggest that if anyone has valuable data on their phone and does not have it backed up, to do so ASAP in an offline format (ie BD-R) so nothing can mess with it. All of £1.22 a disk and if Income Tax/HMRC/etc ever come knocking you can produce those payslips/invoices/P&L sheets pretty sharpish.
Being nobbled by ransomware is not an excuse, I've checked!
Especially annoying when the cause of data loss is SO messing with phone and "accidentally" putting a trojanized version of Facebook Lite on there, resulting in endless suffering and a Godzillabill until I removed it. $Deity knows how much damage was done but judging by how hot the phone was getting it was likely mining as well.
-
-
Sunday 15th October 2017 20:29 GMT Kiwi
Re: @Kiwi - BD-R
@Kiwi - BD-R
http://lmgtfy.com/?q=Bd-r
Yes I know full well what they are, even saw a disk for them once I think. Once pulled a non-working drive from a computer, customer had never used it anyway (was causing some issue at POST IIRC).
The point I was making is that who uses such limited mediums to back up to these days, when your phone automatically does it to this "cloud" thingy anyway?
For that matter, as usual ( :( ), who does backups even when it is automatic?
Site wouldn't work for me though, requires running google BSJS, that's a low I'm not interested in sinking to.
-
Wednesday 18th October 2017 09:47 GMT Charles 9
Re: @Kiwi - BD-R
"The point I was making is that who uses such limited mediums to back up to these days, when your phone automatically does it to this "cloud" thingy anyway?"
Many of us don't trust clouds to stay where they are over time, plus there's the matter of data caps, which ARE stricter for mobiles than they are for landlines (due to sheer physics).
"For that matter, as usual ( :( ), who does backups even when it is automatic?"
It's not on Android. I don't know of any automated mechanism where Nandroids (complete app and data backups) can be done automatically, not even with rooting (AFAIK, only Recovery Mode can do a Nandroid). If Google were smart, they'd include a mechanism for such a backup into the standard Android so that any user can maintain backups in case Murphy strikes. It's not like it's that difficult, and you can even encrypt them if you're scared about data leaks.
-
-
-
Monday 16th October 2017 04:23 GMT Anonymous Coward
RE. Re. BD-R
At 50GB a disk price is still lower than tape and for most purposes (eg backing up data in a form you can get to easily) it's fine. Disks will last at least 40+ years in storage.
Of course being able to find a drive that can read them might be a problem, it's hard enough to find a CD-R capable drive these days as many Bluray players simply dispense with the 780m laser to save costs.
-
Tuesday 17th October 2017 00:27 GMT Kiwi
Re: RE. Re. BD-R
At 50GB a disk price is still lower than tape and for most purposes (eg backing up data in a form you can get to easily) it's fine. Disks will last at least 40+ years in storage.
We're talking home users here. The disks will survive at most 2 incidents of being slid across the carpet face-down (never had kids?), or one incident of cat+shiny. They'll not be put in hermetically sealed rooms with a dozen layers of security, they'll be left where whoknowswhat dust and other stuff can get to them, they'll be mishandled, fingerprinted, labels written with a ballpoint pen. 40 years? I'd be surprised if they last 40 minutes.
And then there's the getting the drive hooked up to the phone, getting backup software that works, backup software that will still work next month, getting the users to do the few seconds of pressing buttons before they go to sleep at night to let some sort of backup process run for a few minutes.
As to CD's, I still have a few older machines that may be in working order. Circa P1 or P2 machines I think. (If anyone's desperate enough to be interested in acquiring them, get in touch via El Reg)
-