
How a few legitimate app developers threaten the entire Android userbase (Ars Technica)

Posted Oct 16, 2015 21:14 UTC (Fri) by josh (subscriber, #17465)
Parent article: How a few legitimate app developers threaten the entire Android userbase (Ars Technica)

This seems completely ridiculous. If phones have vulnerabilities, the phone vendors are ultimately at fault for leaving those devices vulnerable. Disclosing the existence of such root vulnerabilities (especially those that have been around for so long) tells malware developers nothing they don't already know, while providing tools specifically designed to help end users on locked-down devices.


Posted Oct 18, 2015 23:04 UTC (Sun) by zblaxell (subscriber, #26385)

> Disclosing the existence of such root vulnerabilities (especially those that have been around for so long) tells malware developers nothing they don't already know

It allows the malware developers to freeload. It's expensive to weaponize other people's bugs. It's much cheaper to extract an existing battle-tested exploit from a demonstrably successful product. Ordinary exploit PoC code doesn't get peer review, updates and maintenance like these tools do.

It's not just saving time and money, either. Using a popular published exploit tool cuts down on identifiable traits that are often useful to forensic investigators. The black hats win twice here.

The tools wouldn't exist at all if vendors didn't insist on not providing legitimate access to the device firmware in the first place.

Posted Oct 19, 2015 2:34 UTC (Mon) by dlang (guest, #313)

Do you really think the bad guys aren't figuring these exploits out at least as fast as the people creating these apps?

I expect that they are creating these apps by watching the malware lists and piggy-backing on them rather than the other way around.

Posted Oct 19, 2015 4:11 UTC (Mon) by zblaxell (subscriber, #26385)

TFA mentioned original exploits not seen before their inclusion in the tools. That implies that at least one exploit exists today that wouldn't have existed otherwise (or would at least be used more discreetly if it did exist).

Posted Oct 19, 2015 5:18 UTC (Mon) by dlang (guest, #313)

Not seen before by whom? Do the authors of the collection even claim that they developed all the exploits? I doubt it.

I always question people who claim that any collection of exploits contains a bunch of new exploits never seen before.

Posted Oct 19, 2015 6:44 UTC (Mon) by zblaxell (subscriber, #26385)

There is significant value even in the mere collection, maintenance, and testing of the exploits. Black hats can focus their time and effort on their malicious payloads instead of building their own delivery vehicles.

That's still a net advantage for black hats even if the total number of theoretically available vulnerabilities remains constant.


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds