lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Tue, 14 Jul 2020 08:46:42 +0200
From: Fabio <ctrlaltca@...il.com>
To: fulldisclosure@...lists.org
Subject: Re: [FD] Google's Android: remote install backdoor in Google Play
 Services

Il 10/07/20 13:16, Enrico Weigelt, metux IT consult ha scritto:
> =======================================================================
> Advisory: Google's Android (play services) built-in backdoor for remote
> app installation.
> =======================================================================
> 
> Google's PlayServices has a built-in backdoor which allows Google Inc,
> or anybody who has access to some device owner's Google account to
> remotely silently deploy any apps (at least those listed in the AppStore).
> 
> 
> Some technical background:
> 
> * PlayServices (GMS) frequently polls Google services for various kinds
>   of push messages
> * amongst those push message is one for triggering the GMS to *silently*
>   download and install some app from Google app store
> * there's no explicit notification, nor asking for confirmation
>   (except for download progress shortly appearing in status bar)
> 
> Possible attackers:
> 
> * anybody who highjacked victim's Google account
> * Malicious operatives at Google
> 
> Quick mitigation:
> 
> a) take away all permissions (especially changing system settings) from
>    Google Play Services as well as Google Play Store
> 
>    --> dramatically reduced the ratio of successful remote deployments
>        via Google App Store Web interface
> 
> b) disable / remove Google Play Services and Google App Store
> 
> 
> Legal considerations:
> 
> It is clear that Google explicitly built in an backdoor for silent
> remote deployment, without user concent - which is an criminal offense
> in most jurisdictions. (eg. CFAA in the US, ยง303 StGB in Germany).
> 
> Law enforcemence agencies are called to start criminal prosecution,
> victims (virtually any Android user) might consider filing criminal
> charges against Google.
> 
> 
> ---
> Enrico Weigelt, metux IT consult
> Free software and Linux embedded engineering
> info@...ux.net -- +49-151-27565287
> 
> _______________________________________________
> Sent through the Full Disclosure mailing list
> https://nmap.org/mailman/listinfo/fulldisclosure
> Web Archives & RSS: http://seclists.org/fulldisclosure/
> 

I'm sorry, but what's your point?
Looks like you just discovered a documented feature that exists since years.

As long as you attach a Google account to your android device, you give
up control of that device to that Google account.
You can even track or remotely wipe the device (android.com/find).
If the Google account is compromised, the same applies to the device.

Do you have any proof that Google actually used this feature in an
illegal way to remotely deploy malicious software to android users?

Have a nice day

Fabio Bas

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists