| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CALdcr8dKnP_ucjnhmt+GFd4DKqjs-geSEZvGYhbkLCPuHz_j0g@mail.gmail.com> Date: Tue, 14 Jul 2020 13:19:15 -0400 From: Michael Lazin <microlaser@...il.com> To: "Enrico Weigelt, metux IT consult" <info@...ux.net> Cc: fulldisclosure@...lists.org, certbund@....bund.de Subject: Re: [FD] Google's Android: remote install backdoor in Google Play Services Could you please provide more detail. I am not seeing how this is an attack. The Debian apt system which predates the play store seems to work under the same principle. You have a core set of default packages and you can install your own packages from the store, in this case debian apt. The debian security team pushes updates which not only install software with patches but the dependencies as well. The vulnerability you appear to be speaking about seems to be a fundamental way the concept of an app store works, it must include a method of pushing patches as new exploits are published. This necessitates pushing any dependencies of the patches. If I am not understanding this properly please elucidate. Thank you, Michael Lazin to gar auto estin noein te kai ennai On Tue, Jul 14, 2020 at 2:01 AM Enrico Weigelt, metux IT consult < info@...ux.net> wrote: > ======================================================================= > Advisory: Google's Android (play services) built-in backdoor for remote > app installation. > ======================================================================= > > Google's PlayServices has a built-in backdoor which allows Google Inc, > or anybody who has access to some device owner's Google account to > remotely silently deploy any apps (at least those listed in the AppStore). > > > Some technical background: > > * PlayServices (GMS) frequently polls Google services for various kinds > of push messages > * amongst those push message is one for triggering the GMS to *silently* > download and install some app from Google app store > * there's no explicit notification, nor asking for confirmation > (except for download progress shortly appearing in status bar) > > Possible attackers: > > * anybody who highjacked victim's Google account > * Malicious operatives at Google > > Quick mitigation: > > a) take away all permissions (especially changing system settings) from > Google Play Services as well as Google Play Store > > --> dramatically reduced the ratio of successful remote deployments > via Google App Store Web interface > > b) disable / remove Google Play Services and Google App Store > > > Legal considerations: > > It is clear that Google explicitly built in an backdoor for silent > remote deployment, without user concent - which is an criminal offense > in most jurisdictions. (eg. CFAA in the US, ยง303 StGB in Germany). > > Law enforcemence agencies are called to start criminal prosecution, > victims (virtually any Android user) might consider filing criminal > charges against Google. > > > --- > Enrico Weigelt, metux IT consult > Free software and Linux embedded engineering > info@...ux.net -- +49-151-27565287 > > _______________________________________________ > Sent through the Full Disclosure mailing list > https://nmap.org/mailman/listinfo/fulldisclosure > Web Archives & RSS: http://seclists.org/fulldisclosure/ _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists