Open Source and information security mailing list archives
 
Date: Mon, 12 Oct 2020 14:51:40 +0200
From: "Enrico Weigelt, metux IT consult" <lkml@...ux.net>
To: Michael Lazin <microlaser@...il.com>,
 "Enrico Weigelt, metux IT consult" <info@...ux.net>
Cc: fulldisclosure@...lists.org, certbund@....bund.de
Subject: Re: [FD] Google's Android: remote install backdoor in Google Play
 Services

On 14.07.20 19:19, Michael Lazin wrote:

Hello folks,

> Could you please provide more detail.  

In short, Google's playstore receives notifications from Google and
installs any app that Google wants to be installed - without any further
notification or even interaction of the user.

Google silently controls your device as soon as you enter a Google account.

Actually, it's not a bug, but an on-purpose backdoor. I've published it
here, in order to let everybody know. Further actions have to be done by
the enforcement agencies.

> I am not seeing how this is an
> attack.  The Debian apt system which predates the play store seems to
> work under the same principle.  

No, apt only acts on explicit operator commands. There is no way for
Debian folks to *push* anything at will out onto individual machines.
And you can also configure which repos are used. Google's Appstore
(and Playservices) is in no way comparable.

> The debian security team pushes updates which not only
> install software with patches but the dependencies as well.  

Absolutely not, they don't push anything onto user's machines. They just
upload new versions. It's up to the user to run upgrades, if he decides
to. And the user can configure which repos to use / trust.

> The
> vulnerability you appear to be speaking about seems to be a fundamental
> way the concept of an app store works, 

Yes, this vulnerability is on-purpose. Therefore I call it a backdoor.
No way for the user to do anything about it - except for flashing a
google-free OS. Legally, this is a criminal act.

> it must include a method of
> pushing patches as new exploits are published.  

No, it does not need to. Pushing here means Google decides what's going
to be installed when on the device - the user has no control over that, and
doesn't even get informed. And it's not just for patches, but also for
deploying completely new software.


--mtx

-- 
---
Note: unencrypted e-mails can easily be intercepted and manipulated!
For confidential communication, please send your
GPG/PGP key.
---
Enrico Weigelt, metux IT consult
Free software and Linux embedded engineering
info@...ux.net -- +49-151-27565287

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
