2020/05/29 13:51:37

Security of Android

This article covers vulnerabilities and security issues in the Android operating system. For the main facts about the OS, see the main article: Android.


Is an antivirus necessary for Android?

When choosing a mobile device, you need to consider a number of factors: price, functionality, reliability and so on. All of these characteristics help you judge how well a device suits you. When it comes to functionality, mobile security must be assessed as well. Apple's operating systems are closed: the source code is not provided to application developers, and owners of iOS devices cannot modify the code themselves,[1] which makes such devices safer[2].

Android devices, on the other hand, are considered less secure because they run an open-source system. This means the owner of a device can seriously "play" with the system settings and configure them as desired. The code is also open to application developers. Unfortunately, this approach can become a weakness of the device and leave it more exposed to malware.

Malware is unwanted program code (programs, applications) installed on your device for harmful purposes. Those purposes can be fairly harmless (to annoy you) or very serious (gaining access to confidential information in order to steal it and use it against you).

Can Android phones be infected with viruses?

Traditional "viruses" are widespread on PCs; a virus is a program that spreads by "attaching" itself to another program (most often a perfectly legitimate one). Android devices do not get such traditional viruses, but they can "pick up" other malware, for example programs designed to covertly control the device or even steal confidential information from it.

One example of such Android malware is Triout. Triout was first detected in August 2018, bundled with a legitimate application on Google Play. This malware could hide on your Android device and record phone calls, save text messages, record video, take pictures and collect information about your location. Although this first version of the program was active only from May to December 2018, new variants of it are still being detected.

Built-in security features in Android

Although Android is known as the less secure platform, the developers of the operating system have built a number of security features into it to prevent viruses and malware.

Application permissions

There is also an application permissions feature, located in the application menu, which lets you see which applications have access to the functions of your phone. Here you can control which applications have access to your microphone, camera, location and confidential information.

Software and security updates

Android offers new security and software updates for Android devices both via the website and through a function built into the operating system.

Safe browsing

Android devices have a "safe browsing" mode that is built into the operating system and enabled by default. When you use Google Chrome, this feature warns you before a suspicious website opens. As long as your Chrome and Android are updated to the most current release, this feature will work to protect you from harmful websites.

How do you use your Android?

Although Android has all these basic security features, they may be insufficient depending on how you use your device. In that case it is better to use an antivirus for Android.

Downloading applications

The advantage of an open-source operating system is that you get access to a huge variety of applications. But although Google Play tries to check all applications carefully, dangerous applications quite often slip through its checks. In 2017 Google removed 700,000 malicious applications from the Google Play store. Installing an antivirus for Android gives you an additional level of protection and lets you limit access to these dangerous applications.

Phone administration

Many people like being able to administer and control their phone in depth, since this gives them a certain freedom. However, with this freedom the security level drops considerably and other threats appear. To counter this, it is very useful to add an antivirus application that will check your Android device for threats.

Using the phone for work

Do you use your phone for work? If so, it probably stores a lot of confidential information (passwords, banking data) whose loss could cost you dearly. For this reason you will most likely need the additional level of security that an antivirus for Android can provide.

Loss or theft of the device

Are you afraid of losing your device? If you do not want it to fall into the wrong hands together with all your information, it makes sense to install an antivirus for Android that can locate your device and remotely erase any confidential information on it.

Features of an antivirus for Android

An antivirus for Android fills the security gaps of your Android operating system. Whether you are interested in protection or performance, or need privacy and anti-theft features, an antivirus can help with these tasks.

An antivirus for Android includes features such as:

  • Real-time antivirus protection
  • On-demand scanning for viruses and threats
  • SD card scanning
  • Device performance optimization
  • Battery consumption optimization
  • Access checks for installed applications
  • Remote wiping of confidential data
  • Device location and remote locking


Google is suspected of tracking Android users

In May 2020 the Attorney General of the State of Arizona, USA, Mark Brnovich, filed a lawsuit against Google, accusing it of illegally collecting the location data of users of Google Android devices[3][4].

"Google gives the impression that users can turn off tracking. But the company finds other ways to intrude into private life. It is practically impossible to stop Google from tracking the user's location, which contradicts Arizona law, and even innovative companies must obey the law," Brnovich said.

Location data is used to determine the weather and refine search results, but even when the transfer of this information is turned off in the Google Chrome settings, geodata is still sent to the company's servers.

Brnovich demanded that Google pay back the profit it may have received from advertising based on the location of Arizona residents. The court may also find the company's actions fraudulent, for which the State of Arizona provides a penalty of $10 thousand.

State authorities began the investigation after the Associated Press published a report that Google secretly collects information on users' location. The company uses web and application activity to sell advertising. As the findings showed, Google uses fraudulent and unfair methods to collect as much information as possible. In addition, it is very difficult for users to manage their data.

Samsung devices fail after an Android update

In mid-April 2020 problems with the Android update on Samsung smartphones came to light. Installing the new firmware disables the devices permanently. Read more here.

Google begins blocking installation on Android devices of applications not downloaded from Google Play

On March 19, 2020 it became known that Google had begun to block the installation of applications on Android mobile devices if they were not downloaded from the Google Play store. This means that users will no longer be able to download an APK file with the installer of a given utility from third-party sources and install it themselves, bypassing Google services.

According to the 9to5Google portal, the changes will affect all owners of Android devices in the near future. They will be implemented through the Advanced Protection Program (APP), an Android feature whose rollout had already begun as of March 2020.

Google justified the need to integrate APP into Android by concern for user safety. According to its representatives, the protection tools available in Android cannot check applications downloaded outside Google Play, which increases the risk of the device being infected with malware and of personal data being stolen.

The possible appearance of an additional "defender" in Android first became known in December 2019, when a mention of it was found in the code of the Google Play application. At the time, 9to5Google experts suggested that there would be no forced blocking of the installation of programs from outside Google Play.

Blocking the installation of applications not downloaded from Google Play is one of the two goals Google pursues in implementing the Advanced Protection Program. The second is the forced enabling of Play Protect, the standard Android tool for verifying programs installed from Google Play.

Play Protect is a kind of antivirus that blocks the installation of risky software. As of March 2020 it can be turned off in the system settings, but the Advanced Protection Program will remove this option: the "defender" will always be running.

This change will make Android more similar to iOS, Apple's competing mobile platform. Installing applications from third-party sources has been prohibited there since the very first days of the App Store, Apple's own marketplace, launched in the summer of 2008, CNews notes.

These restrictions can be bypassed only by a jailbreak, that is, breaking iOS to gain access to the file system of Apple mobile devices. A jailbreak can be performed even on gadgets with iOS 13.3, the stable release of Apple's mobile OS.

After jailbreaking, it becomes possible to install applications on the iPhone and iPad from third-party stores, including the best known one, Cydia. At the end of 2018 it was planned to close it, but as of March 2020 it still operates.

The Advanced Protection Program is tied to the Google account, so it cannot be avoided on a smartphone or tablet by refusing updates of the OS or its individual components. Nevertheless, there is one effective way to bypass the blocking of APK installation, CNews claims.

Installers downloaded from the Internet can be installed on the gadget, bypassing the Android "defender", by means of a desktop PC or laptop and the ADB (Android Debug Bridge) utility. That this method works is also confirmed by Google, which is aware of its existence. It is possible that this loophole will be closed in the future as well.

APP also does not apply to applications downloaded from the brand stores of large manufacturers. Such marketplaces are promoted by, among others, Samsung (Galaxy Store) and Huawei (Huawei Mobile Services), and Google will not prevent software installation from catalogs of this kind.

Google will also not interfere with the operation of applications installed via APK before the Advanced Protection Program was introduced. They will continue to function and in some cases will even be able to receive updates, CNews noted.[5]

Remote code execution vulnerability in Android fixed

On January 9, 2020 Google announced the release of scheduled security updates for Android, fixing a number of vulnerabilities in various components, including seven dangerous ones and one critical.

The critical vulnerability (CVE-2020-0002) is in the Android Media framework, which supports playback of various types of multimedia files. The problem affects Android versions 8.0, 8.1 and 9. Exploiting this vulnerability allows a remote attacker to use a specially crafted file to execute arbitrary code in the context of a privileged process.

Privilege escalation vulnerabilities (CVE-2020-0001 and CVE-2020-0003) and a denial-of-service problem (CVE-2020-0004) in the Android framework were also fixed. Exploiting them "allowed local malware to bypass user interaction requirements and gain access to additional permissions".

In addition, three dangerous vulnerabilities in Android (CVE-2020-0006, CVE-2020-0007, CVE-2020-0008) that could lead to remote information disclosure without the need for additional privileges were fixed.

Among other things, twenty-nine vulnerabilities in Qualcomm components used in Android devices were fixed. One critical vulnerability was in the Qualcomm Realtek rtlwifi driver (CVE-2019-17666) and allowed remote code execution. The rtlwifi driver is a software component that allows certain Realtek Wi-Fi modules used in Linux devices to exchange data with the Linux OS.[6]


414 vulnerabilities found in Android OS

A total of 414 vulnerabilities were found in Android OS in 2019. This became known on March 10, 2020.

The Android operating system was the most vulnerable platform in 2019. Specialists of the TheBestVPN portal came to this conclusion after analyzing vulnerability statistics for various operating systems and software products at the end of 2019.

While only 894 vulnerabilities were recorded in 1999, 20 years later the figure had grown almost 14 times, to 12,174. The greatest number of vulnerabilities was found in 2018: 16,556, of which 1,197 were in the free OS Debian GNU/Linux.


In 2019 Android OS topped this ranking with 414 vulnerabilities detected over the year. Debian Linux is in second place (360 vulnerabilities), followed in third place by Windows Server 2016 and Windows 10 (357).

Despite this, fewer problems are detected in Android every year. A year earlier 525 vulnerabilities were found, and the year before that 843. Over the entire existence of Android, 2563 vulnerabilities have been found in it.

In total, 12,174 vulnerabilities were found in software in 2019. 25.3% of all problems allowed attackers to execute arbitrary code on devices, 17.7% were cross-site scripting vulnerabilities, and 13.9% were buffer overflows.

Over the last 20 years companies have come to depend more on digital data and cloud computing, which has increased their exposure to cyber attacks. In 2019, 668 vulnerabilities were recorded in Microsoft products. Since 1999 the figure is 6,814, which makes Microsoft the most vulnerable vendor of the last 20 years. It is followed by Oracle (6,115) and IBM (4,679).[7]

A new Android virus has completely terrorized Russian banks

At the end of November 2019 it became known that a new virus was attacking Russian banks. The trojan is able to transfer funds automatically through mobile banking applications for the Android operating system, Group-IB experts reported.

Previously, many Android viruses displayed fake windows through which payments for goods or services were made. The same trojans passed to attackers the digits of the transaction confirmation codes that banks send to clients.

With the arrival of the new virus, the smartphone owner does not even have to pay for anything through a mobile application for money to be stolen.

The malicious component gets into banking programs on the infected device, takes over the mobile application and automatically transfers the victim's funds to the account specified by the attacker. Experts call this mechanism "avtozalivy".

Fraudsters disguise viruses as applications (games, browsers) or files and then distribute them as links on adult websites, websites with cracked applications and pirated movies, torrent trackers, and by e-mail and SMS. The smartphone is infected when the user downloads the offered file or application.

According to RBC, at least two of the largest banks in Russia, Post Bank and MKB, have encountered this virus.

Kaspersky Lab confirmed the emergence of a new type of trojan. However, cases in which it took control of a banking application and forced it to make a payment are isolated, says Kaspersky Lab antivirus expert Victor Chebyshev.

According to Group-IB estimates, from July 2018 to June 2019 hackers managed to steal about 110 million rubles using Android trojans, which is 43% less than the previous year. About 40 successful attacks take place every day, and the average damage from each is 11 thousand rubles.[8]

Vulnerability allowing control of the Camera application

On November 19, 2019 it became known that Erez Yalon, head of security research at Checkmarx, had detected a number of vulnerabilities, grouped under the single identifier CVE-2019-2234, in Google and Samsung mobile devices.

While researching camera security on Google Pixel 2 XL and Pixel 3 devices, the Checkmarx team detected vulnerabilities in Google's Camera application that allowed them to control some of its functions without having obtained the corresponding permission.

In general, CVE-2019-2234 allows any application without the corresponding permission to control the Camera application, including taking photos and video even if the device is locked, the screen is off, or the user is on a call. According to the specialists, besides Google the problem also affects other Android device manufacturers, including Samsung.

Google restricts application access to sensitive functions such as the camera, microphone and location services. To gain access to them, an application must first obtain the corresponding permission. Nevertheless, the vulnerability detected by the researchers allows these restrictions to be bypassed.

The Camera application in Android usually saves photos to the SD card, so other applications request access to the SD card in order to access them.

"Unfortunately, this permission is very broad and provides access to the SD card as a whole. There are a number of legitimate applications that request access to storage even though they do not need images and video for their work. In fact, it is one of the most frequently requested permissions," the researchers reported.

The specialists decided to use this permission as an attack vector. As it turned out, if malware is granted access to the SD card, it not only gains access to photos and video but, thanks to the vulnerability, can also force the camera application to take new photos and video.

"We could easily record the voice of both the user during a conversation and the caller. This is undesirable activity, as the Google Camera application should not be fully controllable by an external application," the researchers noted.

The researchers notified Google of the problem in July 2019. At first the company rated the vulnerability as medium severity, but then recognized it as high severity, registered a CVE and released a fix[9].
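Because the storage permission was the only foothold this attack needed, a useful audit is to list the third-party applications that hold storage access without holding the camera or microphone permission themselves. The Python script below is an added example, not code from the article or from Checkmarx; it parses text in the layout printed by `adb shell dumpsys package`, and the sample dump and its package names are constructed for illustration.

```python
import re

# Real Android permission names: storage access versus the sensors that
# the storage permission is not supposed to imply.
STORAGE = frozenset({
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.WRITE_EXTERNAL_STORAGE",
})
SENSORS = frozenset({
    "android.permission.CAMERA",
    "android.permission.RECORD_AUDIO",
})

# Constructed sample, abridged from the layout of `adb shell dumpsys package`
# (assumption: real output has many more fields; package names are made up).
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.example.flashlight] (a1b2c3):
    userId=10101
    flags=[ HAS_CODE ALLOW_CLEAR_USER_DATA ]
    requested permissions:
      android.permission.READ_EXTERNAL_STORAGE
      android.permission.WRITE_EXTERNAL_STORAGE
    User 0: ceDataInode=0 installed=true hidden=false
      runtime permissions:
        android.permission.READ_EXTERNAL_STORAGE: granted=true, flags=[ USER_SET ]
        android.permission.WRITE_EXTERNAL_STORAGE: granted=true, flags=[ USER_SET ]
  Package [com.example.videochat] (d4e5f6):
    userId=10102
    flags=[ HAS_CODE ]
    User 0: ceDataInode=0 installed=true hidden=false
      runtime permissions:
        android.permission.CAMERA: granted=true, flags=[ USER_SET ]
        android.permission.RECORD_AUDIO: granted=true, flags=[ USER_SET ]
        android.permission.WRITE_EXTERNAL_STORAGE: granted=true, flags=[ USER_SET ]
  Package [com.example.notes] (0a1b2c):
    userId=10103
    flags=[ HAS_CODE ]
    User 0: ceDataInode=0 installed=true hidden=false
      runtime permissions:
        android.permission.READ_EXTERNAL_STORAGE: granted=false, flags=[ USER_SET ]
    User 10: ceDataInode=0 installed=true hidden=false
      runtime permissions:
        android.permission.READ_EXTERNAL_STORAGE: granted=true
  Package [com.example.oemgallery] (3d4e5f):
    userId=10020
    flags=[ SYSTEM HAS_CODE ]
    User 0: ceDataInode=0 installed=true hidden=false
      runtime permissions:
        android.permission.READ_EXTERNAL_STORAGE: granted=true, flags=[ GRANTED_BY_DEFAULT ]
"""

PACKAGE_RE = re.compile(r"^\s*Package \[([^\]]+)\]")
FLAGS_RE = re.compile(r"^\s*flags=\[([^\]]*)\]")
GRANT_RE = re.compile(r"^\s*(android\.permission\.[A-Z_]+): granted=(true|false)")


def parse_packages(dump):
    """Return {package: {"system": bool, "granted": set of permission names}}.

    Grants are merged across all "User N:" sections of a package, so a
    permission granted in any profile counts as granted.
    """
    packages, current = {}, None
    for line in dump.splitlines():
        m = PACKAGE_RE.match(line)
        if m:
            current = packages.setdefault(
                m.group(1), {"system": False, "granted": set()})
            continue
        if current is None:
            continue  # header lines before the first package
        m = FLAGS_RE.match(line)
        if m:
            current["system"] = "SYSTEM" in m.group(1).split()
            continue
        m = GRANT_RE.match(line)
        if m and m.group(2) == "true":
            current["granted"].add(m.group(1))
    return packages


def storage_without_sensors(dump):
    """Third-party packages granted storage access but no camera/microphone.

    For these apps a Camera-app flaw such as CVE-2019-2234 would add a
    capability the user never approved, so they deserve a closer look.
    """
    findings = {}
    for name, info in parse_packages(dump).items():
        storage = info["granted"] & STORAGE
        if info["system"] or not storage or info["granted"] & SENSORS:
            continue
        findings[name] = sorted(p.rsplit(".", 1)[1] for p in storage)
    return findings


if __name__ == "__main__":
    for pkg, perms in sorted(storage_without_sensors(SAMPLE_DUMPSYS).items()):
        print(f"{pkg}: {', '.join(perms)}")
```

On a real device the input would come from `adb shell dumpsys package` saved to a file; applications on the resulting list that have no obvious need for storage are candidates for having the permission revoked.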

NFC vulnerability in Android versions 7, 8 and 9

On October 25, 2019 it became known that a team of researchers from Checkmarx Security Research had detected a vulnerability affecting Android versions 7, 8 and 9. The vulnerability is in the pre-installed Tags application, which is intended for reading Near Field Communication (NFC) tags, analyzing them and passing the results to the appropriate applications.

The vulnerability (CVE-2019-9295) allows any unauthorized application to trick Tags into simulating an NFC tag, which attackers can use in attacks. Exploiting the vulnerability also requires user interaction.

The specialists described several attack scenarios. The first involves a pop-up window prompting the user to scan an NFC tag (generated by the malware). The user has to interact with this window to choose the appropriate application. When the user tries to read an NFC tag, the malware reads it, changes the contents and then invokes the default Android tag viewer, while the user suspects nothing.

In the second scenario the user scans a tag, which allows the malware to intercept and change the tag contents before they are processed by the corresponding application of the operating system. For example, when a user scans a company tag containing a phone number, the unauthorized application can change this number without arousing the victim's suspicion.

Both scenarios require the user to follow a link redirecting to a page controlled by the attackers, with a wrong number or other data that can be embedded in NFC tags.

Google fixed this problem in Android 10, but previous versions of the OS remain vulnerable. Users are strongly advised to update to the latest version[10].

Android vulnerability allows "takeover" of Huawei, Xiaomi, Samsung and Oppo devices

On October 8, 2019 it became known that experts from Google's Threat Analysis Group had announced the discovery of a zero-day vulnerability in the Android operating system. The vulnerability, CVE-2019-2215, threatens users of Google Pixel devices as well as Android-based smartphones and tablets made by Huawei, Xiaomi, Samsung, Oppo, Moto and Oreo.

The problem is caused by a use-after-free error (use of a memory area after it has been freed) in the driver of the Binder inter-process communication framework. The vulnerability can be exploited remotely and in theory allows attackers to escalate their privileges on the local system to kernel level. Ultimately the bug makes it possible to "root" the device remotely (obtain superuser rights). CVE-2019-2215 can be exploited in two ways: either through specially prepared malware or through online attacks. In the second case the attackers need to chain the exploit for this vulnerability with another one targeting a vulnerability in the code of the Chrome browser.

According to Threat Analysis Group expert Maddie Stone, the vulnerability affects "the majority of Android devices released before the fall of 2018", and the same exploit will work on all devices with minimal "adaptation" to different models, or with none at all.

Stone also noted that she has "technical information" that the vulnerability was used by NSO Group or by one of its clients. NSO is an Israeli firm that searches for vulnerabilities in mobile operating systems and creates and sells exploits for them. NSO, however, claims that it has nothing to do with the exploitation of this vulnerability.

CNews noted that the same bug was detected and fixed in December 2017 in the 4.14 LTS Linux kernel (without a CVE being assigned) and in Android kernel versions 3.18, 4.4 and 4.9. However, the vulnerability then somehow reappeared in Android.

"It is interesting that, despite the obvious threat posed by this vulnerability, it has been given the status High Severity rather than Critical, even though it concerns the possibility of remotely taking control of a device with little effort. The reappearance of an already fixed vulnerability also attracts attention."

As of October 2019 the vulnerability is confirmed in the following devices: Google Pixel 1, Pixel 1 XL, Pixel 2 and Pixel 2 XL running Android 9 and Android 10 Preview; Samsung S7-S9; Huawei P20; Xiaomi A1, Redmi 5A and Redmi Note 5; Oppo A3; Moto Z3. LG smartphones of the Oreo series are also vulnerable.

Because the vulnerability is being actively exploited, Google experts published information about the bug just a week after its discovery.

Google Pixel devices will receive patches in the October cumulative update for Android. When other devices receive them depends on their manufacturers.[11]

The Geost banking botnet infected 800 thousand Android devices in the Russian Federation

On October 3, 2019 it became known that researchers from the Czech Technical University, the National University of Cuyo (Argentina) and Avast had discovered a banking botnet that was given the name Geost. At least 800 thousand owners of Android devices in the Russian Federation became victims of the malicious campaign; in particular, the attackers gained access to their bank accounts, which held several million euros in total. Read more here.

Multiple vulnerabilities in VoIP-components

On October 2, 2019 it became known that a team of experts from OPPO ZIWU Cyber Security Lab, the Chinese University of Hong Kong and Singapore Management University had detected multiple vulnerabilities in the VoIP components of the Android operating system. The security problems were revealed in the course of research (until recently only VoIP equipment, servers and mobile applications had been tested, but not the Android VoIP components).

10 vulnerabilities in VoIP-components

Over several years the team developed three methods for analyzing Android's VoIP backends and used them to look for vulnerabilities that can be exploited in cyber attacks. Most often the researchers used fuzzing, a software testing technique that involves feeding invalid, unexpected or random input data to an application.

During testing the researchers analyzed only recent versions of Android, from Android 7.0 (Nougat) to Android 9.0 (Pie). In total they detected nine vulnerabilities, of which they immediately notified Google (some of the vulnerabilities were subsequently fixed). Eight issues concerned the Android VoIP backend directly, and the ninth concerned a third-party application.

The vulnerabilities make it possible to place unauthorized VoIP calls, spoof the caller ID, reject incoming calls and even execute malicious code on the user's device[12].

Vulnerabilities allowing Android to be compromised over a wireless network

On August 6, 2019 it became known that security researchers from the Tencent Blade group had detected two dangerous vulnerabilities in the WLAN firmware of Qualcomm's Snapdragon chip; exploiting them could allow an attacker to compromise the modem and the Android kernel over a wireless network. Read more here.

33 vulnerabilities fixed

On July 2, 2019 it became known that Google had fixed 33 vulnerabilities as part of the scheduled July security updates for Android. Patch levels 2019-07-01 and 2019-07-05 fix vulnerabilities in the Android system, framework, library, media framework and Qualcomm components, including closed-source ones.

The bulletin has two patch levels, which gives Android partners greater flexibility to quickly fix groups of vulnerabilities that are the same across all Android devices, the security bulletin says.

Four of the fixed vulnerabilities are critical and allow remote code execution. The most dangerous vulnerability was fixed in the media framework. With it, an attacker can remotely execute arbitrary code in the context of a privileged process using a specially crafted file.

The critical vulnerabilities CVE-2019-2106 and CVE-2019-2107 affect all versions of the OS starting from Android 7.0. CVE-2019-2109 affects all versions starting from Android 7.0 except Android 9. CVE-2019-2111 affects only devices running Android 9.

The other problems are either related to privilege escalation and information disclosure or are unclassified. No evidence of their exploitation in real attacks has been found. Android partners were notified of the vulnerabilities at least a month before they were disclosed to the general public[13].

Fraud scheme that rapidly drains millions of Android smartphones uncovered

In March 2019 a huge fraud scheme was uncovered in which embedded video advertising was run inside Android applications. Because of it, devices drained quickly and personal data was transmitted.

The fraudsters used services that pay for ad views and made it appear that users were playing video ads that were in fact not visible to the device owners. To carry out the scam the attackers used popular applications downloaded by millions of users.

Main article: Fraud in advertising

Positive Technologies detected a dangerous long-standing vulnerability in Android 7.0, 8.0, 9.0

On March 21, 2019 Positive Technologies reported that its expert Sergey Toshin had found a critically dangerous vulnerability in current versions of the Google Android operating system (7.0, 8.0, 9.0) and in its earlier releases. The error is in the WebView component. It allows access to the confidential data of Android users through an installed malicious application or an instant app (Android instant apps).

Google specialists rate the severity of this vulnerability (CVE-2019-5765) as high.

"The WebView component is used in the majority of Android mobile applications, so attacks on it are extremely dangerous. The most obvious attack scenario involves little-known third-party applications. An attacker can add malicious functionality to them to read information from the WebView of other applications, which will allow them to intercept browser history, authentication tokens and headers (which are a fairly widespread authentication method) and other data. Starting with Android 7.0, the WebView component is implemented via Google Chrome, so to fix the vulnerability it is enough to update this browser. On older versions of Android the WebView component has to be updated through the Google Play update system. Users of devices that have no Google services need to wait for a WebView update from the device supplier."
Sergey Toshin, specialist in the mobile application security research group at Positive Technologies

WebView is an Android platform component that makes it possible to display web pages inside an Android application. The problem was found in the Chromium engine, on which WebView has been built since Android 4.4. The vulnerability also threatens users of Chromium-based mobile browsers such as Google Chrome, Samsung Internet and Yandex.Browser.

Instant apps technology lets a user try an application on the device without installing it: only a small file is downloaded to the user's device after a link is clicked in the browser. In an attack through instant apps, data can be intercepted if the user clicks a link to a malicious instant app.

Vulnerability allowed a malicious PNG image to execute arbitrary code on the device

On February 7, 2019 it was reported that three dangerous vulnerabilities had been fixed in Android, but it is unknown when the patches will reach end users, since not all Android device manufacturers release updates every month.

For this reason, users of Android devices should take great care when opening image files downloaded from the Internet or received in a message. By opening a seemingly harmless picture, the user risks exposing the smartphone to compromise.

The threat stems from three recently detected vulnerabilities affecting Android versions from 7.0 Nougat to 9.0 Pie. Google is not yet disclosing any technical details about them, but the updates mention fixes for a buffer overflow, errors in SkPngCodec and a number of problems in components for rendering PNG images.

According to the notification of security from Google, the most dangerous of three vulnerabilities allows in a special way the configured harmful PNG image to execute any code on the device.

The most dangerous is the critical vulnerability in Framework allowing remote attacking using in a special way the configured PNG file to execute any code in the context of exclusive process, reported in the notification of security.

For vulnerability operation the malefactor has enough to force the victim to open harmful PNG image which with the naked eye cannot be distinguished from harmless. The image can be sent to the victim in the messenger or by e-mail.

CVE-2019-1986, CVE-2019-1987 and CVE-2019-1988 were corrected in Android Open Source Project (AOSP) with an exit of planned February security updates.[14].

2018: A gap in the Android sandbox

On August 14, 2018 it became known that researchers at Check Point Software Technologies Ltd. had found a gap in the Android sandbox, the protected data storage area on Android devices. Its function is to prevent malicious applications from affecting other applications and from harming the OS itself.

Some applications store data not in the Android sandbox but in external storage (either a partition on the device or an external SD card), which creates a potential danger for the user. Attackers can attack devices by silently installing unknown malware, carry out denial-of-service attacks against legitimate applications and even make them crash, and carry out code injection attacks in which the injected code then runs in the privileged context of the attacked application.

The vulnerability works as follows:

  1. External storage on an Android device is a public area that can be observed or modified by a third-party (malicious) application.
  2. Android does not provide built-in protection for data held in external storage. It only offers developers recommendations on how to use this resource properly.
  3. Not all developers understand the importance of security measures and the potential risks, and they do not always follow the recommendations.
  4. Many pre-installed and popular applications ignore Android's recommendations and store confidential data in the unprotected external storage.
  5. This can lead to a "Man-in-the-Disk" attack, which can result in manipulation and/or abuse of the unprotected confidential data.
  6. Modification of the data can produce undesirable results on the user's device.
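
One way an application can guard against the modification described in points 1 to 6, given as an added example that is not code from Check Point, Google or any application named here. It is modelled in Python, with two ordinary directories standing in for external storage and for the app's private sandbox; the function names and the sample payload are constructed for illustration. The file is first copied into private storage and only that private copy is verified, because a file checked in place on shared storage can still be rewritten between the check and its use.

```python
import hashlib
import hmac
import os
import shutil
import tempfile


class TamperedFileError(Exception):
    """The file taken from shared storage does not match the expected digest."""


def sha256_file(path):
    """Hex SHA-256 of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def import_from_shared(shared_path, private_dir, expected_sha256):
    """Copy a file out of shared storage, then verify the private copy.

    expected_sha256 must come from a source other apps cannot write to
    (for example the publisher's server over TLS), never from the same
    shared directory. Returns the path of the verified private copy.
    """
    os.makedirs(private_dir, mode=0o700, exist_ok=True)
    fd, private_path = tempfile.mkstemp(dir=private_dir)
    try:
        with os.fdopen(fd, "wb") as dst, open(shared_path, "rb") as src:
            shutil.copyfileobj(src, dst)
        # From here on only the private copy is read; later changes to
        # the shared file cannot affect what was verified.
        if not hmac.compare_digest(sha256_file(private_path), expected_sha256):
            raise TamperedFileError(shared_path)
    except BaseException:
        os.unlink(private_path)  # never keep an unverified copy
        raise
    return private_path


def demo():
    """Constructed scenario: one untouched file, one rewritten by another app."""
    with tempfile.TemporaryDirectory() as root:
        shared = os.path.join(root, "sdcard")        # stands in for external storage
        private = os.path.join(root, "app_private")  # stands in for the sandbox
        os.makedirs(shared)
        payload = b"update-v2: constructed sample payload\n"
        expected = hashlib.sha256(payload).hexdigest()  # as if fetched over TLS
        path = os.path.join(shared, "update.bin")
        with open(path, "wb") as f:
            f.write(payload)

        good = import_from_shared(path, private, expected)
        with open(good, "rb") as f:
            accepted = f.read()

        # Any app with storage access can rewrite the shared file.
        with open(path, "wb") as f:
            f.write(b"update-v2: modified by another app\n")
        try:
            import_from_shared(path, private, expected)
            rejected = False
        except TamperedFileError:
            rejected = True
        return {"accepted": accepted, "tampered_rejected": rejected,
                "files_kept": len(os.listdir(private))}


if __name__ == "__main__":
    print(demo())
```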


Tracking users even with geolocation switched off and no SIM card

Devices running Android collect users' location information and send it to Google even if all location-based services on them are switched off, no application is running and no SIM card is inserted. The data goes to Google every time the device connects to the Internet. In November 2017 Quartz came to this conclusion in its own investigation[15].

Since the beginning of 2017 Android smartphones have been recording the addresses of nearby cell towers, even if location-based services on the device are turned off by the user, and sending this data to Google, the publication found. Thus the company began to receive data whose nature goes beyond what users expect of the protection of their privacy. The user cannot turn this off. According to Quartz, the changes were made to the Firebase Cloud Messaging service, which is present on all Android devices by default.

An experiment carried out by the publication showed that even a factory reset, which removes all installed applications, does not help: the smartphone continues to send Google the addresses of the nearest towers as it moves from one to another. If no SIM card is inserted in the phone, it sends the data when it connects to Wi-Fi.

Google confirmed to Quartz that it has been using this practice for 11 months. The tower addresses are passed to the system that delivers push notifications and messages to smartphones. This system works separately from the normal location-based services. The company assures that the data is not stored and is not used in any way. After being contacted by Quartz, Google's management decided to end the practice. By the end of November Android will stop collecting tower addresses and sending them to the company, at least in a way that the user cannot turn off.

Technically, the new practice means that Android began to track Cell ID, the identifier that the operator assigns to each sector of a base station. However, Google assures that Cell ID was not built into its network synchronization system, so the collected data was deleted at once. After an update the system will stop requesting the identifier.

The company says that Cell ID was collected to improve message delivery. Quartz, in turn, writes that it is not entirely clear how this could improve it. The publication notes that by using the addresses of several towers at once rather than one, the user's location can be determined to within a radius of 400 meters, and in urban conditions even more precisely, as towers are located close to each other.

Google's privacy policy provides for the collection of data on the user's location, but does not state that data collection continues even after location-based services are switched off.

All versions of Android, except Oreo, allow an attacker to take control of the device

At the beginning of September 2017 a serious vulnerability was found in all versions of the Android mobile OS except Oreo (8.0); it allows an attacker to take full control of the device using modified pop-up notifications. In a successful attack, attackers can install an arbitrary program on the smartphone or put it out of action.[16]

Attack essence

The vulnerability was discovered by researchers at Palo Alto Networks. According to the experts' description, the attack is a variant of the "Cloak and Dagger" attack, which was described in the spring of 2017 by specialists of the University of California, Santa Barbara and the Georgia Institute of Technology.

The essence of the attack is that the malware draws its own window over all others, hiding real notifications from the operating system. As a result, the user sees a fake window with an innocuous phrase, but by pressing the OK button in the interface he unknowingly agrees to the installation of the malware and at the same time grants it administrator rights.

Features of the attack

The publication by the experts of the University of California and the Georgia Institute of Technology pointed out that malware attempting such attacks faces two serious obstacles: it must obtain explicit permission to use the draw on top function (the one that allows an application to display its windows over others), and that function is available only to applications from Google Play.

Experts at Palo Alto Networks, in turn, found that Android system pop-up notifications (so-called Toast) can be used to carry out attacks similar to "Cloak and Dagger": these notifications appear over all windows and do not require special permissions from users, and they can be modified to cover the entire display of the device, which turns them into a functional equivalent of normal application windows.


As noted, the patches closing the vulnerability are already being distributed. Experts at Palo Alto strongly recommend not installing applications from anywhere except Google Play.

Google closed 12 critical vulnerabilities in Android

At the beginning of August Google released the scheduled Android security update, which fixes a total of 51 problems in the MediaServer, AudioServer and CameraServer components, various libraries and so forth. According to the description, 12 of the fixed vulnerabilities were critical.[17]

In particular, 10 critical vulnerabilities in the Media Framework component (multimedia libraries), one vulnerability in a library (CVE-2017-0713) and one more problem (CVE-2017-0740) in Broadcom components were closed. The vulnerabilities in Media Framework allowed remote execution of arbitrary code in the context of a privileged process by sending a specially crafted file. By exploiting the last two problems, an attacker could remotely execute code in the context of an unprivileged process.

The other fixed problems include: 16 vulnerabilities in the Media Framework component allowing denial of service, privilege escalation and information disclosure; 5 privilege escalation vulnerabilities in the OS kernel; 2 privilege escalation vulnerabilities in MediaTek components; and 6 vulnerabilities allowing privilege escalation and information disclosure in Qualcomm components.

Play Protect is a protective function for Android

At the end of July 2017 it became known that Google had decided to raise the overall level of security of the Android mobile platform by adding a new Play Protect screen to all Android devices that use Google Mobile Services 11 or newer. The new tool can be found in the settings menu (the Google section, the Security tab, the "Verification of Applications" item). According to the company's plans, the service will soon appear in Google Play and replace the Google Verify Apps function.[18]

The protective function is intended to check applications for security problems and for the presence of malicious code. A "Checked using Google Play Protect" icon will also be added to individual application listings. The safe browsing option will warn the user when he tries to go to a suspicious website in the Chrome browser.

Applications are checked automatically. The user will receive notifications about all detected risks. In addition, Google moved the Find My Device service to Play Protect; with it, one can determine the location of a device, lock it, call it or delete all data from it.

Growth of malware on Android

2016: Growth in the number of vulnerabilities - 158%

On December 2, 2016 Quick Heal Technologies announced that the number of vulnerabilities in the Android platform had grown by 158%. The company's report covers data for the third quarter of 2016 compared with the figure for the previous year.

According to the company's experts, in 2017 the number of cyber attacks using ransomware and malicious banking software will increase.

Android, (2015)

According to the research data, over the last three months the number of ransomware programs for mobile platforms grew by 33% compared with the second quarter of 2016. Experts recorded a slight decrease in the activity of potentially unwanted software and adware, by 3% and 12% respectively. In the third quarter of 2016 the number of mobile banking trojans increased by 25%. Compared with 2015, the number of malicious banking programs intended for attacks on mobile platforms increased by 76%[19].

Researchers noted that cybercriminals have widened the scope of their attacks by using malicious adware. Whereas attackers previously limited themselves to showing unwanted advertising, their main objective now is the theft of information.

According to forecasts, in 2017 the number of cyber attacks using ransomware and malicious banking software will increase.

Attackers will continue to attack owners of devices based on Android and Windows, as well as companies (especially financial institutions) that use these platforms for daily business operations.

Sanjay Katkar, managing director of Quick Heal Technologies


How to break the Android lock system

In September 2015 researchers asked a question: if one of the most wanted cybercriminals in the USA used his cat's name as a password, and Google's research showed that typical security questions, such as 'Your favourite dish?', were almost useless, what should we expect from the unlock system that protects our smartphone from unauthorized access? Of course, not very much …

Like obvious passwords and answers, the patterns we draw on the screen to unlock our smartphones are, as a rule, easy to guess. This was shown by Marta Loge[20], a researcher from the Norwegian University of Science and Technology, in research she presented at the PasswordsCon conference in Las Vegas in September 2015.

Having analyzed about 4000 real user patterns, the expert found a set of poor choices that were repeated very often. First of all, when choosing a lock pattern it is possible to connect up to 9 points (a 3×3 grid), but most users prefer to connect far fewer points.

The median number of points used is five, so the number of possible combinations is reduced to 9000. However, it turns out that most users choose patterns of only four points (the minimum allowed), which means that the range of combinations in this case is limited to only 1600, which is obviously not enough.

This is not the only mistake we make: 44% of us start drawing the pattern from the upper left corner of the screen. As if that were not enough, 77% of patterns begin in one of the four corners of the grid. Knowing that the pattern connects only four points, and that one of them should be in one of the corners, the security of the pattern decreases significantly.

Besides, it turns out that we tend to draw the pattern from left to right and from top to bottom, which makes such a pattern even easier to guess.


There are other important factors to consider in addition to the number of connected points. The complexity of the sequence of points is also important when choosing a pattern. If we number the points from 1 to 9, we see that it is much more difficult to guess the combination 2, 1, 3, 6 than 1, 2, 3, 6.

Although both combinations have only 4 values, the first is harder to guess because of its changes of direction (from 2 to 1 and from 1 to 3), while the simpler option shows all the mistakes we spoke about earlier: a start in the upper left corner of the screen and movement from left to right and from top to bottom. If you protect your mobile device with a combination like this, it should be changed as soon as possible.


It is usually said that the user is the weakest link in cyber security. As Loge said at PasswordsCon, "human beings are predictable", and, therefore, they can act quite predictably. In fact, "we see the same combinations in unlock patterns as in PIN codes or numeric passwords", Loge said.
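
The size of the pattern space discussed in this section can be computed exactly. The following is an added example, not code from the research described here: it enumerates the 3×3 grid with the points numbered 1 to 9 row by row, as in the text, under the standard Android rule that a stroke may pass over a point only if that point is already part of the pattern, and it flags the habits the section lists. The function names and trait labels are chosen for this illustration.

```python
def _build_midpoints():
    """Map (a, b) -> the point lying exactly between a and b, if any."""
    mid = {}
    for a in range(1, 10):
        for b in range(1, 10):
            ra, ca = divmod(a - 1, 3)
            rb, cb = divmod(b - 1, 3)
            if a != b and (ra + rb) % 2 == 0 and (ca + cb) % 2 == 0:
                mid[(a, b)] = (ra + rb) // 2 * 3 + (ca + cb) // 2 + 1
    return mid


MID = _build_midpoints()
CORNERS = (1, 3, 7, 9)


def is_valid(pattern):
    """Geometric validity: no repeats, no jumping over an unused point."""
    if not pattern or len(set(pattern)) != len(pattern):
        return False
    if not all(1 <= p <= 9 for p in pattern):
        return False
    seen, prev = set(), None
    for point in pattern:
        mid = MID.get((prev, point))
        if mid is not None and mid not in seen:
            return False
        seen.add(point)
        prev = point
    return True


def count_patterns(length, starts=range(1, 10)):
    """Number of valid patterns with exactly `length` points."""
    def extend(last, visited, remaining):
        if remaining == 0:
            return 1
        total = 0
        for nxt in range(1, 10):
            if (visited >> nxt) & 1:
                continue
            mid = MID.get((last, nxt))
            if mid is not None and not (visited >> mid) & 1:
                continue
            total += extend(nxt, visited | (1 << nxt), remaining - 1)
        return total
    return sum(extend(s, 1 << s, length - 1) for s in starts)


def weak_traits(pattern):
    """Habits named in the text that make a pattern easier to guess."""
    traits = []
    if len(pattern) == 4:
        traits.append("minimum length")
    if pattern[0] == 1:
        traits.append("starts top-left")
    elif pattern[0] in CORNERS:
        traits.append("starts in a corner")
    steps = []
    for a, b in zip(pattern, pattern[1:]):
        (ra, ca), (rb, cb) = divmod(a - 1, 3), divmod(b - 1, 3)
        steps.append((rb - ra, cb - ca))
    if all(dr >= 0 and dc >= 0 for dr, dc in steps):
        traits.append("only moves right/down")
    return traits


if __name__ == "__main__":
    for n in range(4, 10):
        print(n, "points:", count_patterns(n), "patterns,",
              count_patterns(n, CORNERS), "of them starting in a corner")
    for p in ((1, 2, 3, 6), (2, 1, 3, 6)):
        print(p, is_valid(p), weak_traits(p))
```

It gives 1624 patterns of exactly four points and 7152 of exactly five (8776 for four and five together), against 389112 for all lengths from four to nine. Of the two combinations compared in the text, 1, 2, 3, 6 is flagged for all three habits, while 2, 1, 3, 6 is flagged only for its length.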

Possibility of data theft through an MMS message

On July 28, 2015 it became known that the research company Zimperium had discovered a vulnerability in Android devices, which it called "... the most dangerous in the Android mobile OS in the whole time of its existence"[21].

According to the company's research, any smartphone running Android can be infected simply by receiving an MMS message. Joshua Drake of Zimperium noted that the smartphone can be infected even before the sound announcing the incoming message finishes playing, so the user may simply never learn what has happened[22]. A message with malicious code arrives on the phone, and the code immediately begins to steal data or to transmit information from the camera and the microphone.

Hangouts, 2014

Google's lead engineer for Android security, Adrian Ludwig, acknowledged the existence of the vulnerability and its high level of danger: hackers can abuse the Hangouts function that optimizes the viewing of video received in a message. An attacker can send a video with hidden malicious code to the user's phone, and Hangouts will cause that code to run: Hangouts instantly processes all received videos, and hackers can take advantage of this.

However, according to media reports, as of July 28, 2015 no cases of exploitation of the vulnerability have been reported, and the Zimperium team passed all the necessary information to Google. Nevertheless, there is bad news:

  • first, even after Google closes the vulnerability with an update, the update will probably not reach more than half of devices;
  • second, if the user does not use Hangouts, the malware will not start automatically, but it will still start when the user opens the received video.

As reported in the media, the vulnerability arose from bugs in the Stagefright media player, which is built into Android. All phones with an OS version higher than 2.2 can be exposed to the attack. The level of access obtained differs with the OS version, from full control to access to photos.

Zimperium had been sending Google reports on the vulnerabilities since April 9, 2015, and the vendor responded by undertaking to include patches in the following updates. After that, Zimperium found 6 more bugs. Google announced that it had informed all smartphone manufacturers and that it is their duty to fix the vulnerabilities, but according to Forbes, as of July 27, 2015, HTC, LG, Lenovo, Motorola, Samsung, Sony and Google had not released updates for their devices.


In Russia 18% of devices on the Android platform are infected

In 2012 the number of attacks on mobile devices running Android more than doubled compared with 2011. The annual growth of malware for mobile devices was 163%.

Researchers at the security vendor NQ Mobile detected 65227 new pieces of malware code aimed at mobile platforms in 2012, compared with only 24794 in 2011. Of this "sea" of hacker products, 94.8% are intended for attacks on the Android platform and only 4% for the open Symbian OS. According to NQ Mobile, more than 32.8 million Android devices were infected in 2012 (for comparison, only 10.8 million in 2011), and the growth over the year was 200%.

China leads in infected devices: 25.5% of all Android devices sold in that country are infected. In second place is India (19.4%), in third Russia (17.9%). They are followed by the USA (9.8%) and Saudi Arabia (9.6%). NQ Mobile's data show that 53% of American users of Android devices had installed protection software.

In composition, malicious code in 2012 was not very varied: 65% were so-called potentially dangerous programs (exploits, spyware, intrusive adware and Trojans), 28% were collector programs that harvest personal data, and 7% were code that makes the device behave abnormally.

The main methods of delivering malicious code in 2012 were App Repackaging (adding lines of code to licensed applications and re-uploading the application with that code to third-party sales sites) and Smishing, which uses fake links that switch control of the OS to downloading an application with malicious code or to a dangerous website. One more method of infection is the use of a malicious URL that redirects the browser from the original website to its clone in order to harvest the user's personal information.

Researchers attribute such mass infection of Android devices to the security policy of the Google Play store, which was inadequate in terms of data protection; this made the store effectively open to hackers and allowed them to spread malicious code through Android applications. In Android 4.2 (Jelly Bean) Google significantly reduced the risks for this platform.

However, the picture obtained by NQ Mobile looks worse for Android than that of a similar study conducted by F-Secure, according to which only 79% of malicious code for mobile devices targets this OS.

Android equalled Windows in the number of malware programs

According to Trend Micro's reports on cyberthreat trends and the security of mobile devices (Trend Micro 2012 Annual Roundup and Mobile Security), in 2012 the range of hackers' targets widened significantly and now includes not only PCs but also devices running Android, social media and even the Mac OS X platform. In particular, in less than three years the amount of malware for Android alone equalled the amount of malware created for Windows in 14 years. Trend Micro forecasts that the number of threats for Android users will pass the 1 million mark in 2013.

By Trend Micro's estimates, at the end of 2012 the number of threats for the Android platform stood at 350 thousand. In three years as much malware appeared for Android as for the PC in fourteen years.

2012 was also marked by hackers shifting the focus of their attacks from Windows to Java and vulnerabilities in other systems. In particular, we witnessed the first large-scale attack on Mac OS.

English and Russian hold the leading positions in the list of the 10 most popular languages of spam messages; India heads the world ranking of "suppliers of spam".

Social networks attract special attention from cybercriminals. Many users put themselves at risk by being too open when communicating on the Internet and by posting information on their social network pages that attackers can use.

2012 was marked by a number of sophisticated APT attacks, such as Luckycat, Taidoor, IXESHE, etc.

Instead of "inventing" new attacks, attackers began to adopt professional software development methods. The Blackhole exploit kit (BHEK), automatic transfer systems (ATS) and ransomware were improved and given new functionality using development technologies of which any commercial software vendor would be proud. The growth in the number of threats for mobile systems and devices is a key trend of the post-PC era. Over the last three years as much malware appeared for the Android platform as was created for the PC in 14 years. Besides, only 20% of users of Android devices use security applications. As of the end of 2012 the number of threats for this relatively new mobile platform reached 350 thousand; Trend Micro forecasts that in 2013 the amount of malware for Android may grow to 1 million.


Android smartphones send coordinates to Google every hour

After the publication of an article stating that iPhones and iPads record the coordinates of places their owners have visited, experts took a keen interest in hidden functions of this kind in smartphones. According to research by information security expert Samy Kamkar, Android smartphones also collect this kind of information and, moreover, send it to Google. The devices record the MAC addresses of all Wi-Fi access points within range, their signal strength and, more importantly, the GPS coordinates of the device.

Kamkar does not explain how Google uses the data, but reports that the data is recorded every few seconds and sent to Google every hour, from any smartphone running Android. On a dedicated page the expert offers to enter the MAC address of any router and find out where in the world it is located. According to Reuters, this information is most likely needed by Google for LBS applications such as Google Maps and Latitude. The company has not yet commented on the report. Meanwhile, the author of the Daring Fireball blog, the well-known journalist John Gruber, believes that the retention of information about the places Apple device users have been is most likely a software bug, since it is enough for Apple to know where the user is now. He believes that this "bug" will be fixed in the next iOS update.

Google's response: To protect your privacy we would like you to know that Google Latitude is running on your mobile device and reporting your location. If you didn't enable this or want to stop reporting your location, please open Latitude privacy settings or sign out of Latitude. To learn more, visit the Latitude Help Center.

The amount of malware for Android increased by 400%

In May 2011 analysts at Juniper Networks published the results of a study of potential threats to mobile devices. According to the data obtained, the amount of malware for Android had grown by 400% since the summer of 2010. It is also reported that during this period mobile devices belonging to both companies and individuals faced a record number of threats, including targeted attacks on Wi-Fi networks.

Of particular concern is the study's finding that the spread of malware is driven most of all by applications downloaded to mobile devices. However, despite the growing number of threats for Android, most users still neglect protection and do not consider it necessary to install any antivirus on their device.

German scientists from the University of Ulm conducted a study in which they demonstrated that the vast majority of Android mobile devices are vulnerable. The problem is connected with the use of the ClientLogin authentication protocol. When the user enters credentials for password-protected services, a digital key (authToken) is created and transmitted as plain text, which can be intercepted. With it an attacker can, for example, gain full access to the calendar, contact information or private web albums of Google users and view, change or delete any contacts, calendar events or private photos, the scientists explained. It is also possible to change, unnoticed, the e-mail addresses of the victim's boss or business partners in order to intercept messages containing important or confidential business information. As an authToken remains valid for up to two weeks, the report notes that an attacker can collect them on a large scale using unsecured wireless access points located in public places. The researchers urge Google to limit the authToken validity period and to stop using insecure connections for the ClientLogin protocol.

You See Also


  1. [ whether
  2. the antivirus for Android Is necessary?]
  3. is suspected of tracking of users of Android Mark Brnovich @GeneralBrnovich·28
  4. of May of Today we filed a consumer fraud lawsuit against Google for deceptive and unfair practices used to obtain users' location data, which Google then exploits for its lucrative advertising business.
  5. Users of Android were overtaken by a terrible nightmare of owners of iPhone
  6. Google corrected vulnerability of remote accomplishment of the code in Android
  7. Android OS became the most vulnerable platform in 2019
  8. The Russian banks detected a new virus for plunder of money
  9. Vulnerability in Android allows the malware to record video
  10. of Google OS is not going to correct vulnerability of NFC in Android 7, 8 and 9
  11. In Android there was a "hole" allowing remote "rooting" of Huawei, Xiaomi, Samsung and Oppo smartphones
  12. In the Android VoIP-components dangerous vulnerabilities are detected
  13. of Google corrected four critical vulnerabilities in Android
  14. Android smartphone can be cracked, having forced the victim to open the picture
  15. the Quartz Google edition keeps shadowing users even when in the smartphone there is no SIM card
  16. All versions of Android except the last allow to intercept completely management over the smartphone
  17. Google corrected 10 critical vulnerabilities in Android
  18. Google released the built-in protection for Android
  19. In 2016 the number of vulnerabilities in the Android platform grew by 158%
  20. to Why the unblocking system of your Android isn't secure and how you should change it
  21. detected the most terrible vulnerability of Android for all the time of existence of OS
  22. of Experts Found a Unicorn in the Heart of Android