Researcher says flaw in Android creates phone risk

WASHINGTON — Cellphones using Google’s Android operating system are at risk of being disabled or wiped clean of their data, including contacts, music and photos, because of a security flaw that was discovered several months ago but went unnoticed until now.

Opening a link to a website or a mobile application embedded with malicious code can trigger an attack capable of destroying the memory card in Android-equipped handsets made by Samsung, HTC, Motorola and Sony Ericsson, rendering the devices useless, computer security researcher Ravi Borgaonkar wrote in a blog post (http://www.isk.kth.se/) Friday. Another code that can erase a user’s data by performing a factory reset of the device appears to target only the newly released and top-selling Galaxy S III and other Samsung phones, he wrote.

Borgaonkar informed Google of the vulnerability in June, he said. A fix was issued quickly, he said, but it wasn’t publicized, leaving smartphone owners largely unaware that the problem existed and how they could fix it.

Google declined to comment. Android debuted in 2008 and now dominates the smartphone market. Nearly 198 million smartphones using Android were sold in the first six months of 2012, according to the research firm IDC. About 243 million Android-equipped phones were sold in 2011, IDC said.

Versions of Android that are vulnerable include Gingerbread, Ice Cream Sandwich and Jelly Bean, according to Borgaonkar. He said the Honeycomb version of Android, designed for tablets, needs to be tested to determine if it is at risk as well.

Samsung, which makes most of the Android phones, said only early production models of the Galaxy S III were affected and a software update has been issued for that model. The company said it is conducting an internal review to determine if other devices are affected and what, if any, action is needed. Samsung said it is advising customers to check for software updates through the “Settings: About device: Software update” menu available on Samsung phones.

Borgaonkar, a researcher at Germany’s Technical University Berlin, said the bug works by taking advantage of functions in phones that allow them to dial a telephone number directly from a web browser. That convenience comes with risk, however. A hacker, or anyone with ill intent, can create a website or an app with codes that instruct the phones linking to those numbers to execute commands automatically, such as a full factory reset.
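The check a site operator or content filter could run against this behavior, as an added example that is not code from the article or from Borgaonkar: it scans HTML for dial links that carry a dialer command instead of an ordinary phone number, and notes whether the link would load without a tap. It assumes, beyond what the article states, that dial-from-browser links use the `tel:` URI scheme and that dialer commands contain `*` or `#`; the sample page and its code are constructed placeholders.

```javascript
// Added example. Assumption: dialer command codes contain '*' or '#',
// while ordinary phone numbers are digits with an optional leading '+'.
const AUTO_LOAD_TAGS = new Set(['iframe', 'frame', 'meta', 'img', 'embed', 'object']);

// Decode percent-escapes (%2A is '*', %23 is '#') without throwing on bad input.
function safeDecode(s) {
  try { return decodeURIComponent(s); } catch (e) { return s; }
}

// Classify the part of a tel: URI that follows the scheme.
function classifyTelTarget(target) {
  const number = safeDecode(target.split(';')[0]) // drop ;parameters, then decode
    .replace(/[\s().-]/g, '');                    // drop visual separators
  if (/[*#]/.test(number)) return 'command-code';
  if (/^\+?\d+$/.test(number)) return 'phone-number';
  return 'unknown';
}

// Walk every tag, look at URL-bearing attributes, and report each tel: target.
// 'automatic' is true when the tag loads its URL without user interaction.
function scanHtml(html) {
  const findings = [];
  for (const [, rawTag, attrs] of html.matchAll(/<(\w+)\b([^>]*)>/g)) {
    const tag = rawTag.toLowerCase();
    const attrRe = /\b(?:href|src|data|content)\s*=\s*(?:"([^"]*)"|'([^']*)')/gi;
    for (const m of attrs.matchAll(attrRe)) {
      const value = (m[1] !== undefined ? m[1] : m[2]).trim();
      const tel = /tel:(.*)$/i.exec(value);
      if (!tel) continue;
      findings.push({
        tag,
        kind: classifyTelTarget(tel[1]),
        automatic: AUTO_LOAD_TAGS.has(tag),
      });
    }
  }
  return findings;
}

// Constructed sample page: one normal call link, two auto-loading command links.
// The code *99999999# is a meaningless placeholder.
const SAMPLE_HTML = `
<a href="tel:+1-425-555-0100">Call us</a>
<iframe src="tel:%2A99999999%23"></iframe>
<meta http-equiv="refresh" content="0;url=tel:*99999999%23">`;

console.log(scanHtml(SAMPLE_HTML));
```

A finding with `kind: 'command-code'` and `automatic: true` is the combination the article describes: a command that runs as soon as the page is opened.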

The phone’s memory card, known as a subscriber identity module, or SIM, can be destroyed remotely in the same way, Borgaonkar said. “Vulnerability in Android can be exploited to kill the SIM card permanently by clicking a single click,” he wrote. “After the successful attack, the end user has to go to the mobile network operator and buy a new SIM card.”

While Borgaonkar has drawn attention to the problem, it’s unclear how useful the vulnerability would be to cybercriminals who are primarily interested in profits or gaining a competitive advantage, said Jimmy Shah, a mobile security researcher at McAfee. “There’s no benefit to the attacker if they can’t make money off it or they can’t steal your data,” Shah said. “It’s really not that useful.”

But the technique could cause huge headaches if it were harnessed to issue outbound phone calls, said Mikko Hypponen, chief research officer at F-Secure, a digital security company in Helsinki, Finland. “If that would be doable, we would quickly see real world attacks causing phones to automatically dial out to premium-rate numbers,” he said.
