1. John Albert's Avatar
    According to the NIST National Vulnerability Database (via Forbes), a maliciously written message could result in a permanent denial of service attack that would brick a phone running Android 8, 8.1, 9, or 10. The December Android security update includes a patch for CVE-2019-2232 which means that if the update has been sent to your phone, install it immediately. But again, the real problem is that only a limited number of devices have it at the moment.

    Earlier this month, information about the "StrandHogg" vulnerability was released by security software developer Promon. Disguised as a legitimate app, this malware put the top 500 Android apps at risk (Promon partner Lookout discovered 36 malicious apps that actually carried the vulnerability) and allowed bad actors (without root access) to listen in on Android users through a phone's microphone, take control of the camera and remotely snap pictures, read and send SMS messages from a handset, make and record phone calls, learn a user's location through GPS access, see photos and files on an Android handset, view contacts, phone logs and more.

    With "StrandHogg," an Android user would click on the icon belonging to a legit app. Instead of the legit app, malware would be displayed asking for certain permissions. Once these permissions were granted by the unsuspecting Android user, the hacker was given the green light to hack away. This vulnerability could unleash a phishing attack allowing the bad actor to obtain important personal data.

    Source:

    https://www.forbes.com/sites/daveywi.../#3bab502f66fe
    https://www.phonearena.com/news/Late...users_id120973

    Are BlackBerry phones affected by this malware?
    12-08-19 12:51 PM
  2. John Albert's Avatar
    Patch level 2019-12-01

    This level affects most third-party handsets – those not made by Google. If the patch level on your phone uses the ‘01’ date beside the month, that means you’re getting the security updates up to and including that date, which is to say all the essential ones.
    Three fixes on this level are listed as critical, but for two of these – CVE-2019-2222 and CVE-2019-2223 – the rating only applies for versions 8.0, 8.1, and 9. On Android 10, that drops to ‘high’. That could be because 10 has extra mitigations or because it uses Project Mainline through which some critical updates are applied more quickly via Google Play.
    12-08-19 01:53 PM
  3. Chuck Finley69's Avatar
    So my XR isn't Android, it’s okay for now but I’m seeing more reasons not to use my KEYones even as WiFi only devices?
    Tsepz_GP likes this.
    12-08-19 03:50 PM
  4. Tsepz_GP's Avatar
    So my XR isn't Android, it’s okay for now but I’m seeing more reasons not to use my KEYones even as WiFi only devices?
    It’s absolutely shocking stuff! I am actually uninstalling CamScanner in my P30 Pro and advising everyone I know who has it installed to also remove it.

    Glad my iPhone XS Max is not affected and is my daily driver.

    This is why Android OEMs should be updating their phones for at least 5 years!
    Last edited by Tsepz_GP; 12-09-19 at 03:44 AM.
    nevilleadaniels likes this.
    12-09-19 03:25 AM
  5. falbo's Avatar
    Another good reason not to auto update the playstore apps.
    elfabio80 likes this.
    12-09-19 03:31 AM
  6. John Albert's Avatar
    Glad I have December security patch on my phone.

    In Keyone or Evolve, could BlackBerry secure layer protect against such vulnerability?
    12-09-19 04:31 AM
  7. babugaru1's Avatar
    What about the users who bought Indian variant of Key 2? These devices stopped receiving the security updates since December, last year. What should we do to avoid risk?

    Classic is magic!
    12-09-19 06:50 AM
  8. Chuck Finley69's Avatar
    What about the users who bought Indian variant of Key 2? These devices stopped receiving the security updates since December, last year. What should we do to avoid risk?

    Classic is magic!
    Complain to BBOptiemus and/or buy a supported device.
    12-09-19 06:58 AM
  9. babugaru1's Avatar
    Complain to BBOptiemus and/or buy a supported device.
    Optiemus have ears but they can't hear anything. But I will still try. What are the symptoms? What are preventive measures? Someone said camscanner is culprit? Is it so?

    Classic is magic!
    12-09-19 07:04 AM
  10. falbo's Avatar
    Are the apps in question downloaded via the playstore or unknown sources? Would using a vpn help if device has not been affected yet?
    12-09-19 07:17 AM
  11. Chuck Finley69's Avatar
    Optiemus have ears but they can't hear anything. But I will still try. What are the symptoms? What are preventive measures? Someone said camscanner is culprit? Is it so?

    Classic is magic!
    The preventive measure is an updated phone. If BBOptiemus doesn’t update your phone, you need to use Android phone with latest update installed per the article. Using a non-updated phone means you assume the risk.

    I’d suggest reading the lengthy articles regarding ALL the apps that could be infected and the complete situation explained.
    12-09-19 08:15 AM
  12. the_boon's Avatar
    Who needs CamScanner when Adobe Scan does the job just as well if not better and doesn't charge you to not have a watermark lol
    PantherBlitz likes this.
    12-09-19 08:22 AM
  13. Chuck Finley69's Avatar
    Interesting end quote by the author in Forbes article

    “I will finish by quoting the advice given to me by Ian Thornton-Trump, a cyber threat intelligence expert and member of the infosecurity education collective known as The Beer Farmers: "If you can’t update the device due to age or a lack of manufacturer support it’s time for a new device."

    For me, that’s as if EVERY Android device I’ve ever owned has just been added to my box of electronic paperweights...
    12-09-19 08:27 AM
  14. IceCreamPlz's Avatar
    Are the apps in question downloaded via the playstore or unknown sources? Would using a vpn help if device has not been affected yet?
    VPN is not a magic fix-it/cure all. All vpn does is encrypt data IN TRANSIT. It does nothing to data at rest. VPN primarily guards against the situation where someone is listening to your data going in or out and retracing frames.

    In terms of on board device encryption, granted your device should be encrypted, but that will simply prevent someone from brute-forcing the data from the outside. If I pick up a handset off the sidewalk and it is locked, I will have limited means to access device contents.

    Disk encryption does not help if your device is leaking data through a malicious app. In this case, the app already has access to plaintext device contents. If the primary user has installed an app, and the app is designed to leak data through the internet, even if the device is locked, you're SOL.

    This is the fallacy of all the people running around these forums praying to VPN providers.
    ppeters914 and bbfanfan like this.
    12-09-19 10:37 AM
  15. PantherBlitz's Avatar
    Has anyone found a list of the dropper apps, other than CamScanner?
    12-09-19 10:44 AM
  16. Dunt Dunt Dunt's Avatar
    Interesting end quote by the author in Forbes article

    “I will finish by quoting the advice given to me by Ian Thornton-Trump, a cyber threat intelligence expert and member of the infosecurity education collective known as The Beer Farmers: "If you can’t update the device due to age or a lack of manufacturer support it’s time for a new device."

    For me, that’s as if EVERY Android device I’ve ever owned has just been added to my box of electronic paperweights...
    That's why Apple has reined in Enterprise....

    Samsung and other large Android OEMs have gotten the hint from Google and their support of the Pixel phones. You buy from OnePlus, Huawei, Nokia, Samsung and a few others, then you should be good.

    It's stuff like this that has me doubting how long a KEY device will be good for once updates end. I've said in the past I might be good for a year past the last update... if you don't install apps from random places or visit the dark side of the web. But I had CamScanner...
    12-09-19 10:50 AM
  17. Chuck Finley69's Avatar
    That's why Apple has reined in Enterprise....

    Samsung and other large Android OEMs have gotten the hint from Google and their support of the Pixel phones. You buy from OnePlus, Huawei, Nokia, Samsung and a few others, then you should be good.

    It's stuff like this that has me doubting how long a KEY device will be good for once updates end. I've said in the past I might be good for a year past the last update... if you don't install apps from random places or visit the dark side of the web. But I had CamScanner...
    I had CamScanner as well... the bigger issue about updates is just illustrated by the fact that Android does get fixed but as you point out, the players running Android One and if not are big enough to update themselves. It’s a math problem that we know BB and BBMo already can’t agree upon.
    ppeters914 likes this.
    12-09-19 10:55 AM
  18. Dunt Dunt Dunt's Avatar
    I had CamScanner as well... the bigger issue about updates is just illustrated by the fact that Android does get fixed but as you point out, the players running Android One and if not are big enough to update themselves. It’s a math problem that we know BB and BBMo already can’t agree upon.
    Might be a case where DTEK would have shined? And might still protect BlackBerry user after their phones are no longer updated... or it might not. Really wouldn't know for sure without someone doing the testing...
    ppeters914 likes this.
    12-09-19 11:06 AM
  19. RLeeSimon's Avatar
    This from BlackBerry the security company allowing a gazillion BlackBerry emblazoned devices to go bereft of security... shameful! Supercilious... and stupid... no excuse!!
    12-09-19 04:47 PM
  20. RLeeSimon's Avatar
    While awaiting Titan, what is the list of apps to remove??
    12-09-19 04:52 PM
  21. conite's Avatar
    This from BlackBerry the security company allowing a gazillion BlackBerry emblazoned devices to go bereft of security... shameful! Supercilious... and stupid... no excuse!!
    What do you mean? The KEY² and KEY² LE will get this patch within the next few weeks.

    In the meantime, the Titan will rarely, if ever, see patches.
    12-09-19 05:08 PM
  22. John Albert's Avatar
    Interesting end quote by the author in Forbes article

    “I will finish by quoting the advice given to me by Ian Thornton-Trump, a cyber threat intelligence expert and member of the infosecurity education collective known as The Beer Farmers: "If you can’t update the device due to age or a lack of manufacturer support it’s time for a new device."

    For me, that’s as if EVERY Android device I’ve ever owned has just been added to my box of electronic paperweights...
    What do you mean by the latest update?

    Android 10 or the security patches?
    12-09-19 05:21 PM
  23. Bla1ze's Avatar
    What do you mean by the latest update?

    Android 10 or the security patches?
    Security patches since the flaws are in 8,9,10.
    12-09-19 06:21 PM
  24. John Albert's Avatar
    Security patches since the flaws are in 8,9,10.
    Thank you.
    Do you think Dtek or BlackBerry hardened layer might help in protecting Keyone, Evolve, or the Indian Key2 that didn't get December patch?
    12-09-19 06:25 PM
  25. Bla1ze's Avatar
    Thank you.
    Do you think Dtek or BlackBerry hardened layer might help in protecting Keyone, Evolve, or the Indian Key2 that didn't get December patch?
    DTEK the app - No.
    The BlackBerry Integrity Protection - Maybe.

    It's interesting seeing people say they are removing CamScanner, though, considering CamScanner is embedded into all those devices. Granted, it's not the same install as the Google Play Store but the camera app uses integrated CamScanner builds.
    12-09-19 06:30 PM