12-23-19 05:42 PM
88 123 ...
tools
  1. John Albert's Avatar
    According to the NIST National Vulnerability Database (via Forbes), a maliciously written message could result in a permanent denial of service attack that would brick a phone running Android 8, 8.1, 9, or 10. The December Android security update includes a patch for CVE-2019-2232 which means that if the update has been sent to your phone, install it immediately. But again, the real problem is that only a limited number of devices have it at the moment.

    Earlier this month, information about the "StrandHogg" vulnerability was released by security software developer Promon. Disguised as a legitimate app, this malware put the top 500 Android apps at risk (Promon partner Lookout discovered 36 malicious apps that actually carried the vulnerability) and allowed bad actors (without root access) to listen in on Android users through a phone's microphone, take control of the camera and remotely snap pictures, read and send SMS messages from a handset, make and record phone calls, learn a user's location through GPS access, see photos and files on an Android handset, view contacts, phone logs and more.

    With "StrandHogg," an Android user would click on the icon belonging to a legit app. Instead of the legit app, malware would be displayed asking for certain permissions. Once these permissions were granted by the unsuspecting Android user, the hacker was given the green light to hack away. This vulnerability could unleash a phishing attack allowing the bad actor to obtain important personal data.

    Source:

    https://www.forbes.com/sites/daveywi.../#3bab502f66fe
    https://www.phonearena.com/news/Late...users_id120973

    Are BlackBerry phones affected by this malware?
    12-08-19 12:51 PM
  2. John Albert's Avatar
    Patch level 2019-12-01

    This level affects most third-party handsets – those not made by Google. If the patch level on your phone uses the ‘01’ date beside the month, that means you’re getting the security updates up to and including that date, which is to say all the essential ones.
    Three fixes on this level are listed as critical, but for two of these – CVE-2019-2222 and CVE-2019-2223 – the rating only applies for versions 8.0, 8.1, and 9. On Android 10, that drops to ‘high’. That could be because 10 has extra mitigations or because it uses Project Mainline through which some critical updates are applied more quickly via Google Play.
    12-08-19 01:53 PM
  3. Chuck Finley69's Avatar
    So my XR isn't Android, it’s okay for now but I’m seeing more reasons not to use my KEYones even as WiFi only devices?
    Tsepz_GP likes this.
    12-08-19 03:50 PM
  4. Tsepz_GP's Avatar
    So my XR isn't Android, it’s okay for now but I’m seeing more reasons not to use my KEYones even as WiFi only devices?
    It’s absolutely shocking stuff! I am actually uninstalling CamScanner in my P30 Pro and advising everyone I know who has it installed to also remove it.

    Glad my iPhone XS Max is not affected and is my daily driver.

    This is why Android OEMs should be updating their phones for at least 5 years!
    Last edited by Tsepz_GP; 12-09-19 at 03:44 AM.
    nevilleadaniels likes this.
    12-09-19 03:25 AM
  5. falbo's Avatar
    Another good reason not to auto update the playstore apps.
    elfabio80 likes this.
    12-09-19 03:31 AM
  6. John Albert's Avatar
    Glad I have December security patch on my phone.

    In Keyone or Evolve, could BlackBerry secure layer protect against such vulnerability?
    12-09-19 04:31 AM
  7. babugaru1's Avatar
    What about the users who bought Indian variant of Key 2? These devices stopped receiving the security updates since December, last year. What should we do to avoid risk?

    Classic is magic!
    12-09-19 06:50 AM
  8. Chuck Finley69's Avatar
    What about the users who bought Indian variant of Key 2? These devices stopped receiving the security updates since December, last year. What should we do to avoid risk?

    Classic is magic!
    Complain to BBOptiemus and/or buy a supported device.
    12-09-19 06:58 AM
  9. babugaru1's Avatar
    Complain to BBOptiemus and/or buy a supported device.
    Optiemus have ears but they can't hear anything. But I will still try. What are the symptoms? What are preventive measures? Someone said camscanner is culprit? Is it so?

    Classic is magic!
    12-09-19 07:04 AM
  10. falbo's Avatar
    Are the apps in question downloaded via the playstore or unknown sources. Would using a vpn help if device has not been affected yet ?
    12-09-19 07:17 AM
  11. Chuck Finley69's Avatar
    Optiemus have ears but they can't hear anything. But I will still try. What are the symptoms? What are preventive measures? Someone said camscanner is culprit? Is it so?

    Classic is magic!
    The preventive measure is an updated phone. If BBOptiemus doesn’t update your phone, you need to use Android phone with latest update installed per the article. Using a non-updated phone means you assume the risk.

    I’d suggest reading the lengthy articles regarding ALL the apps that could be infected and the complete situation explained.
    12-09-19 08:15 AM
  12. the_boon's Avatar
    Who needs CamScanner when Adobe Scan does the job just as well if not better and doesn't charge you to not have a watermark lol
    PantherBlitz likes this.
    12-09-19 08:22 AM
  13. Chuck Finley69's Avatar
    Interesting end quote by the author in Forbes article

    “I will finish by quoting the advice given to me by Ian Thornton-Trump, a cyber threat intelligence expert and member of the infosecurity education collective known as The Beer Farmers: "If you can’t update the device due to age or a lack of manufacturer support it’s time for a new device."

    For me, that’s as if EVERY Android device I’ve ever owned has just been added to my box of electronic paperweights...
    12-09-19 08:27 AM
  14. IceCreamPlz's Avatar
    Are the apps in question downloaded via the playstore or unknown sources. Would using a vpn help if device has not been affected yet ?
    VPN is not a magic fix-it/cure all. All vpn does is encrypt data IN TRANSIT. It does nothing to data at rest. VPN primarily guards against the situation where someone is listening to your data going in or out and retracing frames.

    In terms of on board device encryption, granted your device should be encrypted, but that will simply prevent someone from brute-forcing the data from the outside. If I pick up a handset off the sidewalk and it is locked, I will have limited means to access device contents.

    Disk encryption does not help if your device is leaking data through a malicious app. In this case, the app already has access to plaintext device contents. If the primary user has installed an app, and the app is designed to leak data through the internet, even if the device is locked, you're SOL.

    This is the fallacy of all the people running around these forums praying to VPN providers.
    ppeters914, bbfanfan and whatnow00 like this.
    12-09-19 10:37 AM
  15. PantherBlitz's Avatar
    Has anyone found a list of the dropper apps, other than CamScanner?
    12-09-19 10:44 AM
  16. Dunt Dunt Dunt's Avatar
    Interesting end quote by the author in Forbes article

    “I will finish by quoting the advice given to me by Ian Thornton-Trump, a cyber threat intelligence expert and member of the infosecurity education collective known as The Beer Farmers: "If you can’t update the device due to age or a lack of manufacturer support it’s time for a new device."

    For me, that’s as if EVERY Android device I’ve ever owned has just been added to my box of electronic paperweights...
    That's why Apple has reigned in Enterprise....

    Samsung and other large Android OEMs have gotten the hint from Google and their support of the Pixel phones. You buy from OnePlus, Huawei, Nokia, Samsung and a few others, then you should be good.

    It's stuff like this that has me doubting how long a KEY device will be good for once updates end. I've said in the past I might be good for a year past the last update... if you don't install apps from random places or visit the dark side of the web. But I had CamScanner...
    12-09-19 10:50 AM
  17. Chuck Finley69's Avatar
    That's why Apple has reigned in Enterprise....

    Samsung and other large Android OEMs have gotten the hint from Google and their support of the Pixel phones. You buy from OnePlus, Huawei, Nokia, Samsung and a few others, then you should be good.

    It's stuff like this that has me doubting how long a KEY device will be good for once updates end. I've said in the past I might be good for a year past the last update... if you don't install apps from random places or visit the dark side of the web. But I had CamScanner...
    I had CamScanner as well... the bigger issue about updates is just illustrated by the fact that Android does get fixed but as you point out , the players running Android One and if not are big enough to update themselves. It’s a math problem that we know BB and BBMo already can’t agree upon.
    ppeters914 likes this.
    12-09-19 10:55 AM
  18. Dunt Dunt Dunt's Avatar
    I had CamScanner as well... the bigger issue about updates is just illustrated by the fact that Android does get fixed but as you point out , the players running Android One and if not are big enough to update themselves. It’s a math problem that we know BB and BBMo already can’t agree upon.
    Might be a case where DTEK would have shined? And might still protect BlackBerry user after their phones are no longer updated... or it might not. Really wouldn't know for sure without someone doing the testing...
    ppeters914 likes this.
    12-09-19 11:06 AM
  19. RLeeSimon's Avatar
    This from BlackBerry tghe security company allowing a gazillion BlackBerry emblazoned devices to go bereft of security... shameful ! Supercilious... and stupid... no excuse !!
    12-09-19 04:47 PM
  20. RLeeSimon's Avatar
    While awaiting Titan, what is the list of apps to remove ??
    12-09-19 04:52 PM
  21. conite's Avatar
    This from BlackBerry tghe security company allowing a gazillion BlackBerry emblazoned devices to go bereft of security... shameful ! Supercilious... and stupid... no excuse !!
    What do you mean? The KEY² and KEY² LE will get this patch within the next few weeks.

    In the meantime, the Titan will rarely, if ever, see patches.
    12-09-19 05:08 PM
  22. John Albert's Avatar
    Interesting end quote by the author in Forbes article

    “I will finish by quoting the advice given to me by Ian Thornton-Trump, a cyber threat intelligence expert and member of the infosecurity education collective known as The Beer Farmers: "If you can’t update the device due to age or a lack of manufacturer support it’s time for a new device."

    For me, that’s as if EVERY Android device I’ve ever owned has just been added to my box of electronic paperweights...
    What do you mean by the latest update?

    Android 10 or the security patches?
    12-09-19 05:21 PM
  23. Bla1ze's Avatar
    What do you mean by the latest update?

    Android 10 or the security patches?
    Security patches since the flaws are in 8,9,10.
    12-09-19 06:21 PM
  24. John Albert's Avatar
    Security patches since the flaws are in 8,9,10.
    Thank you.
    Do you think Dtek or BlackBerry hardened layer might help in protecting Keyone, Evolve, or the Indian Key2 that didn't get December patch?
    12-09-19 06:25 PM
  25. Bla1ze's Avatar
    Thank you.
    Do you think Dtek or BlackBerry hardened layer might help in protecting Keyone, Evolve, or the Indian Key2 that didn't get December patch?
    DTEK the app - No.
    The BlackBerry Integrity Protection - Maybe.

    It's interesting seeing people say they are removing CamScanner, though, considering CamScanner is embedded into all those devices. Granted, it's not the same install as the Google Play Store but the camera app uses integrated CamScanner builds.
    12-09-19 06:30 PM
88 123 ...

Similar Threads

  1. KEY2 on AT&T minor error in Phone "additional settings"
    By classact in forum BlackBerry KEY2
    Replies: 30
    Last Post: 12-11-19, 09:48 AM
  2. the OTG device can't be used
    By kuje75 in forum BlackBerry KEY2
    Replies: 2
    Last Post: 12-09-19, 08:31 PM
  3. Save 75% on Bitport.io and torrent securely on all your devices
    By CrackBerry News in forum CrackBerry.com News Discussion & Contests
    Replies: 0
    Last Post: 12-08-19, 10:40 AM
  4. will the BlackBerry keyone have any more updates?
    By CrackBerry Question in forum Ask a Question
    Replies: 3
    Last Post: 12-08-19, 09:33 AM
  5. BBAW - apps can't be downloaded
    By bizorkan09V in forum BlackBerry Classic
    Replies: 0
    Last Post: 12-07-19, 01:54 PM
LINK TO POST COPIED TO CLIPBOARD