Thursday, January 18, 2018

Tag: LG G4

“Weaker than expected premium smartphone sales” put a damper on LG's earnings.
Suit: LG replaced phones with faulty ones—didn’t replace out-of-warranty devices.
Hardware vuln strikes 18 of 27 tested mobes

Security researchers have demonstrated how to gain root privileges from a normal Android app without relying on any software bug. The unprivileged application is able to gain full administrative permissions by exploiting the Rowhammer vulnerability present in modern RAM chips.

Essentially, malicious code can change the content of memory it should never be able to access. This means rogue mobile applications can abuse this hardware flaw to commandeer people's handhelds. The effect is pure physics and yet exploitable through software: RAM is assembled in rows of cells, and it is possible to flip bits in a row by repeatedly accessing the cells in an adjacent row.

By continuously accessing cells, software can trigger voltage fluctuations in the RAM chips' control electronics.

This causes cells in rows adjacent to the one being accessed to discharge faster than normal, meaning they lose the information they were holding. This can be exploited to alter bits in RAM one by one, and manipulate crucial operating system data to gain root privileges. With admin access, the software can completely hijack the device, install malware and spyware, and so on. Most – but not all – Android smartphones are potentially vulnerable to this attack, we're told. A team from Vrije Universiteit, Amsterdam and other academics have documented how this Rowhammer effect, previously demonstrated on Microsoft Edge and public clouds, also affects Android smartphones as well as PCs and servers. The group have developed and released Drammer, which exploits Rowhammer to take control of a mobile device by tampering with its physical memory, proving the attack technique is practical rather than a lab-only exercise.

Drammer has no special permissions – it is a normal unprivileged app – and yet is able to gain root-level access to the device. The researchers explain: The Rowhammer vulnerability allows attackers to change data in memory without accessing it directly, by reading from another memory region exhaustively (hence hammering).

To date, it was assumed that mobile, ARM-based devices would be too slow to trigger these so-called bit flips, limiting Rowhammer attacks to stationary PCs and servers.

This work squashes that common belief and shows how attackers can exploit the hardware bug in a fully deterministic and reliable manner. Drammer – developed in collaboration with the University of California at Santa Barbara and Graz University of Technology in Austria – uses Flip Feng Shui to achieve reliable Rowhammer exploitation. Not every phone is vulnerable to the Rowhammer bug.

The researchers performed bit flips in 18 out of 27 tested phones, including some (former) flagship models like Google's Nexus 5 or the LG G4. Google told El Reg that it had worked out a software fix designed to mitigate against attacks, which will become available in November.

A spokesperson told us: After researchers reported this issue to our Vulnerability Rewards Program, we worked closely with them to deeply understand it in order to better secure our users. We’ve developed a mitigation which we will include in our upcoming November security bulletin.

The team that developed the attack warned that Google can only go so far toward resolving what boils down to a hardware problem. “Google scrambled to try and fix the problem, but they cannot really do it as the problem is in hardware,” Herbert Bos, professor of systems security at Vrije Universiteit Amsterdam and supervisor of the research, told El Reg. “Also, since the Android market is so fragmented, this patch will probably never reach most of the phones.”

More details of the research are due to be unveiled on Wednesday, October 26, at the Conference on Computer and Communications Security (CCS), a security conference in Vienna, Austria, by Victor van der Veen, lead author of the paper.
We need to outpace malware-flingers, securo folk warn

Motorola pushes out Android updates faster than any other manufacturer bar Google Nexus manufacturers, according to a new study. Mobile app metrics firm Apteligent examined device data for Samsung, LG, Sony, HTC, Motorola, and ZTE to determine which manufacturer pushes out OS updates the soonest.
It compared the time it took to upgrade from Android 5.x Lollipop to Android 6.0 Marshmallow for each manufacturer. Nexus devices were excluded from the study since they always receive the latest Android updates on the day they are released. Android 6.0 Marshmallow was first released October 5, 2015. Updates arrived in two clusters: those that pushed out the update three months after the release and those that waited longer – a little over five months, according to Apteligent. Motorola tried the update first on a smaller set of devices, such as the Moto X Pure Edition / Moto X Style, for about two months and then rolled it out more widely. LG took the same approach starting with the LG G4 for about a month, while HTC basically just pushed the release out to all compatible devices from the beginning.

Both Samsung and Sony waited over five months before releasing the update to compatible devices. ZTE has released the Android M update to only a small handful of devices starting with the Axon line of devices February 2016. One of the most common complaints about consumer Android devices is how long it takes to get the latest Android OS update.
Slow updates mean that consumers are behind the curve on enjoying new features and performance improvements and, more importantly, pose a severe security risk. Apteligent's study - which also covers app crash rates - can be found here [PDF].
Qualcomm and Google claim to have patched all but one of the four vulnerabilities.

Android owners, beware: Security flaws found in Qualcomm processors serving Google's mobile operating system could put your devices at risk. Researchers at security firm Check Point recently discovered the vulnerabilities, which may affect as many as 900 million devices. During last week's Def Con security conference in Las Vegas, Check Point's Adam Donenfeld revealed four new privilege escalation exploits—together dubbed "Quadrooter"—which can be used to remotely gain root access to Android handsets. An attacker simply needs to trick a user into installing a malicious app, and the cyberthief gains unfettered access to saved data. The attacker can also change or remove system-level files; delete or add apps; and access the device's screen, camera, or microphone, the security firm said.

Since the vulnerable drivers are pre-installed, they can only be fixed via a patch from distributors or carriers. Those companies, meanwhile, can only push the repair after receiving new driver packs from Qualcomm. Qualcomm claims to have already fixed all four flaws, and Google said it patched three in an August update; the final debugging will come with the company's next security update, Android Headlines said. Neither Qualcomm nor Google immediately responded to PCMag's request for comment. Concerned Android owners can download Check Point's free QuadRooter Scanner app, which, as its name suggests, scans your phone to see if the necessary patches have been downloaded and installed.
Even the most secure devices are at risk, according to Check Point, which provided the following list of affected smartphones: BlackBerry Priv; Blackphone, Blackphone 2; Google Nexus 5X, Nexus 6, Nexus 6P; HTC One, HTC M9, HTC 10; LG G4, LG G5, LG V10; New Moto X by Motorola; OnePlus One, OnePlus 2, OnePlus 3; Samsung Galaxy S7, Galaxy S7 Edge; Sony Xperia Z Ultra.

Qualcomm just last month unveiled its latest mobile processor, the Snapdragon 821, boasting 10 percent better performance than the 820; the latter just recently began showing up in gadgets like the Galaxy S7 and HTC 10.
John Palmer

Four major security holes in the Qualcomm chips which power modern Android devices have left as many as 900 million users vulnerable to a range of attacks. According to Israel-based security firm Check Point, the flaws—dubbed "Quadrooter"—found in the firmware which governs the chips, could allow potential attackers to "trigger privilege escalations for the purpose of gaining root access to a device" using malware which wouldn't require special permissions, allowing it to pass under suspicious users' radars. Qualcomm makes chips for the majority of the world's phones, holding a 65 percent share of the market.

Most of the major recent Android devices are expected to be affected by the flaw, including: BlackBerry Priv; Blackphone 1 and Blackphone 2; Google Nexus 5X, Nexus 6, and Nexus 6P; HTC One, HTC M9, and HTC 10; LG G4, LG G5, and LG V10; New Moto X by Motorola; OnePlus One, OnePlus 2, and OnePlus 3; Samsung Galaxy S7 and Samsung S7 Edge; Sony Xperia Z Ultra.

Three of the four holes have already been patched, with a solution for the fourth on the way. However, most users are at the mercy of their handset manufacturers if they want these patches applied. Owners of Google's Nexus devices have already had patches pushed to their phones, but other manufacturers have historically been less interested in patching flaws found in their devices after release.

According to Check Point—which revealed its findings over the weekend at the Defcon security conference in Las Vegas—the "vulnerabilities can give attackers complete control of devices and unrestricted access to sensitive personal and enterprise data on them." Since the vulnerable drivers are pre-installed on devices at the point of manufacture, they can only be fixed by installing a patch from the distributor or carrier. Distributors and carriers issuing patches can only do so after receiving fixed driver packs from Qualcomm.
This situation highlights the inherent risks in the Android security model. Critical security updates must pass through the entire supply chain before they can be made available to end users. Once available, the end users must then be sure to install these updates to protect their devices and data. Ars sought comment from Qualcomm, but it was yet to respond with an official statement at time of publication. This post originated on Ars Technica UK