
Google, Xiaomi, and Huawei affected by zero-day flaw that unlocks root access

411 points | lp001 | 6 years ago | thenextweb.com

228 comments

[+] typical182|6 years ago|reply
To me, the biggest part of this story is:

1. Over two years ago, this was apparently detected automatically by the syzkaller kernel fuzzer, and automatically reported on its public mailing list. [1]

2. Over a year and a half ago, it was apparently fixed in the upstream kernel. [2]

3. It was apparently never merged back to various "stable" kernels, leading to the recent CVE. [3]

So you might read that and think "Ok, probably a rare mistake"...

...but instead:

4. This is apparently a _super_ common sequence of events, with kernel vulnerabilities getting lost in the shuffle, or otherwise not backported to "stable" kernels for a variety of reasons, like the patch no longer cleanly applying.

Dmitry Vyukov (original author of syzkaller fuzzer that found this 2 years ago) gave a very interesting talk on how frequently this happens a couple weeks ago at the Linux Maintainer's Summit, along with some discussion of how to change kernel dev processes to try to dramatically improve things:

slides: https://linuxplumbersconf.org/event/4/contributions/554/atta...

video: https://youtu.be/a2Nv-KJyqPk?t=5239

---

[1] https://twitter.com/dvyukov/status/1180195777680986113

[2] https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux...

[3] https://mobile.twitter.com/grsecurity/status/118005953923380...
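
The following is an added illustration of the backport gap this comment describes; it is not code from the thread, from syzkaller, or from the kernel project. Stable backports conventionally cite the mainline commit they carry with a line of the form "commit <sha> upstream." or "[ Upstream commit <sha> ]", so a defender who maintains a list of mainline security fixes can check a stable branch's `git log` output for those citations and flag fixes that never arrived. The log text, commit ids and fix descriptions below are constructed placeholders (the real binder commit ids are only in the links above), and the script assumes the log was produced with plain `git log` on the stable branch.

```python
import re

# Constructed sample data: a trimmed `git log` dump of an imaginary stable branch.
# Stable backports conventionally cite the mainline commit they carry, either as
# "commit <sha> upstream." or "[ Upstream commit <sha> ]". All hashes are made up.
UP_NET = "1111111111111111111111111111111111111111"
UP_FS = "2222222222222222222222222222222222222222"
UP_BINDER = "3333333333333333333333333333333333333333"   # placeholder for a fix that was never backported
STABLE_NET = "aaaa000000000000000000000000000000000001"
STABLE_FS = "aaaa000000000000000000000000000000000002"

STABLE_LOG = f"""\
commit {STABLE_NET}
Author: Stable Maintainer <stable@example.invalid>
Date:   Tue Jan 1 00:00:00 2019 +0000

    net: example fix for a use-after-free

    commit {UP_NET} upstream.

    Signed-off-by: Stable Maintainer <stable@example.invalid>

commit {STABLE_FS}
Author: Stable Maintainer <stable@example.invalid>
Date:   Wed Jan 2 00:00:00 2019 +0000

    fs: example fix for an out-of-bounds read

    [ Upstream commit {UP_FS} ]
"""

# Mainline security fixes we expect the stable branch to carry (descriptions are constructed).
REQUIRED_FIXES = {
    UP_NET: "net: example fix for a use-after-free",
    UP_FS: "fs: example fix for an out-of-bounds read",
    UP_BINDER: "binder: placeholder for a fix that never reached this branch",
}

# A commit header is a line of exactly "commit <sha>"; indented citations inside a
# message body start with whitespace, so they do not match this anchored pattern.
COMMIT_HEADER = re.compile(r"^commit ([0-9a-f]{7,40})$", re.MULTILINE)
UPSTREAM_REF = re.compile(
    r"commit ([0-9a-f]{7,40}) upstream\.|\[ Upstream commit ([0-9a-f]{7,40}) \]"
)


def parse_stable_log(log_text):
    """Map every mainline sha cited in the log to the stable commit that cites it."""
    refs = {}
    parts = COMMIT_HEADER.split(log_text)   # [preamble, sha1, body1, sha2, body2, ...]
    for stable_sha, body in zip(parts[1::2], parts[2::2]):
        for match in UPSTREAM_REF.finditer(body):
            upstream_sha = match.group(1) or match.group(2)
            refs[upstream_sha.lower()] = stable_sha.lower()
    return refs


def same_commit(a, b, min_len=12):
    """Treat two ids as the same commit when one is a prefix of the other and both are long enough."""
    a, b = a.lower(), b.lower()
    if min(len(a), len(b)) < min_len:
        return False
    return a.startswith(b) or b.startswith(a)


def find_backport(upstream_sha, refs):
    """Return the stable sha that backports upstream_sha, or None if the branch lacks it."""
    for cited, stable_sha in refs.items():
        if same_commit(upstream_sha, cited):
            return stable_sha
    return None


def missing_backports(required, refs):
    """Return the subset of required fixes that have no backport in refs."""
    return {sha: desc for sha, desc in required.items() if find_backport(sha, refs) is None}


if __name__ == "__main__":
    refs = parse_stable_log(STABLE_LOG)
    for sha, desc in REQUIRED_FIXES.items():
        stable = find_backport(sha, refs)
        status = f"backported as {stable[:12]}" if stable else "MISSING"
        print(f"{sha[:12]}  {status:<26} {desc}")
```

Run against a real tree, `git log v4.14..v4.14.y` (or whichever stable branch is shipped on the device) would replace the constructed `STABLE_LOG`, and the `REQUIRED_FIXES` list would be the mainline ids from advisories; the prefix matching in `same_commit` tolerates the abbreviated ids advisories often quote. The check only proves absence of a citation, not absence of the fix: a maintainer who fixes the same bug with a different patch leaves no upstream reference, so a "MISSING" result is a prompt to look at the branch, not a verdict.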

[+] arusahni|6 years ago|reply
After the recent disclosures about Apple vulnerabilities, I've seen a lot of (unwarranted, in my opinion) criticism from HN of Project Zero, specifically the accusation of non-Google bias. For those who hold this position, does this affect your stance?
[+] endorphone|6 years ago|reply
Their release pattern with the Apple fault could effectively be called a PR campaign, including a lot of editorial narrative about bad software development processes, etc.

This one gets a bug tracker entry.

When Project Zero posts a lengthy analysis with lots of spurious claims about the victims of the exploit, the window of exploitation, and narrative about the poor development practices that led to it, then call it even.

If it follows the traditional pattern, they'll write a post blaming some external party. No, seriously, when people point out all of the "Android" faults they've found invariably it is some variation of "but it isn't really Google's fault....".

Project Zero is brilliant, full of brilliant people, and is a remarkable effort, but when your paycheque is signed off by someone, it is human nature that you're really going to pussyfoot with them.

[+] thesausageking|6 years ago|reply
No. I may change my mind but the fact that they haven't written a blog post about it reinforces Project Zero's bias.

A minor Windows exploit is found, and they publish "Windows Exploitation Tricks". An iOS exploit is found and they do a six-part "very deep dive into iOS Exploit chains".

Now, they find a bad Android exploit and they don't publish anything.

[+] whycombagator|6 years ago|reply
I've not seen that criticism myself. But to me what Project Zero is doing re: Apple vulnerabilities is great. I own Apple products and it's only going to improve/harden them.

However, I do think some of the motive is to take a bit of shine off Apple - meaning it's partly a marketing campaign.

[+] kerng|6 years ago|reply
So far this further supports the argument that they are special-casing and going into a lot more detail when it comes to non-Android or Chrome bugs.

Will there be a large analysis of how frequently this was exploited and so forth? How about a public Google blog post around this?

[+] GeekyBear|6 years ago|reply
Wasn't this a case where members of the Project Zero team were individually commenting in a Chromium bug thread and not a Project Zero public facing blog post?

Was there a Project Zero blog post before those comments went public that I missed?

[+] kccqzy|6 years ago|reply
The bug is scarily easy to trigger. It just takes four system calls, none of which are niche or take unusual arguments.

    #include <fcntl.h>                 /* open, O_RDONLY */
    #include <sys/epoll.h>             /* epoll_create, epoll_ctl, EPOLLIN */
    #include <sys/ioctl.h>             /* ioctl */
    #include <linux/android/binder.h>  /* BINDER_THREAD_EXIT */

    int fd, epfd;
    struct epoll_event event = { .events = EPOLLIN };

    fd = open("/dev/binder0", O_RDONLY);
    epfd = epoll_create(1000);
    epoll_ctl(epfd, EPOLL_CTL_ADD, fd, &event);
    ioctl(fd, BINDER_THREAD_EXIT, NULL);
[+] catern|6 years ago|reply
It's interesting that even such basic usage of binder is buggy. It's long been known that binder is horrible code, but I didn't know it was quite this bad.

It's unfortunate that Google chose to use a custom IPC system, binder, for Android, instead of changing Android's design to better fit Linux. If binder was in use outside Android, I expect this bug would have been caught long ago and certainly would have been backported to stable.

[+] jsjohnst|6 years ago|reply
Compare that to the level of sophistication required to do exploits in the recent iOS deep dive blog post and the commentary about “bad programming” in regards to it.
[+] userbinator|6 years ago|reply
This is another great chance to root your phone and take complete control of what you should rightly own.
[+] markmark|6 years ago|reply
In Android land you can buy a phone where the bootloader can be unlocked and directly flash a pre-rooted ROM rather than relying on people exploiting security vulnerabilities like this.
[+] rolltiide|6 years ago|reply
Another great chance to install cryptojacking malware on a huge population of rooted phones
[+] bloudermilk|6 years ago|reply
The macro-level progression of digital security really worries me. Each day the attack surface grows, the number of bad actors grows, the number of internet-connected individuals grows, and the quantity and sensitivity of data per-capita grows.

Is there a well-researched theory that considers a "breaking point" in this pattern? Where we either a) accept that all data is at risk of being exposed or b) develop fundamental security patterns to privatize our data or c) something else?

[+] mehrdadn|6 years ago|reply
> The researchers speculate the bug is being used by NSO, an Israel-based group known to sell tools to authorities to exploit iOS and Android.

> Due to evidence of in the wild exploit, we are now de-restricting this bug 7 days after reporting to Android.

Why is this a good idea?

[+] PeterisP|6 years ago|reply
Because the "bad guys" already know about the vulnerability, so there's no benefit from keeping it secret but a duty to the consumers to inform them as well - especially since the kernel patch already exists.
[+] ehsankia|6 years ago|reply
The general reasoning is that since it's already being exploited, there's more value in warning people so they can decide to not use said affected devices, rather than being in the dark.
[+] mathisonturing|6 years ago|reply
You have to "install an application from an untrusted source, attackers can take advantage of that. Attackers can also take advantage of the bug if they pair it with vulnerabilities in the Chrome browser to render content."

I guess it informs us what not to do at the very least. Given the track record, I'm not very optimistic of the vendors pushing a patch very soon (if ever). This keeps us informed at least.

[+] beojan|6 years ago|reply
Well, Google are themselves the vendor here. Also seems it's fixed and this might encourage manufacturers to push out an update.
[+] Felk|6 years ago|reply
I don't know the reasons behind that policy, but I'd guess with the exploit already being used, there is less incentive to keep silent about the issue. The opposite is true: putting more pressure on the vendors to provide patches, and disclosing any malicious actions that are already underway as soon as possible
[+] ec109685|6 years ago|reply
> It’s advisable that you don’t install apps from non-trustworthy sources, and use an alternate browser such as Firefox or Brave till the issue is fixed. We’ll keep you posted on any updates issued by phone makers.

The recommendation that other browsers are inherently protected doesn't make sense. Any app with an RCE bug could be a vehicle to exploit this Android bug.

[+] cryptozeus|6 years ago|reply
"It's advisable that you don't install apps from non-trustworthy sources"

Unpopular opinion, but this is why I prefer Apple's walled garden for my family over the alternative.

[+] StavrosK|6 years ago|reply
I don't understand people who want to remove choice. Don't want the ability to install apps from untrustworthy sources? Don't enable the option that gives you that ability.
[+] detaro|6 years ago|reply
The actual bug talks about "untrusted app code execution". As in, code in any app, regardless of where it was installed from. So you're relying on review by the walled garden as protection.

And of course, "untrusted sources" is not the same as "all side-loading". I use sources to sideload from that I trust more than the average app developer.

[+] coretx|6 years ago|reply
In case of 0-days, the Google play store is a non-trustworthy source.
[+] tenebrisalietum|6 years ago|reply
It's been a while since I had an Android phone, but don't you have to jump through some hoops to install arbitrary .apks from the Internet, plus understand what downloading and executing a file is (something non-technical people sometimes struggle with)? It's possible on Android but not typically out of the box.
[+] ars|6 years ago|reply
> is why I prefer walled garden apple for my family

You can install Family Link, which blocks that option. It's a good option for parents to keep tabs on their kids - it shows you location, and which apps are installed.

[+] chapium|6 years ago|reply
Apple can have their walled garden of scrutinized apps. Why not allow other gardens? How about my own garden? Why not Theo's garden?
[+] z3t4|6 years ago|reply
Mobile phones, especially Android ones, are very vulnerable as they rarely get updates, if they get updates at all. And these devices are used for second-factor security. And sometimes they are the only thing needed to get access to your entire life.
[+] delibes|6 years ago|reply
> However, if you install an application from an untrusted source, attackers can take advantage of that. Attackers can also take advantage of the bug if they pair it with vulnerabilities in the Chrome browser to render content.

So, you have to sideload an app or from some other source. Is it unreasonable to say don't do that? How common is it anyway? I work with IT folks and only a few ever seem to load outside the Play store. Perhaps in other parts of the world it's more common...?

[+] Arkanosis|6 years ago|reply
I don't get why you're being downvoted, because that's an excellent question: I do that all the time: I'm using F-Droid more often than the Play Store. Actually, I haven't ever used the Play Store on my second smartphone (it requires a Google Account and I don't want to link it to a Google identity) — I've tens of apps on it.
[+] detaro|6 years ago|reply
I believe the article is translating that badly from the bug report. An app installed through the Play Store is also an "untrusted app code execution" - Play deploys some scanning tools on submitted apps during the review, but do you trust them to catch it always? There are also things like Amazon devices with the Amazon app store, ...

Similarly, Chrome is only mentioned because it's notable that it can be effective from inside its isolation if combined with a browser exploit. That likely applies to all browsers, but the article recommends switching browsers.

[+] mehrdadn|6 years ago|reply
There are lots of sites out there that host APKs of apps (older versions, etc.)... I'd wager they have more than a few users.
[+] soulofmischief|6 years ago|reply
Some of us are just trying to remove ourselves from Google's teat because we don't want to be sucking from Apple's teat instead, but it's getting increasingly harder to do so.
[+] klingonopera|6 years ago|reply
I've been using LineageOS on my phones for a couple of years now, recently reinstalled and made the decision to not install the Play Store... and am totally happy with it!

I get most of my stuff from F-Droid and some software vendors provide APKs straight from their websites and whatever is Play Store exclusive, I simply don't use.

It was going really well, at least until recently, when here in Germany they started introducing mandatory apps for online banking, available (of course) only on Play Store or App Store.

I wouldn't even mind everyone's app-obsession if they'd at least always provide a store-free APK as well.

[+] e12e|6 years ago|reply
In addition to "essential" apps, like the early versions of Pokémon Go(?) that bizarrely needed to be sideloaded IIRC, and running your own (unpublished) apps - there are the numerous vendor-provided apps and app stores that avoid the play store gatekeeping. (of course, the vendors should be gatekeepers here..)

Then there's F-Droid, the people that run without Google apps (alternate ROMs).

And then there's "Android TV" that has a "different" Play Store due to the TV profile being different - but allows sideloading of apps like ZeroTier (VPN) or Chrome - that work fine on TVs - but unfortunately aren't flagged as supporting TV in the manifest.

[+] jdnenej|6 years ago|reply
In places without proper internet access it's common for phone stores to host their own F-Droid repos on the local network to set people up with apps.
[+] m-p-3|6 years ago|reply
I use some apps on F-Droid.
[+] app4soft|6 years ago|reply
AWESOME!

Please, give me instructions to root my Xiaomi Ido until they fix it! (updates on my phone have been disabled for a while)

[+] arpa|6 years ago|reply
I see that the Samsung S series is also affected. The thing about the Samsung phones is that you can root them, but that basically breaks the KNOX (secure folder) functionality forever (efuse AFAIR). Couldn't this exploit be used to root the phones while preserving KNOX by not tripping the efuse?
[+] klingonopera|6 years ago|reply
> However, if you install an application from an untrusted source, attackers can take advantage of that.

I'm slightly confused: Do they mean any app or a compromised app?

[+] asdfasgasdgasdg|6 years ago|reply
People, many on this very site, often erroneously claim that P0 does not disclose vulnerabilities in Google's own products. Or they claim that Google gets favorable treatment, like the disclosure only of less severe bugs, or longer disclosure deadlines. Here is a countervailing datapoint.
[+] walrus01|6 years ago|reply
Oppo A3, but not OnePlus 7 pro?
[+] KibbutzDalia|6 years ago|reply
This is why we need the kernel to be re-written in Rust ASAP -- to make these flaws a thing of the past.
[+] OrgNet|6 years ago|reply
This is a feature and not a bug.