Full Disclosure mailing list archives
Re: Google's Android: remote install backdoor in Google Play Services
From: "Enrico Weigelt, metux IT consult" <lkml () metux net>
Date: Mon, 12 Oct 2020 14:51:40 +0200
On 14.07.20 19:19, Michael Lazin wrote: Hello folks,
Could you please provide more detail.
In short, Google's playstore receives notifications from Google and installs any app that Google wants to be installed - without any further notification or even interaction of the user. Google silently controls your device as soon you enter an google account. Actually, it's not a bug, but a on-purpose backdoor. I've published it here, in order to let everybody know. Futher actions have to be done by the enforcement agencies.
I am not seeing how this is an attack. The Debian apt system which predates the play store seems to work under the same principle.
No, apt only acts on explicit operator commands. There is no way for Debian folks to *push* anything at will out onto individual machines. And you can also configure which repos are used. Google's Appstore (and Playservices) is in no way comparable.
The debian security team pushes updates which not only install software with patches but the dependencies as well.
Absolutely not, they don't push anyting onto user's machines. They just upload new versions. It's up to the user to run upgrades, if he decides to. And the user can configure which repos to use / trust.
The vulnerability you appear to be speaking about seems to be a fundamental way the concept of an app store works,
Yes, this vulnerability is on-purpose. Therefore I call it a backdoor. No way for the user to do anything about it - execept for flashing a google-free OS. Legally, this is a criminal act.
it must include a method of pushing patches as new exploits are published.
No, it does not need to. Pushing here means Google decides what's going to installed when on the device - user has no control over that, and even doesn't get informed. And it's not just for patches, but also for deploying completely new software. --mtx -- --- Hinweis: unverschlüsselte E-Mails können leicht abgehört und manipuliert werden ! Für eine vertrauliche Kommunikation senden Sie bitte ihren GPG/PGP-Schlüssel zu. --- Enrico Weigelt, metux IT consult Free software and Linux embedded engineering info () metux net -- +49-151-27565287 _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Current thread:
- Re: Google's Android: remote install backdoor in Google Play Services Enrico Weigelt, metux IT consult (Oct 16)
- Re: Google's Android: remote install backdoor in Google Play Services Adrian Sanabria (Oct 20)
- Re: Google's Android: remote install backdoor in Google Play Services Pedro Cunha (Oct 20)
- Re: Google's Android: remote install backdoor in Google Play Services Michael Lazin (Oct 20)