BadKernel Vulnerability Affects One In 16 Android Smartphones

An anonymous reader writes from a report via Softpedia: A security bug in Google's V8 JavaScript engine is indirectly affecting around one in 16 Android devices, impacting smartphone models from all major vendors, such as LG, Samsung, Motorola, and Huawei. Despite this bug being public for more than a year, only in August 2016 have Chinese security researchers discovered that the V8 issue also affected a whole range of Android-related products where the older V8 engine versions had been deployed. Affected products included Google Chrome Mobile, Opera Mobile, apps that use the WebView component (Gmail, Facebook, Twitter, WeChat, etc.) and apps that deploy the Tencent X5.SDK (a bunch of Chinese apps). It is estimated that around one in 16 Android devices is vulnerable to this issue, nicknamed BadKernel. The flaw leads to a RCE on Android devices, allowing attackers to take full control over one's smartphone. Despite BadKernel being discovered in August 2016, because all research was only published in Chinese, most E.U. and U.S. users have no clue they might be affected. One of the best ways to protect yourself, as noted in the report, is to keep your apps and operating system updated. You can view this list via Trustlook's website to see if your device is affected. There's also a dedicated BadKernel security scanner you can download from the Play Store to check for the vulnerability.

Well

[Ol Olsoc]

At least they have a headphone jack, so no problem.

Re:

[Ol Olsoc]

Indeed, it's good to have a headphone jack. It performs its function universally well. Though some people might use Bluetooth earbuds, still having the jack means more choice and convenience for consumers all around. Despite the occasional discovery of software vulnerabilities, which exist on every platform including iOS, Android manufacturers aren't Apple and thus aren't driven by an unholy quest to fuck over and throw their customers into a bottomless pit of proprietary hell just to raise profits a bit higher.

Actually the 3.5 mm headphone jack is a failure prone device, designed years ago, and shows it. I've replaced dozens of them, and thrown away a lot more that couldn't be replaced. It's a true piece of shit that should have been replaced years ago with a substantial and professional connector.

And having both Android and iOS and OSX devices, I gotta tell ya, your Apple fucking people over meme is lacking in truth.

Headphone jack only failure in seven years

[drnb]

I have never had a headphone jack fail. Nor do I know anyone who has.

I have. I am not claiming the following failure is common. I'm merely debunking the notion that the headphone jack is immune from problems. My personal experience is that it is the one and only thing that has failed for me in seven years.

I've occasionally dropped my phone, maybe once or twice a year over the last seven years. I only suffered damage once about five years ago. The headphone jack would no longer correctly detect when the earbuds were plugged in. Occasionally there would be a false positive

Re:

[Ol Olsoc]

I'm merely debunking the notion that the headphone jack is immune from problems.

No one was making that claim. He simply said he hasn't had a problem with a headphone jack or know anyone who has, implying that the problem is quite rare, which it is.

Yeah, rare as Windows 10 updates breaking things. I can't produce the proof of all of those I've replaced over the years because I never knew I'd have to justify it to cowards, but the 3.5 mm adapter is a cheap little thing, and prone to failure. Just because you haven't had one, or that all the guys in your DnD club haven't does not mean a thing. Its like a 1/4 inch plug and jack, but more prone because it is smaller, and cannot have the contacts supply enough pressure to be reliable. On my professional audio equipment, its all XLR and 1/4 inch, and there's a reason the 3.5 mm isn't there - it isn't very reliable. Jacks are a major failure mode on everything they are on, and the smaller, the worse. Don't believe me? Don't care. do your own research.

Re:

[macs4all]

Hi Tim!

I think you have a more modern version of the old PEBKAC problem.

I have never had a headphone jack fail. Nor do I know anyone who has.

I gotta tell ya, obvious astroturfing shill is obvious.

And you obviously are the entire headphone-using population.

Re:

[Ol Olsoc]

And you obviously are the entire headphone-using population.

No, he isn't, but he certainly represents the majority. This claim that headphone jacks are terribly unreliable came straight out of the Apple Users Cult, not from your boy Phil Schiller. Those of us outside the reality distortion field know the sole reason for removing the headphone jack was to promote the use of Apple's proprietary, licensed, and costly accessories. A fact that YOU, STILL, CAN'T, ACKNOWLEDGE.

I mush have a time machine, because I knew that the 3.5 mm jacks were unreliable long before the iphone was a gleam in Steve Jobs' urinal. Professionals stay away form them when they can because of that. And quit yelling.

Re:

[macs4all]

No, he isn't, but he certainly represents the majority. This claim that headphone jacks are terribly unreliable came straight out of the Apple Users Cult, not from your boy Phil Schiller.

Anybody who HASN'T had to do the "Spinna-Spinna, Jiggle-Jiggle, Remove-Reinsert, Remove-Wipe-Reinsert" dance with a 3.5 mm jack/plug combo in an (usually unsuccessful) attempt to cure intermittent channel-cutout, should count themselves extremely lucky. In fact, 1/4" "guitar" plugs and jacks have the same problem. It's just the nature of the beast. Has been that way for DECADES. There was just wasn't anything better. And in fact, only time will tell if the Lightning an USB-C connectors fare any better in th

Re:

[Ol Olsoc]

Hi Tim!

I think you have a more modern version of the old PEBKAC problem.

I have never had a headphone jack fail. Nor do I know anyone who has.

I gotta tell ya, obvious astroturfing shill is obvious.

And you obviously are the entire headphone-using population.

Yeah, and highly useful comments Coward makes. This is like the one person in a room who brags about how he's never had a Windows 10 update break anything - always perfect! While a hundred other people have.

In the end , it means nothing.

So we're gonna have a sitdown folks. Here's the issue. Contact points. When using a tubular jack, where connections are made along the length of the Jack and connector, the contact is made by a spring metal strip, pressing against the part of the tube that correspon

Re:

[macs4all]

Even the 1/4 inch plugs used in professionalequipment are a common failure point, it can only get worse as the size decreases.

As a former professional musician and sound engineer, how well I know!

What used to amuse me, is all the guitarists that would purchase expensive cables with "MIL-Spec" 1/4" plugs on them. Too bad those "military-grade" plugs were made of corrosion-prone BRASS, and had a "bulbous" tip-end that reamed-out the "non-MIL-Spec" Jacks even more, making the whole thing even MORE intermittent. And as a bonus, the layer of corrosion on the brass sometimes formed a kind of semiconductor junction, turning your guitar

Re:

[Jesus_666]

It's not that 3.5 mm jacks are perfect and impossible to beat. They just happen to be good enough for most people, usually only becoming unreliable after the device has reached the end of its useful life. In terms of reliability I'd put them about on par with Micro-USB jacks; those can also easily experience forces they weren't designed to handle and will then become unreliable. I don't know how much force Lightning jacks can take.

The main beef many people have is that Apple removed the 3.5 mm jack withou

Re:

[Ol Olsoc]

The main beef many people have is that Apple removed the 3.5 mm jack without supplying an adequate alternative. All options Apple has offered are problematic in some way:

Which iPhone do you have?

Re:

[Jesus_666]

Not me but a close friend. He has a 6s, which will be replaced with another 6s if it dies because the 7 is not appealing to him. The lack of a headphone jack is one of the more important factors there.

I'm mainly interested because a) other manufacturers might decide to follow Motorola's example now that Apple did and b) I'd like my headphones to remain compatible between all of my devices, including ones too old to support Bluetooth.

Re:

[Ol Olsoc]

False. The headphone jack is not prone to failure.

A part that isn't prone to failure? they are all prone to it, and the 3.5 mm is worse than many. Good day sir, and thanks for the laugh.

Ahhh yes

[wbr1]

A slashvertisment for a 'security' app that ostensibly tests for a vulnerability, whilst simultaneously asking for every permission my phone has. No thanks. And have a mode finger while you're here.

Re:

[Anonymous Coward]

Indeed, and on their site "Trustlook" (never heard of them) claim that "AV-Test" gives them the OK.
Funny, on the "AV-test" site, they're not even in the list of (about 25) tested products...

https://www.av-test.org/en/antivirus/mobile-devices/
 

Best ways, huh?

[Bob the Super Hamste]

One of the best ways to protect yourself, as noted in the report, is to keep your apps and operating system updated.

So how many of the devices listed are basically unsupported since initial sale and will never be update?.

I really wonder if things like this should be treated as manufacturing defects and since carriers and phone vendors don't seem to want to support these devices people should start bringing them back and getting them replaced for free as they are obviously defective.

I don't know warranty law but maybe someone one could chime in who has some idea as it would seem that if these issues aren't fixed then the customer is due a replacement or refund because their device does have a manufacturing or design defect.

Re:

[Aaden42]

The devices were never warrantied as being secure. They're sold as telephones. As long as they still make calls, they're not defective. There's no way you'll get phone makers or cell carriers to make good on these without a law telling them they have to. And you can rest assured they'd pass the cost of any such law directly on to consumers.

Buyers need to vote with their wallets. You're not just buying a dumb telephone. You're buying an always-on, always-connected computer that you're going to store so

Re:

[Gr8Apes]

You're not just buying a dumb telephone. You're buying an always-on, always-connected computer that you're going to store some of the most private things about your life on.

This part I disagree with with - I am just buying a dumb phone, SMS messenger and web browser. Really. That's all anyone really needs, despite the plethora of apps all about, claiming to make life easier. Now the mail app makes things easier with local storage, as does the chat app of choice. As for storing the most private things about your life, why? Why would you essentially leave the keys to your life on a very portable and easily lost or stolen device?

I agree with much of what you say otherwise.

Re:

[Aaden42]

Primarily because it's the most secured device I can buy as a consumer. It's also the one that's with me at all times. My phone is my exocortex. The part of my brain that actually works right, more often than not. If there's an arbitrary detail of modern life than has no value to me other than when engaging in certain bureaucratic ablutions, you can bet my phone remembers it better than I do.

And sure I could LIVE without the other stuff my phone does. My heart would keep beating, and I'd keep breathing

Re:

[Gr8Apes]

Truth be told - a paper list is faster and generally more convenient than a phone list, unless you can type it in on a computer and send it to you phone (in which case it's a simple consuming device) I still hold that "the most private things about your life" being on your phone is truly an odd thing to say, believe, or do.

Re:

[Aaden42]

I find paper lists far more cumbersome. They get lost or left at home. They can't be edited easily. My handwriting is dreadful. Can't write while moving or doing other things, etc. Siri can take a note no matter what I'm doing. The note is available on my phone, tablet, laptop, and two desktops near enough to instantly. I can delete it when done or revise it if necessary. I can share lists with family members, and we can all check off things as we do them or add more as we think of them. None of tho

Re:

[Gr8Apes]

Siri can take a note no matter what I'm doing. The note is available on my phone, tablet, laptop, and two desktops near enough to instantly.

...The security of the data on it is very important to me.

You use Siri and iCloud. I'd say security is secondary to you at most, and that's being very loose with the term 'security'. You were correct to drop "privacy" from your statement entirely, because you've given that up entirely.

Re:

[steveg]

Personally, I'm buying a portable computer that fits in my pocket. That I can use it for phone calls or SMS is mildly convenient, but not ultimately vital.

As far as "most private things" go, there is some of that (but not a ton) and that's mostly encrypted. At least as far as what *I* put on there. What the phone gathers about me is a whole other thing.

Re:

[Gr8Apes]

So if the phone part is so not vital, why not just remove the cellular portion of the phone (ie, yank the sim)? Wait, it IS important that you can effectively call/message and access the web.

Re:

[steveg]

Access the *Internet*. That's part of what being a computer is. I didn't say being connected wasn't vital, I said being a phone wasn't vital.

I added the "is connected" criterion to my definition of "useful computer" somewhere around 1989. Even though "uses telephone technology" is part of what makes that work, the "is a phone" part isn't all that important.

I'm not saying that I don't use the phone as a phone. But it's not why I have it. If I had to choose between a portable phone without computer funct

New phones shipping with older versions of Android

[drnb]

If I were to purchase a Maytag dryer from Sears and know the warranty is good for one year.

New phones are shipping with older versions of Android. "New" as in unused, not as in a recent design.

I can get a new prepaid Samsung Galaxy S5 running Android 4.4 KitKat at Walmart for $150. It will not receive any updates to a newer version of Android. Some Android phones are vulnerable and have no upgrade path when they are new in the box, its not merely a problem of old used phones no longer being supported.

Re:

[GTRacer]

An S5? Not an ON5? I *just* went phone shopping and settled on a refurbed S5 for $120 shipped. All the Galaxy phones I saw in stores and online at that price were ON5s. I'd have gladly bought from WalMart at $150!

Sorry, S4 was $150, S5 was $300

[drnb]

My bad, that was a Galaxy S4 at $150, 4.2 Jellybean and not upgradable. Their S5 was $300, 4.4 KitKat and not upgradable.

I apologize for the confusion.

Re:

[GTRacer]

Thanks for the clarification! So far, our refurbed S5s are working OK... *knocks on wood*

Re:

[macs4all]

I can't update my apps. Right now I have about 10 apps that need updating but each one of them wants a whole bunch more permissions. It is getting stupid - I don't think a weather app needs access to my identity or my contact list. Why can't we get a decent OS and proper applications for these powerful smart-phones? I would pay money for that.

Buy an iPhone, and gain control over your Apps. Seriously, that shit just doesn't happen on iOS.

My Nextbit Robin isn't on the list

[the_humeister]

I guess my phone is safe.

Re:

[mlw4428]

Yes, nothing says security like sending your data up to a third party's cloud.

Sigh.

[ledow]

"Install this piece of random software to see if you're safe from this vulnerability that affects a ton of devices."

Yeah, right. It's precisely that mentality that causes more problems in the first place.

The list is just about worthless

[coolmoe2]

My phone and tablet were both listed so I installed the app and ran the check and neither one was vulnerable to this bug. I don't think the list they have includes vendor OTA updates so its more less based on the software the devices had when they were stock. So my take away is don't put too much faith in that list by itself. You are better to do the check and then remove the app.

Re:The list is just about worthless

[Nemyst]

I don't know about you, but I don't think I'd trust the results of a security app made by a company I've never heard of before.

Re:

[Anonymous Coward]

https://bugs.chromium.org/p/chromium/issues/detail?id=604033

useable to root myself?

[Herve5]

Could this bug be used, not to do devilish things, but to help me rooting my devices in a simple way, so that afterwards I could at least install the firewalls I already have on my old Fairphone*?
(*) that came pre-rooted by default, contrary to the new ones

Re:

[GTRacer]

I have a Note 3 running CM11 because reasons. But the newest I can get is 12 and I can't be arsed to go through the hours of reinstalling my apps (even with Titanium it takes a while because...). I use XPrivacy to control permissions so hopefully anything that tries to own me through an app-based vector alerts me. If it's Chrome into the OS itself, well, I guess I'm buggered.

BadKernel Research Source Data

[clarkd]

I work for Trustlook, so I am somewhat familiar with the company. :^) Trustlook is a venture-funded Silicon Valley startup specializing in Android security. The company has an Android app in the Play store with over 18M users, plus a RESTful cloud SDK to enable virus scan capability in any Android app. We also have an analytic tool that allows you to peek inside any Android app (skyeye.trustlook.com). Finally, at the end of 2016, we will become the default security engine of every new phone for a top 3