The gist is that all you need to do to wipe the security PIN is to delete the app’s stored data via the Settings menu, essentially resetting it to the state it was in when you downloaded it from the Android Market. This is a common Android function and is even recommended sometimes when an app is misbehaving. Wipe the data, re-launch the app, and you (or anyone who has your phone) can access Wallet, associate it with your Google account (without entering a password) and set up a new PIN. Then they can spend the money at any online or retail store that accepts Google Wallet – all without root.

Watch as Hashim demonstrates:

This is a much bigger problem than the previous leak, because anyone with physical access to your phone has the ability to do this quickly and easily. The problem lies with Google Wallet’s authentication system: though funds are added into your account and virtually “kept” by Google, the authentication is linked to a single device, not your account. Compare this with any banking app, which keeps your account password connected to your username. Odds are overwhelming that Google will address this loophole very soon. In the meantime, the best way to stay protected while using Google Wallet is to set up a PIN or lock pattern on your device itself – without the PIN or pattern, a thief would have to completely wipe your phone to access any apps or data.

[via 9to5Google, via AndroidandMe]

Here’s the full text of their reply:

The zvelo study was conducted on their own phone on which they disabled the security mechanisms that protect Google Wallet by rooting the device. To date, there is no known vulnerability that enables someone to take a consumer phone and gain root access while preserving any Wallet information such as the PIN.We strongly encourage people to not install Google Wallet on rooted devices and to always set up a screen lock as an additional layer of security for their phone.

That’s a disappointing answer, but not an unexpected one. When you unlock or root a device, you’re always running at least some kind of risk, to your hardware, your software, and even your personal data. The possibility that 1) your rooted phone would get stolen by 2) someone with the technical knowledge to pull a similar hack off and 3) the knowledge that both your banking information is on the phone and that it’s possible to retrieve it is remote to say the least. Considering the low saturation of NFC payment systems, especially in the US, it would seem that root users just need to do without for now.

This isn’t the first time that Google has essentially ignored the considerable percentage of Android users who root: there’s still no way to legally watch movies or TV shows downloaded from the Android Market on a rooted device. While this is thought to be a measure insisted upon by the various entertainment studios, that doesn’t make the refusal of service any less annoying. Even so, it’s not Google’s responsibility to cover every contingency of every Android modification: If you modify the software on your phone or tablet, you’re responsible for any change in functionality or security. That seems like a reasonable position, if at times frustrating one.

But for the rest of you modders running custom ROMs and kernels, while using Google Wallet take extra precautions to protect yourselves. Apparently, PIN information is saved in the actual phone, and not through the secure NFC chip. And thus Zvelo stated that “this completely negates all of the security of this mobile phone payment system”. I don’t know about you, but hacking the PIN to my Google Wallet account would leave me in utter turmoil.

Preventing this is actually easy, but requires doing nevertheless. By adding a lockscreen security pattern or PIN to your device and disabling USB debugging, the chances of a hacker producing your Google Wallet PIN is slim to none. Though, Google is probably already taking measures to improve current security upon realization – so I’m sure we’ll hear back from them soon.

[via AndroidCentral]

This isn’t all either. Google already has multiple systems in place, from features and sandboxes built in to prevent these types of problems or information theft, to a system where they can quickly pull the ban hammer out and delete malicious apps from the market — even right off your device if severe enough. I’ve never had a malware problem myself, but some claim it is still an issue for Android.

The new Market Bouncer will work in a few ways. For one it will scan every Android Market application on Google’s cloud services and simulate it running on a device. Then check for malware or suspicious activity. And secondly, the new system will scan each app as they are introduced into the Market upon the approval process. So this will watch and protect us from new apps, and current apps that might get updated or introduce malware or suspicious activity.

Google says this will not affect the submission and approval process and works in just a few seconds — as long as your code and application are clean. What about wrongly flagged apps being removed from the market? That won’t happen either as once an application is flagged Google’s team will manually investigate the application to make sure before wrongly pulling an app or game.

I am really liking this forward thinking and positive approach to malware. What do you guys think? Google ends the security post on a good note and had this to say:

No security approach is foolproof, and added scrutiny can often lead to important improvements. Our systems are getting better at detecting and eliminating malware every day, and we continue to invite the community to work with us to keep Android safe.

The flaw affects phones with Sense UI, and seems to go back quite a ways into HTC’s catalog. Users of the Desire HD, Glacier (T-Mobile MyTouch 4G), Droid Incredible, Sensation 4G, ThunderBolt, Desire S, EVO 3D and EVO 4G should be wary, but Nexus one and MyTouch 3G owners needn’t worry. The last two phones run mostly unmodified Android code, and are susceptible to the permissions error in Sense. HTC instructs its customers to check back on its support site in a week for further instructions.

This is the second major security flaw found in Sense in the last few months. Not to beat a dead horse or anything, but doesn’t that indicate that Sense (and by extension most custom UIs) aren’t worth it? Note that those who install a ROM based on open-source Android are fine as far as security goes, yet still have a voided warranty for their trouble. Isn’t it time that HTC starts to let its customers choose whether or not they want Sense on their phone, or at the very least ,release one or two models running Stock Android? Considering that they’ve proven their own additions to Android make it less secure, and that the software differentiation is a non-issue for many users, that would seem like a good idea.

Are you listening, HTC? Stock Android is safer, quicker to update and requires less legwork on your end to maintain. Why aren’t you letting your customers have the choice to remove Sense?

[via The Next Web]

The flaw is a minor one, allowing any application access to stored SSID passwords by using the “android.permission.INTERNET” permission. Affected phones tested by the researchers include the Desire HD, Glacier (T-Mobile MyTouch 4G), Droid Incredible, Sensation 4G, ThunderBolt, Desire S, EVO 3D and EVO 4G. While US-CERT recommends visiting the HTC support website for update instructions, HTC has said nothing as of yet about the security hole. Based on their behavior with the last security alert, you can expect them to update the affected handsets within the next few weeks.

Users shouldn’t panic: there’s been no documented case of apps or malware taking advantage of this loophole as of yet, and it would take some doing for an unscropilous developer to take advantage of it for personal gain. That said, it might be best to delete stored WiFi SSDs until the update and rely on a 3G or 4G connection for data, especially if you access sensative networks at home or at work. US-CERT notes that the Nexus One and T-Mobile MyTouch 3G (HTC Hero), both of which run mostly unmodified Android code, do not suffer from this issue. That means that if you’re running a custom ROM built from Android’s open-source packages, you’re probably safe as well.

[via PhysOrg]

Further laying out exactly what Android.Counterclank does, Symantec notes that the applications are generally undesirable, but not inherently dangerous. Considering Symantec’s poor public image as of late (including malfunctioning desktop programs and compromised code) this episode isn’t doing the company any favors. Advanced users are already wary of alarmist declarations from security vendors, and though the malware threat for Android is growing, many consider it overblown, especially when compared to Windows and other desktop operating systems.

All that being said, the thirteen applications that use Android.Counterclank should be avoided on general principles. The advertising that they employ goes way beyond the run-of-the-mill banner ad. Here’s just a few of the “aggressive” methods the apps in question use to try and get your dollars: setting a shortcut on your home screen, adding bookmarks to your browser app, reassigning the home page of the browser app, and sending unwanted web pages to your phone with a push notification system. We won’t link to the apps themselves, as many of them are still available on the Market, but if you’ve downloaded any of the apps on the original list, you’ll want to uninstall them immediately. Considering the rather crass nature and poor quality of the apps, you’ll probably want to do so anyway.

[via ComputerWorld]

According to Lookout, the Apperhand package is the common code running in al l13 offending apps. Once executed it places a search icon on the Android home screen which links exclusively to partner ad websites. Lookout disagrees with Symantec’s assessment that the relevant apps qualify as “malware”, though they do say that most Android users wouldn’t want the ads running on their phone or tablet. Syamntec is sticking with its classification. The ad network identifies individual phones via IMEI number, pushes ads to the phone (as if they were SMS or email messages) and drops bookmarks into users’ browser apps, but Lookout still does not consider this “malicious” activity.

What we have here is a battle of interpretation. Symantec classifies the apps as malware based both on their observed activities and their capabilities – namely, the possibility that the apps can send personal information through an otherwise necessary Internet connection. Lookout disagrees, asserting that Symantec’s original claims were overblown. While Symantec’s post is certainly self-serving, it doesn’t appear deceitful – they outline the capabilities of the Android.Counterclank API and why users should be worried. However, since not all of the 13 apps originally identified by Symantec have been removed form the Android Market by Google, users can assume that whatever objectionable content is to be found in their code does not constitute “malware” by Google’s definition.

[via eWeek]

The Android.Counterclank malware is technically a trojan: it can receive remote commands and send back personal information. It’s a serious risk for anyone who has it installed on their hardware. Exact download numbers aren’t known, but looking briefly at some of the estimated downloads in the web version of the Android Market, Symantec could very well be correct. This is the largest documented security breach for Android so far, and it doesn’t help that the apps are still available for download.

If you’ve downloaded any of the apps listed below, remove them immediately.You should also change any passwords you have stored on your Android device and check any vital accounts for illicit access.

• Counter Elite Force
• Counter Strike Ground Force
• CounterStrike Hit Enemy
• Heart Live Wallpaper
• Hit Counter Terrorist
• Stripper Touch girl
• Balloon Game
• Deal & Be Millionaire
• Wild Man
• Pretty women lingerie puzzle
• Sexy Girls Photo Game
• Sexy Girls Puzzle
• Sexy Women Puzzle

Calling this a huge problem is putting things mildly. Some of these apps have been available for months. As great a tool as the relatively open Android Market is, the continual discovery of spyware and malware in widely available apps is a black eye on the Market and Android as a whole. We await Google’s reesponse to Symantec’s findings with interest.

[via AndroidGuys]

Tech-savvy customers were understandably upset – according to a proof of concept site, any website with the right settings could harvest a significant amount of personal phone numbers without breaking any law, or even going to too much technical trouble. The blunder comes at a sensitive time for mobile carriers, as the privacy faux pas of Carrier IQ and its extreme data logging is still fresh in the minds of the public. Though there’s still no word from O2′s corporate arm, they did tweet a UK security researcher saying that the phone numbers embedded into the HTML code were designed to indicate that the browser was coming from a mobile device. There are many other ways of achieving this determination from a website owner’s perspective.

When questioned about the issue, the United Kingdom Information Commissioner’s Office said that the events did not constitute an official data breach, according to Paid Content. A phone number alone isn’t personal enough to meet the state’s requirements. Even so, a representative said that the organization would be speaking with O2 on the matter, since most people do not expect their cell phone number to be exposed simply by visiting a website.

UPDATE: O2 has shed some light on the issue in an official post on their blog. According to the published information, routine maintenance on the network caused a minor change that exposed some users’ phone numbers for approximately two weeks. the carrier apologized for the error and offered up a Q&A for concerned customers.

[via SlashGear]

To build SE Android, you’ll need to download and compile the latest code from the Android Open Source Project, then applying the custom SE Android code on top of it. So what do the extra bells and whistles do? Basically every single file and folder that Android has access to can be locked down tight, with considerable encryption and put in place to protect them. Network security is enhanced on both WiFi and mobile networks, and the already considerable app permission system is enhanced with multi-level security.

Currently SE Android is only intended for emulators and the Nexus S, and son’t expect much support if you intend to expand its horizons. The project wiki assumes that you’re already familiar and comfortable with building Android from source, and know your way around Linux/Unix-based systems. Tin foil hats are sold separately.

[via H-Online]

The app’s distribution method is particularly sinister: once installed, it sends out SMS links to every number in the user’s contact list, directing them to a forum. Surprisingly, it isn’t instructing users to download more copies of itself, instead displaying a tribute to Tunisian protest martyr Mohamed Bouazizi. That makes the Trojan app more like “hacktivism” than true malware, but it’s still performing actions on the user’s phone without his or her permission, and potentially racking up considerable texting charges.

The app must be downloaded from the Internet and installed via Android’s 3rd-party app function, like almost all Android malware to date. The original compass app, which can still be found in the Android Market, is unaffiliated and (as far as we know) safe. While more and more anti-virus and anti-malware products are being made available to Android users, the best way to protect yourself is still to use extreme caution when installing third-party applications. Copied or pirated apps have proven to be some of the most dangerous – don’t copy that floppy, kiddos.

[via ITP.net]

In all fairness, it would be nigh impossible to replicate a game as complex as The Old Republic on Android, even with the recent advancements in hardware. And there’s a real need for security in online games, where dedicated players spend hundreds of hours and a not inconsiderable amount of real cash on their role playing characters. The Star Wars: The Old Republic Mobile Security Key helps keep that investment safe, in an online environment where gaming identity theft is all too common. Blizzard, maker of World of Warcraft, uses a similar authentication app for its Battle.net service.

The app is basically just a second level of authentication for The Old Republic, allowing security-conscious players to require a login on both their computer and Android device. Once it’s properly set up, you’ve got a two-stage verification system that would be tough to crack without a would-be hacker physically taking your phone or tablet. It’s a useful addition to a game that’s likely to sell millions of copies and hook players for months, if not years. Still, I would have liked to have seen a lightsaber training app, or an inventory manager or something… please, BioWare?

[via DroidGamers]

We can do it to hundreds of thousands of phones in a short timeframe. None of the networks protects users very well. Mobile network is by far the weakest part of the mobile ecosystem, even when compared to a lot attacked Android or iOS devices.

This is quite disappointing. Though many of us choose to have a tier of texting or data – nearly 100% of us have some sort of voice plan incorporated. In case you don’t know which carriers use GSM networking technology, they include AT&T, T-Mobile, the select states with Cellular One, and many others: Yes this means you guys on Big Red and The Now Network are in the clear!

To make matters worse, compromised phones would be completely under the hacker’s control. Text messages or phone calls can be carried out easily and at any time. And until GSM carriers patch the security vulnerability, subscribers are all at risk. Fortunately, it will only take some updating of outdated software. There is no timeframe advertised to the public, but I’m sure it will be first on their “To-Do” lists (if not done already). We should all thank Mr. Nohl and those at the conference for discovering this vulnerability and restoring security to the airwaves.

[via Phandroid]

Thomas Cannon demonstrates the vulnerability in a screencasted video, working with a Gingerbread SDK emulator. The app that he’s created  installs with absolutely no enabled permissions – it’s about as threatening as a wallpaper, according to Android’s permissions system. The app allows him to take control of the shell via a a remote (virtual) connection. The app displays as “A Game” and requires no security or root access. Cannon says that the exploit he’s using is not new and has been known by security researchers for some time – I’m not knowledgeable enough to confirm or deny this. Cannon says that he’s tested the process on Android versions 1.5 all the way through Ice Cream Sandwich. The app tunnels into the Android web browser to leverage its permissions for web and other access.  Other security issues that he found were unencrypted files from the Email app stored on the SD card.

ViaForensics recently exposed vulnerabilities in Google’s Wallet NFC payment system as well. Cannon is a researcher, not a hacker. The application that he’s using is a test APK created to prove the vulnerability. Even so, the demonstration is worrying – if an advanced developer can manage the trick, an intermediate one should be able to figure it out eventually. Cannon didn’t articulate the particular system he’s using to take over the Android web browser, but presumably the engineers at Google can find it and plug the hole. As always, check your permissions (even if they might not tell you the whole story) and only install APK files from sources that you trust.

ViaForensics reports that the Google Wallet app doesn’t store the entire credit card number, but it stores data on purchases, the last four digits of the credit card number, and transaction history on the phone. The company thinks that malware would be able to get to the data store on the phone. Google responded by saying that viaForensics used a rooted smartphone in its testing and that the app is secure.

However, we have seen malware in the past that could bypass Android security; the malware was called Droid Dream. ViaForensics says that the data stored on the phone also offers details on card balances and payment due dates. The company says that the data it stores should not be stored unencrypted on the handset.

[via SlashGear]

When XDA member Trevor Eckhart published a scathing expose on everything that the software does, including the possible recording and transmitting of location, call data, web history, contacts, used apps and even keystrokes, the Android community was justifiably upset. When Carrier IQ threatened to sue him for exposing theses security and privacy violations, they were, not to put too fine a point on it, pissed. Carrier IQ withdrew their threats almost immediately and placated the public by saying that the software doesn’t record keystrokes or other personal information. That appears to have been a bald-faced lie, or at the very least, an uninformed PR response. Mr. Eckhart has now proven his findings ob video.

You can see an extensive breakdown of the logging process in the YouTube video:

The software is installed on a number of HTC, Samsung, Nokia and RIM (BlackBerry) phones. I’ll point out that the logging and data collection being done certainly doesn’t have any ill intent – it’s designed to let carriers identify and fix problems with their networks. But that doesn’t excuse the massive amount of private information that’s being collected and stored who knows where.

Android Community is attempting to contact the four major carriers in the U.S. to who is using Carrier IQ and on which phones. So far only Verizon Wireless has responded, saying emphatically that they do not use Carrier IQ’s software in any way. we’ll update you with the other responses as soon as they come in.

Managing a workforce that increasingly relies on mobile hardware isn’t easy when there’s dozens of different configurations to customize. But as long as employees stick to a late model BlackBerry, Android Froyo or Gingerbread or iOS 4+, their security and access can be managed remotely. Spotty version support is going to cause a few problems in the coming months – Honeycomb isn’t really a factor for corporate networks, but Ice Cream Sandwich may well be by mid 2012.

RIM has a while to iron out the kinks. The beta program won’t begin until January, with a wider public beta available in March, so there’s almost four months to widen support and squash some bugs. I suppose your local megalithic corp’s accounts department can use the time to shore up funds for those $200 PlayBooks – just get the marketing department to justify it.

[via SlashGear]

“As part of our fast-growing engineering team, [Marlinspike and Anderson] will be bringing their technology and security expertise to Twitter’s products and services,” Twitter wrote in an announcement on its corporate blog. “We’re happy to have Moxie Marlinspike and Stuart Anderson onboard.” The duo will gradually shut down their satellite projects, but RedPhone will be shuttered immediately – an unfortunate circumstance, as many Middle Eastern countries are still in the throes of citizen revolt. Whisper System notes that RedPhone will live on in “some form”, perhaps precipitating an open-source release.

But what could Twitter want with Whisper? Well, the primary Twitter service itself isn’t that secure. It’s possible that the company just wants to beef up its own security after years of high-profile hacks and celebrity identity theft. Plus, Twitter’s already investing in the Android ecosystem. Twitter has purchased TweetDeck, makers of popular Twitter clients across all platforms, including and Android app that technically competes with the official version of Twitter. We’ll me watching misters Marlinspike and Anderson with interest.

While it’s great that the company has ceased its heavy-handed bullying of a well-intentioned community member, their retraction leaves a lot to be desired. Carrier IQ said that the software does not:

• Does not record your keystrokes.
• Does not provide tracking tools.
• Does not inspect or report on the content of your communications, such as the content of emails and SMSs.
• Does not provide real-time data reporting to any customer.
• Finally, we do not sell Carrier IQ data to third parties.

It’s true that the software may not be reporting any of this information to carriers or other parties, but the simple fact that has been revealed by Trevor Eckhart’s research is that it has the capability to do so. That still represents a huge violation of the privacy of end-users on the part of Carrier IQ, and any manufacturer (like HTC, Samsung, Nokia and RIM) or carrier (Verizon and others) who uses it. It would be the digital equivalent of your cell phone provider mandating as a condition of service that you keep your home’s doors unlocked, while promising never to actually go in.

There’s likely to be a lot of independent research that goes into Carrier IQ’s capabilities very soon, and how to identify and stop it. TrevE has already found some rudimentary ways to disable the software on some phones. We’ll be on the lookout for a permanent and wide-reaching solution, or even better, an opt-out program from carriers and/or manufacturers.

[via Android Central]