Well, recently my employer's accounting department has been receiving fake invoices that appear to be from real vendors that we have previously done business with. Why would anyone waste their time trying to scam us? Because maybe they will succeed, and that it is worth their time and effort to try. You can't succeed if you don't try, and the scammers know this. Assuming they won't try because it is a waste of time is bad security practice. That is all I am getting at. Maybe this particular vulnerability really is worthless, but I think it's a mistake to make any assumptions that given enough time and effort someone couldn't make use of it. Better for it to be gone entirely, which is now happening only because someone called Google out on it.
Got a tip for us?
Let us know
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.
Android Phones Exposed to Remote Access Vulnerability
- Thread starter MacRumors
- Start date
- Sort by reaction score
If someone can remotely root an android phone, they're way more capable than the combined brain trust of XDA forum. The best those geniuses can do is gain root access on a device they physical access to. They have to unlock the bootloader before attempting to root a phone.
From what you're saying, this vulnerability is a non-issue. I can sleep better at night knowing this.
I feel like at this point you are just trolling me and ignore the very simple and basic logic about the key aspect of this vulnerability. You even refused to write what would somebody absolutely need to do in order to be able to take advantage of this vulnerability.
The way I explained it even my over 90 years old grandfather would be able to understand it, and he doesn't know anything about phones.
No, it like those guys already have access to your bank accounts and can empty them but instead they waste their time with spam emails.
If you want to rob somebody and you obtain unrestricted access to his house, why would you waste your time trying to open a small window from within the house?You are already in, you have the keys for the front door, it doesn't make sense whatsoever.
Last edited:
Of course its a non issue. Remotely compromising an up to date version of Android and being able to do stuff on it that would require a computer, password and ADB comands is something almost impossible, I doubt a person that can do this even exists.
If they do exist, they're probably state-sponsored. And if you're the target of a state-sponsored hacking campaign... you should maybe consider a different line of work.
Even Google has acknowledged the vulnerability and will be addressing it, but you still think it's not worth anyone's time to worry about.
To open a back door so he can come back later and steal more stuff? You have not addressed the back door vulnerability.
Oh, "out of an abundance of precaution" they will remove the app.
Anyway this reply doesn't dismiss in any way shape or form what I wrote so I don't understand its purpose, maybe you don't either.
Last edited:
But he has the keys to the front door already.
And by exploiting the app he gets lower privileges than he already had.
Even for state-sponsored it would be monumentaly difficult to do anything productive with this app.
But more importantly there isn't any known method to exploit this remotely and Android 15 is about to launch and after that Android 16 and so on.
Seems to me, only the threat actors themselves would know that for certain.
Come to think of it, threat actors and their affiliates would also clearly have a vested interest in convincing the rest of us that we're all "perfectly safe" from even state sponsored actors.
Me'thinks, thou doth protest too much, TLuc.
Nope, its just common sense taking in consideration how difficult it is to activate the app on the device you own.
Oh, of course the solution is to ignore facts and truths in favor of conspiracies and fearmongering. Yeah I must be payed by someone.
You won't say whether or not you think it is a good thing that Google is removing the app now that the concern has been raised.
I don't know how to exploit this app, and even if I did I would not broadcast it on the open internet.
I can imagine a scenario where someone with full privileges sets up a brand new phone to activate the already-installed app and then hands the phone off to another user. The other user then changes the passcode so no one else can access the device. But the app is active now and virtually undetectable, and if the config file can be hijacked then potentially the phone could be compromised locally or remotely at some later date and time via the app. I don't know if this is possible but I'm not convinced that it is impossible. So it is better to just get rid of the app entirely and then not worry about it at all.
My initial concern was that Google is only removing it from Pixels. You said it only affected Pixels. Maybe, maybe not. It is possible that the app has been installed by someone on another brand of device, we really don't know.
LoL so you imagine an extremely improbable scenario. This is getting really funny.
Well taking in consideration the fact that iVerify needed Palantir's help to activate the app and exploit it, an average random dude setting up a Google Pixel most likely wouldn't be able to activate it himself(those at 9to5google tried and couldn't). Also even if he does, exploiting it remotely wouldn't be easy, he would additionally have to highjack a HTTP connection. Also, a restart or update can easily deactivate the app again.
I said it's only confirmed to affect the Pixels and this is an undeniable fact.
"we really don't know", the funny thing is how you ignore what we do know just to concentrate on fearmongering.
Last edited:
No, because the only way to change the locks is with a security update, which most likely will close the back door as well.
What's funny is how you speculate whether some average random dude could exploit it. I ain't talking about average random dudes. I'm talking about very sophisticated folks, maybe better than iVerify has access to. But I hope you are right and nothing ever comes of it. Also, you do protest too much about something that you say is inconsequential.
Its quite irrelevant if Google removes the app or not as it's not an attack point but several several magazines are disingenuously reporting about Pixel smartphones being delivered with „secret remote management software“ so they have no choice.
Very important:
Since it's an obsolete app that Verizon isn't using anymore, the stock Pixel OS already removed it in Android 15 which is visible in the Android 15 Beta.
Every month, a bunch of real vulnerabilities are patched for Android on Pixels. A subset of these including all High and Critical severity issues in Android itself get backported to older Android releases for non-Pixels too. iVerify's finding isn't even a Low severity issue.
LoL 🤣 not even a low severity issue. It's lower than low.
Also:
It's a retail demo app and it fetches that configuration when manually setting up the device to be in retail demo mode.
So the phone also has to be put manually in demo mode, it's not enough to have the app activated. And you have to highjack the connection the moment it fetches the confirmation file. Easy-peasy indeed.
Last edited:
So say you. I disagree. And poor Google being bullied into removing the app. So sad.
You have your SF scenarios, I have the facts on my side, I'm good with it.
Also another information, if Pixel phones don't have a Verizon Sim and other Verizon apps need for compatibility with their network, it won't fetch any configuration file even if the app is activated, it won't work.
FYI, my phone is incompatible with Verizon, for example.
It's funny that you think this is Google’s fault.
What are you doing here exactly? Besides spreading fearmongering.
What are you doing here exactly? Besides spreading fearmongering.
Last edited:
I'm just questioning your assumptions. Your "facts" are not wrong but they are incomplete and based on sources that you trust more than others. As I said, I hope you are right but I think it is better for this app to be removed to eliminate any question of doubt. I don't understand why you wouldn't agree that they should just get rid of it since it is no longer being used anyway and is not in the current builds. It seems like you are more interested in protesting the criticism from iVerify and others rather than just agreeing that the app should be gone forever.