Google’s mobile security team has definitely been busy cleaning house this week. The company has released an Android update that closes two security holes that could pose a major threat if intruders found a way to exploit them. The first was only designed for “research purposes” and would only have been malicious if modified, Google tells Ars Technica, but it wouldn’t have been hard to detect or weaponize.
The other flaw behaved similarly to the well-known Stagefright exploit, letting an attacker send an altered JPEG image through Gmail or Google Talk to hijack your phone. The issue, as SentinelOne researcher Tim Strazzere explains to Threatpost, is that it’s both easy to find and capitalize on this vulnerability.
There’s more. Security company Check Point also revealed that Google Play had been hosting apps containing two forms of malware (CallJam and DressCode). CallJam both steered phones to websites that made bogus ad revenue and, if you granted permission, would call paid phone numbers. DressCode would also visit shady ad sources, but it could also compromise local networks. Google has since removed the offending apps, but the infection rate may have been high when users downloaded the software hundreds of thousands (or in a few cases, millions) of times.