Pwn2Own Chrome gets no takers; Android security gets taken

Trojanized security update undercuts Google's whole security approach


Kind of a good news/bad news day for Google and Android fans.

First, the extra $10,000 in prize money Google put up for anyone who could crack Chrome at the annual Pwn2Own contest yesterday stayed right where it was -- stuck between the seat cushions in Larry Page's private plane.

No one cracked it, but the news isn't as good as it sounds. Of the two teams that signed up to have a go at Chrome, one didn't show up and the other decided to focus on a BlackBerry vulnerability it particularly liked for a later cracking event.

Safari and Internet Explorer, on the other hand, went down to their first challengers.

The Pwn2Own contest isn't a hacker melee, like most of the contests at conferences like Black Hat.

Rather than replicating the Internet by sic'ing everyone on the same target at once, Pwn2Own requires teams to sign up ahead of time and "freezes" the code to be cracked two weeks ahead of time so vendors can't slip in patches at the last second to foil impending pwnership.

HP's TippingPoint security unit sponsors the contest and puts up $10,000 prizes for each successful Pwner; Google added an additional $10K as incentive.

 

Maybe it should do the same for Android, which has been getting hammered by malware and crackers lately.

 

If you want to tell a really good lie, start with the truth and change it a little to do what you want.

That, at least, was the approach taken by malware authors who put out what may be the cleverest Android malware attack so far -- one that appears to come from Google to make Android more secure.

It's a faked version of a real anti-malware release from Google called the "Android Market Security Tool" that is designed to fix changes caused by the Android.Rootcager virus.

According to Symantec, which discovered it on an unregulated Chinese software site, the "trojanized" version of the tool uses the same name as the original, installs itself, and sends SMS messages to a command-and-control server at this address: hxxp://www.youlubg.com:81/Coop/request3.php
