VULNERABILITY Posts on XDA

Google Camera and Samsung Camera apps exposed camera and video intents to third-party apps

When compared to iOS, Android provides applications a lot of ways to interact with each other, enabling developers to build some of the more common Android features we have come to expect and love. This is made possible thanks to Android's Intent system, which allows any app to send any intent it wants, and allows...

Google now pays more for disclosing vulnerabilities in Chrome, Chrome OS, and some Play Store apps

One of the hardest aspects of maintaining a cross-platform product is ensuring its security. Vulnerabilities can be exploited on various platforms in various scenarios, and it's almost impossible for literally any company's security department to fix all of them on their own. That's why companies often use vulnerability disclosure rewards programs, which basically means giving...

Huawei opens a Vulnerability Reward Program with a max payout of ~$143,000

Mobile security is important for a number of reasons, not least because most of our personal lives now reside on our smartphones. From photographs to social media, anybody with malicious access to your device could, in theory, cause a number of problems in your life. That's why it's important to make sure you have the...

Fortnite Installer could be abused to silently install apps on Galaxy phones

The launch of Fortnite Mobile on Android hasn't been too great, especially since many of the supported devices really struggle to play the game with acceptable frame rates. The game launched as a Samsung Galaxy exclusive for only 3 days. The Fortnite Installer was first available on Samsung Galaxy Apps before Epic Games allowed non-Samsung...

Google acquires GraphicsFuzz, a firm which specializes in testing GPU reliability

Google has acquired GraphicsFuzz to improve GPU reliability within the Android ecosystem. GraphicsFuzz is a firm that specializes in testing GPU reliability by creating graphics driver testing technologies that can be used to find bugs in graphics drivers. The firm then discloses these bugs to GPU vendors, OEMs, or any other involved parties and works...

Many Android email apps and PayPal are vulnerable to recipient spoofing

A couple of months ago, we covered a story about a Google Inbox spoofing design flaw found by Eli Grey. It would allow people to send mailto links that spoof the recipient of the email. This could be used to trick people into sending emails to a different address than the one shown. The...

OxygenOS 5.1.7 update for the OnePlus 6 fixes bootloader vulnerability

Following a slew of updates for the OnePlus 6 since its launch, OxygenOS 5.1.7 is the first to offer strictly bug fixes and security enhancements. The first big fix for this update pertains to the bootloader vulnerability uncovered by a security researcher last week. It has been patched with an updated bootloader, so users are...

[Update: Fix] Bootloader Protection Bypass Discovered on OnePlus 6 (requires physical access)

The OnePlus 6 was made official in the middle of last month. The device has only recently started to make its way into the hands of consumers and developers on our forums, and already we're hearing about the work that's being done. An official build of TWRP is already available and work is progressing nicely...

LastPass Authenticator Update Fixes a Serious Security Vulnerability

LastPass is one of the most popular password managers on Android, and for good reason: It's incredibly secure. But the same couldn't be said of LastPass Authenticator, its companion application, which made headlines when a security researcher discovered a serious vulnerability in its code. Luckily, it was patched this week. LastPass Authenticator offers 2FA on LastPass...

Janus Vulnerability Allows Attackers to Modify Apps without Affecting their Signatures

Android is installed on a huge number of devices, and that makes it a target for malicious attackers. Vulnerabilities in Google's mobile operating system continue to be discovered every month, but the good news is that Google is usually diligent about fixing them in regular security patches which are then offered to OEMs, who...

New Android Vulnerability Tricks Users Into Recording Their Screen

Android is on billions of devices worldwide, and new vulnerabilities are discovered every day. Now, an exploit discovered by MWR InfoSecurity details how applications in Android versions between 5.0 and 7.1 can trick users into recording screen contents without their knowledge. It involves Android's MediaProjection framework, which launched with 5.0 Lollipop and gave developers the ability to capture...

Cloak And Dagger Exploit uses Overlays and Accessibility Services to Hijack the System

What we at XDA once envisioned as a proof-of-concept security vulnerability has now been confirmed by computer scientists at the Georgia Institute of Technology in Atlanta. The team details what they call "cloak and dagger" exploits which can take over the UI of most versions of Android (including 7.1.2). Given its nature, it...