Lookout now blocks Dialer exploits

Though the Dialer remote-wipe Android vulnerability from earlier this week has been patched, your phone could still be at risk, warns Lookout Mobile Security. The company has patched its app with a free fix.

Lookout now warns you when you tap a malicious phone number link from your mobile browser.

Android fragmentation affects security patches, too. Instead of waiting to see which devices have been protected against a Dialer app vulnerability discovered earlier this week, Lookout Mobile Security has stepped into the breach with a patch for it today. So far, it's the only known Android security app to block the exploit, but even Lookout's patch requires initial user input.

The vulnerability allowed some Samsung phones to be remotely wiped from the Dialer app, the "phone" part of your smartphone. While Samsung pushed out a patch quickly, it's not clear if other phones have also been patched. In its post announcing the fix, Lookout said that just because Google issued a patch for the default Dialer months ago doesn't mean all devices have it.

Dialer attacks are not particularly useful for earning the bad guys money, which is the driving motivation behind most malware these days, Chris Jones, Lookout's vice president of product, said during a meeting at the Lookout offices overlooking foggy downtown San Francisco this morning. But a remote phone wipe can be highly disruptive for obvious reasons, so shutting down this vulnerability is important.

Lookout wrote in its blog that Dialer attacks can be triggered in two ways: by tapping a malicious phone number link that looks legitimate on a Web site, or by opening a Web site that embeds the malicious phone number link as a resource, such as in an iframe. In the second case the link loads automatically, regardless of whether you tap on it.

The updated version of Lookout will scan telephone links before they open, and warn you if the number is malicious. The first time you click on a tel: link, the updated Lookout app will ask you if you'd like to have the link scanned. This requires user input, but you can set it as the default from the pop-up box that asks you if you want to scan the tel: link.
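As an added illustration (not Lookout's code, and not from the original article), the sketch below finds tel: links in a page and separates the two triggers described above: links that need a tap and links embedded as an auto-loading resource. The function names, the sample page and the rule that anything beyond digits, "+" and separators is suspect are assumptions; the article does not say how Lookout decides a number is malicious.

```python
from html.parser import HTMLParser
from urllib.parse import unquote
import re

# Assumption: an ordinary phone number needs only digits, a leading "+" and
# visual separators; anything else (such as "*" or "#") is flagged for review.
PLAIN_NUMBER = re.compile(r"^\+?[0-9().\-\s]+$")

# Attributes that hold a URL; tags in AUTO_LOAD fetch it without a tap.
URL_ATTRS = {"href", "src", "data"}
AUTO_LOAD = {"iframe", "frame", "embed", "object", "img", "script"}

class TelLinkScanner(HTMLParser):
    """Collect every tel: URI in a page with its trigger type and verdict."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name not in URL_ATTRS or not value:
                continue
            uri = value.strip()
            if not uri.lower().startswith("tel:"):
                continue
            number = unquote(uri[4:])  # decode %2A, %23 and similar escapes
            self.findings.append({
                "tag": tag,
                "trigger": "auto-load" if tag in AUTO_LOAD else "tap",
                "number": number,
                "suspect": not PLAIN_NUMBER.match(number),
            })

def scan_page(html):
    """Return one finding per tel: link found in the HTML text."""
    scanner = TelLinkScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed sample page; "*CODE#" is a non-functional placeholder.
SAMPLE = """
<a href="tel:+1-415-555-0100">Call support</a>
<a href="tel:%2ACODE%23">Call sales</a>
<iframe src="tel:*CODE%23"></iframe>
"""
```

Calling `scan_page(SAMPLE)` returns three findings; an auto-load finding deserves the most attention because it fires without any user action.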

Because the worst-case scenario involving this vulnerability is catastrophic data loss, Lookout has stated that it's important to protect against a Dialer app attack even though there's no known "in-the-wild" attack. The company recommends that people concerned about whether their phone is susceptible go to this Web site from their mobile browser.
