Android fragmentation affects security patches, too. Instead of waiting to see which devices have been protected against a Dialer app vulnerability discovered earlier this week, Lookout Mobile Security has stepped into the breach with a patch for it today. So far, it's the only known Android security app to block the exploit, but even Lookout's patch requires initial user input.
The vulnerability allowed some Samsung phones to be remotely wiped from the Dialer app, the "phone" part of your smartphone. While Samsung pushed out a patch quickly, it's not clear if other phones have also been patched. In its post announcing the fix, Lookout said that just because Google issued a patch for the default Dialer months ago doesn't mean all devices have it.
Dialer attacks are not particularly useful for earning the bad guys money, which is the driving motivation behind most malware these days, Chris Jones, Lookout's vice president of product, said during a meeting at the Lookout offices overlooking foggy downtown San Francisco this morning. But a remote phone wipe can be highly disruptive for obvious reasons, so shutting down this vulnerability is important.
Lookout wrote in its blog that Dialer attacks can be triggered in two ways: by tapping a malicious phone number link that looks legitimate on a Web site, or by opening a Web site that embeds the malicious phone number link as a resource, such as in an iFrame. The second method causes the link to load automatically, whether or not you tap it.
The updated version of Lookout will scan telephone links before they open and warn you if the number is malicious. The first time you tap a tel: link, the updated Lookout app asks whether you'd like the link scanned. That first prompt requires user input, but the same pop-up lets you make scanning the default for all tel: links.
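To illustrate the two trigger paths and the kind of pre-dial check described above, here is an added example (not Lookout's code and not from the original article) that scans a page's HTML for tel: targets in both tappable links and auto-loading iframes. It assumes a simple, illustrative policy: anything that is not a plain dialable number is flagged for user confirmation before the Dialer app opens it.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote

# Policy (assumption for this example): a plain dialable number is an optional
# leading '+', then digits with ordinary separators. Anything else is flagged so
# the user is asked before the Dialer app receives it.
DIALABLE = re.compile(r"^\+?[0-9][0-9 .()-]*$")


class TelLinkScanner(HTMLParser):
    """Collects tel: targets from <a href> (needs a tap) and <iframe src> (auto-loads)."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        href = (attrs.get("href") or "").strip()
        src = (attrs.get("src") or "").strip()
        if tag == "a" and href.lower().startswith("tel:"):
            self._record(href, auto=False)
        elif tag == "iframe" and src.lower().startswith("tel:"):
            self._record(src, auto=True)

    def _record(self, uri, auto):
        number = unquote(uri[4:]).strip()      # undo %-encoding used to disguise the target
        self.findings.append({
            "number": number,
            "auto_load": auto,                  # True: fires on page load, no tap needed
            "suspicious": not bool(DIALABLE.match(number)),
        })


def scan_html(html):
    """Return one finding per tel: target found in the page."""
    scanner = TelLinkScanner()
    scanner.feed(html)
    return scanner.findings


# Constructed sample page (not a real site): an ordinary link, a percent-encoded
# non-dialable link, and a hidden iframe that loads a tel: URI automatically.
SAMPLE = """
<a href="tel:+1-415-555-0100">Call support</a>
<a href="tel:%2A%23demo%23">Free minutes!</a>
<iframe src="tel:*demo#" width="0" height="0"></iframe>
"""

if __name__ == "__main__":
    for finding in scan_html(SAMPLE):
        print(finding)
```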
Because the worst-case scenario involving this vulnerability is catastrophic data loss, Lookout has stated that it's important to protect against a Dialer app attack even though there's no known "in-the-wild" attack. The company recommends that people concerned about whether their phone is susceptible go to this Web site from their mobile browser.