Google Says it Has Fixed Most of CIA’s Alleged Android Exploits

Android and Chrome users with the latest updates shouldn’t be worried about WikiLeaks’ data dump on the CIA, according to Google.

The CIA won’t be able to hack into the latest Android devices, according to Google.

The tech giant said Thursday that the CIA’s alleged exploits and malware detailed in WikiLeaks’ “Vault 7” release are already out of date. WikiLeaks released thousands of documents on Tuesday, accusing the CIA of creating malware and taking advantage of hidden exploits to crack into phones, TVs and cars. CNET is unable to verify whether the documents are real or have been altered.

“As we’ve reviewed the documents, we’re confident that security updates and protections in both Chrome and Android already shield users from many of these alleged vulnerabilities,” Heather Adkins, Google’s director of information security and privacy, said in an emailed statement. “Our analysis is ongoing and we will implement any further necessary protections.”

The listed Android exploits, one-third of which were named after Pokemon creatures, would give hackers remote access to devices, allowing spies to bypass encrypted messages. Different exploit programs work on different versions of Android and Chrome, including Dugtrio affecting Android devices with version 4.0 to 4.1.2, Totodile for devices running KitKat, and EggsMayhem giving remote access to devices on Chrome versions 32 to 39. Android is the OS for mobile devices, while Chrome is the OS for laptops.

The latest Android version is 7.0, while the current Chrome version is 55.0.2883. WikiLeaks’ data dump from the CIA was allegedly from 2013 to 2016.

However, not every Android device has the latest update.

Because manufacturers and carriers can decide if and when certain phones get over-the-air updates for their Android devices, some people are left with older versions that can still be susceptible to the CIA’s exploits.

“For some systems, like Android with many manufacturers, there is no automatic update to the system. That means that only people who are aware of it can fix it,” WikiLeaks founder Julian Assange said Thursday at a press conference streamed on Periscope. “Android is significantly more insecure than iOS, but both of them have significant problems.”

Apple also said its latest iOS version is protected from most of the CIA’s exploits. Eighty percent of its users have upgraded to the latest version, Apple noted.

Other tech giants like Samsung, Microsoft and LG are still looking into their vulnerabilities.

Assange said Thursday he will let companies affected by the exploits look at the CIA’s hacking tools so they can patch their vulnerabilities before they become public. He plans to release the hacking tools to the public once they are disarmed.

Alfred Ng
CNET News