Security bug in Cordova allows a single URL click to tamper Android Apps

Security flaw in the Apache Cordova developer framework could allow for malicious injections into Android apps.

A serious security glitch has been found inside the device APIs used to develop Android applications.

Developed by The Apache Software Foundation, Apache Cordova is a set of device APIs that mobile app developers use to access native device functions, such as the accelerometer and camera, from JavaScript.

The APIs provide a JavaScript library for invoking these functions. Used with Cordova, mobile apps can be built using web technologies such as CSS, HTML and JavaScript. The framework is compatible with the Windows Phone, Android, iOS, Blackberry, Bada, Palm WebOS, and Symbian platforms.

Cordova acknowledged in a security bulletin posted this week that a “major” security issue has been found in the API platform.

Identified by the TrendMicro Mobile Threat Research Team (TRT), the vulnerability allows attackers to modify the behavior of Android apps through nothing more than a click on a URL. The impact of the modifications can range from causing annoyance for app users to crashing the apps completely.

The cause is that Android apps built using the Cordova framework often do not set explicit values in config.xml, which in turn creates an opportunity for threat actors to set the undefined secondary configuration variables. According to the foundation, this can result in “unwanted dialogs appearing in applications and changes in the application behavior that can include the app force-closing.”

Labelled CVE-2015-1835, the vulnerability does require particular conditions to be fully exploited. At least one of the app’s components must extend Cordova’s root activity, CordovaActivity, or the Cordova framework must have been altered so that it is not properly protected. Further, at least one of Cordova’s supported preferences, other than ErrorUrl and LogLevel, must not be defined in the configuration file config.xml. TRT says:

“We believe this vulnerability is highly exploitable because the conditions that need to be met for a successful exploit are common developer practices. Most Cordova-based apps do extend the “CordovaActivity” and very few explicitly define all preferences in their configuration.

Moreover, all of Cordova-based apps built from the Cordova Command-Line Interface (CLI) automatically meet the exploit prerequisites mentioned earlier, thus all of them are vulnerable.”

TRT explained: “Our research has revealed that if the base activity is not properly secured and the preferences are set to default, an attacker may be able to alter these preferences and modify the appearance and behavior of the app itself.” As a result of the flaw, an app’s appearance could be changed; popups, advertisements and splash screens could be injected into its interface; its basic functionality could be interfered with; or the app could be forced to crash.

The security team highlighted that the majority of Cordova-based apps, which account for 5.6 percent of all apps in Google Play, are open to exploitation.

To fix these security issues, Cordova is releasing version 4.0.2 of the API set. It also advises that all Android applications built using Cordova 4.0.x or higher be upgraded to use version 4.0.2 of Cordova Android. Mobile app developers who are using older versions of Cordova can instead upgrade to 3.7.2 to fix the same security issue. Other platforms are believed not to be affected by the vulnerability.
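
A defender-side check for the config.xml precondition and the fixed releases described above, as an added example that is not from the article, Apache or Trend Micro: it lists supported preferences that a config.xml leaves undefined and tests a cordova-android version against 4.0.2 and 3.7.2. The `SUPPORTED` list is an assumed subset of preference names from the Cordova documentation, the function names are hypothetical, and the sample config.xml is constructed; the CordovaActivity condition is not checked here.

```python
import xml.etree.ElementTree as ET

# Fixed cordova-android releases named in the article.
FIXED_4X, FIXED_3X = (4, 0, 2), (3, 7, 2)
# Preferences the article excludes from the precondition.
EXEMPT = {"errorurl", "loglevel"}
# Assumption: a subset of cordova-android preference names from the Cordova
# config.xml documentation; replace with the full list for your version.
SUPPORTED = ["Fullscreen", "BackgroundColor", "Orientation", "KeepRunning",
             "LoadUrlTimeoutValue", "SplashScreen", "SplashScreenDelay",
             "LoadingDialog", "ErrorUrl", "LogLevel"]

def undefined_preferences(config_xml, supported=SUPPORTED):
    """Return supported preferences that config.xml never sets explicitly."""
    defined = set()
    for el in ET.fromstring(config_xml).iter():
        # Strip the XML namespace: config.xml uses the W3C widgets namespace.
        if el.tag.rsplit("}", 1)[-1] == "preference" and el.get("name"):
            # Names are compared case-insensitively, as cordova-android does.
            defined.add(el.get("name").strip().lower())
    return [p for p in supported
            if p.lower() not in defined and p.lower() not in EXEMPT]

def is_patched(version):
    """True if a plain x.y.z cordova-android version has the CVE-2015-1835 fix."""
    v = tuple(int(x) for x in version.split(".")[:3])
    v += (0,) * (3 - len(v))
    return v >= FIXED_4X if v >= (4, 0, 0) else v >= FIXED_3X

def audit(config_xml, platform_version):
    """Combine both checks; covers only the config.xml and version conditions."""
    missing = undefined_preferences(config_xml)
    patched = is_patched(platform_version)
    return {"patched": patched,
            "undefined_preferences": missing,
            "config_precondition_met": bool(missing) and not patched}

# Constructed sample config.xml, not taken from a real app.
SAMPLE = """<widget id="com.example.demo" version="1.0.0" xmlns="http://www.w3.org/ns/widgets">
  <content src="index.html" />
  <preference name="fullscreen" value="false" />
  <preference name="Orientation" value="portrait" />
</widget>"""

if __name__ == "__main__":
    print(audit(SAMPLE, "4.0.1"))
```

Setting every reported preference explicitly in config.xml removes the precondition even before the platform upgrade is rolled out.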

OnePlus Two is officially known as OnePlus 2; to be released in September 2015

OnePlus 2, not ‘Two’, is the official name of the new device from OnePlus

There is bad news for OnePlus 2 fans: it turns out that the OnePlus 2 wasn’t unveiled yesterday after all. Given the hype surrounding the next iteration from OnePlus, fans were disappointed; however, here is a bit of good news. According to the company’s co-founder Carl Pei, the company’s next flagship phone, the OnePlus 2, will be launched some time in Q3 this year.

Last week OnePlus got its fans very excited when it sent out a teaser which made it seem as if the company was going to unveil the OnePlus 2 on June 1st. Official word has now come in from OnePlus co-founder Carl Pei, who has confirmed that the OnePlus 2 will actually be unveiled in Q3, 2015 and that the announcement lined up for today is actually for something else.

Speculation was rife this week that the OnePlus 2 was going to be revealed today, after the company posted the image on its Google+ page, teasing “Find out more June 1.”

Nearly everyone was assuming that it was referring to the OnePlus One sequel, but company co-founder Carl Pei has confirmed that the successor would not launch until later in the year.

We have seen OnePlus work the hype machine like no other company, and the teaser just might have been another attempt on its part to get some headlines in last week’s news cycle.

The teaser that OnePlus sent out last week showed a OnePlus One being partially erased and readied to be drawn again by a pencil placed close by. The teaser could easily trick someone into thinking that the announcement was going to be about a new version of the phone.

However, now we know that this is not the case. OnePlus 2 is not going to arrive before Q3, 2015 and this has been made official by co-founder Carl Pei himself.

Speaking with AusDroid, Pei said the handset will be released in “Q3 2015”. That means that we could see it arrive from July 1 to September 30 – your guess is as good as ours.

Pei failed to divulge any other details of the gadget, apart from its official name. It’s confirmed that the new handset will be known as the OnePlus 2, not the OnePlus Two.

Apparently, the OnePlus 2 is also going to use the same invite system as its existing handsets, but there’ll be a lot more invites to go around. OnePlus is “a lot more confident” this time, Pei said.

So what’s in store for today’s event? Well, reports suggest the firm will launch cheaper versions of OnePlus One models, with both the 16GB and 32GB handsets being reduced by $50.

Both the 64GB Sandstone Black model and the 16GB Silk White model. The new prices will reportedly be $298 (Rs.19000.00) and $248 (Rs.16000.00) respectively.

Stay tuned with us for more news on the OnePlus 2, we’re bound to hear more about it in the coming months.

ASUS announces ZenPad tablets with Android Lollipop and Intel circuitry

ASUS brought in a big bag of gadgets to present at Computex 2015 in Taipei, and the latest composites of circuitry, metal, glass, and black magic to emerge from it are named the ZenPad 8 & ZenPad S 8. As made apparent by their names, it is a duo of tablets that we’re talking about, and the slates are made special by the fact that they are the first to carry the Zen brand. Oh, and they also have some interesting Intel hardware inside!

The ZenPad 8 Z380, which is the cheaper of the two, is powered by a quad-core Intel Atom x3-C3230RK Silvermont chipset clocked to 1.2GHz. The chip is actually designed by Chinese silicon slinger Rockchip using licensed Intel architecture, and is built by TSMC on a 28nm process. That makes it a collaboration between three companies, which is kind of a rare treat. Still, the chip is situated at the entry-level performance segment, and the integrated ARM Mali 450MP4 GPU won’t give it much of a processing jump beyond that barrier.

Offbeat SoC and a gig or two of RAM aside, the Z380 brings along an 8-inch 1280×800 resolution IPS LCD display, and up to 16GB of expandable flash storage. There’s a pair of 2MP and 5MP cameras handling photos and videos. The tablet sizes up at 8.22 x 4.84 x 0.33in (209 x 123 x 8.5mm) and ships with Android 5.0 Lollipop, fashioned with ASUS Zen UI.

The ZenPad S 8 Z580CA is a beefier tablet that packs a quad-core Moorefield Z3580 2.3 GHz processing punch, along with a PowerVR G6430 GPU and 4GB of LPDDR3 RAM. It too has an 8-inch LCD display, but at a much higher 2048×1536 resolution. Weighing in at 10.5oz (299g), the tab measures a slimmer 8 x 5.3 x 0.26in (203.2 x 134.5 x 6.68mm). It too has a pair of cameras, 5MP on the front and 8MP on the back, with the operating system also being Android 5.0 Lollipop.

A distinct difference, however, is the availability of LTE connection with phone functionality in the cheaper Z380, while the more powerful model is a Wi-Fi only device. The Z580CA also features the new USB Type C port, while its little brother employs a standard microUSB connector. USB-C could let users connect the tablet to an external display, or use it to charge another device.

To complement the tablet launches, ASUS unveiled a special audio cover for the Z380 that enables 5.1 surround sound facilitated by the tablet’s built-in DTS codec. There’s also a power case, protective cases, and a 1024 pressure level stylus that works on both ZenPad tablets.

ASUS hasn’t spoken of the slates’ product availability, but given the ZenFone 2’s aggressive pricing scheme, we won’t be surprised if the low-end tablet eventually arrives at a sub-$200 price point, while its amped-up sibling commands a $100 or so premium.

How To Hack Android Phones With Androrat

In this tutorial we are going to show you how to hack Android phones with Androrat. In our tutorials we only EVER hack our own systems as a proof of concept and never engage in any black hat activity.

Step1: Create an account on

Step2: Create a host on and enter Hostname and click Add Host

Step3: Now do port forwarding on your network. Port forwarding settings differ on each modem, so google your modem and find out how to do port forwarding

Step4: Download Androrat Binder and enter the Hostname and Port. Name the file and click Go. If you want to inject this file with another .apk file then go to Build + Bind tab name apk title and browse the location of the .apk and click Go.

Step5: Now download DUC (Dynamic DNS Update Client for Windows) and install

Step6: Open DUC and enter the host details which you have created in 

Step7: Download and run Androrat Project. Open Server tab on top and enter the port which you use on

Step8: Now run the .apk which is created by Androrat Binder on a Android Mobile.


Mother of All RAMs: World’s Fastest 128GB DDR4 RAM Kits Are Here


Two years ago when I bought my current PC, I thought 8GB RAM was enough, and today 8GB or 16GB of RAM in PCs is a common sight. But what about a whopping 128GB of RAM? Sounds insane? Now companies like Kingston and Corsair have made 128GB RAM kits a reality.

Earlier this week, Kingston claimed that it is set to roll out the highest performing memory kit for computers. This is a part of Kingston’s HyperX lineup and is DDR4 type. Kingston called it the world’s fastest DDR4 128GB RAM kit, and it runs at 3000MHz. It includes eight 16GB modules, and the timings on them are 16-16-16-36.

HyperX, a division of Kingston Inc. and a leader in memory products, will be releasing a high-end system featuring these modules during Computex Taipei.

The processor used in the test system was an Intel Core i7 5820K. Right now, Kingston hasn’t said much about the availability and pricing of these 128GB RAM kits.

In similar news, Corsair released 128GB DDR4 memory kits a couple of days before. The technology company has three 128GB kits: one in the Vengeance LPX line and two Dominator Platinum sets. These are now available for purchase and are designed for Intel X99 series motherboards.

These first available kits run at 2400MHz, and faster kits will be coming soon. These memory kits come with a lifetime warranty.

Take a look at the specifications and price below:

Vengeance LPX 128 GB 8 x 16 GB modules 2400 MHz 14-16-16-31, 1.2 V $1754.99
Dominator Platinum 128 GB 8 x 16 GB modules 2400 MHz 14-16-16-31, 1.2 V $1979.99
Dominator Platinum 128 GB 8 x 16 GB modules 2666 MHz 15-17-17-35, 1.2 V $2119.99

Congratulations Apple, Galaxy S6 Sales Are Disastrous


This week is passing with some interesting Android news. Earlier, it was revealed that Google will be bringing native fingerprint support to its upcoming iteration of Android OS, i.e. Android M, and another big piece of news comes from the biggest Android smartphone manufacturer, Samsung.

Even though there are no official numbers, the reported numbers for the first month of sales are nowhere near what Samsung expected.

The expected numbers are near about ten million and it isn’t just bad, it’s devastating, it’s disastrous, it’s deadly for the South Korean smartphone manufacturer. The Korean news agency Yonhap reports that it has taken about a month for the Galaxy S6 and S6 Edge sales to touch 10 million figure. A high-ranking tried to sugarcoat the fact by saying that the Galaxy S6 sales have already surpassed that number.

Forbes further explains that Galaxy S4 touched the magic number in 27 days while the critically failed Galaxy S5 took 25 days to sell 10 million units.

Adding to Samsung’s misery, these numbers are the combined numbers of both Galaxy S6 versions. The hype created after the launch of these phones at this year’s Mobile World Congress hasn’t exactly converted into sales. It should be noted that the demand for the Galaxy’s Edge version is unexpectedly high in comparison to the other version.

As Forbes notes, if demand for the Galaxy S6 Edge makes up a large share of the miserable overall sales, the question that needs to be answered is: how bad are the Galaxy S6 individual sales?

You Can Finally Post GIFs on Facebook

Prepare the cats

It’s been a long time coming, but Facebook has finally granted users the power to communicate in GIFs on the social network.

The company has quietly rolled out an update that lets GIFs play natively within the News Feed. Just copy the URL of your favorite moving image, post it in the status update bar and watch it appear in all its hypnotic glory.

Watch President Barack Obama on a skateboard

Tests seemed to indicate that the functionality doesn’t yet work in comments, so we’re still a ways away from being able to respond to a lame status update with Kanye un-smiling.

Also, you don’t have to worry about your News Feed becoming a torrent of distracting moving images. The GIFs don’t begin their endless loop until you click play.