Android 14’s “ransomware” data-storage bug locks out users, remains unfixed – Ars Technica

Aurich Lawson

Android 14 has a nasty storage bug that seems to be affecting users of the “multiple profiles” feature. The bug is about as bad as you can get, with users having “unusable” devices due to getting locked out of device storage. A few users are likening the experience to getting hit with “ransomware.”

Earlier reports had this bug limited to the Pixel 6, but Google seemed to ignore those reports, and now with a wider rollout, this does not seem device-specific. Everything upgrading to Android 14 this early seems to be affected: Pixel 6, 6a, 7, 7a, Pixel Fold, Pixel Tablet.

The Google issue tracker for this is now up to over 350 replies and has had no response from Google. The bug is languishing at only the medium “P2” priority (P0 is the highest) and remains “unassigned,” meaning, assuming the tracker is up to date, no one is looking into it.

Some users have helpfully posted log files full of worrying messages, like, “Failed to open directory /data/media/0: Structure needs cleaning.” Being locked out of your own device’s data partition causes all sorts of bizarre issues. Some users are boot looping, others are stuck on a “Pixel is starting…” message, while others are able to get into the phone. If your phone tries to continue trucking with no local storage, you’ll be inundated with all sorts of error messages. The camera app claims to be “out of storage,” and you can’t take screenshots because there’s nowhere to store the screenshots. The file manager lists 0 bytes for every type of file and empty folder, and the files also aren’t viewable from a PC over USB. The System UI and Settings also keep crashing. Basically, computers need storage to function!

Android’s user-profile system allows for both multiple users on a single device (which is good for tablets) and splitting up “home” and “work” profiles to keep your work data separate from your personal data, via duplicate apps. It sounds like the bug is only hitting users who take advantage of this rarely used feature, with lots of reports that the primary profile—that’s usually the important one—gets locked out.

Several users are complaining about the data lost from all of this, so it’s a good time to remind people to always have a backup of everything on your phone. Even straight out of the box, Android has options for Google Photos automatic backups, Play Games storage of your game data, and a million other cloud-based data features (it would be nice if Android phones had a comprehensive whole-phone backup feature, though). While it is totally reasonable to expect your OS to keep running after an update, phones are uniquely vulnerable to getting lost/stolen/damaged, so having everything get stored somewhere else is a great idea. Shockingly, several users report the phone is automatically doing a factory reset, which deletes all your data, shutting down any possibility of data recovery. This feature should probably not exist, but it’s another sign that phones are not a reliable storage medium for critical data.

What’s so strange about how Google is handling this bug is that the company has tools to deal with this. Google delivers software on a slow and often-frustrating “rollout” strategy, where a small percentage of users will get an update at first, and as the days pass, more and more users are opted in to the update. Google does this to see if any problems pop up via its extensive Android analytics system, and if a problem is detected, the update rollout can be halted, limiting the problem to as few people as possible.

Why didn’t that happen here? Surely a bug where people are locked out of their phones and possibly lose data is worth halting a rollout, but it never happened. Google’s entire response to this problem has been lacking. To our knowledge, no one from Google has officially addressed the issue in the ~10 days it has been around. It hasn’t issued statements to the several sites that have already reported on this. No one is replying to the bug tracker, and the issue is unassigned. What’s up, Google?
