June 30, 2014
Recent Android Vulnerability Discovery Remains A Threat To Devices
Peter Suciu for redOrbit.com - Your Universe Online
According to security researchers more than 86 percent of all Android devices remain vulnerable to a threat discovered last month. On Monday, IBM Security researchers shed new light on a vulnerability (CVE-2014-3100), which affects the Android KeyStore service that is used for storing cryptographic keys and other user information.
This vulnerability was reportedly patched in the latest version of the open source operating system – Android Kitkat 4.4 – but the problem remains as the vast majority of Android users aren't running this latest version.
While this is not an easy flaw to exploit, it does reside in the KeyStore, which is one of the most sensitive resources in the Android OS. If this is compromised a hacker could log in as the actual device's user to any service where passwords are likely remembered.
"Exploiting this vulnerability can theoretically be done by a malicious application; however, a working exploit needs to overcome a combination of obstacles," wrote Roee Hay, who leads the application security research at IBM.
Those obstacles could include Data Execution Prevention (DEP), which Hay said could be bypassed by Return-Oriented Programming (ROP) payloads; as well as Stack Canaries and Address Space Layout Randomization (ASLR), as well as Encoding techniques.
"However, the Android KeyStore is respawned every time it terminates. This behavior enables a probabilistic approach; moreover, the attacker may even theoretically abuse ASLR to defeat the encoding," Hay added. "Successfully exploiting this vulnerability leads to a malicious code execution under the keystore process."
Hay was able to exploit the bug and execute the malicious code that leads keys used by banking and other sensitive apps, virtual private networks (VPN) and even the PIN or finger patterns that are used to unlock a device.
As Hay noted, Google has fixed the problem on KitKat, but it remains on devices that run on the older Android OS – which accounts for 86.4 percent of devices. However, Android users who use their devices for mobile banking shouldn't worry too much about this vulnerability.
"Most banking apps, which force you to type your password every time, are probably safe against this particular attack," Nick Farrell wrote on Monday for Fudzilla.com.
Android's vulnerabilities, however, will likely increase.
In May, the Mobile Threat Report released by F-Secure is now the prime target for the brunt of harmful software. More than 99 percent of new mobile threats discovered by F-Secure during the period of the report were for the open source platform. The report identified 277 new threat families and variants. Of those 277, 275 targeted Android, one targeted iPhone and one targeted Symbian. The number of threats has increased since the same period last year when F-Secure identified 149 new threat families and variants, 91 percent targeted Android.
For this reason security experts have advised that apps should only be downloaded from official and trusted sites including Amazon and Google Play, but have also warned that even apps from those sites could have security risks.
Android KeyStore is not the only security vulnerability that Android users faced this month.
Last week, security researchers at Adaptive Mobile also identified a new Android worm that reportedly propagates itself to users by links sent in text messages.
PRE-ORDER YOURS TODAY! Amazon Fire Phone, 32GB (AT&T)