Monday, June 30, 2014

86 Percent of Android Devices Vulnerable to Bug

Android users, beware: 86 percent of Google OS-based devices may contain a high-risk vulnerability.

IBM security researchers uncovered the bug in September, quietly warning the Android Security Team, which two months later confirmed a patch for 4.4 KitKat. But the remaining Android versions do not yet have a fix, leaving them exposed to hackers.

According to June 4 data from Google, about 13.6 percent of Android devices are on 4.4 KitKat, while 10.3 percent are running version 4.3. Most (29 percent) are running 4.1.x, while 19 percent are on 4.2.x.

In last week's public reveal, the IBM team explained that the vulnerability lies in the Android KeyStore, where cryptographic keys and other credentials are stored. By exploiting the flaw, hackers can obtain banking and virtual private network credentials, PINs, and unlock patterns.

This isn't exactly an open door to attackers, though. According to IBM application security research team lead Roee Hay, Google has several barriers in place to slow, if not stop, hackers from successfully exploiting the vulnerability.

With built-in data execution prevention (DEP) and address space layout randomization (ASLR), the Android operating system isn't a pushover. Plus, as Ars Technica pointed out, an attacker would first need to get an app installed on a vulnerable handset before any user information could be extracted.

But that doesn't soften the blow: the weakness resides in KeyStore, which is one of the most sensitive resources in the OS, according to Ars.

"Generally speaking, this is how apps are going to store their authentication credentials, so if you can compromise the KeyStore, you can log in as the phone's user to any service where they've got a corresponding app," Dan Wallach, Rice University professor specializing in Android security, told the site.

Applications that require a password to be retyped each time—banking services, for example—are at lower risk than more easily compromised apps, like Twitter, Wallach said. Similarly, users should keep an eye on those apps that load VPN credentials onto their phone, which essentially hand hackers a key to bypass the firewall.

Google did not immediately respond to PCMag's request for comment.

This isn't the only security issue for Android owners. Despite multiple patches to its top products, Google admitted in April that Android 4.1.1 is still vulnerable to the Heartbleed bug, leaving about 34 percent of users exposed.

Don't go ditching your Google-based device for a more secure iOS smartphone, though: Apple's system isn't exactly foolproof.
