A number of high-severity vulnerabilities have been uncovered, affecting more than 55% of Android devices.
These vulnerabilities, both on the Android platform itself and in third-party Android software development Kits (SDKs,) can be exploited by expert hackers to give a malicious app with no privileges the ability to gain unauthorized access to information and other functionalities on the device, according to IBM’s X-Force security division.
These Android specific vulnerabilities, along with others uncovered earlier in the year, continue to illustrate the importance of building security into the very foundations of mobile apps. A recent Ponemon study found organizations spent an average of $34 million annually on mobile app development, but only 5.5% of this spend was dedicated to ‘in app’ security. And a startling 50% of those companies devoted no budget at all to securing the apps they developed.
Found hard on the heels of Stagefright, the vulnerabilities center on the Android platform OpenSSLX509Certificate class, which is one of many classes developers leverage to add functionality to apps such as network access and the phone’s camera. By introducing malware into the communication channel between the apps and phone functionalities, attackers are able to take over an application on a user’s device and perform actions on behalf of the victim. (i.e. take photos, share content, send messages, etc.—depending on the app). They can also replace real apps with fake ones filled with malware that can collect personal information. (i.e. replace Facebook with a fake version that collects victim information on the social network).
Attackers can also steal sensitive information from the attacked app, like login details.
Google as well as the vulnerable SDKs have been patched; however, IBM Security recommends that all users make sure they have downloaded the latest version of Android and have updated SDKs.
“Our team titled the paper One Class to Rule Them All, since the single vulnerable class that we found in the Android platform, OpenSSLX509Certificate, was enough to take over the device using our attack technique,” researchers said in the report. “Developers take advantage of classes within the Android platform and SDKs. These classes provide functionality for apps—for example, accessing the network or the phone’s camera. The vulnerability we found can be exploited by malware through the communication channel that takes place between apps or services. As the information is broken down and put back together, malicious code is inserted into this stream, exploits the vulnerability at the other end and then owns the device.”