Here we go again…
We’ve only just got over the news of the Stagefright vulnerability, which allows attackers to infect Android devices with just a maliciously crafted MMS message, and the shocking (and welcome) news that Google and other leading manufacturers will be releasing regular security updates for millions of smartphones from now on.
Now IBM security researchers have warned of another serious vulnerability that impacts over 55% of all Androids.
The vulnerability, tracked as CVE-2015-3825, affects Android versions 4.3 to 5.1, as well as the current Android M preview build, and could be exploited by malware.
“In a nutshell, advanced attackers could exploit this arbitrary code execution vulnerability to give a malicious app with no privileges the ability to become a ‘super app’ and help the cybercriminals own the device.”
In a YouTube video, the researchers show a proof-of-concept attack demonstrating how an attacker could steal sensitive data. A malicious app, with no apparent special privileges, is able to overwrite an existing app (Facebook in the demonstration) with a fake version (Fakebook) that could steal users’ data.
The researchers informed Google’s security team of the Android vulnerability some months ago, and IBM’s blog post says that Google has issued patches for Android 5.1, Android 5.0, Android 4.4 and Android M.
Of course, whether these patches have actually made it into the Android device in your hand is a whole different matter… :(
“We encourage Google to continue its efforts toward decoupling the vendors’ dependent code from the rest of the system so patches will be available much faster,” writes researcher Or Peles.
And so say all of us.
The good news is that, so far, there is no indication that the vulnerability has been exploited in the wild.
The method of bypassing Google Play’s security controls, however, does bear comparison with BeNews, an Android app that to all intents and purposes looked like it was designed to give you the latest news about bees and beekeeping.
In truth, BeNews had been written by controversial spyware firm Hacking Team to infect targets and spy upon communications.
More details of the vulnerability are being shared at the USENIX Workshop on Offensive Technologies (WOOT ’15) currently being held in Washington, D.C. You can check out researcher Or Peles’s technical paper here.