Over 55% of all Androids at risk of high severity vulnerability

Fake Facebook appHere we go again...

We've only just got over the news of the Stagefright vulnerability, that allows attackers to infect Android devices with just a maliciously-crafted MMS message and the shocking (and welcome) news that Google and other leading manufacturers will be releasing regular security updates for millions of smartphones from now on.

Now IBM security researchers have warned of another serious vulnerability that impacts over 55% of all Androids.

The vulnerability, which has been dubbed CVE-2015-3825, affects Android versions 4.3 to 5.1, as well as the current Android M preview build, and could be exploited by malware.

"In a nutshell, advanced attackers could exploit this arbitrary code execution vulnerability to give a malicious app with no privileges the ability to become a “super app” and help the cybercriminals own the device."

In a YouTube video, the researchers demonstrate a proof-of-concept attack demonstrating how an attacker could steal sensitive data. A malicious app, with no apparent special privileges, is able to overwrite an existing app (Facebook in the demonstration) with a fake version (Fakebook) that could steal users' data.

The researchers informed Google's security team of the Android vulnerability some months ago, and IBM's blog post says that Google has issued patches for Android 5.1, Android 5.0, Android 4.4 and Android M.

Of course, whether these patches have actually made it into the Android device in your hand is a whole different matter... :(

"We encourage Google to continue its efforts toward decoupling the vendors’ dependent code from the rest of the system so patches will be available much faster," writes researcher Or Peles.

And so say all of us.

The good news is that, so far, there is no indication that the vulnerability has been exploited in the wild.

BeNewsThe method of bypassing Google Play's security controls, however, does bear comparison with BeNews, an Android app that to all intents and purposes looked like it was designed to give you the latest news about bees and beekeeping.

In truth, BeNews had been written by controversial spyware firm Hacking Team to infect targets and spy upon communications.

More details of the vulnerability are being shared at the USENIX Workshop on Offensive Technologies (WOOT '15) currently being held in Washington, D.C. You can check out researcher Or Peles's technical paper here.

Tags: , , , ,

Smashing Security podcast
Check out "Smashing Security", the new weekly audio podcast, with Graham Cluley, Carole Theriault, and special guests from the world of information security.

"Three people having fun in an industry often focused on bad news" • "It's brilliant!" • "The Top Gear of computer security"

Latest episode:

, , , ,

4 Responses

  1. Chris Thomas

    August 11, 2015 at 7:47 am #

    Makes my hardened Windows XP systems with Outpost Firewall Pro 9.1, Firefox with NoScript, AVG Antivirus, EMET and Malwarebytes Anti-Exploit look rock solid by comparison. I only use my Android to watch YouTube and iPlayer. Online banking on a tablet? Hear my uncontrollable mirth.

    I know that Windows is vulnerable and that makes me circumspect.

    • Techno in reply to Chris Thomas.

      August 11, 2015 at 9:53 am #

      Presumably you have some essential software that only works on XP, and that software must also be connected to the internet. Otherwise, surely it would be easier to upgrade to a more recent operating system, or disconnect the computer from the internet to isolate it, as no doubt you are aware that Microsoft doesn't provide security updates for XP anymore.

      EMET isn't completely effective on XP machines.

  2. Spryte

    August 11, 2015 at 11:25 pm #

    Any word about providers and manufacturers actually pushing these fixes to their devices?

  3. Andy Lee Robinson

    August 12, 2015 at 5:04 am #

    If you want to virtually guarantee security with internet banking, just boot the latest Fedora Live USB stick.
    Mobile internet banking? Not a chance!
    I still have no idea how to update my S3 as update options seem to be disabled, so I don't do anything sensitive with it.

Leave a Reply