Security researchers at IBM have gone public about a critical security vulnerability in the Android operating system, that could allow hackers to remotely execute code on users’ devices and steal sensitive information.
The flaw, which was discovered nine months ago by researchers of the Application Security team at IBM but has only now been made public, affects everyone who is not running the most up-to-date version of Android - version 4.4, known as KitKat.
Roee Hay, who leads the application security research team at IBM, said that the reason why it has taken so long for details of the security hole to be made public is that his group believes in responsible disclosure, and has worked with the Android security team at Google to ensure that a patch was made available for KitKat.
Normally security researchers who discover vulnerabilities are chomping at the bit to announce their discovery, and it wouldn’t have been a surprise to see this one announced at the same time as the fix was rolled out by Google.
But things are very different when it comes to Android, because of the difficulties that exist in rolling out patches to users of the many different devices running the operating system - a point that Hay acknowledged in his article:
“Considering Android’s fragmented nature and the fact that this was a code-execution vulnerability, we decided to wait a bit with the public disclosure.”
There is good reason to be concerned.
Even though the latest version of Android is protected against the vulnerability - there are still many Android users who are running older versions of the operating system and are potentially at risk.
The latest statistics from Google show that KitKat is only being used by 13.6% of Android users.
What IBM’s researchers have discovered is a Stack Buffer Overflow vulnerability in the Android KeyStore service - which is responsible for storing and securing device’s cryptographic keys.
If successfully exploited, the vulnerability could allow malicious code to execute which could:
- Leak the device’s lock credentials. Since the master key is derived by the lock credentials, whenever the device is unlocked, ‘Android::KeyStoreProxy::password’ is called with the credentials.
- Leak decrypted master keys, data and hardware-backed key identifiers from the memory.
- Leak encrypted master keys, data and hardware-backed key identifiers from the disk for an offline attack.
- Interact with the hardware-backed storage and perform crypto operations (e.g., arbitrary data signing) on behalf of the user.
The only silver lining is that IBM’s researchers say that they have seen no evidence to date that the vulnerability has been exploited in the wild,
As Optimal Security reported last week, Google is currently rolling out the latest version of KitKat (4.4.4) to its own Nexus smartphones and tablets, in order to protect against another serious vulnerability in OpenSSL, and Android Lollipop (if that’s what the next big version gets called) will hopefully be available later this year.
But however good Google makes the future incarnations of its mobile operating system, there will still be a lot of users of older flavors of Android left running insecure versions with no clear path for updating and patching their phones and tablets. I, for one, wouldn’t be surprised to see those older Android devices increasingly targeted by hackers.
This article originally appeared on the Lumension blog.