A new critical Android vulnerability has been discovered that could potentially allow Android Smartphones to be hijacked by hackers without any user interaction required. The vulnerability affects the V8 JavaScript engine in Chrome, and not just on older devices but also on the latest models now being released. Even the Nexus 6, one of the most advanced and secure Android phones, contains the vulnerability.
Hackers could potentially use the exploit to install apps on the device without any user interaction. The apps could be given permissions to access all communications made through the device. The new critical Android vulnerability was demonstrated at the recent Tokyo PacSec conference. Full details of the exploit have been shared with Google and a patch is currently being developed to plug the security hole.
This is just one more critical Android vulnerability to be discovered, and it will not be the last. Fortunately, this time the security hole was found by a security expert rather than a hacker.
Fake ID critical Android vulnerability still exists on many Smartphones
Last year, researchers at Bluebox Security discovered another critical vulnerability which affects all Android Smartphones running versions 2.1 to 4.4 (KitKat). The critical Android vulnerability affects millions of devices.
The vulnerability, named Fake ID, potentially allows hackers to develop apps that can exploit a flaw in the way the devices deal with security certificates. The vulnerability can be used to gain privileges granted to other applications – even those with high levels of privileges such as Google Wallet.
Fortunately, to exploit this critical Android vulnerability, hackers would need to convince the user to download a malicious app to their device, which would be difficult if the user only used Google Play Store to obtain new apps.
However, StageFright – a critical Android vulnerability discovered this summer – is potentially much more serious. The bug enables a hacker to remotely execute code on an Android phone and escalate privileges. StageFright allows a hacker to attack an Android device via a video sent by MMS text message. The attack is possible via the libStageFright mechanism.
Android phones running Google Hangouts would potentially be vulnerable and could be exploited without the user’s knowledge, as the app processes video automatically before the message is viewed by the user.
Due to how patches are rolled out, Smartphones could still be vulnerable to both Fake ID and StageFright, even though patches have now been released.
When a new critical security vulnerability is discovered, a patch is rapidly developed to plug the security hole. Even when a patch is issued, it can take some time before it is rolled out and installed on each device. The speed depends on the carrier. Patches are rolled out quickly in some cases – Google Nexus and LG for example – but slower with other brands such as Samsung and HTC.
Often updates to the operating system are packaged together with manufacturer updates and are not rolled out immediately. Sometimes they are not rolled out at all, leaving some phones particularly vulnerable to attack.
A recent study conducted by the University of Cambridge showed that 87% of Smartphones contain at least one critical Android vulnerability, and many contain more than one.
Reducing Security Risk from Android Devices
BYOD has grown in popularity in recent years, and many employers are now allowing employees to bring their own mobile devices to work. While not all allow the use of personal laptops, employees are commonly allowed to use their Smartphones at work, and even use them to connect to their employer’s network.
Any employer operating BYOD should carefully consider which devices are allowed to connect to the corporate network. Some Smartphones are safer than others and will involve much lower network security risk. If devices that can be easily compromised are allowed to connect, they could be used as a platform to launch an attack on the network.