Android Flaw Lets Rogue Apps Hijack Phones

By: tomsguide.com
 
DELHI, India - Aug. 12, 2015 - PRLog -- Security exploits in specific versions of operating systems are common enough, but it's never encouraging to hear about a vulnerability that could compromise an entire platform.

A flaw that affects almost all Android devices less than two years old allows attackers to plant fake apps and use them to take control of a phone. While Google has issued a patch for this particular threat, it doesn't fix all affected phones, and even those for which it's available may not yet be patched.

Or Peles, a security researcher at IBM's X-Force team, first wrote up the details of the vulnerability, which X-Force presented in a full-length paper at the USENIX WOOT 2015 security conference in Washington, D.C. yesterday (Aug. 10). The paper, entitled "One Class to Rule Them All," describes a vulnerability that could allow attackers to plant innocuous-looking fake apps on Android phones that then escalate their privileges to gather sensitive user data.

While the One Class flaw is not quite as devastating as Sauron's One Ring of Power for which it is named, it's undoubtedly a potentially very dangerous bit of code. Without getting too technical, the X-Force researchers discovered that the OpenSSL X.509 certificate in Android's code was vulnerable to targeted malware, and that any app that used that certificate could be impacted.

This certificate governs the privileges an app is granted, such as access to a phone's camera. By taking advantage of the flaw, a malicious hacker could change an app's privileges after a user has granted initial permission. Imagine an app that requests access only to your camera, but then helps itself to your contacts list, your stored files and your email record.

Worse still, X-Force's proof-of-concept attack was able to replace a legitimate app with a completely fake one. The researchers substituted Facebook with a convincing facsimile called Fakebook. It doesn't take too much imagination to figure out how a malefactor could have a field day replacing legitimate email or banking apps with others that steal personal or financial information.

Google responded to IBM's concerns quickly, and the flaw already has a patch for Android 4.4 KitKat through the still-developing Android M. Make sure you install Android OS updates when you receive them over the air, and you should be fine. However, many handsets rely on the cellular carrier or handset maker to deliver updates, and some devices may never receive it.

Furthermore, the flaw also affects Android 4.3 Jelly Bean, which was released in the summer of 2013, and it doesn't look like that version of Android will be patched.

On the other hand, Peles was quick to point out that the patch fixes a specific security problem and does not completely protect against future exploits of a similar style. Fixing this problem is mostly up to developers, so users can't do much to protect themselves, save to be very judicious about which apps they install, particularly if an app seems to request fewer permissions than it should need to function.

Between the One Class flaw and the Stagefright vulnerability, researchers have found a number of widespread security holes in Android operating systems over the past few weeks. As long as security researchers find the flaws before malefactors and users keep their phones up to date, though, the overall security of the platform should not be in serious jeopardy.

Source: tomsguide.com