Another Android Flaw Gives Apps Elevated Privileges

Close on the heels of Stagefright, another vulnerability has been found to affect Android devices. A flaw in the OpenSSL X509Certificate class lets apps elevate their privileges, which enables them to snoop on vulnerable devices, install malware, and cause other problems. More than half of Android handsets are believed to be vulnerable.

Google has provided a patch, but as with the patch for Stagefright, most people won’t receive it automatically. Ask your mobile carrier if a patch is available and if not, when you can expect it.

Read the story in the news.

“Stagefright” Security Hole in Android

The security bug Stagefright is in the MMS system on Android phones. MMS is similar to SMS (Short Message Service) but for multi-media such as videos, sounds, and pictures. While it is an aging system, most Android devices are still set up to receive MMS messages and will process them automatically by default.

On newer Android devices (4.4, aka KitKat, and 5.x, aka Lollipop), the default SMS/MMS apps are “Messaging” and “Hangouts”, and the default configuration for these apps is to download MMS content in the background as soon as the messages arrive.

The bug allows shellcode to take control of your device when an infected MMS message arrives. This type of attack is known as remote code execution. Zimperium, the security company that found the bug, claims that 950 million devices may be at risk.

Google has responded to the bug and has prepared patches, but it’s possible that not all carriers will immediately patch or announce the patch to their customers. In the meantime:

  • Ask your mobile carrier whether a patch is available.
  • If not, find out when you can expect it.
  • If your messaging app supports it, turn off “Automatically retrieve MMS messages.” (Messaging and Hangouts allow this.)
  • Consider blocking messages from unknown senders.

We will send further information as more is released.

Read the story in the news here.

Android Phone Factory Reset Feature is Flawed

An estimated 500 million Android phones don’t completely wipe data when their factory reset option is run, a weakness that may allow the recovery of login credentials, text messages, e-mails, and contacts.

In the first comprehensive study of the effectiveness of the Android feature, Cambridge University researchers found that they were able to recover data on a wide range of devices that had run factory reset. The function, which is built into Google’s Android mobile operating system, is considered a crucial means for wiping confidential data off of devices before they’re sold, recycled, or otherwise retired. The study found that data could be recovered even when users turned on full-disk encryption.

The findings, published in a research paper titled Security Analysis of Android Factory Resets (.pdf), are sure to be a wake-up call for individual users and large enterprises alike. Based on the devices studied, the researchers estimated that 500 million devices may not fully wipe disk partitions where sensitive data is stored and 630 million phones may not wipe internal SD cards where pictures and video are often kept.

Read the story in the news.

Android Flaw Allows Attackers to Modify or Replace Apps

A security flaw in the Android operating system could be exploited to remotely take over vulnerable devices.

According to researchers from Palo Alto Networks, roughly half of all Android phones are vulnerable to a newly discovered hack that in some cases allows attackers to surreptitiously modify or replace seemingly benign apps with malicious ones that steal passwords and other sensitive data.

The vulnerability has been patched in Android 4.3_r0.9 and later, but some Android 4.3 devices remain vulnerable.

The attack works only with third-party app stores, not the Google Play store.

Read the story in the news.

Secret Keys Stashed in Google Play Apps

Researchers at Columbia University have found that many Android app developers hide secret authentication keys in their code. The keys could be used to access private cloud accounts or social media profiles.

Read the story in the news.

Android Malware Spreading Through Mobile Ads

Malware targeting Android devices has been found to be spreading through mobile advertisement networks. Many developers include advertising frameworks in their apps to help boost profits. Advertisements in mobile apps are served by code that is part of the app itself. An attack scheme in Asia involved a rogue ad network pushing code onto devices. When users download and install legitimate apps, the malware prompts users to approve its installation, appearing to be part of the process for the app they have just downloaded.

Learn more in the news.

How to protect your Android device at MIT.

Who Updates Your Android?

A call has been made for legislators to get involved in making carriers more responsible for issuing updates to Android mobile devices, or to have carriers cede control to Google. Activist Chris Soghoian says the “situation is worse than a joke, it’s a crisis.” Some devices are 16 months behind in receiving updates.

Android malware has skyrocketed over the last 12 months. Researchers at Kaspersky Lab said that 99 percent of mobile malware detected monthly was targeting Android. The most prevalent are SMS attacks that run up premium calling charges.

While Google is keeping up with patching vulnerabilities, these patches are not reaching consumers, says Chris Soghoian.

Read the full story online.