Android vulnerabilities could allow "easy" root access
Google has fixed this latest flaw with Android but Trend Micro warns that fragmentation in the Android ecosystem means hackers can still exploit it.
Fragmented Android operating system leaves some users vulnerable, says Trend Micro
A number of vulnerabilities have been discovered in the Android mobile operating system that could allow hackers to gain root-level access to smartphones and tablets.
According to Trend Micro, the flaws affect Android devices with Snapdragon system-on-chip (SoC) processors including the Nexus 5, Nexus 6, Nexus 6P and Samsung Galaxy Note Edge.
The firm said that the vulnerabilities could be exploited by an attacker in order to gain root access on the target device simply by running a malicious app. It said that while the flaws have been fixed, fragmentation of the Android ecosystem could mean that hackers would still be able to take advantage of the vulnerabilities.
“Given the fragmented nature of vulnerability patching in the mobile and Internet of Things (IoT) space, many users will not be able to receive the needed security update and may continue to be at risk of, among other things, information exposure,” said Wish Wu, mobile threat response engineer at Trend Micro, in a blog post.
“As the number of embedded SoCs in devices explodes with the IoT growth, we anticipate that these kinds of vulnerabilities will become a bigger problem that will challenge the overall security posture of Internet of Things.”
The two bugs, tracked as CVE-2016-0819 and CVE-2016-0805, can be used to gain root access on a Snapdragon-powered Android device. Wish said that the firm would not disclose the full details of the attack but would reveal further details at the upcoming Hack In The Box security conference in the Netherlands, to be held in late May 2016.
“We believe that any Snapdragon-powered Android device with a 3.10-version kernel is potentially at risk of this attack,” said Wish. “Given that many of these devices are either no longer being patched or never received any patches in the first place, they would essentially be left in an insecure state without any patch forthcoming.”
Wish added that the scenario still relies on the attacker getting malicious code onto the device in the first place. “Users should be very careful of installing apps from untrusted sources, especially those outside of the Play Store,” said Wish.
The researcher advised Android users to check with the makers of their devices whether an update is available that fixes these flaws.
Michael Shaulov, head of mobility product management at Check Point, told SCMagazineUK.com that it's critical to ensure that devices are using the most up-to-date software versions to protect against known vulnerabilities.
“Unfortunately, updating software is clearly not enough as it can take months for vulnerabilities to be patched. This leaves plenty of time for attackers to exploit and use them as weapons. So it's also important to use security measures that are able to detect malicious applications that try to conduct any sort of privilege escalation,” he said.
Mark James, security specialist at ESET, told SC that he expects to see more of these types of problems on platforms where there is such a vast range of operating versions.
“Android is one of the worst as the users often forget the importance of keeping mobile devices up to date – and not just applications but operating systems as well. But with so many suppliers either not updating or being very late in releasing updates, it is a security minefield.”
James added that if your devices are not being patched as frequently as you would like, then your only choice for security is limiting the apps or services allowed to be installed.
“If you restrict or vet your software then you limit the attack vector for malware to strike. There are many mobile device management options available to you that should be installed alongside a good internet security product to help keep your device safe.
“All too often the mobile device is overlooked as a very real threat to your company security, but it does not need to be that way.”