Security team finds additional Android vulnerability

An IBM security research team has uncovered an additional flaw in Android that can give a malicious app the ability to fully control a device.

IBM researchers reveal new Android flaw


The study by IBM's X-Force Application Security Research Team estimates that 55 percent of all Android smartphones are at risk from this potential attack, which the team noted is very similar to what the Hacking Team has used. The susceptible Android versions are 4.3 to 5.1 and M Preview 1. Additionally, both Android's own and third-party software development kits (SDKs) are at risk of being used maliciously.

“What our team found has not been seen in the wild yet but shows that with the right focus and tools, malicious apps have the ability to bypass even the most security-conscious users,” wrote Or Peles, a security researcher for the X-Force team, on the team blog.

Peles' team found that developers' use of classes built into Android, in this case OpenSSLX509Certificate, opened the door to arbitrary code execution in apps and services, which malware can exploit.

“Our paper describes a reliable proof of concept (PoC) that demonstrates the feasibility of the attack. For instance, an attacker can take over any application on the victim's device by replacing the target app's Android application package (APK). This can then allow the attacker to perform actions on behalf of the victim,” Peles said.

IBM also noted that while vulnerabilities in the operating system are dangerous, those in SDKs are much worse.

“One vulnerable SDK can affect dozens of apps whose developers are usually unaware of it, taking months to update,” Peles said, adding that the vulnerability found in Apache Cordova still affects dozens of apps even though a patch has been issued. The same danger holds true for SDKs that are little used or do not receive regular security updates.

The team is presenting its findings this week at USENIX WOOT '15.