New Android Smartphone Data Security Warnings Issued
New Android Smartphone data security warnings have been issued, alerting users to new security flaws in the software which could potentially allow hackers to gain control of the devices.
The Android security flaw discovered by IBM’s X-Force Application Security Research Team could affect 55% of Android phone owners, while Check Point’s discovery could similarly affect millions. These announcements come after Samsung, Google and LG had stated they will now be providing monthly security updates for Android devices, including a fix for the Stagefright vulnerability.
Unfortunately, Android devices often include additional software installed by the device manufacturer, a problem Apple and Blackberry do not share: Both companies have developed their own hardware and software. As a result the latter companies can roll out security updates much more quickly. With the open-source Android platform, security fixes will always be issued more slowly.
‘Certifi-gate’ Security Breach Reported
Android Smartphone data security warnings are now being issued with increasing frequency. The latest comes from Check Point, which recently discovered a security flaw that could put hundreds of millions of Android Smartphones at risk of being hacked. The security flaw allows hackers to hijack a handset, without alerting the owner of the phone. The security breach risk has been named “Certifi-gate” and is said to affect Samsung, HTC, LG and ZTE devices, irrespective of Android version.
The flaw could allow hackers to remotely gain access to the devices, exploiting flaws in apps that give them privileged access to the devices. According to Gabi Reish, vice president of product management at Check Point, “it would make it a remote spying device.” The flaw is in software installed by the manufacturers of the devices.
New Android Smartphone Data Security Warnings Issued by IBM
IBM’s X-Force Application Security Research Team also discovered another Android software security flaw, which could potentially allow hackers to escalate privileges in a compromised device, install code and effectively take control of the device. The security flaw has not yet been exploited by hackers according to IBM researchers.
An X-Force researcher explained the flaw: “In a nutshell, advanced hackers could exploit this arbitrary code execution vulnerability to give a malicious app, with no privileges, the ability to become a super app and help the hackers own the device,”
The flaw is present in Android 4.3-5.1 and a patch has been issued; however this has not yet been rolled out by all phone manufacturers.
IBM’s Or Peles, said the flaw affects OpenSSLX509Certificate and it exploits a communication channel between applications and services. “As the information is broken down and put back together, malicious code is inserted into this stream, exploits the vulnerability at the other end and then owns the device.”
IBM researchers have a proof of concept that shell commands could be used to steal data stored or accessible through affected Android devices. That includes replacing apps with malicious versions. The report cited that it would be possible to replace Facebook Mobile, for example, with a fake version that sends all recorded data to the hacker.