Researchers from IBM’s X-Force security division say they have discovered a number of high-severity vulnerabilities affecting more than 55% of Android devices.
These vulnerabilities, in both the Android platform itself and third-party Android Software Development Kits (SDKs), could be exploited to let a malicious app with no privileges gain unauthorised access to information and other functionality on the device.
Ponemon — gotta survey ’em all
Those who give credence to Ponemon research studies may find some interest in the organisation's suggestion that firms spend an average of $34 million a year on mobile app development, yet dedicate only 5.5% of that spend to in-app security.
It is also claimed that 50% of the companies surveyed devoted no budget at all to securing the apps they developed.
The vulnerabilities revealed by IBM centre on the Android platform's OpenSSLX509Certificate class, part of the platform's certificate handling and one of the many platform classes that developers lean on to add functionality such as network access or use of the phone's camera. The timing echoes last week's Black Hat conference, where webcams were singled out as highly vulnerable.
What can happen?
By injecting malicious content into the communication channel between apps and the device functionality they rely on, attackers are able to:
· Take over an application on a user's device and perform actions on behalf of the victim (e.g. take photos, share content, send messages, depending on the app).
· Replace real apps with fake ones loaded with malware that collects personal information (e.g. replace Facebook with a fake version that harvests your information on the social network).
· Steal sensitive information from the attacked app (e.g. confidential banking information from a banking app, or login credentials for other accounts).
Google has patched the platform and the vulnerable SDKs have been updated by their vendors; IBM Security nonetheless recommends that users make sure they are running the latest version of Android available for their device, and that developers rebuild and republish their apps against the updated SDKs.