This summer has been a very bad season for the Android mobile operating system. After 980 million user scare generated by Stagefright, now IBM released a new possibility of security risk, high-severity security vulnerability which can impact 55% of the Android user base.
IBM’s X-Force Application Security Research Team stated,
“In a nutshell, advanced attackers could exploit this arbitrary code execution vulnerability to give a malicious app with no privileges the ability to become a ‘super app’ and help the cyber criminals own the device,”
“In addition to this Android serialisation vulnerability, the team also found several vulnerable third-party Android SDKs which can help attackers own apps.”
What this means is, for the users who are fond of rooting their devices and who take no measure of thought when downloading .apk’s from 3rd party websites, their devices are at a huge risk of contracting this vulnerability.
IBM has classified this security leak as, CVE-2015-3825 which is in the core programming code of the Android OS. Thus, this puts risk on any device which runs every version from Jellybean to Android M, conveniently putting a full load of 55 percent of devices at risk. IBM also added that,
“The single vulnerable class that we found in the Android platform, OpenSSLX509Certificate, was enough to take over the device using our attack technique,”
The most dreaded fact of this risk is that this vulnerability can be exploited by malware at communicational midway stream between apps and services, as this time period in the process is where the binary information is coded and decoded. Malware can apparently inject malicious code in this time period and allow that innocent looking alarm clock to function as a super app, giving the hacker, full control over your device.
IBM has gone out of their way and released a video, explaining how hackers can mess with your device, in a video documentary called, “One Class To Rule Them All”
So what do you think of these loop-holes in our devices? Throw some light on that in the comments below.