IBM: High-severity vulnerability puts Android M devices at risk

Share on FacebookPin on PinterestShare on StumbleUponTweet about this on TwitterShare on LinkedIn

ANDROID’S BAD SECURITY SUMMER ROLLS ON. IBM has thrown more drama at the operating system, claiming that a high-severity serialisation vulnerability has users doomed.

We haven’t messed about. We went straight to Google for a response. We are waiting for it. We do not have to look hard, or wait long for the dirty details as IBM has blogged about it on its own security news pages.

IBM has done us all a favour. The firm has offered a TL;DR version of its doom prophecy, a document called One Class to Rule Them All, explaining that smart hackers can easily make merry on Android using arbitrary code.

“In a nutshell, advanced attackers could exploit this arbitrary code execution vulnerability to give a malicious app with no privileges the ability to become a ‘super app’ and help the cyber criminals own the device,” IBM said.

“In addition to this Android serialisation vulnerability, the team also found several vulnerable third-party Android SDKs which can help attackers own apps.”

What we have here is something not unlike the methods used by the infamous Hacking Team, which employed a fake news app to grab elevated privileges on devices.

IBM said that the vulnerability, snappily titled CVE-2015-3825, is embedded in the heart of Android and affects versions from Jelly Bean to Lollipop and the Android M preview v.1, putting 55 percent of devices at risk.

“The single vulnerable class that we found in the Android platform, OpenSSLX509Certificate, was enough to take over the device using our attack technique,” added the firm.

“Developers take advantage of classes within the Android platform and SDKs. These classes provide functionality for apps – for example, accessing the network or the phone’s camera.

“The vulnerability we found can be exploited by malware through the communication channel that takes place between apps or services. As the information is broken down and put back together, malicious code is inserted into this stream, exploits the vulnerability at the other end and then owns the device.”

We are still waiting for a response from Google, a firm that is currently spinning off a kind of elite version of its business called Alphabet.

Typically, such as in the case of the Stagefright bug, the firm has been quick to fix and patch over problems. Google has also promised to release regular patches for its software, an intention shared by Samsung.

IBM said that people should always use the most up-to-date version of their OS of choice.




Share on FacebookPin on PinterestShare on StumbleUponTweet about this on TwitterShare on LinkedIn