IBM among firms adding hacks to growing Android epidemic

Ray Walsh

August 11, 2015

Recently, it feels like Android devices are always in the news because some new flaw has been discovered. No one can deny that smartphones are convenient and packed with features. Apps can do a multitude of things to help our day run smoothly, but at the same time they build up a treasure trove of personal information that is incredibly tempting to hackers. Now, because of the speed with which mobile operating systems were designed, developers have to struggle with the repercussions.

‘When there is a big boom, people take a lot of shortcuts, when you take shortcuts you build up a lot of technical debt,’ said Joshua Drake, head of cyber security firm Zimperium.

The story at last week’s Black Hat cybersecurity conference in Las Vegas was no different, with a number of hacks for Android being brought to the table. One flaw discussed uses a pre-installed tool, designed to allow tech support remote access for maintenance, to hack and take over the device.  

The flaw was discovered by a cyber defense firm from Tel Aviv called Check Point Software Technologies. Its representative, Avi Bashan, said that over the last three years the business had seen a tremendous rise in vulnerabilities being exploited both on Android and Apple OS phones:

‘Mobile devices are taking a bigger place in businesses and in our lives. As more people use them for more things, attackers gain interest.’

The hack is orchestrated by fooling device owners into installing a piece of software that fuses to the maintenance tool and gives the hacker full access to the phone. According to Ohad Bobrov, Check Point’s head of threat prevention, ‘it affects every version of Android’ and can be carried out by sending a text message to a smartphone – that doesn’t even need to be opened.

‘I need your phone number and that is it,’ Bobrov warned the community at the Black Hat conference.

Unfortunately, this is not the only hack that can be carried out in that way. Joshua Drake, head of Zimperium, also made a presentation at the conference to discuss the problem. He warned of a vulnerability in Stagefright (Android’s native media playback engine), which is designed to auto-load video snippets in texts so that the recipient won’t have to wait later. Thanks to Stagefright, hackers can hide malicious code in video files which the phone then processes without the multimedia message ever having to be opened.

With around 1 billion Android devices currently in circulation, you can be thankful that Zimperium found the bug, and that some device makers (Google, Samsung, and LG) are now issuing monthly updates to deal with the problem. Anybody worried about the flaw is advised to get the Zimperium-designed Stagefright Detector App, which does six checks for the bug. If the app reveals that you are at risk, disable multimedia messaging at once and seek advice from your service provider. Consumers are also advised to be careful opening unsolicited texts from unknown sources.

Sadly, the story doesn’t end there. IBM’s X-Force Application Security Research Team has also found a problem that affects more than 55% of Android devices. According to X-Force’s blog, the vulnerability can be used to extend privileges and install code. This allows hackers to take over and access personal data:

“In a nutshell, advanced hackers could exploit this arbitrary code execution vulnerability to give a malicious app, with no privileges, the ability to become a super app and help the hackers own the device.”

IBM presented a paper on the flaw, which affects Android versions Jelly Bean, KitKat, and Lollipop, at the USENIX WOOT ’15 in Washington last Friday. The paper describes the flaw in detail but does not disclose the code to carry it out. Publishing such code is a trend that has been putting many hacks in the hands of criminals, and one that IBM sought to avoid. IBM researcher Or Peles commented:

‘What our team found has not been seen in the wild yet but shows that with the right focus and tools, malicious apps have the ability to bypass even the most security-conscious users.’

The vulnerability in question is found in the OpenSSLX509Certificate of Android devices, and IBM researchers used ADB shell commands to replace real apps with fake ones that can steal user data (in the paper researchers used the Facebook app).

As is always the case with flaws found in computer products, the downside has a silver lining. A patch has been issued to allow service providers to release a fix for the bug. When that fix is sent out to Android users is down to individual service providers, but with any luck the threat will have been stamped out soon.

The same is true of other vulnerabilities. As cyber security firms discover flaws, Android developers can improve defenses, leading to safer platforms. For that reason some bad news is good for everyone, and although an element of caution is always advised when using mobile devices, the good thing is that we have an extensive, worldwide workforce of ‘white hat’ hackers whose job it is to discover problems like the ones that Android appears to be riddled with.
