Linux bug leaves 1.4 billion Android users vulnerable to hijacking attacks

Dan Goodin
Ron Amadeo
An estimated 80 percent of Android phones contain a recently discovered vulnerability that allows attackers to terminate connections and, if the connections aren't encrypted, inject malicious code or content into the parties' communications, researchers from mobile security firm Lookout said Monday.
As Ars reported last Wednesday, the flaw first appeared in version 3.6 of the Linux operating system kernel, which was introduced in 2012. In a blog post published Monday, Lookout researchers said that the Linux flaw appears to have been introduced into Android version 4.4 (aka KitKat) and remains present in all future versions, including the latest developer preview of Android Nougat. That tally is based on the Android install base as reported by statistics provider Statista, and it would mean that about 1.4 billion Android devices, or about 80 percent of users, are vulnerable.
"The tl;dr is for Android users to ensure they are encrypting their communications by using VPNs, [or] ensuring the sites they go to are encrypted," Lookout researcher Andrew Blaich told Ars. "If there's somewhere they're going to that they don't want tracked, always ensure they're encrypted."
The vulnerability makes it possible for anyone with an Internet connection to determine whether any two parties are communicating over a long-lived transport control protocol connection, such as those that serve Web mail, news feeds, or direct messages. In the event the connections aren't encrypted, attackers can then inject malicious code or content into the traffic. Even when the connection is encrypted, the attacker may still be able to determine a channel exists and terminate it. The vulnerability is classified as CVE-2016-5696.
One of the more likely ways exploits might target Android users is for them to insert JavaScript into otherwise legitimate Internet traffic that isn't protected by the HTTPS cryptographic scheme. The JavaScript could display a message that falsely claims the user has been logged out of her account and instruct her to re-enter her user name and password. The login credentials would then be sent to the attacker. Similar injection attacks might also attempt to exploit unpatched vulnerabilities in the browser or e-mail or chat app the targeted Android user is using.
To make the attack work, the adversary must first spend about 10 seconds to test whether two specific parties—say a known Android user and USA Today—are connected. It then takes another 45 seconds or so to inject malicious content into their traffic. The time required probably makes it impractical to carry out opportunistic attacks that hit large numbers of people. Still, the technique appears well suited for targeted attacks, in which the adversary—say, a stalker or a nation-backed surveillance agency—is attempting to infect or spy on a specific individual, especially when the hacker knows some of the sites frequented by the target.
A Google representative said company engineers are are already aware of the vulnerability and are "taking the appropriate actions. As noted in this post, the representative pointed out the flaw resides within vulnerable versions of the Linux kernel and it's not Android specific. The representative went on to say that the Android security team rates the risk "moderate," as opposed to "high" or "critical" for many of the vulnerabilities it patches. Maintainers of the Linux kernel have already patched CVE-2016-5696. It wouldn't be surprising if that fix is incorporated into a new Android release in the next month or so.
Post updated in the last paragraph to add comment from Google.

Comments