Linux bug leaves 1.4 billion Android users vulnerable to hijacking attacks
Dan Goodin
An estimated 80 percent of Android phones contain a recently discovered vulnerability that allows attackers to terminate connections and, if the connections aren't encrypted, inject malicious code or content into the parties' communications, researchers from mobile security firm Lookout said Monday.
As Ars reported last Wednesday, the flaw first appeared in version 3.6 of the Linux operating system kernel, which was introduced in 2012. In a blog post published Monday, Lookout researchers said that the Linux flaw appears to have been introduced into Android version 4.4 (aka KitKat) and remains present in all future versions, including the latest developer preview of Android Nougat. That tally is based on the Android install base as reported by statistics provider Statista, and it would mean that about 1.4 billion Android devices, or about 80 percent of users, are vulnerable.
"The tl;dr is for Android users to ensure they are encrypting their communications by using VPNs, [or] ensuring the sites they go to are encrypted," Lookout researcher Andrew Blaich told Ars. "If there's somewhere they're going to that they don't want tracked, always ensure they're encrypted."
The vulnerability makes it possible for anyone with an Internet connection to determine whether any two parties are communicating over a long-lived Transmission Control Protocol (TCP) connection, such as those that serve Web mail, news feeds, or direct messages. In the event the connections aren't encrypted, attackers can then inject malicious code or content into the traffic. Even when the connection is encrypted, the attacker may still be able to determine that a channel exists and terminate it. The vulnerability is classified as CVE-2016-5696.
One of the more likely ways exploits might target Android users is to insert JavaScript into otherwise legitimate Internet traffic that isn't protected by the HTTPS cryptographic scheme. The JavaScript could display a message that falsely claims the user has been logged out of her account and instruct her to re-enter her user name and password. The login credentials would then be sent to the attacker. Similar injection attacks might also attempt to exploit unpatched vulnerabilities in the browser or e-mail or chat app the targeted Android user is using.
To make the attack work, the adversary must first spend about 10 seconds to test whether two specific parties—say a known Android user and USA Today—are connected. It then takes another 45 seconds or so to inject malicious content into their traffic. The time required probably makes it impractical to carry out opportunistic attacks that hit large numbers of people. Still, the technique appears well suited for targeted attacks, in which the adversary—say, a stalker or a nation-backed surveillance agency—is attempting to infect or spy on a specific individual, especially when the hacker knows some of the sites frequented by the target.
A Google representative said company engineers are already aware of the vulnerability and are "taking the appropriate actions." As noted in this post, the representative pointed out that the flaw resides within vulnerable versions of the Linux kernel and is not Android specific. The representative went on to say that the Android security team rates the risk "moderate," as opposed to "high" or "critical" for many of the vulnerabilities it patches. Maintainers of the Linux kernel have already patched CVE-2016-5696. It wouldn't be surprising if that fix is incorporated into a new Android release in the next month or so.
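Because the flaw lives in the Linux kernel rather than in Android itself, administrators of ordinary Linux hosts can check their own exposure while waiting for a patched kernel. The script below is an added example from the editor, not from the article or from Lookout; it assumes (from the editor's knowledge, not the page) that the rate limit CVE-2016-5696 exploits is exposed as the sysctl net.ipv4.tcp_challenge_ack_limit, that unpatched kernels shipped with a default of 100, and that raising it to a very large value is the common interim hardening.

```shell
#!/bin/sh
# Added example: inspect and harden the RFC 5961 challenge-ACK rate limit
# that CVE-2016-5696 uses as a side channel. Assumptions (editor's, not the
# article's): sysctl name, vulnerable default of 100, and 999999999 as the
# interim hardened value. A patched kernel randomizes the limit, so a value
# alone does not prove exposure; a host still at the old default should
# either raise it or confirm it runs a fixed kernel.
VULNERABLE_DEFAULT=100
HARDENED_MIN=999999999
SYSCTL_FILE=/proc/sys/net/ipv4/tcp_challenge_ack_limit

# classify_limit VALUE -> prints: default | raised | hardened | invalid
classify_limit() {
    case "$1" in
        ''|*[!0-9]*) echo invalid; return 0 ;;
    esac
    if [ "$1" -le "$VULNERABLE_DEFAULT" ]; then
        echo default          # unchanged pre-fix default: act on it
    elif [ "$1" -lt "$HARDENED_MIN" ]; then
        echo raised           # above default but below the interim target
    else
        echo hardened
    fi
}

# read_limit -> prints the live value, or "missing" if the kernel lacks the knob
read_limit() {
    if [ -r "$SYSCTL_FILE" ]; then cat "$SYSCTL_FILE"; else echo missing; fi
}

# harden_limit: persist the large value and apply it immediately (needs root)
harden_limit() {
    printf 'net.ipv4.tcp_challenge_ack_limit = %s\n' "$HARDENED_MIN" \
        > /etc/sysctl.d/90-challenge-ack.conf
    sysctl -w net.ipv4.tcp_challenge_ack_limit="$HARDENED_MIN"
}

main() {
    cur=$(read_limit)
    echo "tcp_challenge_ack_limit=$cur -> $(classify_limit "$cur")"
}

main
```

Run it as a normal user to report the current state; invoke `harden_limit` as root only on hosts that cannot yet move to a patched kernel.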
Post updated in the last paragraph to add comment from Google.