New security flaw found in Android

IBM researchers have discovered a new Android flaw that could give criminals control of over 55 per cent of Android devices.

Dubbed One Class to Rule Them All, this serialisation vulnerability could, according to those who discovered it, allow attackers to give a malicious app with no privileges the ability to become a "super app".

Or Peles, one of the team that found the bug, said: "Our team titled the paper 'One Class to Rule Them All' since the single vulnerable class that we found in the Android platform, OpenSSLX509Certificate, was enough to take over the device using our attack technique."

"Developers take advantage of classes within the Android platform and SDKs. These classes provide functionality for apps - for example, accessing the network or the phone's camera. The vulnerability we found can be exploited by malware through the communication channel that takes place between apps or services. As the information is broken down and put back together, malicious code is inserted into this stream, exploits the vulnerability at the other end and then owns the device," Peles added.

This means that a malicious actor could craft a seemingly harmless app, then use it to take control of any device it is installed on by exploiting the OpenSSLX509Certificate class. In the Proof of Concept (PoC) demonstration by Peles' team, this takes the form of exfiltrating data from and then overwriting the legitimate Facebook app.

The vulnerability, which has been assigned the identifier CVE-2015-3825, affects Android versions 4.3 Jelly Bean to 5.1 Lollipop, as well as the current preview of Android M (which you can read more about at our sister site, Alphr). Certain third-party SDKs are also affected.

Google has issued patches for Android 5, 5.1, 4.4 and M, according to Peles, as have "the relevant SDK vendors [and] code maintainers". However, it can take time for software updates to filter down to all Android handsets.

Peles' paper can be read in full here.

Jane McCallion
Deputy Editor
