A PAIR OF SECURITY RESEARCHERS plan to demonstrate how two unpatched Android vulnerabilities can be exploited to gain root access on the device and bypass application permission prompts.
Android malware has taken off this year. According to a recent report from security vendor Lookout, Android users are two and a half times more likely to encounter malware now than they were six months ago.
There are already Android trojans in the wild that incorporate known root exploits, and the vulnerabilities that security researchers John Oberheide and Zach Lanier plan to present at the Source conference in Barcelona this November could expose new possibilities for mobile malware developers.
According to Oberheide, one of flaws is located in the Android kernel and allows an unprivileged application to gain root access. This can easily be exploited by trojans to download and install additional malware without requiring any user interaction.
The second vulnerability is also interesting for cybercriminals because it can simplify the distribution of malware. At the moment, the primary method of distributing Android trojans is to package them together with legitimate applications.
These trojanized apps are fairly easy to spot by security-aware users because they request extensive permissions at installation that are marked as potentially dangerous. However, the vulnerability discovered by Oberheide and his partner allows attackers to suppress and bypass permission prompts, leaving little to no indication of a security threat.
The two vulnerabilities have the potential of making Android trojans much more powerful and, unfortunately, there's no patch in sight. Google has known about these flaws for more than a month and still hasn't patched them, but even if it does, manufacturers and carriers are so slow at pushing out updates that over 90 per cent of Android devices will remain vulnerable for months to come.
According to Pavel Luka, CTO at security firm ESET, which is preparing to release an Android antivirus product soon, the responsibility for securing Android devices ultimately falls to users themselves.
Of course, ideally everyone in the distribution chain, from Google to device manufacturers, carriers and even applications developers should play a role in securing the operating system, but it's Android's openness that makes it more vulnerable than other mobile operating systems like IOS, and that's not going to change anytime soon.
"The platform is closed, the distribution of applications is centralized, so we're not seeing very much malware for iOS," the ESET CTO says. "But, you know, some people don't like it and they find Android very appealing because it offers more opportunities," he adds.
Luka believes that every user should take several security measures, including running an up-to-date antivirus product and paying attention to what they install. "I think the combination of both approaches is probably the best. User education is very important," he told The INQUIRER.
Even though trojanized apps currently represent the main security concern for Android users, other types of threats like drive-by downloads could become a widespread problem in the future. "Most applications are actually exploitable, so chances are vulnerabilities will be found in the system and some attacks will be executed around these," Luka says, and he warns that social engineering or targeted threats shouldn't be neglected either.
One thing's clear, however. Android's malware problem is only going to get worse. That's why antivirus vendors are rushing to get a head start, many of them already releasing both free and commercial solutions for the operating system.
ESET's upcoming Android antivirus software product will be a commercial product for now, but there are many free choices out there that are available from companies like AVG, Bitdefender, Symantec, Lookout and others. µ