The Inquirer

Android vulnerability renders antivirus products ineffective

Vulnerable component needs to be replaced
Tue Oct 04 2011, 14:01

TWO SECURITY RESEARCHERS plan to disclose Android vulnerabilities that allegedly can be used to incapacitate all security measures on the mobile operating system.

Privateer Labs founders Riley Hassell and Shane Macaulay will disclose the flaws they discovered during a presentation at the Hack in the Box security conference in Kuala Lumpur next week.

"We will reveal previously undisclosed vulnerabilities in vendor apps installed on millions of US mobile phones and techniques to evade all available security solutions," the security researchers announced.

CNET reports that at least one of the issues affects a component used by most Android antivirus products and that the two researchers have been working with vendors to find a solution.

Hassell believes that there's a way for the affected security software to achieve the same functionality without relying on the vulnerable component. This is a very important aspect, given Android's market fragmentation and update inconsistency.

Even if Google were to address the vulnerability, it would have little impact on the problem because it would take months for a significant number of Android smartphones to end up running the patched version.

Under current circumstances, Android smartphones get only a few updates during their support lifetimes. After that, owners are pretty much stuck with handsets vulnerable to various attacks.

Device manufacturers are working with Google to resolve this situation, but since all of them use customized versions of Android, any update needs to be ported and tested on every supported device before being delivered to users.

If indeed this vulnerability affects most Android antivirus products, it might give mobile malware creators the means to run malicious code unhindered. And since the Android Market has been known to host malicious apps before, a serious attack is a real possibility. µ

Comments
Predictable outcome of close sourcing

This is a predictable outcome of close sourcing the Android framework. While they can "innovate" in peace, they are cutting out all of those who'd like to assist in making the environment work well on all platforms in all versions.

Once that is combined with the reluctance of carriers to field firmware upgrades (as many/all insist on validating each upgrade), issues become amplified.

I wish Google would open source Android again, and more importantly, provide an architecture that gives users low-level rights if they so desire, and frequent upgrade opportunities independent of the device vendor or carrier. This would enable end users to manage their devices if they so choose, and get the community into the loop figuring out problems before they are found in handsets and tablets worldwide.

posted by : aki009, 04 October 2011

Google's future

With all of last week's Trojans that were in the news, things do not look good on Google's behalf, in fact so much so that they have seen a slump in their share price. http://latesthackingnews.com

posted by : WIll, 04 October 2011