Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

Android and the enterprise 2016 - old versions remain a big security risk

John E Dunn | Jan. 22, 2016
An analysis of around one million enterprise and business users in the US by security firm Duo Security has found that a staggering third of Google devices from its customer base of several thousand are still running versions 4.0 or below, which means they haven't been updated for several years.

Certifigate - 2015

Discovered by Check Point, this is a flaw in two mobile Remote Support Tool plug-ins used by many handset makers, including Samsung, LG, HTC, Huawei and ZTE running Android versions up to 5.1. Attackers could exploit it by sneaking a bogus app onto a phone which exploits the flaw in a way that elevates the attacker's permissions. From that point on, the attacker would have complete remote control over the smartphone. The products affected are Rsupport, CommuniTake Remote Care and TeamViewer.

Although harder to exploit than 'Stagefright' (see above) still difficult to fix because the flaw exists in an element added to smartphones by handset makers or carriers rather than Google. It will require them to act and that will take time - possibly a long time in some cases.

Android Installer Hijacking - 2015

Affecting older smartphones only - that was still around half of all Android smartphones at the time of its discovery - this offered a novel way of attackers to replace one installer (or APK file) with another one when using third-party app stores, in effect letting a malicious app replace a legitimate one without the user realising it. Discovered by Palo Alto Networks.

FakeID Flaw - 2014

Discovered by small security firm Bluebox Security, this offers a way for a malicious app to hijack the trusted status of a legitimate app through (by forging its digital certificate), effectively escaping any sandboxing security on the device. This was an alarmingly simple flaw in its execution, affecting every Android handset from 2.1 to 4.3.

TowelRoot - 2014

An unusual kernel-level flaw affecting something called the futex subsystem, the flaw vulnerability was originally discovered and disclosed by a white hat called Pinkie Pie. However, not long after it was incorporated into a tool designed to root Android 4.4 called TowelRoot (from noted hacker George Hotz), which effectively functioned as a benign proof-of-concept exploit.


Previous Page  1  2  3 

Sign up for CIO Asia eNewsletters.