Certifigate - 2015
Discovered by Check Point, this is a flaw in two mobile Remote Support Tool plug-ins used by many handset makers, including Samsung, LG, HTC, Huawei and ZTE, on devices running Android versions up to 5.1. Attackers could exploit it by sneaking a bogus app onto a phone, which then uses the flaw to elevate the attacker's permissions. From that point on, the attacker would have complete remote control over the smartphone. The products affected are Rsupport, CommuniTake Remote Care and TeamViewer.
Although harder to exploit than 'Stagefright' (see above), it is still difficult to fix because the flaw exists in an element added to smartphones by handset makers or carriers rather than by Google. They will have to act, and that will take time - possibly a long time in some cases.
Android Installer Hijacking - 2015
Affecting older smartphones only - that was still around half of all Android smartphones at the time of its discovery - this offered a novel way for attackers to replace one installer (or APK file) with another when using third-party app stores, in effect letting a malicious app replace a legitimate one without the user realising it. Discovered by Palo Alto Networks.
FakeID Flaw - 2014
Discovered by small security firm Bluebox Security, this offers a way for a malicious app to hijack the trusted status of a legitimate app by forging its digital certificate, effectively escaping any sandboxing security on the device. This was an alarmingly simple flaw in its execution, affecting every Android handset from 2.1 to 4.3.
TowelRoot - 2014
An unusual kernel-level flaw affecting something called the futex subsystem, this vulnerability was originally discovered and disclosed by a white hat called Pinkie Pie. However, not long afterwards it was incorporated into a tool designed to root Android 4.4 called TowelRoot (from noted hacker George Hotz), which effectively functioned as a benign proof-of-concept exploit.