UPDATED 13:14 EDT / AUGUST 10 2015

NEWS

IBM discovers another critical Android flaw that lets hackers replace real apps with malware

IBM Corp. has not waited for the shock from the recent discovery of a vulnerability affecting 95 percent of Android phones to wear off before dropping another security bombshell that is bound to raise even more alarm over the safety of the world’s most popular mobile platform. Its researchers have discovered a second exploit deep within the operating system that holds the same potential for harm.

The flaw, known by its technical designation of CVE-2015-3825, shares the passive susceptibility to attack that makes Stagefright- as its fellow bug is known – so dangerous. The main difference is that the mode of exploitation is not a text message but rather a piece of malicious code disguised as a legitimate application. It’s a tried-and-tested approach with one important twist.

Malware developed to exploit the vulnerability, of which it’s worth noting that IBM haven’t seen any examples beyond its proof-of-concept yet, wouldn’t execute an attack on its own but rather subvert other apps on the victim’s device through the internal communications mechanism in Android. Its friendly facade would act to hide the malicious process sending out infected messages in the background.

That means that the user not only doesn’t need to provide any special permission for the app to spread its malicious payload but likely won’t notice anything out the ordinary either if the hacker covers their tracks well enough. The targeted app receives a file with objects  of the vulnerable OpenSSLX509Certificate class that loosen the access restrictions on the memory space where its bits are stored to allow for override.

That enables the hacker to replace a legitimate application with a lookalike designed to trick the user into willingly giving away their personal data. IBM’s researchers showed how the vulnerability can be used to create a replica of the official Facebook app to steal social networking login credentials in their presentation, pointing out that the clone can also access whatever unencrypted local information has been available to real client it replaced.

It’s severe flaw that affects many applications on versions 4.3 and above of Android, but there are some good news: IBM notified Google’s security team of the flaw well in advance of its presentation and a patch has since been issued. That means users are out of the woods, assuming they’ve been updating their devices that is, something that organizations will no doubt double-check with their employees in the wake of the past week’s security discoveries.

Photo via andrekheren

A message from John Furrier, co-founder of SiliconANGLE:

Your vote of support is important to us and it helps us keep the content FREE.

One click below supports our mission to provide free, deep, and relevant content.  

Join our community on YouTube

Join the community that includes more than 15,000 #CubeAlumni experts, including Amazon.com CEO Andy Jassy, Dell Technologies founder and CEO Michael Dell, Intel CEO Pat Gelsinger, and many more luminaries and experts.

“TheCUBE is an important partner to the industry. You guys really are a part of our events and we really appreciate you coming and I know people appreciate the content you create as well” – Andy Jassy

THANK YOU