The Number of Android Vulnerabilities Will Continue to Rise in 2016
2015 was quite a year for mobile security. The number of known threats and Android vulnerabilities jumped by more than 30%, and the world learned that even the mighty iPhone could be hacked. 2016 will be even more active, and most industry analysts believe hackers will be targeting Android devices more than any other device or computer class.
The spotlight on Android vulnerabilities reminds me of what the famous American bank robber Willie Sutton said when asked why he robs banks. His answer? “Because that’s where the money is…” So it goes with Android security. It is targeted by hackers because “that’s where the vulnerabilities are…”
In the past week alone, security researchers at different companies have found 2 MAJOR zero-day vulnerabilities in Android. One is an update of the Android.Bankosy financial Trojan, which lets malware steal passwords from voice call-based two-factor authentication.
Writes Symantec: “Once installed, the malware opens a backdoor that enables unconditional call forwarding and silent mode on the device so the victim is not alerted during incoming calls. Once this is set, the attacker — who has already stolen the victim’s credentials (the first factor in two-factor authentication) — can steal authorisation tokens from voice calls and initiate a fraudulent financial transaction.”
Wow. So much for the power of 2-Factor authentication.
The second major Android security issue became known 5 days ago thanks to the work of the security firm Perception Point. This is a Linux kernel weakness, and Android is built upon the Linux kernel. At risk are nearly 70 million Android devices around the world. According to Perception Point, the vulnerability was introduced in kernel version 3.8, which was released in Feb. 2013. This weakness allows malware that can be injected by a website to gain root access to the device. Once the malware has root access, it can control every part of the device.
2016 will be a tough year for Android. As more and more devices implement SELinux, expect to see more and more Android kernel vulnerabilities in 2016. And be wary: even when updates and patches are created, they often don’t make their way to the affected device. Additionally, Google is dropping support for Android versions below 4.4. About 35% of existing Android devices run versions older than 4.4.
No wonder CIOs, CISOs, and CTOs are worried about the ‘bring your own device’ to work reality we all now live in. The threat isn’t limited to Android devices, though.
Remember the ‘AirDrop’ vulnerability of 2015? This was an iOS vulnerability that made it possible for a hacker to send and install malware on any device within range, even if the user tried to block the file by changing his/her AirDrop settings on iOS. Expect to see more and more jailbreaks and iOS kernel exploits in iOS 9.2 and 9.3, coming in 2016.