Over 55% of all Androids at risk of high severity vulnerability

Fake Facebook app Here we go again…

We’ve only just got over the news of the Stagefright vulnerability, that allows attackers to infect Android devices with just a maliciously-crafted MMS message and the shocking (and welcome) news that Google and other leading manufacturers will be releasing regular security updates for millions of smartphones from now on.

Now IBM security researchers have warned of another serious vulnerability that impacts over 55% of all Androids.

The vulnerability, which has been dubbed CVE-2015-3825, affects Android versions 4.3 to 5.1, as well as the current Android M preview build, and could be exploited by malware.

Sign up to our free newsletter.
Security news, advice, and tips.

“In a nutshell, advanced attackers could exploit this arbitrary code execution vulnerability to give a malicious app with no privileges the ability to become a “super app” and help the cybercriminals own the device.”

In a YouTube video, the researchers demonstrate a proof-of-concept attack demonstrating how an attacker could steal sensitive data. A malicious app, with no apparent special privileges, is able to overwrite an existing app (Facebook in the demonstration) with a fake version (Fakebook) that could steal users’ data.

The researchers informed Google’s security team of the Android vulnerability some months ago, and IBM’s blog post says that Google has issued patches for Android 5.1, Android 5.0, Android 4.4 and Android M.

Of course, whether these patches have actually made it into the Android device in your hand is a whole different matter… :(

“We encourage Google to continue its efforts toward decoupling the vendors’ dependent code from the rest of the system so patches will be available much faster,” writes researcher Or Peles.

And so say all of us.

The good news is that, so far, there is no indication that the vulnerability has been exploited in the wild.

BeNews The method of bypassing Google Play’s security controls, however, does bear comparison with BeNews, an Android app that to all intents and purposes looked like it was designed to give you the latest news about bees and beekeeping.

In truth, BeNews had been written by controversial spyware firm Hacking Team to infect targets and spy upon communications.

More details of the vulnerability are being shared at the USENIX Workshop on Offensive Technologies (WOOT ’15) currently being held in Washington, D.C. You can check out researcher Or Peles’s technical paper here.

Found this article interesting? Follow Graham Cluley on Twitter or Mastodon to read more of the exclusive content we post.

Graham Cluley is a veteran of the cybersecurity industry, having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent analyst, he regularly makes media appearances and is an international public speaker on the topic of cybersecurity, hackers, and online privacy. Follow him on Twitter, Mastodon, Bluesky, or drop him an email.

4 comments on “Over 55% of all Androids at risk of high severity vulnerability”

  1. Chris Thomas

    Makes my hardened Windows XP systems with Outpost Firewall Pro 9.1, Firefox with NoScript, AVG Antivirus, EMET and Malwarebytes Anti-Exploit look rock solid by comparison. I only use my Android to watch YouTube and iPlayer. Online banking on a tablet? Hear my uncontrollable mirth.

    I know that Windows is vulnerable and that makes me circumspect.

    1. Techno · in reply to Chris Thomas

      Presumably you have some essential software that only works on XP, and that software must also be connected to the internet. Otherwise, surely it would be easier to upgrade to a more recent operating system, or disconnect the computer from the internet to isolate it, as no doubt you are aware that Microsoft doesn't provide security updates for XP anymore.

      EMET isn't completely effective on XP machines.

  2. Spryte

    Any word about providers and manufacturers actually pushing these fixes to their devices?

  3. Andy Lee Robinson

    If you want to virtually guarantee security with internet banking, just boot the latest Fedora Live USB stick.
    Mobile internet banking? Not a chance!
    I still have no idea how to update my S3 as update options seem to be disabled, so I don't do anything sensitive with it.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.