Over 55% of all Androids at risk of high severity vulnerability

Here we go again…

We’ve only just got over the news of the Stagefright vulnerability, which allows attackers to infect Android devices with just a maliciously-crafted MMS message, and the shocking (and welcome) news that Google and other leading manufacturers will be releasing regular security updates for millions of smartphones from now on.

Now IBM security researchers have warned of another serious vulnerability that impacts over 55% of all Androids.

The vulnerability, which has been dubbed CVE-2015-3825, affects Android versions 4.3 to 5.1, as well as the current Android M preview build, and could be exploited by malware.


“In a nutshell, advanced attackers could exploit this arbitrary code execution vulnerability to give a malicious app with no privileges the ability to become a ‘super app’ and help the cybercriminals own the device.”

In a YouTube video, the researchers demonstrate a proof-of-concept attack showing how an attacker could steal sensitive data. A malicious app, with no apparent special privileges, is able to overwrite an existing app (Facebook in the demonstration) with a fake version (Fakebook) that could steal users’ data.

The researchers informed Google’s security team of the Android vulnerability some months ago, and IBM’s blog post says that Google has issued patches for Android 5.1, Android 5.0, Android 4.4 and Android M.

Of course, whether these patches have actually made it into the Android device in your hand is a whole different matter… :(

“We encourage Google to continue its efforts toward decoupling the vendors’ dependent code from the rest of the system so patches will be available much faster,” writes researcher Or Peles.

And so say all of us.

The good news is that, so far, there is no indication that the vulnerability has been exploited in the wild.

The method of bypassing Google Play’s security controls, however, does bear comparison with BeNews, an Android app that to all intents and purposes looked like it was designed to give you the latest news about bees and beekeeping.

In truth, BeNews had been written by controversial spyware firm Hacking Team to infect targets and spy upon communications.

More details of the vulnerability are being shared at the USENIX Workshop on Offensive Technologies (WOOT ’15) currently being held in Washington, D.C. You can check out researcher Or Peles’s technical paper here.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "The AI Fix" and "Smashing Security" podcasts. Follow him on Bluesky, Mastodon, and Threads, or drop him an email.

4 comments on “Over 55% of all Androids at risk of high severity vulnerability”

  1. Chris Thomas

    Makes my hardened Windows XP systems with Outpost Firewall Pro 9.1, Firefox with NoScript, AVG Antivirus, EMET and Malwarebytes Anti-Exploit look rock solid by comparison. I only use my Android to watch YouTube and iPlayer. Online banking on a tablet? Hear my uncontrollable mirth.

    I know that Windows is vulnerable and that makes me circumspect.

    1. Techno · in reply to Chris Thomas

      Presumably you have some essential software that only works on XP, and that software must also be connected to the internet. Otherwise, surely it would be easier to upgrade to a more recent operating system, or disconnect the computer from the internet to isolate it, as no doubt you are aware that Microsoft doesn't provide security updates for XP anymore.

      EMET isn't completely effective on XP machines.

  2. Spryte

    Any word about providers and manufacturers actually pushing these fixes to their devices?

  3. Andy Lee Robinson

    If you want to virtually guarantee security with internet banking, just boot the latest Fedora Live USB stick.
    Mobile internet banking? Not a chance!
    I still have no idea how to update my S3 as update options seem to be disabled, so I don't do anything sensitive with it.
