I wish this weren’t so. I really do. But since I wrote my post “Android is broken. How cautious should firms be with BYOD?” yet another critical vulnerability has been disclosed, tracked as CVE-2015-3825 and affecting roughly 55% of Android devices in circulation. By abusing a flaw in how the Android system deserializes the OpenSSLX509Certificate class, an innocuous-looking app can escalate itself to system-level privileges and gain control of the whole device. From there an attacker can do pretty much anything: complete data theft, snooping on the user, and remote control of the device.
It works like this. The attacker puts together an innocuous-looking app which, when installed, requests no permissions at all, lulling the downloader into a false sense of security.
Once installed, the app hands a crafted serialized OpenSSLX509Certificate object to a privileged system process. When that process deserializes it, the object carries attacker-chosen memory values, and the resulting memory corruption lets the app escalate its privileges. The attacker can then replace a legitimate app already on the device with a malicious look-alike and begin harvesting data once the device is rebooted.
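To make the mechanism concrete, here is an added illustration of the pattern behind this class of bug; it is not code from the post, from Android, or from the Conscrypt/OpenSSL wrapper itself. A Serializable class holds a pointer to native memory and releases that pointer in finalize(), so whoever controls the serialized bytes controls which address a privileged process later frees. The class and method names are hypothetical, the native side is replaced by a registry of known-good handles (a real free() on an arbitrary address would corrupt memory rather than log a line), and finalize() is replaced by an explicit call so the run is deterministic. The hardened variant marks the pointer transient so it never travels in the byte stream.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.lang.reflect.Field;
import java.util.ArrayList;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

public class FinalizerDeserializationDemo {

    // Constructed stand-in for the native heap: the set of handles that were
    // actually allocated. Freeing anything else is flagged instead of crashing.
    static final Set<Long> LIVE_HANDLES = new HashSet<>();
    static final List<String> LOG = new ArrayList<>();

    static long nativeAlloc() {
        long handle = 0x7f000000L + LIVE_HANDLES.size() * 0x40L;
        LIVE_HANDLES.add(handle);
        return handle;
    }

    static void nativeFree(long handle) {
        if (LIVE_HANDLES.remove(handle)) {
            LOG.add("freed legitimate handle 0x" + Long.toHexString(handle));
        } else {
            LOG.add("DANGER: free() of attacker-chosen pointer 0x" + Long.toHexString(handle));
        }
    }

    // Vulnerable pattern (hypothetical name): the native pointer is part of the
    // serialized state and is released when the object is finalized.
    static class VulnerableCertWrapper implements Serializable {
        private static final long serialVersionUID = 1L;
        private final long mContext;

        VulnerableCertWrapper() { mContext = nativeAlloc(); }

        // Stands in for finalize(); called explicitly so the demo is deterministic.
        void releaseNative() { nativeFree(mContext); }
    }

    // Hardened pattern: the pointer is transient, so it is never written to the
    // stream, and readObject() leaves the object with no native state to free.
    static class HardenedCertWrapper implements Serializable {
        private static final long serialVersionUID = 1L;
        private transient long mContext;

        HardenedCertWrapper() { mContext = nativeAlloc(); }

        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            mContext = 0; // native state must be rebuilt from the DER bytes, not trusted from the stream
        }

        void releaseNative() {
            if (mContext != 0) nativeFree(mContext);
        }
    }

    // Attacker side: build the object in a process the attacker controls, plant an
    // arbitrary pointer value via reflection, and serialize it.
    static byte[] craftPayload(Object obj, String fieldName, long fakePointer) throws Exception {
        Field f = obj.getClass().getDeclaredField(fieldName);
        f.setAccessible(true);
        f.setLong(obj, fakePointer);
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(obj);
        }
        return bos.toByteArray();
    }

    // Victim side: a privileged process deserializing bytes it did not produce.
    static Object deserialize(byte[] bytes) throws Exception {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        long fakePointer = 0x4141414141414141L;

        VulnerableCertWrapper v = (VulnerableCertWrapper) deserialize(
                craftPayload(new VulnerableCertWrapper(), "mContext", fakePointer));
        v.releaseNative(); // logs DANGER: the pointer came straight from the stream

        HardenedCertWrapper h = (HardenedCertWrapper) deserialize(
                craftPayload(new HardenedCertWrapper(), "mContext", fakePointer));
        h.releaseNative(); // logs nothing: the transient field was never serialized

        for (String line : LOG) System.out.println(line);
    }
}
```

The point of the comparison is that the privileged process never calls anything unusual; plain readObject() followed by normal object teardown is enough. Marking native handles transient (and rebuilding them from validated input in readObject) is the check to look for when auditing any Serializable wrapper around native memory.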
As I pondered aloud in my previous post, enterprises really need to sit up and take stock of the situation. There is always the easy route of stifling device support citing security reasons. As a technologist and a white hat hacker, however, I beg to ask a different question: can we not leverage the openness of the Android system in our favor and engineer solutions that are capable of detecting device intrusion and effectively self-destructing? I am out on a limb here and I accept openly that I am not a mobile device expert, but I am a technologist, I love playing with bits and bytes, and if my geeky contraptions have told me anything in the past few years it is that the technology in today’s Mission Impossible or James Bond is tomorrow’s reality. Maybe we should change our attack vector on this. Perhaps instead of taking a cautious approach the better answer would be to openly declare war on this “problem” and devise a solution that can harness machine learning to identify potential hack attempts on the device and effectively put itself into lockdown.
Alright, someone come and wake me up. I think I have dreamt enough for one day.