Despite great efforts to prevent broken hearts and to enhance mobile security, there’ll always be the one that gets away. It’s not uncommon for us to overlook things small in size; we rationalize this by assuring ourselves that no substantial harm can come from things so tiny. But with mobile security it’s the little guys you should look out for. One tiny bug has the capacity to wreak havoc on millions of users -- don’t be one of them.
Recently, researchers from the mobile security firm Lookout confirmed that “an estimated 80 percent of Android phones contain a recently discovered vulnerability that allows attackers to terminate connections and, if the connections aren't encrypted, inject malicious code or content into the parties' communications.” The statement itself might be new, but many have already suspected a flaw in version 3.6 of Linux, dating as far back as 2012. It’s thought that the flaw itself was introduced into Android version 4.4 (aka KitKat) and is still present today, including in the latest developer preview, Android Nougat.
As numerically backed up by the Android install base and quoted by statistic provider Statista, over 1.4 billion Android devices (about 80 percent of users) are currently vulnerable. What Android users can do is to ensure that their communications are encrypted by using VPNs (virtual private networks) or by making sure that whatever sites they visit are encrypted. Encryption allows you to travel without being tracked; if the predator can’t see you, you’re no longer a target.
If you’re vulnerable, you welcome anyone with an Internet connection to determine whether or not two parties have been communicating via a long-lived transport protocol connection. This includes Webmail, news feeds as well as direct messages. Unencrypted connections allow attackers to utilize malicious code or inject content into the traffic. This doesn’t mean that encrypted connections are safe; attackers are still be able to determine and terminate the existence of channels as well. This vulnerability has been dubbed as CVE-2016-5696.
To initiate the attack, the attacker must spend about 10 seconds to establish whether two specific parties are connected, then another 45 seconds to flood their traffic with malicious content. Because it takes a certain amount of time for the attack to fully commence, these attacks aren’t suited for opportunistic attacks that affect more than one individual. Instead, this technique is ideal for the infection or surveillance of one specific target, especially if the hacker knows some of the sites the target frequently visits.
We can breathe a sigh of relief with a Google representative’s statement that company engineers are aware of the situation and are “taking appropriate actions.” He also noted that among the various vulnerabilities on Google’s patches, the Android security team has officially rated the risk as “moderate” as opposed to “high” or “critical.” Maintainers of the Linux kernel have successfully patched CVE-2016-5696. They are working toward incorporating a fix into a new Android release in the coming months.
Matters of security should never be taken lightly, especially when it comes to your personal device. For more information on this sensitive and intricate matter, please feel free to contact us anytime. We are more than happy to answer your questions. The more you know, the better.