This year has been particularly rich in critical bugs in key components of operating systems and popular applications. Many of them are still relevant, endangering millions of users of obsolete devices that have never received updates. In this article we look at the main vulnerabilities of the Android operating system and then describe how a user can detect them.
Each vulnerability opens a breach in security, giving the attacker the ability to bypass traditional protections. Digital signatures on applications, reputation models, a resident antivirus monitor: all of this is useless when an exploit is used. Take a look, for example, at the demonstration of the Stagefright vulnerability in use.
Mobile devices of all kinds have now become the main attack vector. Smartphones, tablets, phablets, Chromebooks and other gadgets are of interest to attackers for several reasons:
- most of the time they are connected to the Internet via Wi-Fi or the mobile operator's network;
- powerful multi-core hardware and permanent connectivity make them ideal platforms for Bitcoin mining, DDoS attacks and other activity as part of a botnet;
- users rarely part with them, so they collect the maximum possible amount of personal data;
- all collected data is stored in files of known types at known paths and is associated with a single account;
- to make full use of the gadget you have to register an account, and cracking that account gives access to the user's data in multiple services;
- a bank card is often tied to the account, and confirmation of all transactions with it arrives on the same (hacked) device.
The Central Bank of the Russian Federation estimates total losses from bank account fraud last year at 3.5 billion rubles. Most of the incidents involved Trojans for mobile operating systems, designed to steal payment data or simulate banking transactions on behalf of the user. According to Kaspersky Lab, in 2014 the number increased ninefold. Preliminary assessment of the results for 2015 shows continuing growth in the number of such incidents.
Most Trojans for mobile operating systems found in the wild are rather primitive. They are distributed through social engineering, masquerading as updates for antivirus software or popular programs, for example Flash Player. Infection by them occurs solely because of the incompetence of the users themselves. However, there is another class of malicious software that installs itself automatically. Using known holes or zero-day vulnerabilities, it covertly penetrates the system and takes control of it.
Each discovered vulnerability is recorded by the National Institute of Standards and Technology. While it is being studied, it receives its number in the MITRE database (CVE-*). After the patch is released, all the details about it become public. The problem is that many vulnerabilities that have been described in detail continue to be exploited after patches are released, simply because developers are unable to deliver the patches quickly to all devices at once. If a vulnerability is found in kernel components or in popular libraries, it affects several operating systems.
This problem is especially acute for Android, for which each manufacturer creates its own unique build, with a proprietary shell and stuffed with bundled applications. The hardware platform can also be anything in each case, which is why Google hurries to patch holes only in its own Nexus series of devices with "bare" Android. In total there are 138 vulnerabilities in the database.
According to IDC, Android's share in the second quarter of 2015 was 82.8%. It has been the most popular mobile OS since 2011, and is therefore attacked more often. The quick release of new versions and patch packages has improved the situation only slightly. According to Google's telemetry data, old versions continue to dominate for a long time after new firmware is presented.
Online monitoring by the AppBrain SDK shows that among developers of Android applications version 4.4 (KitKat) dominates, with a share of 41.2%. It was introduced two years ago, in October 2013. The combined share of the previous versions 4.1–4.3 (Jelly Bean) is a little less than a third. The more recent versions 5.0–5.1 (Lollipop) are installed on only a fifth of devices, and the newest, 6.0 (Marshmallow), is used by very few (0.2%).
At present, eight vulnerabilities can be singled out that continue to be actively exploited in attacks on Android:
- Heartbleed (CVE-2014-0160, OpenSSL). We have written about it at length in several articles;
- Stagefright (CVE-2015-1538, CVE-2015-1539, CVE-2015-3824, CVE-2015-3826, CVE-2015-3827, CVE-2015-3828 and CVE-2015-3829). This series of vulnerabilities in the multimedia engine has recently become even more urgent;
- Shellshock or Bashdoor (CVE-2014-6271). Bash, the shell and interpreter of CGI scripts, executes without any checks the commands embedded in a function definition. This issue was also discussed in detail earlier.
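The Shellshock behaviour described above leaves a recognisable trace on web servers, because CGI copies request headers into environment variables. The Python sketch below is an added example, not code from the original article: it scans access-log lines for header values that begin with a Bash function definition and reports whether anything follows the function body. The function names, the Combined Log Format assumption and the sample lines are constructed for illustration.

```python
import re

# Bash imports an environment value starting with "() {" as a function.
FUNC_DEF = re.compile(r"^\s*\(\s*\)\s*\{")

# Combined Log Format; assumes logged fields contain no escaped quotes.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample lines (documentation-range addresses, harmless payload).
SAMPLE_LOG = [
    '192.0.2.10 - - [12/Oct/2015:10:01:22 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Linux; Android 4.4.2)"',
    '198.51.100.7 - - [12/Oct/2015:10:02:03 +0000] "GET /cgi-bin/status HTTP/1.1" 200 31 "-" "() { :; }; echo probe"',
    '203.0.113.5 - - [12/Oct/2015:10:02:40 +0000] "GET /cgi-bin/status HTTP/1.1" 200 31 "() { ignored; }" "curl/7.40"',
    '192.0.2.44 - - [12/Oct/2015:10:03:11 +0000] "GET /a() HTTP/1.1" 404 0 "-" "Mozilla/5.0 (X11) fn() { }"',
]

def classify(value):
    """Return None, or how a function-definition-like value ends (quoting is ignored)."""
    m = FUNC_DEF.match(value)
    if not m:
        return None
    depth = 0
    for i in range(m.end() - 1, len(value)):  # start at the opening brace
        if value[i] == "{":
            depth += 1
        elif value[i] == "}":
            depth -= 1
            if depth == 0:
                # Text after the body is what an unpatched Bash would execute.
                tail = value[i + 1:].lstrip("; \t")
                return "trailing-commands" if tail else "definition-only"
    return "unterminated-definition"

def scan(lines):
    """List (line number, client, header field, verdict) for suspicious lines."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = LOG_LINE.match(line)
        for field in ("referer", "agent") if m else ():
            verdict = classify(m.group(field))
            if verdict:
                findings.append((n, m.group("ip"), field, verdict))
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A value that merely contains `() {` somewhere in the middle, as in the last sample line, is not flagged, because Bash only treats the value as a function when it starts with that marker.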
The following vulnerabilities mostly affect older devices (with Android 2.x), but in some cases can be used on newer firmware with Android 4.x.
- Serialization (CVE-2015-3825) – the OpenSSL X509 certificate class remains vulnerable;
- Futex / TowelRoot (CVE-2014-3153) – an error in the implementation of the semaphore and mutex subsystem;
- Keystore buffer (CVE-2014-3100) – a buffer overflow in the encode_key function in Android 4.3;
- Fake ID (Google bug 13678484) – incorrect verification of the application certificate chain in Android v.2.1 – 4.4;
- Master Key (CVE-2013-4787) – an error in the validation of APK components in Android versions below 4.2.1.
As tools for detecting vulnerabilities, we selected a few free applications from the official Google Play store. Each of them was tested on smartphones running different versions of Android. The results of our research and expert commentary can be found in the following article.