6 Emerging Android Threats
A peek at some of the Android vulnerabilities and malware that will be revealed at Black Hat USA next month.
Researchers predict that 2 million new strains of Android malware will emerge this year alone, and that Android malware is becoming more sophisticated and is increasingly developed for financially motivated attackers. Globally, Android phones have a far higher market share than other smartphone platforms (78 percent, versus 18.3 percent for iOS, according to IDC).
So it's no surprise that Android vulnerabilities will be hot topics at the Black Hat Briefings in Las Vegas next month.
Adrian Ludwig of Google will give the general rundown in the "Android Security State of the Union," but other researchers will dig into the details of some new Android threats. Here's a peek at six of them.
Okay, there's plenty of debate about whether or not rooting your own smartphone makes it more vulnerable. Nobody could argue, though, that it would be bad news if attackers could exploit a vulnerability that lets them obtain root access to your phone.
So let's hope attackers don't remotely exploit the hole Wen Xu, intern researcher at KEEN Team (a.k.a. K33n Team), will reveal at Black Hat, because it will make the job easier. Not only will the vulnerability the team discovered allow rooting of any device running Android version 4.3 or newer (about 30.3 percent of the global mobile/tablet operating system market share), but KEEN Team also believes it is the first to root 64-bit Android devices.
In the session "Ah! Universal Android Rooting is Back," Xu will show how to root devices by taking advantage of a kernel use-after-free bug that lies in all versions of the Linux kernel.
Stagefright is a multimedia playback engine that runs at the native level of Android. It's a relatively small area of code...that is leaving 95 percent of Android devices critically exposed.
So says Joshua Drake, senior director of platform research and exploitation at Zimperium Enterprise Mobile Security and lead author of the Android Hacker's Handbook, who drilled into the multimedia engine. In his Black Hat session, "Stagefright: Scary Code in the Heart of Android," Drake will describe all the implementation issues he found in Stagefright and how they can be exploited to commit a variety of attacks, including denials of service and remote code execution.
It's bad enough when attackers obtain legitimate passwords -- so what about when they get their hands on fingerprint images? (It's almost like machines looking and feeling human.)
Unfortunately, that's precisely what FireEye researchers Yulong Zhang and Tao Wei will demonstrate in their session "Fingerprints on Mobile Devices: Abusing and Leaking."
The researchers have found severe issues with Android's current fingerprint scanning framework. They will demonstrate an attack that hijacks a mobile payment authorization process protected by fingerprint authentication. And they will show a fingerprint sensor spying attack that allows them to harvest fingerprint images.
Unfortunately, there's more bad news about fingerprints. Plus, what about when attackers can run exploits within a so-called "trusted" environment?
That's precisely what Qihoo 360 security researcher Di Shen will show can happen on the new Huawei Ascend Mate 7 phone, in the Black Hat session "Attacking Your Trusted Core: Exploiting Trustzone on Android."
TrustZone technology is what supports a Trusted Execution Environment (TEE), in which fingerprint scanning and other functions requiring high degrees of trust (like contactless payments) are run. The Ascend Mate 7 device uses its own bespoke TEE software and the new Huawei Hisilicon Kirin 925 processor; Shen has found vulnerabilities in this architecture.
At Black Hat, Shen will discuss exploit development in TrustZone, show how to run shellcode in the secure world of the TEE, where an attacker might be able to grab fingerprint images, and also how to root the device and disable the latest Secure Enhancements for Android (SE Android).
The Binder inter-process communication mechanism is used to communicate between processes of all different levels of privilege -- from the lowest of the low to the very high-privileged system services. And yet, input parameters to these system services do not undergo input validation/sanitization -- security fundamentals 101 stuff -- before being passed through Binder.
Seems like the perfect place to plant a privilege escalation exploit.
Supply chain dangers aren't only a problem for PCs anymore. According to researchers at CheckPoint, a flaw in the Android customization chain is leaving hundreds of millions of devices running Lollipop -- the most secure Android operating system -- open to hijacking.
CheckPoint's technology leader Avi Bashan and mobile threat prevention area manager Ohad Bobrov will describe the threat in their Black Hat session, "Certifigate: Front-Door Access to Pwning Millions of Androids."
They'll show how attackers can take advantage of vulnerable (or malicious) apps certified by carriers and original equipment manufacturers to gain access to any device. The documented vulnerabilities include hash collisions, certificate forging, and inter-process communications abuse, with nasty payloads including back doors, keyloggers, and data exfiltration.