The Android phone you are presently using could help a remote hacker get rich, provided you are using banking apps and store other sensitive data on your handset.
Ars Technica points out to a report by IBM Security Services that the vulnerability lies in the Android KeyStore, which is a highly sensitive area of the Google operating system. Exploiting the bug, the attacker can execute a malicious code that can leak out keys used by banking and other sensitive apps such as VPN services and also reveal finger patterns and PIN numbers to unlock the phone.
At present, Google states that they have managed to patch the issue on Android KitKat v4.4.X and above, while the older versions (which amount to almost 86% smartphone users who are below KK) have no such fix as yet.
However, though the attacker cannot gain access to this area with ease, he would have to gain access into the phone using a third-party app into the vulnerable handset.
Using the vulnerability, the attacker can get hold of important, personal and private information, such as your twitter details, your banking passwords, VPN credentials, and a lot more.
IBM Security Intelligence states that, successfully exploiting this vulnerability leads to a malicious code execution under the keystore process. Such code can:
- Leak the device’s lock credentials. Since the master key is derived by the lock credentials, whenever the device is unlocked, ‘Android::KeyStoreProxy::password’ is called with the credentials.
- Leak decrypted master keys, data and hardware-backed key identifiers from the memory.
- Leak encrypted master keys, data and hardware-backed key identifiers from the disk for an offline attack.
- Interact with the hardware-backed storage and perform crypto operations (e.g., arbitrary data signing) on behalf of the user.
Ars Technica warns, ‘Android users who rely on their devices for managing money and storing confidential information are once again advised to carefully vet apps before installing them and to think long and hard before installing apps available in markets outside of Google Play.’
