
Android Vulnerability

Published 16 May 2017

Whilst Android bases its operating system upgrades on dessert-based names, not everything is sweet about Google’s operating system.

Android has fast become the number one mobile operating system, and in terms of user install base it now gives strong competition even to the likes of Microsoft Windows.

Unlike other mobile operating systems, you aren’t locked into one manufacturer, which gives users a real sense of choice. That is one of Android’s biggest selling points: to “be together, not the same”. Unfortunately, whilst Android bases its operating system upgrades on dessert-based names, not everything is sweet about Google’s operating system.

One of the reasons that users choose Android is endless customisation, but customisation often leads to slower updates, many of which can be critical to protecting your device. Android released its latest operating system, Android Nougat, back in August 2016, but as of 2017 only approx 1.2% of devices have this latest version.

Standardisation Attempt

Google tried to get manufacturers to release monthly security patches to fix critical issues, but even this is at the mercy of OEMs such as Samsung, LG and Sony, to name a few. What does this mean for you? Your device could be left vulnerable.

A perfect example of this is a new vulnerability called “Cloak & Dagger”. This exploit takes advantage of a weakness in Android’s UI permission called “Draw on Top”. Android often presents users with popup windows to grant access to system functions, calling on “Draw on Top” to do this, but a team of security researchers have found ways to manipulate it so that genuine-looking content is shown on the screen while malicious activity is completed beneath the surface. An attacker can use this to gain access to another permission called BIND_ACCESSIBILITY_SERVICE, or a11y, which can be used for stealing your passwords and PINs. Combined, these two permissions could give a person considerable control over your phone, including access to calls, messages, camera and microphone.

Think you'll be able to spot it? The researchers claim they tested this on 20 subjects, none of whom realised what was going on.

While Google needs to do a lot of work to resolve not only this vulnerability but also its long-standing battle with third-party OEMs over updating devices, there are steps you can take to protect yourself.

  1. Only download applications from reputable sources, namely Google Play.
  2. Check the apps you have installed and review their permissions. To do this, go to Settings > Apps > Configure Apps > App Permissions.
  3. Check for suspicious changes to your device by going to Settings > Security > Device Administrators.
  4. Check for any pending software updates by going to Settings > About > System Updates.
  5. See which security patch you are on by going to Settings > About > Android Security Patch Level.
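For an organisation auditing a fleet rather than one handset, the permission review in step 2 can be scripted. The following is an added example, not code from the original post or from the researchers: it correlates the two capabilities the Cloak & Dagger description above combines, using the output of `adb shell settings get secure enabled_accessibility_services` (which lists enabled accessibility services as `package/Service` entries separated by colons) and the permission lines of `adb shell dumpsys package <pkg>`, where “Draw on Top” appears as `android.permission.SYSTEM_ALERT_WINDOW`. The package names and command output below are constructed samples; on Android 6 and later the effective overlay state is also governed by an app op, so treat a hit as a prompt to review the app, not as proof of compromise.

```python
import re
from typing import Dict, List, Set

# Constructed sample of `adb shell settings get secure enabled_accessibility_services`:
# two services switched on, one belonging to a hypothetical unknown app.
ENABLED_A11Y = "com.example.legitreader/.ReaderService:com.sketchy.overlay/.CaptureService"

# Constructed samples of `adb shell dumpsys package <pkg>`, trimmed to permission lines.
DUMPSYS_PERMS: Dict[str, str] = {
    "com.example.legitreader": """
    install permissions:
      android.permission.INTERNET: granted=true
""",
    "com.sketchy.overlay": """
    install permissions:
      android.permission.SYSTEM_ALERT_WINDOW: granted=true
      android.permission.INTERNET: granted=true
""",
}


def enabled_accessibility_packages(setting: str) -> Set[str]:
    """Package names whose accessibility service the user has enabled.

    `settings get` prints the literal string "null" when nothing is enabled.
    """
    if setting.strip() in ("", "null"):
        return set()
    return {entry.split("/")[0] for entry in setting.split(":") if entry.strip()}


def has_draw_on_top(dumpsys_text: str) -> bool:
    """True when dumpsys shows the draw-over-other-apps permission granted."""
    pattern = r"android\.permission\.SYSTEM_ALERT_WINDOW:\s*granted=true"
    return re.search(pattern, dumpsys_text) is not None


def cloak_and_dagger_candidates(setting: str, perms: Dict[str, str]) -> List[str]:
    """Packages holding both an enabled accessibility service and Draw on Top."""
    a11y = enabled_accessibility_packages(setting)
    return sorted(pkg for pkg in a11y if has_draw_on_top(perms.get(pkg, "")))


if __name__ == "__main__":
    for pkg in cloak_and_dagger_candidates(ENABLED_A11Y, DUMPSYS_PERMS):
        print(f"review: {pkg} has accessibility access and can draw over other apps")
```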

Finally, why not reach out to Bridewell to see what we can do to assist your organisation? We've got a range of penetration and mobile device testing services available, and we can look to give you reassurance when others can't.

To find out more, visit our mobile testing services or contact one of the team on 03303 110 940.