Browser vulnerability caps rough few months for Android security

It has been a summer of discontent for the Android security community.

It has been a summer of discontent for the Android security community, as a host of vulnerabilities large and small has arisen to plague the world's most popular mobile OS. The revelation this week of a cross-site scripting flaw in the default browser installed on large numbers of pre-version 4.4 Android devices is merely the latest entry in a list that makes for unsettling reading.

Blackphone credential hijack

Even Android devices designed specifically for rock-solid security and privacy have been undermined by exploits. The Blackphone, a security-minded handset developed by encrypted communications firm Silent Circle, was revealed to have a potential man-in-the-middle bug built into its software, which would have allowed an attacker to replace SSL certificates and hijack credentials for various services. (The flaw was fixed within 11 days of a private disclosure by Bluebox Security, who discovered it initially in mid-August.)

Major Android apps fail at basic security, report finds

Researchers from the University of New Haven revealed that popular Android apps like Instagram, OkCupid, Grindr and many others stored photos and other data on servers that didn't even require authentication to access, which means that anyone with the link can grab the file at their leisure. Moreover, many of the same apps didn't encrypt chat logs, or even use SSL to secure communications between users.

Koler ransomware snags porn seekers

A clever, location-aware piece of ransomware infected Android users browsing compromised adult websites earlier this year. First reported by BitDefender, the Koler malware checked to see where in the world the victim was located, and then displayed a fake message from law enforcement, to the effect that the device had been seized, asking for a $300 ransom to unlock the phone. Unlike true ransomware, the app doesn't actually encrypt any files, and it can be defeated by uninstalling it in safe mode, but more than 6,000 victims were fooled in Australia alone.


While it was obviously not an Android-exclusive problem, the Heartbleed vulnerability that threatened OpenSSL affected hundreds of millions of Android apps before large-scale patching began in late April. Worth noting here is that only devices running version 4.1.1 of Android were affected on a device level, although vulnerable apps were far more common.


A vulnerability that lets malware masquerade as an innocent Android app and hijack that app's permissions, allowing attackers to do more or less whatever they want to a victim's device, was discovered by Bluebox Software earlier this year. Exploiting a missing certificate-validation bug, FakeID principally targets apps with extensive permissions. A patch was issued to device manufacturers in the spring, and many have already issued updates -- a free scanner from Bluebox can identify whether a device is vulnerable.

The worms

Two self-replicating text message worms were discovered this summer, dubbed Selfmite and Samsapo.A, spreading among contacts via malicious links sent in SMS. Infected devices were forced to send personal information to a C&C domain, in the case of Samsapo, while Selfmite tried to get users to install a secondary payload called Self-Timer.


Not malicious in and of itself, the TowelRoot tool, developed by famous hacker George Hotz, followed quickly on a Linux kernel exploit found in June. There are lots of legitimate reasons to root an Android phone, such as trying out custom ROMs, and TowelRoot makes for an easy way to accomplish that. But security experts warned that its mechanisms could easily be repackaged into malicious software.

So what now?

As ever, the best way to stay safe is to install apps only from the Google Play store -- unless you're very, very sure you know what you're doing -- and to disable third-party app installs in your device's settings. For businesses managing Android devices, make sure updates are rolling out as quickly as possible, and ensure that remote wipe/backup services are in place.

Stories by Jon Gold