It has been a summer of discontent for the Android security community, as a host of vulnerabilities large and small has arisen to plague the world's most popular mobile OS. The revelation this week of a cross-site scripting flaw in the default browser installed on large numbers of pre-version 4.4 Android devices is merely the latest entry in a list that makes for unsettling reading.
Blackphone credential hijack
Even Android devices designed specifically for rock-solid security and privacy have been undermined by exploits. The Blackphone, a security-minded handset developed by encrypted communications firm Silent Circle, was revealed to have a potential man-in-the-middle bug built into its software, which would have allowed an attacker to replace SSL certificates and hijack credentials for various services. (The flaw was fixed within 11 days of a private disclosure by Bluebox Security, who discovered it initially in mid-August.)
Major Android apps fail at basic security, report finds
Researchers from the University of New Haven revealed that popular Android apps like Instagram, OkCupid, Grindr and many others stored photos and other data on servers that didn't even require authentication to access. Which means that anyone with the link can grab the file at their leisure. Moreover, many of the same apps didn't encrypt chat logs, or even use SSL to secure communications between users.
Koler ransomware snags porn seekers
A clever, location-aware piece of ransomware infected Android users browsing compromised adult websites earlier this year. First reported by BitDefender, the Koler malware checked to see where in the world the victim was located, and then displaying a fake message from law enforcement, to the effect that the device has been seized, and asking for a $300 ransom to unlock the phone. The app doesn't actually encrypt any files, like true ransomware, and can be defeated via uninstalling in safe mode, but more than 6,000 victims were fooled in Australia alone.
While it was obviously not an Android-exclusive problem, the Heartbleed vulnerability that threatened OpenSSL affected hundreds of millions of Android apps before large-scale patching began in late April. Worth noting here is that only devices running version 4.1.1 of Android were affected on a device level, although vulnerable apps were far more common.
A vulnerability that can let malware masquerade as an innocent Android app can hijack that app's permissions, allowing attackers to do more or less whatever they want to a victim's device, was discovered by Bluebox Software earlier this year. Exploiting a missing certificate validation bug, FakeID principally targets apps with extensive permissions. A patch was issued to device manufacturers in the spring, and many have already issued updates -- a free scanner from Bluebox can identify whether a device is vulnerable.
Two self-replicating text message worms were discovered this summer, dubbed Selfmite and Samsapo.A, spreading among contacts via malicious links sent in SMS. Infected devices were forced to send personal information to a C&C domain, in the case of Samsapo, while Selfmite tried to get users to install a secondary payload called Self-Timer.
Not malicious in and of itself, but a Linux Kernel exploit found in June led quickly to the TowelRoot tool, developed by famous hacker George Hotz. There are lots of legitimate reasons to root an Android phone, such as trying out custom ROMs, and TowelRoot makes for an easy way to accomplish that. But security experts warned that its mechanisms could easily be repackaged into malicious software.
So what now?
As ever, the best way to stay safe is to install apps only from the Google Play store -- unless you're very, very sure you know what you're doing -- and to disable third-party app installs in your device's settings. For businesses managing Android devices, make sure updates are rolling out as quickly as possible, and ensure that remote wipe/backup services are in place.