IBM security researchers have warned of a vulnerability affecting about 10% of Android phones. The vulnerability could allow attackers to gain access to sensitive information including cryptographic keys for some banking services and virtual private networks.
Where’s the vulnerability located? Inside the Android KeyStore, a sensitive portion of the Android system that stores cryptographic keys and similar information according to a report published lasta week by IBM researchers.
What do you need to do? Users with Android version 4.4, aka KitKat, are fine. Google has patched it on that version. Version 4.3 is the affected OS with about 10.3% of phones affected. A previous report stated all versions below 4.4 were affected, but has since been updated.
Even with the vulnerability, it’s no easy feat for attackers to utilize it. IBM’s security research team lead Roee Hay says Google has multiple barriers in place to prevent hackers from exploiting the bug. Some of these barriers include built-in data execution prevention and address space layout randomization.
The attacker must also have an app installed on a vulnerable phone in order to access user info.
Dan Wallach, a professor specializing in Android security at Rice University, explained the seriousness of the vulnerability to ArsTechnica.
“Generally speaking this is how apps are going to store their authentication credentials, so if you can compromise the KeyStore, you can log in as the phone’s user to any service where they’ve got a corresponding app, or, at least, an app that remembers who you are and lets you log back in without typing a password.”
Apps such as banking and other sensitive apps require you to repeatedly type in your password when accessing them. This would probably make them safer against the attack according to Wallach.
How do you protect yourself? Be mindful of the apps you install, and be especially careful when installing apps from stores outside of Google Play.