Researchers have a released a warning to all Android users over a high-risk vulnerability that can be found on devices running version 4.3 or lower, which is about 86 percent of all Android devices.
Exploiting the security issue allows hackers to acquire confidential information that is stored in Android devices,
The advisory on the vulnerability was published by security researchers from IBM, stating that the exploit can be accessed through the Android KeyStore, which is a secured storage within the Android operating system for key-value pairs, or crypto keys. Hackers can exploit the KeyStore vulnerability by operating an app on their targeted device to run a malicious code.
Thankfully, Google has put several defense systems in place to prevent the KeyStore bug from being abused, including the prevention of data execution and the randomization of address space layout. These systems block hackers from running the required malicious code for the bug.
However, despite all the defense systems in place, this vulnerability is still a very serious issue due to KeyStore being such an integral part of the Android operating system.
"Generally speaking this is how apps are going to store their authentication credentials, so if you can compromise the KeyStore, you can log in as the phone's user to any service where they've got a corresponding app, or, at least, an app that remembers who you are and lets you log back in without typing a password," said Rice University professor and Android security specialist Dan Wallach.
Wallach adds that while the hacker will not be able to get into the user's apps that always ask for passwords to log in such as some banking apps, the attacker will still be able to compromise some of the installed apps. Phones that have VPN credentials to allow the device to get through a firewall into a company's internal services are more dangerous, as hackers getting into these phones means that they are also able to break through the company's firewall.
There are other risks that Android users face with this exploit, as explained by viaForensics senior engineer for mobile security Pau Oliva.
"A malicious user exploiting this vulnerability would be able to do RSA key generation, signing, and verification on behalf of the smartphone owner," said Oliva.
The IBM security research team, led by Roee Hay, informed the Android Security team of the bug on September 9 of last year. The team obtained a response that acknowledged the vulnerability on the same day. Hay's team requested for updates on the vulnerability on October 22, with the Android Security Team getting back to them on November 11 with a confirmation that the issue had been resolved.