Android's 6 biggest security flaws 2016

You could be forgiven for losing track of Android security flaws. In the last year or so, several shockingly big ones have appeared – including a brand new one made public in August 2016 by Check Point - affecting huge numbers of Android handsets and even Marshmallow (6.x), supposedly the latest and greatest version of Google’s mobile OS.

In fact, Android has suffered a steady stream of flaws great and small, which wouldn’t matter if it wasn’t for a single unconformable fact – Android is complex to patch. Here we outline the biggest flaws to affect Android in recent times, all publicised since mid-2014.

QuadRooter vulnerabilities

Made public: August 2016, Severity: 5/5, Versions affected: Handsets with Qualcomm modem chipsets, about 80 percent of all Android phones. Fixed? Qualcomm patch released via handset makers

As has often been the case with Android, the vulnerability revealed by QuadRoooter (CVE-2016-2503, 2504, 2059, 5340) is the fundamental fragmentation of the platform itself. Without that, fixing these this multi-faceted flaw would be quick and easy.

Israeli security firm Check Point has acquired a nose for sniffing out major Android security issues having spotted the ‘Certifi-Gate’ mRST flaw (see below) in 2015.   However, QuadRooter is unusual in that it covers four security issues found on the chipset drivers for Qualcomm LTE modems common to many recent Android handsets rather than the operating system itself.  This means it will require a Qualcomm patch distributed by each maker. This will end up taking a long time and may never come to pass on many models, a frankly unacceptable situation.

The QuadRooter flaws would all require malicious apps to be downloaded to the device (a common occurrence) after which any of them take over the handset after tricking users into privilege escalation as well as access data and GPS location.

To confirm the worst, users can download an app from the Play Store that checks individual handsets to see whether they are affected. Users should assume the answer is affirmative.

The ‘Certifi-gate’ mRST flaw

Made public:  August 2015, Severity: 3/5, Versions affected: up to Android 5.1 Fixed? Not yet – phone makers will have to update support plug-ins

Discovered by Check Point, this is a flaw in two mobile Remote Support Tool plug-ins used by many handset makers, including Samsung, LG, HTC, Huawei and ZTE running Android versions up to 5.1. Attackers could exploit it by sneaking a bogus app onto a phone which exploits the flaw in a way that elevates the attacker’s permissions. From that point on, the attacker would have complete remote control over the smartphone. The products affected are Rsupport, CommuniTake Remote Care and TeamViewer.

Although harder to exploit than ‘Stagefright’ (see below), revealed last week, getting a malicious app on to phones via Google App Store would be well within the realms of possibility. It will also be very difficult to fix because the flaw exists in an element added to smartphones by handset makers or carriers rather than Google. It will require them to act and that will take time – possibly a long time in some cases.

“These remote support tools can’t be removed by the end user and can only be patched by the network operator,” Check Point’s VP of product management, Gabi Reish told Techworld.

‘Stagefright’ MMS flaw

Made public: July 2015 Severity: 5/5 Versions affected:  all up to Android 5.1 Fixed? Only for a few. Some networks have deactivated auto-MMS while Google has sent a patch to carriers

Arguably the most serious security flaw ever to hit Android, this one affecting a media playback component of the OS nobody usually thinks much about called Stagefright. Discovered by a researcher working for a firm called Zimperium, attackers could exploit the issue by sending a malicious video message to almost any Android handset on the plant, which would execute automatically. Incredibly, no user interaction is needed and the message could even render itself invisible by deleting itself.

The issue affects around 95 percent of users, bar users of the secure Blackphone and after Google issued a patch, stock Nexus devices. Everyone else will have to wait for the patch via carriers.

Android Installer hijacking

Made public:  March 2015, Severity: 1/5 Versions affected:  up to Android 4.3 using third-party apps Fixed? All versions after 4.3

Affecting older smartphones only – that was still around half of all Android smartphones at the time of its discovery – this offered a novel way  of attackers to replace one installer (or APK file) with another one when using third-party app stores, in effect letting a malicious app replace a legitimate one without the user realising it. Discovered by Palo Alto Networks

Android FakeID flaw

Made public:  July 2014 Severity: 2/5 Versions affected: up to Android 4.31 Fixed? Only for devices from Android 4.4 onwards

Discovered by small security firm Bluebox Security, this offers a way for a malicious app to hijack the trusted status of a legitimate app through (by forging its digital certificate), effectively escaping any sandboxing security on the device. This was an alarmingly simple flaw in its execution, affecting every Android handset from 2.1 to 4.3.

Linux futex ‘TowelRoot’

Made public:  June 2014 Severity: 2/5 Versions affected: Most phones running Android up to 4.4 Fixed? Anything updated after 3 June 2014 should be safe

An unusual kernel-level flaw affecting something called the futex subsystem, the flaw vulnerability was originally discovered and disclosed by a white hat called Pinkie Pie. However, not long after it was incorporated into a tool designed to root Android 4.4 called TowelRoot (from noted hacker George Hotz), which effectively functioned as a benign proof-of-concept exploit.