Android, the world’s most popular mobile OS, is based on Linus Torvalds’ Linux kernel and happens to be one of the most affected platforms as far as vulnerabilities are concerned. Its enormous user base puts it in a position similar to that held by Windows on the desktop.
With so many users, heavy research into and exploitation of its security vulnerabilities is very common, helped by the large bug bounty rewards on offer. The open source nature of the Android operating system is itself a “double-edged” sword: Android users can install the operating system, look around, and help make it more secure through regular inspection.
The full disk encryption flaw, which can only be rectified by developing new hardware, has once again brought Android’s vulnerability landscape into the limelight. Many vulnerabilities have captured public interest over the years thanks to widespread coverage, and here is an overview of the major ones that have targeted Android over the last few years.
Stagefright & Stagefright 2
Discovered by Zimperium, a security research firm, this is the most notable exploit to date. It was so significant that it pushed the debate over regular Android updates out of technology sites and dedicated developer forums such as XDA and into the limelight. It also showcased the careless attitude smartphone makers had adopted of not considering it their responsibility to offer updates for the devices they supplied. Smartphone users observed this norm, whereby their devices were offered Android updates after the first one-and-a-half years, and sometimes even earlier.
It was one of the vulnerabilities that recently affected over a billion Android devices. The risks included devices being taken over without users knowing about the vulnerability or the hack. An attacker only needed to send a video via MMS, and the OS would open the gate for the attack.
Google addressed the problem with Address Space Layout Randomization (ASLR). An attacker would have to search every Android device for the vulnerability; even so, this measure did not remove the flaw but only made it quite hard to exploit.
Stagefright 2 was discovered immediately after, and it found almost the same types of problems in libstagefright and libutils when processing MP4 video or MP3 audio files. The two vulnerabilities affected Android phones from version 1.0 to the current Lollipop 5.0 version.
Audio Effect
Researchers found an issue called Audio Effect, in which Android failed to check buffer sizes in media player apps. Attackers could build malicious apps that took advantage of this vulnerability to cause a heap overflow.
It enabled the program to record video and audio, take photos, and read files, making it a privacy nightmare. All Android devices from version 2.3 to 5.1.1 were affected by the bug. After being informed of this and other vulnerabilities in June 2015, Google fixed it in AOSP a month later.
Fake ID
This vulnerability lies in the Android OS itself, where the system does not correctly validate an application’s certificate chain. Any rogue application can supply a fake identity certificate that lets it gain escalated privileges, and so cause all sorts of havoc on the device.
Google did not ship a particular fixed Android version for this issue after it was reported to them in July 2014. Instead, different smartphone makers opted to maintain the patched functionality across the range of Android 4.1 to Android 4.4.
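The chain-validation failure described above, as a simplified model (an added example, not code from the original article or from Android): certificates are dicts signed with toy textbook RSA, and the names-only check is an assumed stand-in for the flaw, shown beside a check that verifies each signature. All names, keys and functions here are constructed for illustration.

```python
import hashlib

E = 65537  # public exponent shared by every toy key below

def make_key(p, q):
    """Toy textbook-RSA key pair (n, d) from two primes. Not for real use."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))

def digest(cert, n):
    body = f"{cert['subject']}|{cert['issuer']}|{cert['pub']}".encode()
    return int.from_bytes(hashlib.sha256(body).digest(), "big") % n

def issue(subject, issuer, subject_pub, signer_key):
    """Build a certificate and sign it with signer_key = (n, d)."""
    n, d = signer_key
    cert = {"subject": subject, "issuer": issuer, "pub": subject_pub}
    cert["sig"] = pow(digest(cert, n), d, n)
    return cert

def signed_by(cert, issuer_pub):
    return pow(cert["sig"], E, issuer_pub) == digest(cert, issuer_pub)

def chain_ok_names_only(chain, trusted_subject):
    """Flawed: follows issuer/subject names, never verifies a signature."""
    linked = all(c["issuer"] == p["subject"] for c, p in zip(chain, chain[1:]))
    return linked and chain[-1]["subject"] == trusted_subject

def chain_ok_verified(chain, trusted_subject, trusted_pub):
    """Names must link and each certificate must verify under its parent's key."""
    if not chain or chain[-1]["subject"] != trusted_subject:
        return False
    if chain[-1]["pub"] != trusted_pub:
        return False
    for cert, parent in zip(chain, chain[1:]):
        if cert["issuer"] != parent["subject"] or not signed_by(cert, parent["pub"]):
            return False
    return signed_by(chain[-1], trusted_pub)  # the root is self-signed

# Constructed sample data; Mersenne primes are used only to keep the keys short.
VENDOR_KEY = make_key(2**61 - 1, 2**89 - 1)      # trusted vendor
ROGUE_KEY = make_key(2**107 - 1, 2**127 - 1)     # app author's own key
ROOT = issue("Trusted Vendor", "Trusted Vendor", VENDOR_KEY[0], VENDOR_KEY)
HONEST = issue("Vendor Plugin", "Trusted Vendor", 2**31 - 1, VENDOR_KEY)
# Claims the vendor as issuer but is signed with the rogue key.
FORGED = issue("Rogue App", "Trusted Vendor", ROGUE_KEY[0], ROGUE_KEY)

if __name__ == "__main__":
    for name, leaf in (("honest", HONEST), ("forged", FORGED)):
        print(name, chain_ok_names_only([leaf, ROOT], "Trusted Vendor"),
              chain_ok_verified([leaf, ROOT], "Trusted Vendor", VENDOR_KEY[0]))
```

The names-only check accepts both chains, while the verified check rejects the forged one because its signature does not validate under the claimed issuer's key.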
BeNews
BeNews was the first application that served as a backdoor for vulnerabilities. It was designed specifically to slip through the Google Play Store and be featured as an app. To lure users and establish trust, the app used the name BeNews, that of a former news website. It targeted Android 2.2 all the way to Android 4.4.4, where it downloaded malware while continuing to escalate its privileges.