I mentioned in my last post that I just bought a new Android phone. This week (the week of 17 December 2012) in the news there were two stories about Android phone vulnerabilities. Before I mention them, I need to say that they are not new concepts, just new exploits along the same lines as prior threats.
I read about the first issue in this article at ZDNet. It allows apps to gain access to system memory and read and write system memory, including that part where the kernel (the operating system core code) is stored. The article mentions that there is proof-of-concept code to allow users to gain root (administrator) privilege. This is called “privilege escalation” and is a common goal of attackers. It would allow them, for instance, to access data stored on your phone or perhaps to take pictures or record conversations without your knowing.
The article goes on to report that there is a temporary fix for the vulnerability, but that manufacturers have yet to release an official fix. I urge you to read the article as it lists devices known to be vulnerable.
The next Android vulnerability is older, but I just read about it this week. It seems an unprivileged app can send text messages with arbitrary content and with a forged sending phone number. So a rogue app on your phone could send your friend SMS messages that appeared to come from me. That is a form of impersonation, but it could also be a path to a denial-of-service attack – if you send forged SMS messages you might be charged for them or have your service cut off.
How could the impersonation attack be use by bad guys besides running up your texting bill? Consider this: you receive a text asking for some personal information; because the sender appears to be someone you know and trust you supply that information. That’s a phishing attack and if you supply the information, the attacker may be able to exploit it to his or her advantage.
Each of these attacks needs to be fixed by Google, of course. Until then you could a) consider installing the patch noted in the article I linked to above, b) only run apps you trust, c) watch your outgoing text usage, and d) even if you don’t use Android, be wary of texts asking for personal information. I will clearly do b,c and d. If you’ve been following this blog you probably could have guessed that I do d anyway. I’m not sure I’ll do a because I need to check to see if my device is vulnerable, and I’m kind of wary of third party patches. If you have an Android phone, let us know in the comments what you are doing about these issues.
We’ve seen these kinds of exploits before on other platforms, of course. There is nothing new under the sun. You’ll learn about these issues and many more in Learning Tree’s System and Network Security Introduction course. I hope to see you there.