Serious Security Threat Lurks on 10 Percent of Android Phones

A bug in the Android KeyStore left an estimated 10 percent of Android phones vulnerable to major security breaches, according to an advisory IBM researchers published last week.

KeyStore is like the janitor's closet for Android; it's where all cryptographic keys and other sensitive information lives. So it's a bad place for a vulnerability. The security flaw is what the researchers call a "classic stack-based buffer overflow," and it could allow attackers to execute code to steal phone lock credentials, and then all sorts of sensitive data on the phone, including banking information.
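As an added illustration of the bug class the advisory names, not code from the IBM report or from Android itself: a key-handling routine that encodes a caller-supplied alias into a fixed-size stack buffer without checking its length, beside the bounds-checked form a fix would use. The buffer size, function names and the alias encoding are constructed assumptions.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed example of a "classic stack-based buffer overflow" in a
 * key-handling routine. This is NOT the Android KeyStore source. */
#define NAME_MAX_LEN 64   /* hypothetical size of the on-stack name buffer */

/* Vulnerable form: the loop stops only at the NUL byte of the input, so an
 * alias longer than NAME_MAX_LEN writes past the end of `out` (a stack
 * buffer in the caller) and corrupts whatever lies next to it. */
static void encode_alias_unchecked(char *out, const char *alias)
{
    size_t i = 0;
    for (; alias[i] != '\0'; i++)
        out[i] = (alias[i] == '/') ? '_' : alias[i];   /* make it path-safe */
    out[i] = '\0';
}

/* Hardened form: the input length is measured against the destination's
 * capacity before any byte is written. Returns 0 on success and -1 when
 * the alias plus its terminator does not fit (refuse, never truncate). */
static int encode_alias_checked(char *out, size_t out_len, const char *alias)
{
    size_t n = 0;
    while (n < out_len && alias[n] != '\0')   /* bounded scan, no strlen */
        n++;
    if (n >= out_len)
        return -1;
    for (size_t i = 0; i < n; i++)
        out[i] = (alias[i] == '/') ? '_' : alias[i];
    out[n] = '\0';
    return 0;
}

/* Exercise both forms on a short alias and the checked form on a long one. */
int keystore_demo(void)
{
    char buf[NAME_MAX_LEN];
    char long_alias[NAME_MAX_LEN * 2];              /* constructed oversized input */
    memset(long_alias, 'A', sizeof long_alias - 1);
    long_alias[sizeof long_alias - 1] = '\0';

    encode_alias_unchecked(buf, "bank/app-key");    /* safe only because input is short */
    printf("unchecked, short alias: %s\n", buf);
    if (encode_alias_checked(buf, sizeof buf, long_alias) != 0)
        printf("checked, long alias: rejected (%zu bytes)\n", strlen(long_alias));
    return encode_alias_checked(buf, sizeof buf, "bank/app-key");
}

int main(void) { return keystore_demo(); }
```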

The researchers discovered the problem nine months ago, but waited until the Android Security Team came up with a patch for Android KitKat, which is now available. That still leaves Android users without KitKat (estimated to be 86.4 percent of Android's userbase) open to this kind of attack.

(Update: IBM just told us the initial blog post from researchers was incorrect. "The initial blog post had stated that the vulnerability affected all versions of Android, v4.3 and below — we have since been informed by the Android Security Team that this vulnerability only impacts devices running v4.3. We have updated the blog post to reflect that information," a spokesperson wrote Gizmodo. So... it's not as bad as we initially thought!)

Nobody (as far as we know) actually exploited the vulnerability, so Android is testing its luck. To actually carry out an attack, would-be malicious hackers would have to overcome Android's software protections, including coding and data execution prevention. But just because it hasn't been done yet doesn't mean it can't be done.

The fact that this kind of major vulnerability can go undetected until IBM researchers point it out is pretty scary. It's also unlikely to be the last of its kind, another reminder that even sophisticated operating systems can have big scary holes in their security.

You can read the full report from the researchers below.

Android KeyStore Stack Buffer Overflow (CVE-2014-3100) from IBM Security Systems

[Ars Technica via IBM]

Image credit: JD Hancock under Creative Commons license.