New vulnerability puts 55 per cent of Android devices at risk

A newly discovered vulnerability puts some 55 per cent of all Android devices at risk.

This high-severity serialisation vulnerability, discovered by researchers at IBM, allows a malicious app with no privileges to become a "super app" and take over the device.

IBM has explained the vulnerability in great detail in its paper, titled One Class To Rule Them All, so named "since the single vulnerable class that we found in the Android platform, OpenSSLX509Certificate, was enough to take over the device using our attack technique."

"In a nutshell, advanced attackers could exploit this arbitrary code execution vulnerability to give a malicious app with no privileges the ability to become a 'super app' and help the cyber criminals own the device," IBM said.

"In addition to this Android serialisation vulnerability, the team also found several vulnerable third-party Android SDKs which can help attackers own apps."

IBM said that the vulnerability, identified as CVE-2015-3825, is embedded in the heart of Android and affects versions from Jelly Bean to Lollipop and the Android M preview 1.

"The single vulnerable class that we found in the Android platform, OpenSSLX509Certificate, was enough to take over the device using our attack technique," added the firm.

"Developers take advantage of classes within the Android platform and SDKs. These classes provide functionality for apps - for example, accessing the network or the phone's camera.

"The vulnerability we found can be exploited by malware through the communication channel that takes place between apps or services. As the information is broken down and put back together, malicious code is inserted into this stream, exploits the vulnerability at the other end and then owns the device."

Google is yet to comment on this discovery.