PSA: 86% Of Android Devices Are Unprotected From This Cryptokey Vulnerability

Android is almost always stereotyped as being riddled with malware and vulnerabilities. This time, though, it’s true. Recently, researchers discovered a crypto key vulnerability affecting 86% of Android devices. A vulnerability like this can give hackers access to your banking information, virtual private network, and lock screen PIN. A crypto key is a parameter that, when matched with its counterpart encrypted object, allows that object to be decrypted, much like a physical key unlocking a door. Crypto keys are used as identifiers for apps that require authentication between the user and the app, usually in the form of a password or PIN.

This vulnerability affects Android KeyStore, the part of the operating system dedicated to storing crypto keys. The bug impacts devices running Android 4.3 or below, which Google says is about 86% of devices. If the bug is exploited, hackers can access Android KeyStore and leak banking information, passwords and the like. In order to exploit the vulnerability, a hacker would first have to get an app on someone’s device to run malicious code. Luckily, Google has put in place multiple hurdles, like data execution prevention and address space layout randomization, to prevent a bug like this from being exploited. These mitigations are designed to stop hackers from executing the malicious code required to reach this vulnerability. Even with all the protections Google has put in place, the seriousness of a vulnerability like this is not diminished, because it affects such a sensitive region of Android. Dan Wallach, a computer science professor specializing in Android security at Rice University, had this to say in an email to Ars Technica, a popular tech news site:

“Generally speaking, this is how apps are going to store their authentication credentials, so if you can compromise the KeyStore, you can log in as the phone’s user to any service where they’ve got a corresponding app, or, at least, an app that remembers who you are and lets you log back in without typing a password. This means that most banking apps, which force you to type your password every time, are probably safe against this particular attack. The amount of damage you can do, then, has a lot to do with which apps this lets the attacker compromise. If the attacker can compromise your Twitter account, then yeah, they can spew spam in your name. Not very exciting. If the attacker can get anywhere near your money, then it gets more interesting. Likewise, for companies that load VPN credentials into your phone, so you can connect through their firewall to their internal services, there could be a variety of nasty attacks, since you’ve effectively given the attacker the keys to get through the firewall.”

Another expert, Pau Oliva, a senior mobile security engineer at viaForensics, told Ars Technica: “A malicious user exploiting this vulnerability would be able to do RSA key generation, signing, and verification on behalf of the smartphone owner.” For phones running 4.3 or below, Google could also add features to Bouncer, its server-side Play Store protection software, to detect malicious code in apps and prevent them from showing up in the Play Store. Bouncer could analyse apps for specific code that would only be used for exploiting vulnerabilities. The program isn’t a catch-all, and it misses things sometimes. Until Google implements a way to prevent this vulnerability, or you buy a device running Android 4.4 or above, be careful. Watch for malicious apps, and keep an eye on apps you install from outside the Play Store.