Security investigators at Lookout have discovered a flaw in the Linux operating system, upon which Android is based, that could potentially cause attackers to intercept and inject malicious code into communications sent and received from the device. By communications, we mean Internet traffic and this must be unencrypted in order to be vulnerable. However, theoretically it does mean that an Android device connected to an unencrypted website could have malware inserted into this open communication. The critical vulnerability, labelled as CVE-2016-5696, was introduced into the Linux kernel with version 3.6, which was introduced in 2012 and became a part of Android from version 4.4 KitKat. It is still present in the current version of Android, 6.0 Marshmallow, and in the next release, 7.0 Nougat. According to Statista, almost 80% of Android devices in use today are vulnerable to the flaw, which means approximately 1.4 billion devices could be compromised.
The process of injecting malware into a communications stream could take under a minute. Lookout report that it takes around 10 seconds for an attacked to determine if two parties are connected – such as an Android smartphone or tablet, and an unencrypted website. If they are connected, it can take as little as 45 seconds to inject malicious content into this traffic. This malicious content could include Java Script into non-encrypted HTML that pops up a message telling the user that he or she has been logged out of the website they are using. It would not take much effort to ensure that this prompt matches the genuine website log-in box. The user enters in their credentials, which are captured by the attacker. This sort of attack is not restricted to web browsers but could be used for both email and instant messenger services.
That the attack will take around a minute is some comfort for Android users as it means customers are unlikely to suffer from a walk-by malware injection, but it does mean a well prepared attacker could quickly and easily capture details from an unsuspecting Android user – providing the user is using an unencrypted connection, such as an open public Wi-Fi hotspot, without a VPN (virtual private network, a secure tunnel to and from a source device and whatever networked resource it is connected to). Should the device be connected to a resource via an encrypted connection, an attacker might be able to disrupt or disconnect this connection but should be unable to break into it.
Google have responded to CVE-2016-5696 and are “taking the appropriate actions.” As the flaw is a part of the Linux kernel rather than an Android specific vulnerability, Google’s engineers need to incorporate the same fixes that Linux maintainers have performed into the core Android base. Given how quickly Google respond to critical vulnerabilities, such as QuadRoot, we would expect a fix to be introduced in the September or perhaps October security update to the platform. It’s interesting to note that the Android security team consider the risk from this threat to be “moderate” rather than “high” or “critical.” Meanwhile, to keep our devices safe, the message here is to avoid using open, unencrypted networks such as coffee shop or public Wi-Fi, or consider using a VPN for an added layer of security.