Malicious apps could take over the device through a serialisation vulnerability.
In the latest in a string of vulnerabilities being unearthed in the Android operating system, IBM’s security research team has discovered a serialisation vulnerability affecting over 55 percent of Android phones.
The arbitrary code execution vulnerability could allow a malicious app with no privileges to gain full control of a device.
"Developers take advantage of classes within the Android platform and SDKs," wrote Or Peles, Security Researcher, X-Force Application Security Research Team, IBM Security Systems, on the X-Force blog.
"These classes provide functionality for apps — for example, accessing the network or the phone’s camera.
"The vulnerability we found can be exploited by malware through the communication channel that takes place between apps or services.
"As the information is broken down and put back together, malicious code is inserted into this stream, exploits the vulnerability at the other end and then owns the device."
Hackers can then replace a legitimate, trusted application with a lookalike to fool the user into inputting personal details.
In the proof-of-concept, demonstrated at USENIX WOOT ’15 in Washington, D.C., the researchers demonstrated how Facebook’s Messenger app could be replaced.
The vulnerability apparently affects the preview version of Android M, as well as versions from Jelly Bean to Lollipop.
Leif-Olof Wallin, Research VP at Gartner, argues that despite the recent slew of vulnerabilities being discovered in Android, Android’s main problem is not the prevalence of vulnerabilities but how they are addressed.
"You tend to find these types of problems and challenges in all operating systems regardless of who’s behind it.
"The main difference is how the problem is being addressed.
"If you look at old-fashioned Windows PCs, you have exploits being identified and resolved quickly. An iOS fix is pushed out as an offer to devices within a couple of days.
"What makes Android more vulnerable is the tiered approach. Google usually responds within a couple of days."
As Wallin explains, this fix is then rolled out to original design manufacturers (ODMs), before it is handed to mobile operators. Mobile operators can then take months to address the issue.
"Google has recognised the challenge and has a plan to mitigate it," Wallin adds, referring to Google’s plans to roll out security fixes for Android that don’t affect product differentiation.
"It will not make Android code less buggy but exploits will be fixed quicker."