Android Phones – 60% Percent Are at Risk
Thinking about buying a new Android phone soon? Well, before you do, you many want to consider something other than how cool the phone looks or how many megapixels its camera boasts. Yes, before you rush out and buy your new toy, you should take a second look and consider security.
Hackers, Hackers Everywhere
It’s no secret that hackers are running rampant everywhere these days, and nothing anyone can do seems to be able to stop them. In fact, a new Ponemon Institute report reveals that in 2015 more than half of all small businesses suffered breaches in one way or another. What’s more concerning, though, is that –security wise — things do not appear to be getting any better for SMBs.
Mostly, hackers are no longer targeting easy-to-exploit PC users who use weak passwords. No, many hackers are evolving and moving on to the more lucrative field of exploiting and taking over smartphones.
In case you haven’t noticed, smartphones now control many of us to the point that most of us can’t even imagine living without one within arm’s reach. Of course, hackers know this and use that obsession to demand exorbitant amounts of cash, (or bitcoin as it’s their preferred currency,) to unlock phones they exploit. This phenomenon, known as ransomware, is becoming increasingly troublesome and common even for less affluent users who never dreamed they might become targets.
Hackers Doing a Number on Small Businesses
Recently, Duo Labs released a report that essentially states that nearly 60% percent of all Android devices in use today are vulnerable to critical encryption-bypass exploits that enable an attacker to take total control of the devices remotely. What’s worse is that this is the second report that the lab has released — on the same exploit — in the last six months.
In January of this year, Gal Beniamini, a respected security consultant and penetration tester, posted a series of posts detailing vulnerabilities of Android devices powered by Qualcomm processors. This is significant because more than 60% of all Android devices in use today utilize Qualcomm chips. This vulnerability has been given the designation CVE-2015-6639.
Beniamini showed how it was relatively easy for a hacker to bypass the encryption on the vulnerable units to gain access to sensitive data such as DRM and encryption keys. Shortly after Beniamini posted the details of his exploits, Duo Labs released its first report on the matter. This was in January 2016.
Manufacturers Were Made Aware of the Problem – Twice
To their credit, Google released very quickly a patch meant to neutralize the exploit (CVE-2015-6639). However, the vast majority of Android devices manufacturers failed to push the update to their customers leaving the vast majority of Android device with no protection at all against the exploit. That is, with the exception of Google and Samsung, who pushed updates for their popular Nexus and Galaxy models almost right away.
On June 30, Gal Beniamini released another series of posts that showed how he was still able to access sensitive data and take over units previously patched with the fix meant to stop the CVE-2015-6639 vulnerability. This exploit (dubbed CVE-2016-2431) allows an attacker to bypass virtually all of the trust and privilege levels on vulnerable Android devices to gain control of the units remotely and circumvent encryption protocols.
Google was made aware of the second vulnerability quickly and did release a patch for the exploit in May. Nevertheless, and again with the exception of Google and Samsung, virtually all other manufacturers failed to push updates to fix the exploit. And, as of the date of this writing, it appears that other Android device makers have still not pushed the fix to their customers.
As I mentioned above, Duo Labs released a second report on the status of this critical vulnerability at the beginning of this month (July, 2016.) In the report, Duo detailed that as many as 57% of all Android devices are still vulnerable to the CVE-2015-6639 and CVE-2016-2431 exploits. Duo also stated that the only reason the number of devices declined even a little (3% or so) is because popular models sold by Google and Samsung represent significant shares of the Android device market.
What You Can Do
So, what does all this mean? Well, to put it simply, Duo states that the only Android device brands they can recommend without reservation are Google and Samsung. Until other manufacturers start taking security updates seriously (and stop waiting to push only major release updates,) it’s a buyer-beware market when it comes to buying phones or tablets from makers other than Google or Samsung.
Duo recommends that users update their versions of Android as soon as possible and apply all available security patches. Duo also suggests that if the manufacturer of your phone has not released an update or patch, that you contact them and demand that they do so immediately. If enough users complain or demand updates, the device makers will be more likely to get in gear and push the patches already provided by Google.
So, for now anyway, either buy a phone from Google or Nexus or wait for other manufacturers to get their acts together and start taking exploits and patches more seriously. Or, I guess you do have a third option – wait for the next major Android release that has all of the exploit patches already in place.
If you use your phone to only take cat pictures, it may not matter too much if it’s vulnerable. If you keep sensitive data or information on your Android device, though, the vulnerabilities and exploits mentioned in this article are something you should definitely keep in mind.