Slow patching puts Android users at further risk

Android users aren't receiving security patches in timely manner, exposing them to threats as seen at Black Hat

If Android users weren't already feeling a bit paranoid about the growing security threats to their mobile platform, they might after hearing some of the news coming out of Black Hat USA 2012. Despite Google's obvious efforts to boost security in the Android ecosystem, hackers continue to find weaknesses -- and carriers' and hardware makers' slowness in pushing Android security patches out to users isn't helping.

One such vulnerability was discussed and demonstrated by Charlie Miller, a research consultant at Accuvant Labs. Miller has discovered a means of exploiting Android's Beam file-sharing feature to execute files on target devices. To pull off the hack, an attacker puts the target phone a few centimeters away from a quarter-sized chip or touches it to another NFC (near-field communications)-enabled phone. The attacker-controlled chip or device beams then code to the target phone, after which the attack can run malware on it.

In one demo, Miller showed how by simply initiating a peer-to-peer NFC sessions between two smartphones an attacker could run malicious code on the target device without any notification or permission. In the second demonstration, Miller was able to activate a target Android smartphone by exploiting NFC connections and Bluetooth components, then install and execute files on it.

Separate from Miller, Trustwave researchers Nicholas J. Percoco and Sean Schulte demonstrated yesterday a weakness in Google's Bouncer, a service that automatically scans applications in the Android application market for malware. In their Black Hat demo, the duo showed how they submitted for the marketplace a legitimate, malware-free app that passed Bouncer security -- but were then able to covertly update the app using a JavaScript bridge, adding functionality that would enable an attacker to view a target user's files or load a malicious website on the device.

Previously, Android malware has spread through some form of user interaction, according to The Verge. Trustwave's technique needed only to be installed with its legitimate base and updated with the cloaked malicious payload, resulting in almost full control of the device.

While a good chunk of the blame for these security vulnerabilities lie with Google, carriers and device makers deserve some credit. Georg Wicherski of CrowdStrike and Miller demonstrated how they could infect an Android phone by exploiting a browser vulnerability discovered in February. The vulnerability was publicly disclosed by the Chrome development team and fixed, but carriers and device manufacturers have not pushed those fixes out to all Android users, thereby leaving them vulnerable, according to Reuters.

Indeed, carriers and device manufacturers have demonstrated a consistently disappointing track record in terms of pushing the latest and greatest patches to users in a timely manner. A study released last October showed that 11 of 18 Android phones were no longer supported by their manufacturers within a year of their release.

Although Apple's iOS platform isn't completely immune to malware, the company seems to be doing a far better job than Google in keeping users' mobile devices patched in a timely manner. Granted, Apple has it slightly easier in that it's not at the mercy of as many carriers as Google, nor does it have to deal with multiple hardware vendors. But each time a new exploit emerges targeting Android users, Google risks losing customers to Apple -- and perhaps even to Microsoft when Windows Phone 8 materializes. 

This story, "Slow patching puts Android users at further risk," was originally published at InfoWorld.com. Get the first word on what the important tech news really means with the InfoWorld Tech Watch blog. For the latest developments in business technology news, follow InfoWorld.com on Twitter.

Mobile Security Insider: iOS vs. Android vs. BlackBerry vs. Windows Phone
Join the discussion
Be the first to comment on this article. Our Commenting Policies