Android Crypto Key Exploit Discovered, 86% of Devices Affected

Researchers from the mobile security department at IBM published an advisory that could have wide-reaching implications for anyone who relies on the Android operating system to power their mobile device.

The vulnerability resides in the Android KeyStore, so the new exploit could have a significant effect on the way PIN data, banking information, and cryptographic keys are stored and secured.

The app-based backdoor is particularly dangerous because it targets cryptographic material. The KeyStore is easily one of the most sensitive parts of the entire Android architecture, and it is meant to be the last bastion where data can live without interference from anything else installed on the phone.

Currently the only version of Android that contains a fix for the exploit is KitKat 4.4; there are no reports of any release below that threshold holding up against this new hack. Everything underneath the newest release is vulnerable to the problem, which can be delivered in a variety of ways including (but not limited to): phishing attacks, infected email attachments, malware-laced apps from Google Play, and over-the-air Wi-Fi attacks that can be performed at any public hotspot.

With so many attack vectors available for such an extensive crack, you can be sure this problem will become a popular option for hackers looking to compromise your phone as quietly as possible, and it likely won't be going away anytime soon without Google's help. Reportedly the Android security team has been scrambling to find a solution since the news first broke, but it could be several months before a fix is coded and ready for universal deployment.

Dan Wallach, a professor at Rice University who specializes in Android security, explains what makes this most recent discovery more serious than anything we’ve seen before it.

“Generally speaking this is how apps are going to store their authentication credentials, so if you can compromise the KeyStore, you can log in as the phone’s user to any service where they’ve got a corresponding app, or, at least, an app that remembers who you are and lets you log back in without typing a password.”

Until a proper fix is released, the best way you can protect yourself is through standard methods of personal security, including not opening messages from anyone you don’t recognize, and never downloading an app that hasn’t been reviewed and researched by the Android community first.

It's familiar problems like these that hark back to the speech Tim Cook gave at WWDC this year, wherein the Apple CEO took several minutes out of his iOS 8 presentation to compare the update statistics of his own company's OS to those of its mobile competitor, Android.

While almost 90 percent of all iPhone and iPad users have brought their devices up to date with the most recent versions of iOS 7, a mere 14 percent of the Android faithful have taken the time to install KitKat. That leaves 86 percent out in the cold, and it would take only a sliver of that number to build a botnet that maintains the infrastructure attacks like this depend on in order to spread to a notable number of devices at once.

With that in mind, thankfully the crack can only cause as much havoc as you allow it to. If you don't use your phone for any banking, that information will never reach the KeyStore, and attackers will be left empty-handed the next time they break in looking for something to steal.

The same goes for social media accounts like Twitter or Facebook. As long as you don't have an app installed that stores its credentials in the vulnerable portion of the phone, the crack gives an attacker nothing to recover from the compromised store.

“The amount of damage you can do, then, has a lot to do with which apps this lets the attacker compromise. If the attacker can compromise your Twitter account, then yeah, they can spew spam in your name. Not very exciting. If the attacker can get anywhere near your money, then it gets more interesting. Likewise, for companies that load VPN credentials into your phone, so you can connect through their firewall to their internal services, there could be a variety of nasty attacks, since you’ve effectively given the attacker the keys to get through the firewall.”

Google remains confident that, until it can properly apply a patch that protects users on the firmware front, its Bouncer service should help mitigate any damage coming from the general direction of its app store. With Bouncer, Google runs every program available on its marketplace through a series of rigorous tests designed to shake down every last byte of code in search of malware-stuffed lines that could compromise a device at a later date.

By adding new rules to Bouncer, Google should be able to stop new apps that exploit the flaw from being distributed through its store, at least until the company can get a better grip on the problem before it spirals out of control.

UPDATE: Since publication of this article, VPN Creative was contacted by a member of the IBM security team in charge of the investigation into this issue, and a spokeswoman has assured us that after further dissection, IBM can confirm that only Android version 4.3 is affected by the bug:

“The initial blog post had stated that the vulnerability affected *all* versions of Android, v4.3 and below — we have since been informed by the Android Security Team that this vulnerability only impacts devices running v4.3 … which Google currently reports is at 10% of the Android install base (via the Android Developers Dashboard).”