The zero-day vulnerability presented by IBM researchers Or Peles and Roee Hay will affect all Android devices.
The two researchers from IBM’s X-Force Application Security Research Team presented a paper titled “One Class to Rule Them All” at the USENIX WOOT 2015 Security Conference held in Washington, D.C.
In their paper, the researcher duo provided a proof of concept for CVE-2014-3153. CVE-2014-3153 is a vulnerability that they identified in Android’s OpenSSLX509Certificate class.
The class, if and when leveraged by an attacker, would let them escalate the privileges of a lower-level app, granting it super-privileges such as system user status on the Android device.
Hackers can Replace Real Apps with Fake Ones:
The CVE-2014-3153 zero-day vulnerability can easily be exploited, as all an attacker needs is an entry point into the Android device: a tiny snippet of code injected to escalate the privileges of an app. That piece of code could be hidden in any low-level app or game of the attacker’s choosing. They may also host it on the Play Store.
When a user downloads and installs the app, the code is executed and the low-level app receives system-level privileges.
If, on the other hand, the entry point is a “malicious” app that contains additional complex procedures along with the escalation code, the user might get into greater trouble.
This vulnerability could easily be used by an attacker to install malicious APKs on any targeted Android device. Later, the attacker could use them to replace authentic apps such as Facebook.
Escalating privileges through this new zero-day vulnerability isn’t limited to replacing real apps with fake ones. Attackers can download just about anything they want from the device, as well as spy on the user. The user would never be notified or prompted with any popups about what is happening in the background.
Around 55% of all Android devices to be affected:
Researchers claim that Android devices running versions between 4.3 and 5.1 are affected by this vulnerability. This means Jelly Bean, KitKat and Lollipop are all affected. Moreover, the as yet unnamed M version is vulnerable as well. This means around 55% of the Android market is in danger.
The IBM team also took steps to disclose this vulnerability properly, and Google has already issued patches.