Serious Security Threat Lurks on 86 Per Cent of Android Phones

By Kate Knibbs

A bug in the Android KeyStore left an estimated 86 per cent of Android phones vulnerable to major security breaches, according to an advisory IBM researchers published last week.

KeyStore is like the caretaker's closet for Android: it's where all cryptographic keys and other sensitive information live. So it's a bad place for a vulnerability. The security flaw is what the researchers call a "classic stack-based buffer overflow," and it could allow attackers to execute code to steal phone lock credentials, and then all sorts of sensitive data on the phone, including banking information.

The researchers discovered the problem nine months ago, but waited until the Android Security Team came up with a patch for Android KitKat, which is now available. That still leaves Android users without KitKat (estimated to be 86.4 per cent of Android's user base) open to this kind of attack.

Nobody (as far as we know) actually exploited the vulnerability, so Android is testing its luck. To actually carry out an attack, would-be malicious hackers would have to overcome Android's software protections, including coding and data execution prevention. But just because it hasn't been done yet doesn't mean it can't be done.

The fact that this kind of major vulnerability can go undetected until IBM researchers point it out is pretty scary. It's also unlikely to be the last of its kind, and it's another reminder that even sophisticated operating systems can have big scary holes in their security.

You can read the full report from the researchers below.

Android KeyStore Stack Buffer Overflow (CVE-2014-3100) from IBM Security Systems

[Ars Technica via IBM]

Image credit: JD Hancock under Creative Commons license.