Android security hole could enable attackers to bypass VPN

An Android vulnerability could enable an attacker to bypass a secure virtual private network (VPN) connection and divert traffic from the Android device to a system controlled by the attacker, according to researchers at Ben-Gurion University's Cyber Security Labs in Israel.

Enterprises use VPNs to provide security access to corporate networks for mobile and remote workers. A VPN establishes an encrypted tunnel into the corporate network using the public Internet.

However, utilizing this Android vulnerability, hackers are able to bypass the encryption altogether, the researchers argue in a blog. The study found the vulnerability initially in the 4.3 Jelly Bean build, but subsequent investigation revealed the same problem in 4.4 KitKat.

"We were able to reproduce the same vulnerability where a malicious app can bypass active VPN configuration (no ROOT permissions required) and redirect secure data communications to a different network address. These communications are captured in CLEAR TEXT (no encryption), leaving the information completely exposed. This redirection can take place while leaving the user completely oblivious, believing the data is encrypted and secure," the researchers explain.

The researchers said they contacted Google about the Android vulnerability and were waiting for a response.

In an Editor's Corner a few months ago, I pointed out that Android malware is a growing concern for IT pros, particularly with the flood of personally owned mobile devices coming into the enterprise.

Recent research by security firms has identified a rapid rise in Android malware. "Android malware can place a company's future at risk by exposing strategic information or stealing passwords," Sophos warns in its Security Threat Report 2013.

For more:
- check out the researchers' blog

Related Articles:
The Android Strain
Flood of BYOD devices challenges IT security pros