Researchers find Android hole that could affect millions


The security of Android devices versus Apple's (NASDAQ: AAPL) iOS devices has been an ongoing issue for chief information officers and IT departments dealing with BYOD at their companies.

Android security concerns were heightened last week by North Carolina State University researchers who showed how a vulnerability in Android platforms could be used to send fake SMS messages designed to trick the user into disclosing confidential information or subscribing to bogus premium services.

Security firm Symantec estimated that the vulnerability could affect millions of Android users. Code that exercises the vulnerable mechanism has been in circulation since August 2010 for legitimate purposes, such as delivering advertisements.

"We have recorded more than 250 applications that contain code using this technique including 200 that are currently available on Google Play with millions of combined downloads. Some of the applications use the code to better integrate text messaging with instant messaging or other online services. The vast majority are using an ad network software development kit (SDK), which pushes ads straight into your SMS inbox," explained Symantec researcher Mario Ballano in a blog.

The NC State researchers said the attacking app does not need to request any permission to launch the attack. The vulnerability is present in multiple Android platform versions--Froyo, Gingerbread, Ice Cream Sandwich, and Jelly Bean--and on multiple devices--the Google Galaxy Nexus, Google Nexus S, Samsung Galaxy S III, HTC One X, HTC Inspire, and Xiaomi MI-One.

The researchers warn that the vulnerability, which is present in the Android Open Source Project code itself, could exist in all recent Android platform versions, not only those they tested.

They informed Google (NASDAQ: GOOG) and received confirmation of the vulnerability from the company, which said it would fix the problem in a future Android release. Until that release ships, the vulnerability remains unpatched on affected devices, although the researchers have no evidence that it is being exploited in the wild.

"Before the ultimate fix is out, this threat can be mitigated in several ways. For example, users are encouraged to be cautious when downloading and installing apps (particularly from unknown sources). As always, it is important to pay close attention to received SMS text messages, in order to avoid being duped by possible phishing attacks," one of the researchers, Xuxian Jiang, associate professor at NC State University, wrote in a blog.

Adding to the growing BYOD security worries, a recent survey of 649 IT and security professionals conducted by the SANS Institute found that only 30 percent felt confident in their BYOD security policies.

Security continues to be a major BYOD headache. This latest Android vulnerability will not make it any easier for IT managers to sleep at night.

For more:
- read Ballano's blog
- check out the SANS Institute survey
