It’s hard to make financial and banking transactions through your smartphone without feeling wary about the security implications, but users often trade safety for convenience.
Given how many people now do their banking on mobile devices, it is alarming that a new vulnerability has been found in Android 4.3, a version that runs on more than 10 percent of handsets.
IBM security researchers recently disclosed an Android bug that could give attackers access to the cryptographic keys used for banking and virtual private network (VPN) sessions, as well as other sensitive credentials stored on affected devices.
The bug lies in the Android KeyStore, the system service that holds that sensitive data. A successful exploit would let an attacker run malicious code on the device and extract the keys used by banking and other apps, along with the PINs and patterns used to unlock the device.
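The article does not say what kind of bug this is; the flaw IBM reported (tracked as CVE-2014-3100) was a stack buffer overflow in the KeyStore service's routine that encodes a caller-supplied key name into a fixed-size stack buffer, so a key name longer than the buffer overran the stack. The C program below is an added example written for this page, not Android's code: the escape format, the 32-byte buffer standing in for NAME_MAX, the sample names and the function names are all assumptions chosen for illustration. It shows the unbounded-write pattern beside the length-checked form a fixed service should use, and only ever reaches the unbounded writer through the checked wrapper, so it never corrupts memory.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Fixed on-stack destination, standing in for NAME_MAX in the real service (assumption). */
#define NAME_MAX_TOY 32

/* Bytes in the printable range '0'..'~' are copied; anything else is escaped
 * as '+' plus two digit characters (a toy escape format, not Android's exact
 * one), so the encoded name can be three times as long as the input. */
static int passes_through(unsigned char c) { return c >= '0' && c <= '~'; }

static size_t encode_byte(unsigned char c, char *out)
{
    if (passes_through(c)) { out[0] = (char)c; return 1; }
    out[0] = '+';
    out[1] = (char)('0' + (c >> 6));
    out[2] = (char)('0' + (c & 0x3f));
    return 3;
}

/* Bytes the encoded form of name[0..len) occupies, excluding the NUL. */
size_t encoded_length(const char *name, size_t len)
{
    size_t n = 0;
    for (size_t i = 0; i < len; i++)
        n += passes_through((unsigned char)name[i]) ? 1 : 3;
    return n;
}

/* Vulnerable pattern: the writer knows nothing about the size of `out`.
 * With a fixed on-stack destination, an attacker-chosen key name whose
 * encoding exceeds the buffer overwrites whatever follows it on the stack. */
void encode_key_unbounded(char *out, const char *name, size_t len)
{
    for (size_t i = 0; i < len; i++)
        out += encode_byte((unsigned char)name[i], out);
    *out = '\0';
}

/* Hardened form: the buffer size travels with the pointer and the routine
 * refuses any name whose encoding plus NUL would not fit.
 * Returns the encoded length, or -1 if the name was rejected. */
int encode_key_bounded(char *out, size_t outsz, const char *name, size_t len)
{
    size_t need = encoded_length(name, len);
    if (need + 1 > outsz)
        return -1;                            /* the check the bug lacked */
    encode_key_unbounded(out, name, len);     /* safe only because of the check above */
    return (int)need;
}

/* Runs a benign and an oversized (constructed) key name through the checked
 * encoder against a NAME_MAX_TOY-byte stack buffer. Returns the result for
 * the oversized name (-1 when it is correctly rejected). */
int demo(void)
{
    char filename[NAME_MAX_TOY];
    const char *short_name = "bank_key";       /* constructed sample name */
    char long_name[20];
    memset(long_name, 0x01, sizeof long_name); /* every byte escapes to 3 bytes */

    int a = encode_key_bounded(filename, sizeof filename, short_name, strlen(short_name));
    printf("short name: %d bytes -> \"%s\"\n", a, filename);

    int b = encode_key_bounded(filename, sizeof filename, long_name, sizeof long_name);
    printf("long name : needs %zu bytes, buffer holds %d -> %s\n",
           encoded_length(long_name, sizeof long_name), NAME_MAX_TOY,
           b < 0 ? "rejected" : "written");
    return b;
}

int main(void)
{
    return demo() == -1 ? 0 : 1;
}
```

The point to take from the checked version is that the bound is computed from the encoded length, not the input length: a 20-byte name is harmless on its own, but its 60-byte encoding is not, and a service that only sized its check to the raw input would still be exploitable.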
There is good news for users of KitKat (version 4.4): Google has already patched the vulnerability there. Other versions of Android have not been reported as affected so far, but it cannot be ruled out that they share the flaw, and that is worrying because at least 86 percent of Android devices run a version other than 4.4 and therefore do not have the fix.
The problem is compounded by the fragmentation of the Android ecosystem, which makes it impractical for device makers to release updates on a regular basis.
Thankfully, the flaw does not hand attackers the keys on a silver platter. Data execution prevention (DEP, which marks data pages non-executable) and address space layout randomization (ASLR) make it considerably harder to turn the bug into reliable code execution on Android devices. They raise the bar rather than remove it, though: a memory-safety bug in a privileged service remains exploitable by a sufficiently determined attacker, so these mitigations are no substitute for the patch.
Even so, the fact that the vulnerability sits in the KeyStore should not be underestimated. It is the central store of authentication credentials for apps, so an attacker who gains control of it could step into other apps and services the user has already signed in to, without ever entering a username or password. Because banking apps generally require a fresh login for every session rather than relying on a stored credential, they should be largely safe from this attack, although caution is still warranted.
The bad news is that accounts that do stay signed in, such as email and social media, could be used to receive and spread spam and malware. For corporate networks the stakes are higher: VPN credentials stored on a mobile device, especially under the bring-your-own-device (BYOD) programs now common in companies, could give an attacker a foothold in internal IT systems and potentially compromise the whole enterprise.
Prevention remains the best defence. Vet apps for potential risks before you download and install them, install the 4.4 update as soon as your device offers it, and, if you administer a BYOD fleet, treat VPN credentials issued to unpatched 4.3 devices as at risk until those devices are updated.