Linux Bug ‘Lets Attackers Target Billions Of Android Devices’

About 80 percent of Android mobile devices are affected by a Linux flaw that could allow attackers to intercept communications and obtain sensitive information, researchers said.

The bug, disclosed last week at the Usenix security conference in Austin, Texas, affects about 1.4 billion devices, according to mobile security firm Lookout.

Communications flaw

The bug, which affects the Transmission Control Protocol (TCP), was discovered in version 3.6 of the Linux kernel, released in 2012, and Lookout found that it is present in Android 4.4 (“KitKat”) and all later versions, including the latest developer preview of Android Nougat.

“The issue should be concerning to Android users as attackers are able to execute this spying without traditional ‘man-in-the-middle’ attacks,” Lookout said in an advisory. “CISOs should be aware that this new vulnerability affects their Linux environments and Linux-based server connections (e.g. to popular websites) in addition to Android devices.”

While the bug is difficult to exploit – meaning it presents only a “moderate” risk – it could be used in targeted attacks to intercept sensitive information that hasn’t been encrypted, Lookout said.

“Targeted attacks would be able to access and manipulate unencrypted sensitive information, including any corporate emails, documents, or other files,” Lookout stated.

Attackers could inject malicious code into unencrypted traffic, for instance sending a user a script that would present a false login window in order to obtain security credentials, researchers said.

Patching issues

While most Linux systems can be patched using routine procedures, the bug presents more of a risk for Android devices, which in many cases have sluggish or nonexistent patching processes.

While awaiting Android patches, Lookout said organisations can mitigate the bug’s risk by encrypting their communications or, on rooted devices, executing a command via the sysctl tool that makes the bug more difficult to exploit.
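The article does not name the sysctl setting in question. The kernel knob that the public guidance at the time pointed to is `net.ipv4.tcp_challenge_ack_limit`, raised to a very large value so that the rate limit on challenge ACKs (the side channel behind CVE-2016-5696) can no longer be measured; that key name and value are stated here from outside the article, not from it. The following is an added example, not Lookout's or the kernel project's code, that audits the current value and prints the hardening command an administrator (or, on Android, a rooted shell) would run. It takes an optional file path so it can be exercised against a constructed file instead of `/proc`, and reports a distinct exit code when the kernel does not expose the key (for example, kernels that no longer carry it):

```shell
#!/bin/sh
# Added example: audit and (on request) harden the challenge-ACK rate limit
# abused by CVE-2016-5696. Key name and hardened value are the publicly
# recommended ones at the time of disclosure, not values taken from the article.

SYSCTL_KEY="net.ipv4.tcp_challenge_ack_limit"
PROC_PATH="/proc/sys/net/ipv4/tcp_challenge_ack_limit"
HARDENED=999999999

# True when the supplied value is at or above the hardened limit.
challenge_ack_is_hardened() {
  [ "$1" -ge "$HARDENED" ]
}

# Read the current limit; an alternate file path (for testing) may be given.
read_challenge_ack_limit() {
  file="${1:-$PROC_PATH}"
  if [ -r "$file" ]; then
    cat "$file"
  else
    echo "unknown"
  fi
}

# The command an administrator would run to apply the mitigation.
mitigation_command() {
  echo "sysctl -w ${SYSCTL_KEY}=${HARDENED}"
}

# Exit status: 0 already hardened, 1 needs hardening, 2 key not readable.
audit_challenge_ack() {
  file="${1:-$PROC_PATH}"
  cur=$(read_challenge_ack_limit "$file")
  case "$cur" in
    ''|*[!0-9]*)
      echo "cannot read $SYSCTL_KEY (kernel may not expose it; rely on a patched kernel)"
      return 2 ;;
  esac
  if challenge_ack_is_hardened "$cur"; then
    echo "$SYSCTL_KEY=$cur is already hardened"
    return 0
  fi
  echo "$SYSCTL_KEY=$cur is low; apply: $(mitigation_command)"
  return 1
}

# Usage when run directly: audit the live kernel value.
if [ "${AUDIT_ON_LOAD:-0}" = "1" ]; then
  audit_challenge_ack
fi
```

Raising the limit is a stop-gap that only blunts the timing side channel; the real fix is the kernel patch the article mentions, so the audit treats a missing key as "verify the kernel is patched" rather than as a failure. Encrypting traffic end to end, the other mitigation Lookout names, removes the value of any successful injection regardless of the sysctl setting.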

Lookout said it expects Google to release an Android patch in its next monthly update, and Google confirmed in a statement that it is aware of the issue and is “taking the appropriate actions”.

The bug, designated CVE-2016-5696, was disclosed last week by researchers from the University of California, Riverside and the US Army Research Laboratory, and a patch was released last month.


Matthew Broersma

Matt Broersma is a long-standing tech freelancer who has worked for Ziff-Davis, ZDNet and other leading publications.
