Tuesday, August 11, 2015

Another Android Vulnerability Affecting 55% of Users


It is like a tug of war between Android and its security options. Over the past few weeks, a number of vulnerabilities targeting Android devices have been revealed. Recently, another vulnerability targeting the Android platform was disclosed.

This new vulnerability allows an attacker to gain full access to the device through an app that has been assigned no privileges by the user.

Normally, every installed application has a list of permissions granted by the user, and the app is not allowed to use any resource beyond those granted. This vulnerability allows an app with few or no privileges granted by the user to become a super app with root privileges.

The vulnerability is due to a flaw residing in #OpenSSLX509Certificate, which takes care of the permissions granted by the user to the application. The vulnerability is tracked as #CVE-2015-3825.

The vulnerability was revealed by security researchers at IBM, who presented it with a proof of concept and reported it to Google.

All the attacker needs to do is install a small application that can be given few or no permissions; the application can then download additional components and may gain system-level access permission.

Once system-level access is achieved, it is a cakewalk for an attacker to control the device. The complete details of the vulnerability can be found here.

The video demonstration can be found here.

The patch has not yet been released, and the upcoming version, Android M, is also affected by this vulnerability.

P.S.: This post is intended to create awareness, not to create any negative impact.
