Android is a mobile operating system. It is developed and maintained by Google, and is based on a modified version of Linux. Android apps come packaged as APKs (Android PacKages). They are (mostly) developed by third parties and written in Android Java. Apps must go through a vetting process before they are allowed to be posted on Google Play. However, Android does not prevent users from side-loading apps from unauthorized sources. This provides an attacker with additional opportunities (particularly social engineering) to compromise an Android device.
Most mobile device users do not understand that their phone must be protected with the same diligence as their laptop or desktop. As a consequence, many Android devices lack basic security measures such as strong authentication and endpoint protection. CVEdetails.com lists over 1,800 Android-related security vulnerabilities. Exploit-db.com lists nearly 130 exploits. Metasploit has nearly 30 Android-related modules. Here are some common Android vulnerabilities. Not all have CVE numbers.
| Vulnerability | Description |
| --- | --- |
| Physical theft | Their small size makes Android devices especially vulnerable to theft and loss. |
| Weak or no passwords | Many users do not enable passwords or use weak passwords on their device. |
| Lack of data encryption | Many apps, including those that use the SQLite database, store data in cleartext. |
| Ability to side-load apps | Android allows users to install unsigned apps from any source, even on devices that are not rooted. |
| Rooted device | Many Android users root their device, overwriting firmware-based security controls so that they can have more control over the phone. Unfortunately, this makes it easier to compromise the phone, as users now have root-level privileges. |
| SQL injection | The SQLite database, which is the most commonly used database in mobile devices, is vulnerable to SQL injection attacks. |
| Unauthorized access or excessive permissions by apps | Many apps either request more permissions than they actually need, or do not request permissions at all to access resources such as contacts, microphone, camera, location services, etc. |
| Data leakage from syncing | Security vulnerabilities in cloud-based services could expose the Android device to attack, especially if the user uses the same password for multiple websites. |
| Lack of antivirus/malware protection | Most users do not install endpoint protection on their devices. This leads to virus infections, unsafe surfing, malicious downloads, SMiShing, etc. |
| Missing updates and patches | As with any system, the OS and its apps need periodic patching. This often does not happen, or users roll back the updates to recover disk space or improve performance. |
| QuadRooter vulnerabilities | A set of four vulnerabilities affecting devices that use Qualcomm chipsets (about 900 million devices). Any of the four could escalate privilege and grant an attacker root access. CVE-2016-2503. |
| Certifi-Gate mRST flaw | A flaw in mobile remote support tools allows an attacker to install a malicious app and gain control of the device. Affects versions up to 5.1 (Lollipop). No CVE #. |
| Stagefright MMS flaw | Considered the most serious Android flaw to date. Allows an attacker to send a malicious video message that is processed by the native media playback library without the user's knowledge. Permits escalation of privilege and remote arbitrary code execution. Affects versions up to 5.1. CVE-2015-3864. Metasploit module: `exploit/android/browser/stagefright_mp4_tx3g_64bit`. |
| Android Installer hijacking | Allows attackers to replace a legitimate APK with a malicious one during installation. Affects older devices up to v4.1 (Jelly Bean). No CVE #. https://researchcenter.paloaltonetworks.com/2015/03/android-installer-hijacking-vulnerability-could-expose-android-users-to-malware/ |
| Android FakeID flaw | Allows a malicious app to hijack the trusted status of a legitimate app by forging its digital signature, thus escaping sandboxing. Affects versions 2.1 (Eclair) to 4.3 (Jelly Bean). No CVE #. |
| TowelRoot | A kernel-level flaw that allows a user or attacker to quickly root older devices, up to version 4.4 (KitKat). https://towelroot.en.uptodown.com/android |
| Janus vulnerability | An attacker could add malicious code in the form of a DEX file to an APK without changing the APK's digital signature. CVE-2017-13156. |
| Cross-platform protocol vulnerabilities | As a Linux variant, Android is susceptible to exploits that impact common protocols or features, such as POODLE, KRACK and Dirty COW. |
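The Janus entry above comes down to one file shape: a DEX header at offset 0 followed by a ZIP (APK) body, which the v1 (JAR) signature never covers because it only signs ZIP entries. The triage check below is an added example, not code from the page or from any Android tooling; it flags such polyglots from the two magic values alone, and the sample files it tests against are constructed in memory (the "DEX" prefix is only a header stub, not a real DEX).

```python
import io
import zipfile

DEX_MAGIC = b"dex\n"            # every DEX file starts with "dex\n" + version
ZIP_EOCD_MAGIC = b"PK\x05\x06"  # ZIP end-of-central-directory record
ZIP_LOCAL_MAGIC = b"PK\x03\x04"  # first local file header of a normal ZIP/APK


def classify(data: bytes) -> str:
    """Return 'clean-apk', 'dex', 'janus-polyglot' or 'unknown' for a buffer.

    Heuristic only: it checks magic values, not signature validity. A file that
    parses as DEX from offset 0 *and* carries a ZIP directory at its tail is the
    Janus shape (CVE-2017-13156). APKs signed with APK Signature Scheme v2 or
    later are not affected, because v2 signs the whole file and any prepended
    bytes invalidate the signature.
    """
    starts_as_dex = data[:4] == DEX_MAGIC
    # The EOCD record is in the last 22 + 65535 bytes (16-bit comment length).
    has_zip_tail = ZIP_EOCD_MAGIC in data[-(22 + 0xFFFF):]
    if starts_as_dex and has_zip_tail:
        return "janus-polyglot"
    if starts_as_dex:
        return "dex"
    if has_zip_tail and data[:4] == ZIP_LOCAL_MAGIC:
        return "clean-apk"
    return "unknown"


def make_sample_apk() -> bytes:
    """Constructed fixture: a minimal ZIP laid out like an unsigned APK."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", "<manifest/>")
        zf.writestr("classes.dex", "dex\n035\0" + "\0" * 64)
    return buf.getvalue()


def make_polyglot_sample() -> bytes:
    """Constructed fixture: a DEX header stub glued in front of the sample APK."""
    return b"dex\n035\0" + b"\0" * 0x70 + make_sample_apk()


def scan_file(path: str) -> str:
    """Classify an on-disk file, e.g. an APK pulled for triage."""
    with open(path, "rb") as fh:
        return classify(fh.read())
```

Because `classify` only reads magic values, pair it with a real signature check (`apksigner verify`) before acting on a hit; its purpose is cheap bulk triage of side-loaded APKs.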
Note: For more information on Android vulnerabilities, see https://androidvulnerabilities.org/ and https://www.cvedetails.com/product/19997/Google-Android.html?vendor_id=1224