Saturday, January 25, 2014

Android VPN Vulnerability Exposed | Android OS Will Remain Vulnerable to This Exploit?

Leave a Comment
Android
For some time security researchers, including myself, have been encouraging Android users to avoid using public Wi-Fi hotspots as this type of internet connection is rife with data theft, this advice remains true. There were formerly two ways to provide a secure browsing experience in public: using your mobile data plan (3G, 4G, LTE), or using a mobile VPN (Virtual Private Network). However, researchers from Ben Gurion University have discovered a vulnerability that allows a malicious application to bypass the VPN settings and redirected user data to an alternate server. The researchers have notified Google of this vulnerably and have created a proof-of-concept application to demonstrate the malicious activity. The full details of the hack process have not yet been released and will not be released publicly until Google develops a patch.

The Cyber Security team from Ben Gurion University has published an article outlining the preliminary results of their research which includes a video demonstrating the VPN vulnerability in action. In the video the researchers activate the malicious proof-of-concept application, then correctly configure and activate a legitimate VPN service, and finally send an email from the device. In a normally functioning VPN the email would be sent encrypted to the VPN servers and then delivered to the destination address. In the video we see that malicious application exploits the vulnerability to capture the email in plaintext and forwards it to an alternate server (in this case a computer) running detection software where the email and its contents are captured. The article goes on to clarify that the vulnerability can also be used to capture data sent via SSL but in this case the captured data is encrypted.

The implications of this are very concerning, using this vulnerability cyber criminals can gain access to any sensitive information transmitted via VPN. This exploit defeats one of the most reliable ways to provide data security while using public Wi-Fi. Please be assured that this vulnerability is exclusive to Android and is not an exploit in the design of VPNs or even mobile VPNs. If you chose to access the internet through public Wi-Fi using any other device VPNs are still the best form of security to protect your private information. The use of a VPN remains essential.

Equally concerning is this exploit requires no VPN related permissions nor root access to the device suggesting that an application requesting very innocuous permissions may be capable of executing this malicious activity. This Android VPN exploit has been verified on Android 4.3 but research into this vulnerability on Android 4.4 is ongoing. Regardless of the exploit being verified on Android OS 4.4 any patch released by Google will not be retroactive. This means that all affected versions of the Android OS will remain vulnerable to this exploit. Android updates are never retroactive; this is why it is incredibly important for Android users to stay current with Android updates.

Once Google has released the patch for this vulnerability we anticipate that the researchers will publish the methodology of this hack. When the methodology becomes public we can expect cyber criminals quickly incorporate this vulnerability into new malware that is capable of stealing sensitive data sent via VPN connection. VPN use on Android devices is not particularly popular and as such we do not expect that malware exploiting this vulnerability will be widespread.

The most secure way for Android users to access the internet is via their mobile data plans. Until this vulnerability has been patched and the update has been released to the public it is unsafe to use VPN services to connect to the internet. Android device manufacturers and mobile service carriers are well known for delaying the Android update process to incorporate additional applications and customize the Android OS. This means that when Google releases the update you may be waiting several months for the manufacturer of your device and your carrier to release the necessary update. Until your device has received the update it especially important to install and use Antivirus software to detect malicious applications that are designed to intercept and steal your sensitive data. 

About Author: James Green is a security researcher for Android antivirus company Armor for Android. James has worked in the Android security field for several years and provides privacy and security advice to Android users.

0 comments :

Post a Comment