Researchers have discovered a Crypto key vulnerability that could affect 86% of Android devices. The exploit allows hackers access to the users banking information, lock screen PIN and virtual private network.
Crypto keys are used as identifiers for apps that require authentication between the user and the app, usually in the form of a PIN or password. A crypto key when matched with its counterpart encrypted object, allows that object to be decrypted.
Researchers found that this vulnerability affects Android Key Store that is dedicated to storing crypto keys. The malware impacts devices running Android 4.3 or below, which Google points runs on 86% of devices. The bug allows hackers to access Android Key Store and leak banking information, passwords, etc.
A hacker would have to first run a malicious code on a user's device, to exploit the vulnerability. Google says that it has put in place multiple hurdles, address space layout randomization and data execution prevention to prevent the bug from being exploited. However this still doesn’t minimize the seriousness of the bug since it affects such a sensitive region of Android.
Another expert, Pau Oliva, a senior mobile security engineer at viaForensics stated; “A malicious user exploiting this vulnerability would be able to do RSA key generation, signing, and verification on behalf of the smartphone owner.”
Recent CISCO report says that 99 percent of all mobile malware is targeted towards Android devices. Google runs Bouncer for Android devices running 4.3 or below to detect malicious code in apps. Google has also launched 'Verify Apps' that checks your device to make sure installed apps don't get infected by malware. However malicious apps can still bypass the protective filter and researchers advice Android users to carefully check apps before installing third party apps.
Source: ArsTechnica