Android phones vulnerable to flaw that leaves banking apps exposed to hackers



Android users running older versions of Google's ubiquitous software are at risk of attack, according to a new study.

Security researchers have uncovered a major flaw that affects Android's KeyStore - part of the system responsible for encrypted data and cryptographic keys - on older software releases. 

Keys are used to encrypt and hide information as people access certain apps, and the vulnerability means hackers could expose and steal banking data and passwords. 

Google has patched the issue in Android KitKat 4.4, but the vulnerability still affects older software releases, including Android Froyo 2.2.

HOW TO PROTECT YOURSELF

Android users running older versions of the operating system are being advised to carefully check apps before installing them.

Apps should only be installed from the official Google Play Store.

Where possible, users should also install the most up-to-date version of Android available for their device.

Go to 'Settings' and then 'Update' to check for new releases.

It is also advisable to run antivirus software on devices to scan for any malicious code or apps already installed.

KeyStore is used to identify developers and users when they create, install and use apps.

 

A team of experts at IBM spotted the flaw nine months ago, and flagged the vulnerability to Google.

Google has since issued a fix for its Android 4.4 KitKat software - but that still leaves all older versions of the software at risk.

This is believed to be 86 per cent of all Android handsets in current use.


WHAT IS ANDROID KEYSTORE?

Android KeyStore explained

Google has designed Android so that any installed apps need to be 'digitally signed' with a certificate.

This certificate has a private key that is stored by the app's developer and Android uses it to identify who created the app.

It is designed to stop hackers from being able to add malicious code to a developer's app without their permission.

The flaw discovered by IBM means attackers can execute code that could leak keys used by banking and other sensitive apps.

It could also reveal PINs or finger patterns used to unlock handsets, for example.


But to get access to the keys, hackers would first need to install a malicious app on a vulnerable handset.

In theory, because banking apps ask for passwords every time they are used and have added security measures, they are more secure than other apps. But this doesn't mean they are impenetrable.



