
Unpatchable Android?

  • Posted on: June 18, 2015
  • Posted in: Android, Hacks, Mobile Security, Security
  • Posted by: Christopher Budd (Global Threat Communications)

There’s another vulnerability affecting the Android platform that this week once again raises the question: am I vulnerable?

Researchers from NowSecure announced at Black Hat in London this week a vulnerability affecting the SwiftKey keyboard on Android.

The biggest concern is for Samsung Galaxy phones, which install the SwiftKey keyboard by default and allow it to run with operating-system privileges.

This vulnerability could allow attackers to take total control of a vulnerable Android phone.

Fortunately there is a fix for this vulnerability. But that’s not the end of the story.

Because this issue has again raised the question for Android users (and Samsung users in particular): am I vulnerable?

Just because a vulnerability has been patched doesn’t mean that YOU now have the patch. And for Android especially, it doesn’t mean that you’ll EVER get the patch.

Unlike iOS, the Android platform is very fragmented as far as versions and support. Just because you have an Android phone doesn’t mean you’ll actually get a fix for the vulnerability that affects your phone. In the United States especially, if you use an Android phone, you’re not a customer of Google, who makes Android (unless you bought a Nexus phone from Google directly): you’re a customer of the maker of the phone (for example: Samsung) and the wireless carrier (for example: AT&T, Verizon, Sprint or T-Mobile). Once a vulnerability is patched, it’s still a question of whether you’ll get the patch or not, and that question is answered by your phone maker and your wireless carrier. And the truth is, very often, for older versions of Android especially, that answer is: No, you won’t ever get the patch.

The SwiftKey vulnerability isn’t the first time this question has come up. Over the past two years alone, we’ve documented numerous serious vulnerabilities that affect Android and won’t ever be patched for all users:

  • The Device Administrator Vulnerability
  • The Master Key Vulnerability
  • The SIM Card and Mactan Vulnerabilities
  • The Reboot Loop Vulnerability
  • The Heartbleed Vulnerability
  • The FakeID Vulnerability
  • The Same Origin Vulnerability
  • Android Installer Hijacking Vulnerability

Now we can add the SwiftKey vulnerability to this list of vulnerabilities that you may never be protected from.

When you consider that the amount of malware affecting Android just passed the 5 million mark in March 2015, this problem becomes all the more urgent and serious. Collectively, the vulnerability and malware situation on Android is comparable in severity to that on Microsoft Windows. And just as you wouldn’t connect a Windows system to the Internet without security software, you shouldn’t connect an Android system to the Internet without security software.

This isn’t a new problem. It’s also not an easy problem: I work in security and was left hanging on an unsupported and unsecured version of Android by my handset maker and carrier for a year and a half in 2013 (a problem I wrote about here). When the experts can’t solve it for themselves, it’s a sign that you’ve got a real, intractable problem.

Let’s be clear: even with this it is possible to use the Android platform safely. If you get your Android phone from Google, you’ll get your security patches from Google directly. Even if you get your Android phone from someone else, you can run security software for an extra layer of protection. And that will provide protections against malware on Android as well. But a key to being secure is understanding your risks. And the fact is that unpatchable vulnerabilities on Android are a real risk you have to be aware of, and account for.
