Original Release Date: 10/1/2015
TLP: WHITE
The NJCCIC assesses with high confidence that vulnerabilities, exploits, and malware variants targeting the Android operating system (OS) will continue to proliferate as Android maintains a majority share of the global mobile device market and users increasingly rely on mobile devices for email, web browsing, banking, and shopping, for both professional and personal use. Additionally, as more organizations establish ‘bring your own device’ (BYOD) policies to reduce costs and increase connectivity, state-sponsored espionage groups and cybercriminals are likely to dedicate more resources to developing mobile exploits as a means to compromise user credentials, steal data, and serve as an initial breach vector onto corporate networks. The threats targeting mobile devices range from criminal schemes such as ransomware, exploit kits, and malvertising to malicious applications that masquerade as legitimate software and stealthily exfiltrate user data, including phone call audio, text messages, photos, and emails. The NJCCIC recommends that organizations and individual users implement strategies to mitigate the risk associated with the developing threat posed by mobile devices; this includes not only patching vulnerabilities and implementing endpoint protections, but also training users in best practices and in recognizing a potential threat.
Android is an open-source, Linux-based mobile OS marketed by Google Inc. and commercially available through a range of device manufacturers and mobile carriers. The Android OS reportedly powers more than one billion mobile devices, representing 82.8 percent of the global smartphone market. The OS runs on a wide variety of smartphones, tablets, televisions, wristwatches, and an increasing number of home automation devices. Android gained popularity with users and device manufacturers alike due to its affordability and openness, which allow for easy customization of the platform. Likewise, it appeals to application developers because of low barriers to entry into the Android application marketplace, Google Play. However, these characteristics are also advantageous to malicious actors, who have capitalized on the ability to inject malicious code, develop malware, and carry out fraud schemes targeting the Android ecosystem.
The NJCCIC recommends that all Android OS users immediately apply patches and updates supplied by their network carriers and application developers. Users are urged to avoid downloading third-party applications from unauthorized sources, and avoid “rooting” their devices, which allows the user to retain administrative privileges and provides attackers with ample opportunity to control a device. Organizations operating with BYOD policies are urged to educate employees on mobile threats and vulnerabilities, implement monitoring and endpoint protection on all mobile devices, and establish the capability to remotely wipe lost or compromised devices.
Traffic Light Protocol: WHITE information may be distributed without restriction.