Serious crypto key vulnerability leaves 86 percent of Android devices at risk

Yet another major malware threat has been discovered on Android and this time a whole lot of devices could be affected. Researchers say nearly 86 percent of all Android phones have this vulnerability which allows attackers to obtain highly sensitive data such as cryptographic keys for banking services and enterprise VPN credentials, as well as PINs or patterns used to unlock these devices.   The threat is seen in the Android KeyStore, a part of OS which handles storage of keys and sensitive credentials. The advisory published by IBM security researchers this week shows that by exploiting the weakness, a hacker could run malicious software that can leave sensitive data open. The advisory noted that Google issued a patch for the stack-based buffer overflow in 4.4.x i.e KitKat, but the remaining versions of the OS remain under threat. According to the last platform numbers, KitKat accounted for a mere 13.6 percent of all activated Android devices, leaving a whopping 86.4 percent devices with no fix.   Having said that attackers would need to overcome several security obstacles laid down by Google before they can execute any malicious code. Ars Technica reports “Attackers would also have to have an app installed on a vulnerable handset. Still, the vulnerability is serious because it resides in KeyStore, arguably one of the most sensitive resources in the Android OS.”   Dan Wallach, an Android security expert told the website, “Generally speaking this is how apps are going to store their authentication credentials, so if you can compromise the KeyStore, you can log in as the phone’s user to any service where they’ve got a corresponding app, or, at least, an app that remembers who you are and lets you log back in without typing a password. This means that most banking apps, which force you to type your password every time, are probably safe against this particular attack.”