Security researchers at Ben Gurion University have uncovered what they say is a network vulnerability on Google Android devices that could be used to allow malware to bypass VPN.
According to the university’s Cyber Security Labs Team, the vulnerability has been verified in both Android Jelly Bean 4.3 and Android KitKat 4.4.
“At first we could not reproduce it with the original vulnerability code since KitKat has a modified security implementation,” according to the team’s blog. “Following an elaborate investigation we were able to reproduce the same vulnerability where a malicious app can bypass active VPN configuration (no ROOT permissions required) and redirect secure data communications to a different network address. These communications are captured in CLEAR TEXT (no encryption), leaving the information completely exposed. This redirection can take place while leaving the user completely oblivious, believing the data is encrypted and secure.”
Researchers contacted Google with their findings. A video presentation of the attack can be viewed here. According to the researchers, the findings are based on the same vulnerability they demonstrated weeks ago on the Samsung Galaxy S4 phone to circumvent the protections available in the KNOX security solution.
Early this month, Google and Samsung downplayed the researchers’ report, noting that their exploit uses legitimate Google Android network functions “in an unintended way to intercept unencrypted network connections from/to applications on the mobile device” and did not demonstrate a vulnerability in KNOX or Android.
The researchers responded with a point-by-point refutation of the vendors’ joint response, noting among other things they had tested the attack on Samsung S4 devices “straight out of the box.”
“In the first finding we reported to Samsung the vulnerability details and an example exploit where an attacker can intercept, block, and alter data communications (non SSL/TLS and non VPN),” the team explained in a blog post. “We also stressed the point that other kind of attacks can take place via the same vulnerability. In our continued investigation of the vulnerability we found that an attacker can, in fact, do much more harm. This finding revealed that an attacker can bypass the VPN (even if configured properly) and again, the secure communications can be intercepted in clear text.”
Once the vulnerability has been resolved, more details will be posted, the team blogged.
More from Brian Prince
- U.S. Healthcare Companies Hardest Hit by ‘Stegoloader’ Malware
- CryptoWall Ransomware Cost Victims More Than $18 Million Since April 2014: FBI
- New Adobe Flash Player Flaw Shares Similarities With Previous Vulnerability: Trend Micro
- Visibility Challenges Industrial Control System Security: Survey
- Adobe Flash Player Zero-Day Exploited in Attack Campaign
- Researchers Demonstrate Stealing Encryption Keys Via Radio
- Researchers Uncover Critical RubyGems Vulnerabilities
- NSA, GCHQ Linked to Efforts to Compromise Antivirus Vendors: Report
Latest News
- In Other News: AI Regulation, Layoffs, US Aerospace Attacks, Post-Quantum Encryption
- Blackpoint Raises $190 Million to Help MSPs Combat Cyber Threats
- Google Introduces SAIF, a Framework for Secure AI Development and Use
- ‘Asylum Ambuscade’ Group Hit Thousands in Cybercrime, Espionage Campaigns
- Evidence Suggests Ransomware Group Knew About MOVEit Zero-Day Since 2021
- SaaS Ransomware Attack Hit Sharepoint Online Without Using a Compromised Endpoint
- Google Cloud Now Offering $1 Million Cryptomining Protection
- Democrats and Republicans Are Skeptical of US Spying Practices, an AP-NORC Poll Finds
