The developers of Google, before and after the release of the new version of Android, are always working on security issues of its mobile operating system, and even the latest security patches have been no exception.
Among the many bugs unearthed, there were two in particular that attackers could exploit for insight on users’ devices. The first flaw, created for “research purposes”, would become harmful only if modified, and would still have been difficult to detect for hackers. The second, however, is similar to known malware Stagefright, and it was easier to put into practice, because it would be enough to send a JPEG image via Gmail or Google Talk to infect the device, and probably would have found it easy to spread.
The first vulnerability was disclosed by Mark Brand, collaborator of Google’s Project Zero security team. Listed as CVE 2016-3861 the bug allows hackers to execute malware or acquire local privileges on vulnerable smartphones. In addition to these major changes, Google has removed from the Play Store two malware apps, CallJam and DressCode, that stole credit to unsuspecting users by calling toll numbers and were also capable of compromising the local networks.
Brand warns that it is “a serious mistake” because it can be exploited in a variety of ways. He also said that CVE 2016-3861 is not particularly difficult to detect, this suggests that other researchers were already aware of this. Brand did not say exactly what version of Android are vulnerable, but confirmed that the bug is definitely in the latest smartphones (because it came with the security patch of September).
The vulnerabilities were made public the same week that the Checkpoint security firm revealed that the infected applications, available since April, had been downloaded over 2.5 million times from Play Store. The malware family DressCode seems to have been used to generate fraudulent clicks on ads of applications that allow attackers to violate the internal and retrieve sensitive files networks.