Researchers at the Cyber Security Labs at Ben Gurion University have discovered yet another security hole in Google’s Android mobile operating system. The vulnerability, as described by the researchers, “enables malicious apps to bypass active VPN configuration (no ROOT permission required) and redirect secure data communications to a different network address.” The Israeli researchers had initially found the security flaw on Jelly Bean 4.3 and later testing showed the same problem on KitKat 4.4.
VPN (virtual private network) technology, if implemented properly, should allow people to connect to various access points or networks via a secure ‘tunnel.’ The technology also allows companies and organizations with sensitive data to prevent ‘snooping’ by cyber crooks and others with malicious intent.
Android is the most popular mobile OS currently on the market, and this is one of the reasons why hackers are constantly targeting this platform when fishing for private and user-sensitive data. According to IT experts at the CSL, the VPN exploit works on both Android 4.3 and 4.4, two of Google’s latest updates to their mobile ecosystem.
The vulnerability is especially harmful to Samsung-based devices running the South Korea-based company’s KNOX modification of Android. Samsung, however, argues that the researchers were using a conventional man-in-the-middle attack, which can easily be fixed using secure transmission methods/protocols like SSL.
While the use of SSL and TLS should be standard practice in just about any type of data transmission, the ability to bypass an active VPN configuration without ROOT permission is a clear sign that Google does not yet have a firm grasp on its own system’s security measures. Casual mobile users may be unaware of the practice of securing their data transmission using encryption. Reliance on Android’s lackluster built-in security measures, which require certain apps to gain access to the basic Linux kernel, doesn’t help much if hackers can easily snoop on a person’s VPN connection.
“These communications are captured in CLEAR TEXT (no encryption), leaving the information completely exposed. This redirection can take place while leaving the user completely oblivious, believing the data is encrypted and secure,” the researcher added in a blog post.
The VPN exploit works on Android’s built-in VPN tool as well as some other clients, but the researchers did mention that there were some that the exploit could not penetrate. However, the exploit does work on various non-Samsung Android handsets from other vendors. This is proof that the VPN hole on Android is widespread, and IT professionals in corporate settings need to make note of this when BYOD policies are implemented.