Six Android Emerging Threats to be discussed at Black Hat

A lot is happening in the technology field, and as new technologies emerge, so do new flaws that hackers could use to steal information. Below are six of the emerging threats that will be discussed at the upcoming Black Hat USA:

Universal Android Rooting Flaw

A lot has been said about the rooting of smartphones, and some believe that it makes a device more susceptible to a security breach. The argument about rooting is long-standing and has been heated, but everyone seems to agree that it would be really bad if hackers could remotely gain root access to a phone by exploiting this vulnerability.

Wen Xu, a KEEN Team researcher, is hoping that cybercriminals fail in their bid to take advantage of the flaw, so as to keep the job simple, normal and easy. In the session “Ah! Universal Android Rooting is Back,” he intends to show how their newly found vulnerability allows them to root devices running Android 4.3 and other latest devices.

StageFright Loophole

This major flaw has the ability to expose over 95% of all Android devices and has caused a stir since it was revealed. Stagefright is a multimedia library that runs within Android, and it could be abused by attackers to assume total control of an Android smartphone.

Joshua Drake, a cybersecurity expert at Zimperium Enterprise Mobile Security who also played a key part in the discovery of the vulnerability, will delve into all the complex details surrounding it in his scheduled Black Hat session “Stagefright: Scary Code in the Heart of Android.” He will also describe a step-by-step process of how the vulnerability can be exploited to steal mobile users’ information.

Fingerprint Flaw

What’s the worst that could happen? Well, it could get a lot worse if Yulong Zhang and Tao Wei’s assertion happens to be true. According to the two FireEye researchers, attackers can gain access to a victim’s fingerprint images and compromise the victim’s personal information. In their session, “Fingerprints on Mobile Devices: Abusing and Leaking,” they will demonstrate how the Android fingerprint scanning system can be abused by attackers to steal victims’ money through a payment authorization process.

Exploitation of Trusted Environment and Bypassing of Security Features

It seems fingerprint security is being given special attention this year; a researcher is set to showcase how hackers can run stolen fingerprint images on the so-called trusted environment.

Di Shen, a security expert at Qihoo 360, will demonstrate in his Black Hat session “Attacking Your Trusted Core: Exploiting TrustZone on Android” how the latest Huawei Ascend 7, which uses the TrustZone fingerprint software ‘Trusted Execution Environment’ (TEE), can be exploited by attackers. He will further discuss the running of shellcode in the Trusted Execution Environment, the process of rooting devices and the disabling of Android’s Security Enhancements.

Binder Call Flaw

Most people don’t know this, but the Binder mechanism is a system that handles communication between processes that operate at differing privilege levels, and these levels can range from the highest to the lowest of system services.

Surprisingly, the inputs that services receive through Binder are not properly validated before being passed into the system, and this gives hackers a loophole to attack.

In the Black Hat session, “Fuzzing Android System Services by Binder Call to Escalate Privilege,” Guang Gong of 360 will showcase the available methods that can be used to exploit this loophole.

Supply Chain Vulnerability in Apps

Avi Bashan and Ohad Bobrov from Check Point will demonstrate in their Black Hat session “Certifigate: Front-Door Access to Pwning Millions of Androids” that a vulnerability exists in the Android customization chain that is capable of leaving the system open to hacking. They’ll demonstrate how keyloggers, certificate forging and other loopholes can be harnessed to gain access to mobile devices.