The Indian speciality cyber crisis management centre called Cert-In, created to deal with Cyber warfare, has issued a advisory about the flaws that exist in Android 4.3 Jelly Bean and Android 4.4 Kitkat. Cert-In says the flaw is critical and can lead to hijacking of personal data of Android 4.3 and Android 4.4 Kitkat users.
As per Cert-In the flaw is in Android’s VPN implementation which can allow a probable hacker/attacker/cyber criminal to bypass the active original secure VPN configuration with their own unsecure configuration. Once the attacker gains access to the active VPN configuration through a malicious App, they can redirect all the secure VPN communications to a third party server (unsecure) or just hijack/leak all the unencrypted communications happening on that particular Android device.
For the uninitiated the Virtual Private Network or VPN as it is popularly called is a private encrypted network which is created by the user for communicating outside of the public Internet. VPN is generally used by big organizations to allow its employees to securely connect to enterprise networks from remote locations via multiple kinds of devices i.e. laptop, desktop, mobiles, tablet etc.
This security flaw in Android’s VPN implementation allows a malicious App which is programmed to bypass active VPN configuration (no root permissions required) and divert the VPN traffic to a different network address. Successful exploitation of this issue could allow attackers to capture entire communication originating from affected device. The only limitation is that the would be attackers can capture and view the data in plain text. However plain text details of bank account details, email credentials and other communications can be more than damning for the potential victim.
Normally Android Apps directly connect to the server using SSL and its communications are encrypted regardless of whether it passes over VPN or not. In this scenario if the attackers were to breach the VPN flaw with their malicious App, they can capture the encrypted data but the same will not be of any use to them. But the problem lies with the facts that not all Android Apps encrypt their network communications and this then creates the needed backdoor for the probable hacker who can then get all the communications in plain text format.
Cert-In has given following recommendations/countermeasures which should be used by Android 4.3 Jelly Bean and Android 4.4 KitKat users :
1. Apply appropriate updates from OEM as and when available.
2. Do not download and install application from untrusted sources especially the APK files available on the wild.
3. Download applications only from trusted sources, reputed application market & Google play store only.
4. Install and maintain updated mobile security solution or mobile antivirus solution on the device.
5. Exercise caution while visiting trusted/untrusted URLs.
6. Do not click on the URLs received via SMS or email unexpectedly from trusted or received from untrusted users(Phishing mails).
7. Check for the permissions required by an application prior installation.
Tripwire researches who conducted the primary study into this flaw have said that,
“These communications are captured in CLEAR TEXT (no encryption), leaving the information completely exposed. This redirection can take place while leaving the user completely oblivious, believing the data is encrypted and secure.”
A video detailing the exploit is given below :