This is the original text in Dutch. I tried to use Google Translate for the website. However, since we have a cookie law, every user must give permission for cookie use. The website is unfortunately made in such a way that I cannot get past the cookie permission field when using Google Translate. So I used Google Translate to translate the text only.
http://www.volkskrant.nl/tech/groot-lek-in-android-telefoons~a4089416/
The researchers at the Free University in Amsterdam found a vulnerability in Android that allows them to take over the phone. They do this by acquiring the username and login and then installing malicious software.
DigiD is a login code to access government services in the Netherlands.
ING is a Dutch bank.
PayPal is a payment service.
Leak on Android phones by Google security
Maker Google has known for months, say Dutch researchers, but does nothing. They discovered a security flaw in the Android operating system that gives criminals free rein.
Due to a flaw in the Android operating system, which is in the vast majority of smartphones, it is easy to crack the protection of DigiD, ING banking and PayPal. Criminals can gain simple access to mobile phones. Then they can do anything with these phones, including the unprecedented abuse of the SMS authentication method using the above-mentioned services.
This was discovered by researchers from the Vrije Universiteit in Amsterdam. The extent of the problem is large; Android is by far the most used operating system. Of the smartphones newly delivered in 2014, 85 percent ran on Android.
Google has known about it since late 2014, but to our dismay they do nothing about it. This is a big safety hazard, according to researchers Krishnan, vd Veen and Bos.
The problem is caused by the creator of Android itself, Google. Because users have a single Google user account to control different devices (computer, tablet, smartphone), someone who has infected a web browser can simply install malicious apps on a mobile phone through the user account. This happens without the user doing anything on their phone.
The researchers, Radhesh Krishnan, Victor van der Veen and professor of system and network Herbert Bos, shared their findings at an early stage with Google. Bos: "They have known about this since late 2014, but to our dismay they do nothing about it. This is a big security risk."
Bos has also informed the National Cyber and Security Centre (NCSC) and the High Tech Crime Team (THTC) of the police. "In the police they took it seriously." ING also takes the problem seriously. A month ago, the bank said it was working on a solution. Bos: "Because it is still not resolved, it is time to inform the public."
Malignant versions
Researcher Krishnan discovered the leak. By gaining access to someone's web browser he could retrieve the Google user account. Then he installed an app on the mobile phone of the victim. Unseen, he could then activate the app to gain control over the phone. After that everything was possible: activating the camera, replacing applications with malicious versions, intercepting messages, installing malware.
Bos: "The problem is caused by Google bringing as many services as possible together under one user account and allowing apps to be put on a phone through one browser. This integration of services is nice for users, but has a downside."
To combat malware, some banks and DigiD use an additional security method: they send a verification code via SMS to a mobile phone. This is based on the idea that a person's web browser and mobile phone are disconnected systems. On Android and Google, this is not the case.
The problem is caused by Google because of the many services under a single Google account.
Bos: "So it was relatively easy for us to intercept the authentication code unseen." In this way criminals can take money from someone's account or log in to DigiD.
Of the major Dutch banks, only ING makes use of this method. This week it became known that criminals have been besetting ING customers on a large scale with links to fake websites in order to install, unnoticed, a spy app on mobile phones. Within 24 hours, three thousand people had such an app on their phone. This is a different method than the hack described by the VU researchers.
A spokesman for ING says that there has been contact with the investigators. "They have told us that this is possible." ING says it is taking "detection measures" to reduce the risk of fraud. The spokesman: "We can also identify transactions that are not right." Affected customers can thus be compensated.
Google did not respond to a request for clarification.