CERT-In Warns; Android KitKat & JB Users Most Vulnerable To Hacking
Users of Android 4.3 (Jelly Bean) and Android 4.4 (KitKat) are the most exposed to attacks on their phones through which sensitive information can be stolen. The warning has been issued by CERT-In.
The flaw mainly affects enterprise networks that rely on a VPN (Virtual Private Network) to connect their employees' Android devices. CERT-In, the Computer Emergency Response Team – India, is the nodal agency for combating hacking and phishing and for helping Indian Internet and mobile users defend against such security threats.
As per the warning, attackers can intercept communication between users of Android 4.3 and Android 4.4 and the VPN server. As per the latest statistics, 8.9% of all Android phones were running version 4.3 while 1.8% were on version 4.4.
This security flaw was first observed by Israeli researchers last January, while they were testing Knox, a new security feature introduced by Samsung for enterprise users. Google is aware of the flaw, and it will be fixed in the next update. Until that happens, users have been requested to update their Android versions and avoid using a VPN while communicating.
Individual Android users have less chance of being affected by this flaw; enterprise users who depend on a VPN for their communications are the most vulnerable.
“A critical flaw has been reported in Android’s VPN implementation, affecting Android version 4.3 and 4.4 which could allow an attacker to bypass active VPN configuration to redirect secure VPN communications to a third party server or disclose or hijack unencrypted communications,” noted CERT-In.
Further, it added, “It is noted that not all applications are encrypting their network communication. Still there is a possibility that attacker could possibly capture sensitive information from the affected device in plain text like email addresses, IMEI number, SMSes, installed applications.”
Samsung has downplayed the warning, saying in a statement, “Android development practices encourage (apps to use) SSL/TLS. Where that’s not possible Android provides built-in VPN. Use of SSL/TLS would have prevented an attack based on a user-installed local application, (which exploited VPN flaw).”
What Should You Do?
In its advisory, CERT-In has asked every Android user to follow these steps:
- Immediately upgrade your Android version whenever an update is available
- Do not install applications offered by unknown sources
- Do not click on unidentified and dubious links and resources while using email or instant messaging
On a PC or laptop, in most cases only the individual is affected; on a mobile device, attackers gain access not only to the user's own information but also to the phone contacts, email addresses, photos and other data of other people.