
KeyStore vulnerability exposes non-KitKat Android devices to malware

Android KeyStore service suffers security hole

A major vulnerability that affects nearly 90 per cent of Android devices on the market has been disclosed by an IBM Security researcher.

The flaw, which the author Roee Hay describes as a "classic stack-based buffer overflow", affects the Android KeyStore service on versions prior to KitKat (Android 4.4).

It means that up to 87% of Android users may be affected by the vulnerability (CVE-2014-3100). It is not known whether other customised versions of Android, notably the one that powers Amazon's Fire devices, are also under threat.

Cryptographic keys

KeyStore allows the operating system to identify the real developer behind an app using cryptographic keys. The vulnerability means that hackers should now be able to inject malicious code without the developer's or the end user's knowledge.

Android, however, has some built-in security mechanisms that prevent hackers from executing malicious code at will. These include data execution prevention (DEP) and address space layout randomization (ASLR).

This leaves the majority of Android devices in an uncertain position, given that many older smartphones and tablets have no upgrade path to KitKat.