Security researchers have revealed two separate threats this week they say could put up to 90% of the world’s two billion-plus smartphones at risk of password theft, stolen data and –in some cases – let hackers take full control of devices.
One vulnerability involves flaws in the way scores of manufacturers of Apple, Google Android and BlackBerry devices, among others, have implemented an obscure industry standard that controls how everything from network connections to user identities are managed.
The threat could enable attackers to remotely wipe devices, install malicious software, access data and run applications on smartphones, Mathew Solnik, a mobile researcher with Denver-based cyber security firm Accuvant, said in a phone interview.
A separate threat specifically affecting up to three-quarters of devices running older Android software has been unearthed by researchers at Bluebox Security of San Francisco. Dubbed “Fake ID”, the vulnerability allows malicious applications to trick trusted software from Adobe, Google and others on Android devices without any user notification, the company said on Wednesday.
“Essentially, anything that relies on verified signature chains of an Android application is undermined by this vulnerability,” Bluebox said in a statement referring to devices built before Google updated its core software late last year.
These risks could not be independently verified by Reuters.
Solnik stressed the threat to smartphone management software identified by Accuvant remained remote to average users, and said only a few dozen mobile communications experts in the world would currently be able to replicate the technique. But by publicising the risks, his company hopes to avert this becoming a danger on a global scale.
The global smartphone industry has been scrambling for the past few years to respond to an increasing number of vulnerabilities uncovered in mobile technology.
Both research groups will present their findings at next week’s Black Hat hacking conference, in Las Vegas, which is highlighting research on mobile technology, among other themes.
An Apple spokesman declined immediate comment.
BlackBerry said it was aware of Accuvant’s findings and was seeking more details.
“BlackBerry has been working closely with Accuvant. Internal and external security researchers serve a critical role in improving industry security standards,” a spokeswoman said.
A Google spokesperson declined to comment on the general vulnerability raised by Accuvant about many smartphone devices. He confirmed that Google had quickly distributed a patch to Android phone makers on learning of the issue from Bluebox.
In general, Android’s open software development process encourages individuals and security firms to report security issues, allowing the company to push patches to manufacturers, which in turn must implement the fixes.
The spokesperson said it has scanned all apps in Google Play, Android’s application marketplace, and elsewhere, and has found no risks to users. “We have seen no evidence of attempted exploitation of this vulnerability,” he said.
Christina Richmond, a security services analyst with research firm IDC, said detecting these vulnerabilities is positive in that the phone industry has a chance to act on these findings before they can be exploited by bad actors.
“These security threats have become everyday issues for billions of smartphone users worldwide,” she said. “Mr and Mrs end-user need to understand the risk of not updating their phone’s software.”
The disclosures come as market share statistics released on Thursday by mobile research firm Strategy Analytics show Android capturing a dominant 85% share of smartphones shipped worldwide in the second quarter. All major rivals from Apple iOS to Microsoft to BlackBerry lost market share.
Security researchers say Android’s rapid growth and dominant market share has come with an Achilles’ heel.
Until late last year, successive versions of Android were distinct creatures, making it hard, if not impossible for developers to update products for each software release, and meaning most Android security features could not be back-dated.
The “Fake ID” vulnerability is widespread in Android phones, dating back to the January 2010 release of Android 2.1 software, and affects all devices not patched by Google, Bluebox said.