Users Urged To Update After IBM Finds Security Flaw In Android's SDK Dropbox
Android users are urged to update after IBM finds major security vulnerability in its Dropbox software development kit (SDK).
The security vulnerability, named CVE-2015-3825, was uncovered by IBM's elite X-Force Application Security Research Team. It affects more or less half of Android versions 4.3 to 5.1 and can be taken advantage with the proliferation of a mobile malware.
Upon discovery, IBM's X-Force Application Security Research Team developed a working proof-of-concept exploit in a video dubbed DroppedIn, which allows for a targeted app to be linked with an attacker-managed Dropbox account, SC Magazine stated.
Roee Hay, X-Force Application Security Research Team leader, explained that the vulnerability lets hackers insert an arbitrary access token into the Dropbox SDK, completely bypassing the nonce protection. In the remote attack, IBM demonstrated how a saboteur could cause the Dropbox SDK within a targeted app to leak the nonce (arbitrary number used in an authentication protocol) to an attacker-operated server.
Moreover, V3 UK summed up the case saying that once the malware has been executed on the Android device it can replace an app with a fake one that then allows an attacker to steal data or create a phishing attack. The attacker can take over any application on the victim's device by replacing the target app's Android application package. With this advantage, the attacker can then perform actions on behalf of the victim.
Android Wallpaper warns that this situation is much even worse with this SDK flaw. Reports confirm that one vulnerable SDK can easily several apps whose developers are typically unaware of it. With this, users are being advised to use up-to-date software versions.
Moreover, an analyst said that the attack has not yet been witnessed in the wild, but the IBM team created a proof-of-concept demonstrating the feasibility of the attack, V3 UK added.