Android's Jelly Bean, Kit Kat Under Security Threat

by CXOtoday News Desk    Mar 03, 2014


A “critical flaw” has been detected in the virtual private network offered by Android operating systems in the Indian cyberspace leading to “hijack” of personal data of users, according to a recent Computer Emergency Response Team of India (CERT-In) report. The suspicious activity has been noticed in two Android versions — 4.3 known as ‘Jelly Bean’ and the latest version 4.4 called ‘Kit Kat’, said the nodal agency for security-related defences in the Indian Internet domain.

VPN technology that is used to create an encrypted tunnel into a private network over public Internet enables organizations to use such connections so that users can securely connect to enterprise networks from remote locations through multiple kinds of devices like laptops, desktops, mobiles and tablets. 

Experts at CERT-In have alerted consumers of this web-based service to guard against the spread of this virus which affects computer systems and mobile phones using the Android system, “as it can allow an attacker to bypass active VPN configuration to redirect secure VPN communications to a third party server or disclose or hijack unencrypted communications,” said the report.

According to CERT-In, the current malicious application is capable of diverting the VPN traffic “to a different network address” and successful exploitation of this issue “could allow attackers to capture entire communication originating from affected device.” The report noted a possibility that attacker can capture sensitive information from the affected device in plain text like email addresses, IMEI number, SMSes, installed applications. Websites which use ‘https’ in their URL will also be safe.

The cyber agency has also suggested some measures to combat this threat. Users should:

-          Apply appropriate updates from original equipment manufacturer

-          do not download and install application from untrusted sources

-          maintain updated mobile security solution or mobile anti-virus solutions on the device

-          exercise caution while visiting trusted or untrusted URLs

-          not click on the URLs received via SMS or email unexpectedly from trusted or received from untrusted users.

Only last month, CERT-In has warned Internet users of multiple vulnerabilities in popular web browsers Google Chrome and Mozilla Firefox. The agency recommended Internet users to upgrade the browsers on their work stations to avoid such threats.