As we near the end of 2019’s first quarter, there are a number of vulnerabilities in Android and iOS devices leftover from 2018. This can be due to vendors not pushing security updates for specific devices, or things that are proving really difficult to patch. In this article, we’re going to highlight the worst Android and iOS vulnerabilities that have continued into 2019.
Cross-Platform Malware
In the past, viruses were designed for specific operating systems. Windows viruses could not infect Mac or Linux computers, and vice versa. However, a trend has been rising of cross-platform malware that can infect multiple system types. For example, a remote access trojan named CrossRAT was discovered in 2018, which can target Windows, Mac, and Linux computers.
There is also the concern of computer viruses being transferred from smartphones. While the smartphone itself will not be infected with the virus, connecting the phone to a computer (especially if USB autorun is enabled on the computer) can transfer the virus from the phone and execute it on the computer. As an example, you could obtain an Android virus that injects malicious script into your photos, or copies your photos to an .exe file extension that is an executable virus. When you transfer the photos to your computer and try to view them, your computer becomes infected.
As hackers are becoming a lot more creative and trying to target as many systems as possible at the same time, the link between smartphone and computer malware will grow stronger. Which emphasizes the need for a strong computer antivirus. You can read in this guide a comparison of Bitdefender versus Avast, two companies who suggest they offer some of the most effective antivirus protection.
2D Facial Recognition
A growing number of Android and Apple phones have been including facial recognition technology as a way to unlock the devices, but there are numerous security vulnerabilities with the current state of facial recognition. In particular, the kind of facial recognition used by a number of brands like Samsung, Motorola, Lenovo, Sony, Xiaomi, and others, are easily defeated by simply using a photograph.
This article from German researchers has a list of tested phones that were unlocked simply using photographs, and phones that were not defeated so easily. Interestingly, all of the tested Apple phones were able to defeat the photograph method, so it is mainly a concern for specific brands of Android phones. It mostly boils down to phones that use the front-facing camera for facial recognition, rather than dedicated biometric hardware.
Apple MDM Bypass
Security researchers in late 2018 found a vulnerability in Apple’s MDM DEP process. MDM is Mobile Device Management, typically used by small and large business companies to enroll company devices into a single management system. This allows the company to easily push updates, apps, and other things to the phones, all at once.
The security researchers discovered a flaw that allows attackers to trick the MDM pre-enrollment authentication, allowing them to register any device into the MDM server. The attacker can then mine data from the MDM server, such as number of devices in the network, as well as intercept software and updates meant for company devices.
This flaw has yet to be fixed because it would require re-architecturing the DEP process, and possibly hardware changes as well, as the researchers detailed in a 32-page report.
Spectre and Meltdown
Spectre and Meltdown caused a big stir in the Linux and PC hardware community throughout 2018, as its perceived to be a highly dangerous form of remote exploitation. However, as dangerous as these attacks are perceived to be, nobody has yet figured out how to make them work in a real-time attack. This is mostly white paper stuff, but it’s speculation for a very good reason.
It’s very complicated to explain, we’d need to dedicate an entire article to how these attacks work, but know that they rely on specific types of CPU architecture. CPU vendors have been introducing hardware-level mitigation, and the Linux kernel was patched for some mitigation as well.
The problem is that it’s new hardware being patched for mitigation against these attacks. Which leaves pretty much every modern phone on the market vulnerable to these attacks. Should malicious people finally figure out a way to turn the theories into reality, it could be absolutely disastrous.