Duo Security researcher Kyle Lady says attackers can compromise more than half of enterprise Android phones by chaining two operating system and chip vulnerabilities.
The flaws affect scores of phones on the market running the most popular Android release, Lollipop (version 5), the second-placed KitKat (version 4.4), and the barely used, modern Marshmallow (version 6).
Some 60 percent of enterprise Android phones are affected, based on tests of half a million phones.
Affected users can apply a January patch if one is available, although Android handsets other than Nexus units are locked into custom vendor ROMs and as such must hope manufacturers will distribute Google’s security updates.
About 27 percent of those devices were Android relics, so old that they could not be owned using the attacks.
Users need to download an attacker’s app to be compromised, a gaffe which could be considered game-over regardless of any vulnerabilities in Android.
Malware developers are constantly finding success in uploading malicious applications to the Google Play Store, slipping undetected past Mountain View’s security checks.
From there, a malicious app exploits functions like accessibility, screen overlay, and root rights. The Marshmallow platform is much more hardened than Lollipop and significantly more so than KitKat.
Submitted by: Arnfried Walbrecht