Researchers at IBM have published a report detailing a serious vulnerability in the KeyStore that affects 86 percent of Android devices. Google’s Android OS stores extremely sensitive information in the KeyStore. Hackers who exploit the security hole will be able to access sensitive information, such as cryptographic keys for several banking apps and virtual private networks, as well as the pattern sequences or PINs used to unlock Android devices.
According to the report from IBM, Google only built the necessary protection against this threat into Android 4.4 KitKat, leaving some 86.4 percent of Android devices vulnerable to the stack-based buffer overflow, which allows hackers to access the information in the KeyStore. Right now, any hacker who finds the security hole can execute malicious code that leaks the keys used by banking and other apps containing sensitive information, and can even unlock the unsuspecting victim’s device.
The researchers discovered the flaw nine months ago and alerted Google. Their findings were published last week after the Android Security Team patched the issue for KitKat.
Although the KeyStore vulnerability is very serious, it seems that no one has exploited the flaw yet. In fact, Ars Technica says that hackers have to jump through a lot of hoops to wiggle their way into the KeyStore.
Android has several strong barriers in place that protect the KeyStore from hackers. Measures such as data execution prevention and address space layout randomization are supposed to make it difficult for hackers to execute the correct code and discover flaws in the system. Those who would break into the KeyStore’s vault of sensitive information would also have to get users to install a malware-infested app on their devices first.
Google is most likely working on a fix for the issue for all earlier versions of Android, but in the meantime, if your device isn’t running KitKat, you are advised to download only apps you trust completely and keep an eye out for any suspicious activity on your Android devices.