Another major security flaw has been discovered in the Android OS. The flaw has been detected in the virtual private network of the Android operating systems in the Indian cyberspace. Personal information of the user and details of the phone can be obtained by exploiting this flaw. The flaw has been noticed in the last two versions of Android - version 4.3 (Jelly Bean) and version 4.4 (KitKat). Internet security investigators have been alerting Android users regarding the flaw.
The technology behind VPN is that it's used to extend a private network across a public network like the Internet. Data can be shared across a public network as if it were directly connected to a private network. This is obtained by creating a virtual point-to-point connection and also using security measures such as encryption. Employees of an organisation use such connections to securely connect to their enterprise networks from remote locations through various devices such as laptops, desktops, mobiles and tablets. The Computer Emergency Response Team of India (CERT-In) said that the flaw allows an attacker to bypaas active VPN configuration to redirect the communication to a third party server. Also, attackers can easily obtain un-encrypted communications. The CERT-In team also mentioned that the attacker could also capture information of the affected device such as IMEI number, contacts, SMSes and installed applications.
As for precautions, the CERT-In team has advised users to install updates from original equipment manufactures. There may also be a lot of applications ready to exploit this weakness, hence download and install applications only from trusted sources. Also, install an anti-virus solution on the device. Exercise caution while surfing the internet, do not visit untrusted URLs and avoid clicking on URLs received via an unexpected SMS or email.
In the last month, a similar flaw was also detected by Ben Gurion University's (BGU) Cyber Security Labs. As given in the report, the researchers have filed a report with Google but have not received a reply back. They also posted a video showing the vulnerability. Watch it here below.
Source: Times of India