Half of Androids Vulnerable, Half of App Makers Eschew Security, iOS Jailbreak Coming – Mobile Security Weekly

This week’s edition includes some worrying numbers: half of Android users are at risk from a new vulnerability, and half of app makers spending $0 on security. And the iOS world may be in for another shake as hackers from around the world head to Beijing this weekend with the aim of defeating the new versions of iOS and releasing a jailbreak.

Half of all Android users at risk from newly discovered vulnerability

Researchers have discovered a serious Android security vulnerability that enables threat actors to replace legitimate apps with malware during installation. Only some hardware manufacturers have released patches to address the issue, leaving half of Android users vulnerable.

Known as Android Installer Hijacking, the process involves exploiting APKs (Android application packages) during the installation of otherwise safe apps. When the victim downloads an app, the APK can be swapped in the background and the malware is installed instead. While this is purely theoretical at the moment, the malicious payload can be anything from a premium SMS service to an advanced mRAT (Mobile Remote Access Trojan).

It’s important to note that works only when apps are being downloaded from third-party app stores or when a user clicks on an app promotion advertisement hosted by a mobile advertisement library.

http://arstechnica.com/security/2015/03/android-hijacking-bug-may-allow-attaclers-to-install-password-stealers/

Why is this Significant?

A wide-scale threat such as this deserves all the attention it’s getting. This time, attackers can exploit a what is effectively an oversight in the way Android goes through an installation process, but this is just another example in a long list of ways that Google is letting users down from a security standpoint.

Study Shows Half of App Makers Spend Nothing On Security

A new study, focusing on some of the biggest organizations in the world (including Fortune 500 companies), has found that 40% of companies fail to scan their apps for vulnerabilities before making them available to the public. Furthermore, the average company tests less than half of the mobile apps they build, and 33% never test their apps at all. Perhaps the most startling figure is that a whopping 50% of companies dedicate zero budget towards securing the mobile apps they build for customers.

http://venturebeat.com/2015/03/25/study-half-of-app-makers-spend-0-on-security/

Why is this Significant?

With users uploading their most private and confidential personal and work information to mobile apps, it’s astounding how little protection they’re receiving. App makers and organizations simply must continue investing in mobile security, and specifically the security of the apps that connect to their networks, in order to keep their sensitive data safe.

Are we on the brink of a Jailbreak for iOS 8.2?

With the release iOS 8.1.3, Apple succeeded in closing the vulnerabilities used by the different hacking teams to create the iOS jailbreaks. As we’ve mentioned at many stages, although iOS isn’t vulnerable straight out of the box, a jailbroken iPhone is far more vulnerable.

This weekend, hackers from around the world will meet at the Mobile Security Summit, or MSS, in Beijing, China, on March 27. Rumour has it that jailbreaking iOS 8.2 will be high on the list of topics, with TaiG (the group responsible for the previous jailbreak) leading the way.

http://www.iphonehacks.com/2015/03/ios-8-2-jailbreak-status-update.html

Why is this Significant?

In TaiG’s own words, the event has been self-proclaimed as the “most authoritative annual domestic first mobile security summit” in the history of jailbreak conventions. Besides this interesting development, enterprises should be wary of so many capable minds joining forces and rekindling the jailbreak flame.