Security firm TrendMicro has released a new report that states that 75% of users are vulnerable to multiple attacks.

TrendMicroIn their latest Quarterly Security Roundup, TrendLabs calls out several key vulnerabilities in recent Android OS including the FakeID issue and Android Browser flaws.  The FakeID vulnerability was originally discovered earlier this year by BlueBox Labs and allows malicious apps to impersonate legitimate applications that are trusted by the OS.

This is a widespread vulnerability dating back to the January 2010 release of Android 2.1 and affecting all devices that are not patched for Google bug 13678484, disclosed to Google and released for patching in April 2014. All devices prior to Android 4.4 (“KitKat”) are vulnerable to the Adobe System webview plugin privilege escalation, which allows a malicious application to inject Trojan horse code (in the form of a webview plugin) into other apps, which leads to taking control of the entire app, all of the apps’s data, and being able to do anything the app is allowed to do. Android 4.4 is vulnerable to Fake ID, but not specifically to the Adobe System webview plugin due to a change in the webview component (the switch from webkit to Chromium moved away from the vulnerable Adobe-centric plugin code).  — BlueBox Labs Blog

The Android Browser flaws discussed in the report surround the default Android browser’s enforcement of Same Origin Policy.  This flaw allows malicious apps to access sites that the user might have private data on and then execute JavaScript functions against that site without the user’s knowledge.

A SOP bypass occurs when a is some how able to access the properties of such as cookies, location, response etc. Due to the nature of the issue and potential impact, browsers have very strict model pertaining it and a SOP bypass is rarely found in modern browsers. However, they are found once in a while. — Rafay Baloch’s Blog

An additional vulnerability with a more limited scope of affected users was also referenced in the report.  This vulnerability allows apps that use the in-app payment SDK to get their request hijacked by malicious applications.

There appears to be a flaw in the communication between the mobile payment application and the payment client applications. The mobile payment apps used an implicit intent, which can be intercepted by a malicious app via a high priority intent filter. An intent filter can be made “high priority” by combining several system APIs.  — TrendLabs Blog

While Google moves promptly to address these vulnerabilities, perhaps the biggest cause for alarm is the time it takes to get issues updated caused by the fragmentation of the Android Device landscape.

As of May 1, only 2.3% of Android devices in use are actually on the latest version, with more than a third still using Gingerbread – a version last updated in September 2011, and known to have 3-11 vulnerabilities, with the exact number depending on the specific version.  — TrendLabs Blog

While the news is certainly bleak the report does end the section on mobile security with several examples of overall improvement in vulnerability response and manufacturer’s ability to deal with the issues as they arise.

The mobile industry may not be mature enough yet but there is progress. I have seen some app builders setting up response processes and teams. Google has made enhancements in releasing patches and hotfixes to help Android users get updates. Some mobile manufacturers are reacting faster than before in releasing OS-related patches.