Android users are being urged to update their devices after the discovery of a new vulnerability that allows hackers to override app permissions and steal data.
The security flaw, designated CVE-2015-3825, was uncovered by IBM's X-Force Application Security Research Team. It affects over 55 percent of Android versions 4.3 to 5.1 and can be exploited with the use of mobile malware.
The vulnerability was presented at the Workshop on Offensive Technologies in Washington DC, and has since been patched by Google, which recently announced the rollout of monthly updates following the discovery of the Stagefright MMS flaw.
The IBM research report, entitled One Class to Rule Them All, explained that the most recent zero-day allows "arbitrary code execution in the context of many apps and services and results in elevation of privileges".
The team focused on the OpenSSLX509Certificate which is one of the classes developers use when adding functionality, such as network or camera access, when making applications.
IBM found that the vulnerability could be exploited by malware inserted through the communication channel between apps and services.
"As the information is broken down and put back together, malicious code is inserted into this stream, exploits the vulnerability at the other end and then owns the device," the report stated.
Security researcher Or Peles said that the attack has not yet been witnessed in the wild, but the IBM team created a proof-of-concept demonstrating the feasibility of the attack.
"The exploit we created attacks the highly privileged system_server process. Exploiting system_server allows for privilege escalation to the system user with a rather relaxed SELinux profile (due to system_server's many responsibilities) which enables the attacker to cause a lot of damage," he said.
"An attacker can take over any application on the victim's device by replacing the target app's Android application package. This can then allow the attacker to perform actions on behalf of the victim."
In real terms, once the malware has been executed on the Android device it can replace an app with a fake one that then allows an attacker to steal data or create a phishing attack.
The report also showed how third-party Android SDKs can be exploited. The team discovered six openly vulnerable kits including MyScript, GraceNote and Jumio.
"As opposed to vulnerabilities found in final products, such as operating systems or applications where an automatic update mechanism is usually available, the situation is by far worse for SDKs," the report said.
"One vulnerable SDK can affect dozens of apps whose developers are usually unaware of it, taking months to update."
IBM has advised Android users to use up-to-date software versions.
Several high-profile security vulnerabilities have hit Android devices in recent weeks, notably the Stagefright flaw that affected up to 95 percent of phones and tablets. Just after this, the Certifi-gate flaw was found to give malicious applications unrestricted access to a device.
Google has now promised monthly security updates to the Nexus range (5, 6, 7, 9, 10 and Nexus Player) to address the concerns raised by Stagefright. The fixes will be released to the public at the same time via the Android Open Source Project.
Other vendors, including Samsung and LG, have quickly followed suit by offering monthly updates.
Users are told that their non-existent 'iPhoneID' is expiring soon
Expansion of SDK intended to expand Amazon Alexa ecosystem
Locky returns from a prolonged rest with two new variants
AMD lambasted over Radeon RX Vega pricing that will add an extra £100 to RX Vega 56 and 64 graphics cards
Company accused of failing to tell anyone that the launch prices were only introductory offers