Linux Flaw Exposes 1.4 Billion Android Devices to Spying

A huge number of Android users are vulnerable to a flaw that lets an attacker anywhere on the internet detect and interfere with their TCP connections and, if the traffic is unencrypted, inject malicious code or content, according to the mobile security company Lookout.

“We can estimate then that all Android versions running the Linux Kernel 3.6 (approximately Android 4.4 KitKat) to the latest are vulnerable to this attack or 79.9 percent of the Android ecosystem,” says a Lookout blog post.

The recently discovered Linux flaw lets hackers anywhere online detect when two parties are communicating over a Transmission Control Protocol (TCP) connection, such as web mail, news feeds or direct messages, without being positioned on the path between them. At the USENIX Security Symposium, researchers demonstrated how they could shut down such connections and, in the case of a legitimate but unencrypted USA Today web page, insert JavaScript to collect usernames and passwords.

“Targeted attacks would be able to access and manipulate unencrypted sensitive information, including any corporate emails, documents or other files,” says the Lookout blog post.

A Google representative told Ars Technica that the company was taking appropriate actions and that the Android security team rates the risk as “moderate.”

Until a patch is issued, the Lookout blog suggests encrypting traffic, both by using HTTPS (HTTP over Transport Layer Security) and by using a virtual private network. Encryption protects the content of a connection from being read or altered; it does not stop the connection itself from being reset, which the researchers also demonstrated.