Smartphone users in the UAE and the rest of the Middle East and Africa region are in danger of having their bank, email and social media accounts hacked, amid reports that some 178 million mobile devices are now potentially vulnerable. Network security company Palo Alto Networks announced on Tuesday that there are security risks in the internal storage used by applications on Google Android devices. The company said that nearly all, or 94 per cent, of the popular Android applications are at risk. The Middle East and Africa (MEA) region is home to 524.8 million mobile users. It is estimated that the security threat puts more than 178 million devices in danger within the region. Android is Google’s mobile operating system that is installed on most smartphones and tablets, to enable consumers to watch videos, search for information or send emails on their phone. Android phones also let users download applications that provide easy access to social media, as well as their personal bank accounts
The risk lies in the faulty Andorid Internal Storage, which is a protected area that stores private information of phone users, including passwords and usernames. The company warned that with the security risk, it may be easy for anyone to steal users’ sensitive data and no security enhancements may be able to provide some protection.
“An attacker may be able to steal sensitive information from most of the applications on an Android device using the Android Debug Bridge (ADB) backup/restore function. Most of the security enhancements added by Google to prevent this type of attack can be bypassed,” Palo Alto said in a statement.
The company said anyone using a device running version 4.0 of Android, which is about 85 per cent of Android systems in use today, is potentially vulnerable.
An attacker, however, would need to get their hands on the device to use the backup system ( ADB) either by borrowing or stealing the phone. A potential hacker could also take control of a system to which the device is connected via USB.
“Over 94 per cent of popular Android applications, including pre-installed email and browser applications, use the backup system, meaning users are vulnerable,” The company said.
“Many Android applications will store user passwords in plain text in Android Internal Storage, meaning almost all popular e-mail clients are vulnerable.”
Bashar Bashaireh, Aruba Networks Middle East regional director for the Gulf and Pakistan, said the threats posed by the Android operating system (OS) doesn’t just put individuals at risk, but also the companies in the region.
Several organisations have adopted a new trend called Bring your Own Device (BYOD), to encourage workers to embrace mobility, but the employers are failing to put measures in place to secure mobile devices and applications.
“The threats posed by Android mobile OS are perceived to be the biggest hurdle to enterprise mobility. While the workforce is clearly eager and ready to embrace mobility, employers in the Middle East are scrambling to catch up,” Bashaireh said in a statement sent to Gulf News.
To mitigate risks, users are advised to disable USB debugging when not needed.
Nicolai Solling, Director of Technology Services at Help AG, said that the analysis done by Palo Alto is indeed raising eyebrows, but phone users should not panic.
“The Android Debug Bridge is actually a developer tool, which should be disabled before an application hits the google play store. For some reason, developers forget this or are unaware of the implication,” he said.
“However we should also be aware what is required to exploit this issue before wepanic. In order to utilize the Android Debug Bridge, the attacker needs physical access to the data port of the phone (Typically the Micro USB socket that we also charge our phones on). The data port is generally something that any user should protect, as access to this port can also allow attackers to make backup of data on the phone, etc.”
Solling advised users to be careful when plugging their phones, especially when they need to charge the battery in public places.
“Stay away from external computers if you need that little charge to get you going for another hour of mobile surfing,” he said.
“I would also generally be cautious of using the various charging stands in airports, as these stands can easily camouflage a malicious PC trying to do physical attacks on the data port. Remember that today a PC can be very small, and the electronics can easily be hidden in a power socket or a charger.”
“All of the same it is a good idea to think a little about what is charging your phone as cheap chargers delivers very varying power levels and can limit the life of your expensive gadget.”