Many Android security apps allow you to remotely control your device in the event it's lost or stolen. A remote lock is a common feature, but on Symantec's Norton Mobile Security for Android, the lockscreen seems to do more harm than good.
The issue came to light when Computer Bild commissioned independent testing lab AV-Comparatives to investigate popular Android security apps. The researchers found that Norton Mobile could allow an attacker to bypass the lockscreen for a second. With some planning and fast fingers, researchers showed that they could uninstall Norton, giving them unfettered access to the device.
It's a painstaking process, as you can see in the video. An attacker would have to tap the emergency call button, then the back button, and then quickly move to make an action on the homescreen before the lockscreen returned. As an attack it's very tedious, but it does work.
"Practically speaking, the likelihood of anyone exploiting it is extremely slim," Con Mallon, Symantec's Senior Director for Mobility, told SecurityWatch. "This is not a vulnerability that would be stumbled upon and exploited by your average cybercriminal just looking to make a quick profit. It requires several steps and critical timing to take advantage of the vulnerability."
And he's right; though this issue is dramatic, the worst vulnerabilities are those that can be used to attack a large number of victims simultaneously.
Norton is Not Alone
We've seen similar vulnerabilities in the past. Viber famously was used to bypass a device's lockscreen, letting an attacker take complete control of a phone. The company has since fixed the issue (and received an Editors' Choice award for their app).
The issue with Norton is described by Computer Bild as a "code error" but other Android security apps have issues with their remotely-triggered lockscreen. Some allow you to access the homescreen simply by tapping the home button—albeit briefly. Other apps will let you access the task manager, though I've never seen it used to actually shut down the security app itself.
The most common issue I've seen is that the lockscreen will allow you to access the notification tray. This is troubling, since a stranger could come along and see messages as they are delivered to your device. Worse yet, they could toggle wireless data, GPS, and airplane mode on and off, preventing you from sending commands to your device.
I have encountered several of these issues while testing Android security apps for PC Mag, but I have never managed to disable or uninstall a security app using these lockscreen foibles.
Keep Your Device Safe
SecurityWatch has confirmed with Symantec that a fix is in the works, and should be available as early as next week.
It's not clear from the article if the vulnerability works on phones that have a device-level screen lock set, like a passcode. Regardless, you should at least set a passcode for your device. This simple action can provide a critical line of defense for your Android. Hopefully Symantec will release their patch soon.