Android’s CyanogenMod Vulnerable to Zero-Day Threat

By on Oct 17, 2014

Have you installed CyanogenMod on your Android device? If yes, you’re likely vulnerable to a newly discovered zero-day threat (an attack that takes advantage of a previously unknown vulnerability). If you have no idea what CyanogenMod is—don’t worry, chances are your device is secure.

At the Ruxcon Security Conference in Australia last week, a security researcher presented findings that demonstrated how CyanogenMod, an open source operating system on Android, may be vulnerable to Man-in-the-Middle (MITM) attacks. This type of attack occurs when an attacker uses malware or another malicious strategy to intercept the information you send across the Web. Picture a childhood game of “monkey in the middle,” with the monkey being the bad guy and the ball being your data. In a MITM attack, the monkey always wins.

So what happened?

The researcher who discovered this vulnerability is claiming that reused code is to blame. He has said that developers at CyanogenMod copied and pasted code that was discovered to have SSL vulnerabilities back in 2012. This isn’t the first time that the convenient reuse of code has had negative consequences for your security. In fact, according to Computer World, code reuse consistently tops the list of biggest cybersecurity threats.

Installed on more than 12 million devices worldwide, this vulnerability on CyanogenMod is no small threat. Luckily, it appears easily fixable—once it’s actually acknowledged and addressed by the CyanogenMod team, that is. Until then, if you have CyanogenMod installed on your device, you’d be wise to uninstall it as soon as possible.

MITM attacks are a convenient way for hackers to snatch your data out of thin air. Here are some simple tips to avoid that from happening:

  • Make sure the websites you use are secured. Look for “https:” at the beginning of a web address instead of just “http:” which indicates that the site you’re on is using encryption.
  • Secure your home Wi-Fi. Make sure you alter the default password on your home router. If you’ve already thrown out the instructions for your router and aren’t sure how to do this, consult the Internet for instructions on your specific make and model, or call the manufacturer.
  • Beware of public Wi-Fi. Avoid accessing or transmitting personal information over public Wi-Fi. This goes for email, banking information, and financial transactions.
  • Use comprehensive mobile security. Install McAfee® Mobile Security on your Android or iOS device for free. The Android version provides app protection, which reviews permissions of downloaded apps to see if they’re requesting too much of your data. It also provides you with an app reputation report that takes into account the app category as well as the developer reputation. In addition, it will warn you if you’re connected to an unsecured Wi-Fi network, protect you against malware, and more.

 

Gary_Davis_1_Waist-Up_72dpi-copy1-200x300

About the Author

Gary Davis

Gary Davis was previously McAfee's Consumer Security Evangelist providing security education and advice to businesses and consumers. He is a sought-after speaker on trends in digital security, appearing at conferences and events, as well as security and consumer lifestyle broadcast outlets and publications such as ABC, NBC, FOX, the Wall Street Journal, USA Today, Money ...

Read more posts from Gary Davis

Subscribe to McAfee Securing Tomorrow Blogs