Another serious vulnerability has been found in Android, one that security researchers at IBM say affects versions 4.3 to 5.1, including the most recent smartphones, or 55 per cent of the devices on the market.

“In a nutshell, advanced attackers could exploit this arbitrary code execution vulnerability to give a malicious app with no privileges the ability to become a “super app” and help the cybercriminals own the device,” the researchers say in a blog. “In addition to this Android serialization vulnerability, the team also found several vulnerable third-party Android software development kits (SDKs), which can help attackers own apps.”

What researchers found has not been seen in the wild yet but, they say, “shows that with the right focus and tools, malicious apps have the ability to bypass even the most security-conscious users.”

The problem is in a single vulnerable class in the Android platform, called OpenSSLX509Certificate, for which the researchers were able to create an exploit. As they explain, developers use classes within the Android platform and SDKs to provide functionality for apps, for example accessing the network or the phone's camera. The vulnerability can be exploited by malware through the communication channel between apps or services. As objects are broken down (serialized) on one side and put back together (deserialized) on the other, malicious data inserted into this stream triggers the vulnerability at the receiving end, and the attacker then owns the device.
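To make the bug class concrete, here is an added illustration (constructed for this article, not IBM's proof of concept and not the real OpenSSLX509Certificate source) of a Serializable wrapper that carries a native handle: the vulnerable shape accepts the handle value straight from the stream, while the hardened shape marks it transient and rebuilds it from validated data in readObject. The native parser is a hypothetical stand-in.

```java
import java.io.*;

// Constructed illustration of the bug class the article describes: a
// Serializable wrapper around a native handle that trusts whatever value
// arrives over an IPC channel. NOT the actual OpenSSLX509Certificate code.
public class SerializationDemo {
    // Vulnerable pattern: a raw native pointer stored in a plain (non-transient)
    // field is serialized with the object, so the sending peer chooses its value.
    static class NativeHandleHolder implements Serializable {
        long nativeHandle;
        NativeHandleHolder(long handle) { this.nativeHandle = handle; }
    }

    // Hardened pattern: the handle is transient, so it is never written to or
    // read from the stream; after deserialization it is re-created locally.
    static class HardenedHandleHolder implements Serializable {
        transient long nativeHandle;
        private final byte[] encoded;  // the bytes needed to rebuild the handle
        HardenedHandleHolder(byte[] encoded) {
            this.encoded = encoded.clone();
            this.nativeHandle = rebuild(encoded);
        }
        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            if (encoded == null || encoded.length == 0) {
                throw new InvalidObjectException("missing certificate bytes");
            }
            nativeHandle = rebuild(encoded);  // derived from validated data, never from the stream
        }
    }

    // Hypothetical stand-in for the native parser that would allocate a real handle.
    static long rebuild(byte[] data) { return data.length; }

    // Serialize and deserialize in-process, standing in for the IPC hop.
    static Object roundTrip(Object o) throws Exception {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        new ObjectOutputStream(bos).writeObject(o);
        return new ObjectInputStream(new ByteArrayInputStream(bos.toByteArray())).readObject();
    }

    public static void main(String[] args) throws Exception {
        NativeHandleHolder v = (NativeHandleHolder) roundTrip(new NativeHandleHolder(0x1234L));
        System.out.println("vulnerable: handle taken verbatim from the stream = " + v.nativeHandle);
        HardenedHandleHolder h = (HardenedHandleHolder) roundTrip(new HardenedHandleHolder(new byte[]{1, 2, 3}));
        System.out.println("hardened: handle rebuilt locally = " + h.nativeHandle);
    }
}
```

In the vulnerable case the receiving process ends up holding a pointer value it never allocated; any later native use of that field, including in a finalizer, operates on attacker-chosen memory.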

Researchers note a similar technique was revealed in leaked documents from the Italian-based software company Hacking Team, whose platform is used by law enforcement and intelligence agencies. A fake news app called BeNews was built to bypass Google Play's filtering by requiring only a benign set of privileges. Once the user ran the app, it downloaded additional code with an exploit that escalated permissions using the Futex vulnerability (CVE-2014-3153).

The good news is that Google has fixed the two OpenSSLX509Certificate instances, patched Android 5.1, 5.0 and Android M, and backported the patch to Android 4.4. A number of SDK makers have also patched their code. The bad news is that not all handset makers test and clear Google updates for all of the devices they've made, nor do all wireless operators carry Android updates. Carriers that do carry them first test updates to make sure they are compatible with their networks, a time-consuming effort. Only Nexus devices get updates direct from Google.

IBM offers a video to explain how their proof of concept attack works. It attacks the highly privileged system_server process, allowing privilege escalation to the system user with a rather relaxed SELinux profile (due to system_server's many responsibilities), which enables the attacker to cause a lot of damage.

For instance, they write, an attacker can take over any application on the victim's device by replacing the target app's Android application package (APK). This can then allow the attacker to perform actions on behalf of the victim. In addition, they were able to run shell commands to exfiltrate data from all applications installed on the device by exploiting the Android Keychain app. They could also change the SELinux policy and, on some devices, load malicious kernel modules.