Duo’s mobile application, X-Ray, is used to assess vulnerabilities that exist in any Android device. But what is unusual about this security app is that it doesn’t look at the other apps security issues, it looks at the OS and examines it for exploits that are known but not yet patched. According to their blog, they developed this particular program because most carriers are lax at rolling out patches and plugging holes that are already known. The application has been available for several months now, and a first look at the results collected so far astounded many.
Co-Founder and CTO of Duo, Jon Olberheide, said that so far there have been more than 20,000 downloads of the application that are reporting in, and he asserts that even with numbers this high, the estimates up to this point are probably conservative. So far the app reports that most vulnerabilities that haven’t been patched are root exploits. A way of gaining access to one of the lowest levels of the Operating System. Often this access is used in order to install custom firmware, or applications, but while these exploits are usually used by the device owners, malicious applications can use the exact exploits to get control of the OS. According to developers at BitDefender, root access exploits have been the most common problem that has been experienced so far.
And this has been nothing new to the Android community. The first three months of 2012 showed that the most commonly used hacks were root level exploits. Rage Against The Cage, Asroot, GingerBreak, and Exploid are the most used programs to hack the systems, but there are others that can take advantage of the root level security holes. According to the Duo CTO, the root level access could be due to the owner of the device accessing the root permissions and not closing them. He also says that this “exemplifies how important expedient patching is to mobile security and how poorly the industry (carriers, device manufacturers, etc) has performed thus far.” He will be giving a more detailed account of the study when he speaks at the Rapid7 United Summit Conference.
To check an Android devices vulnerabilities all a person has to do is download the app, X-Ray, then install and run it. The app will present the user with a list of security risks, and in many instances the exploit can be patched. People that wish to keep their root level access to the OS have only a few other options for maintaining security. Most are using personal VPNs and limiting application access to the internet through the VPN client. Others are using encrypted proxies, though less frequently, and still others are just “taking the risk.”