Dive Brief:
- The majority of enterprise Android phone users have not patched a vulnerability that could allow attackers to take over their phones, according to a Duo Labs report.
- Despite the fact that a security patch was released in January, only a quarter of users have applied the update, Duo found.
- Duo estimates 80% of enterprise phones use the Qualcomm chipset that the exploit targets.
Dive Insight:
Kyle Lady, research and development engineer at Duo Security's Duo Labs, said 60% of enterprise users remain vulnerable to the security flaw (roughly the three quarters of unpatched devices among the 80% that run Qualcomm chipsets).
Through the vulnerability, attackers can get into a phone's Qualcomm Secure Execution Environment (QSEE), the TrustZone-based trusted execution environment that runs alongside Android with higher privileges than the operating system itself, and from there gain control of the phone. For the exploit to succeed, a user must first be persuaded to install malware on the device, most likely by downloading an app. From there, attackers chain the Qualcomm flaw with an existing mediaserver vulnerability to take over the phone.
Unless the patch is installed, there isn’t much companies can do to protect their users, Lady explained.
"There really isn't any way for them to force a patch to happen. If it isn't a Nexus phone, the manufacturer has to apply the patch to the software, then send it to the carrier, such as Verizon. The carrier has to approve it, and then send it to customers using that phone. So there's a substantial delay," said Lady.
Nexus phones get automatic updates from Google, Lady said.
To protect themselves, companies can use a mobile device management tool to limit what employees install.
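Companies cannot push the patch themselves, but they can at least find out which devices have received it. Since Android 6.0, every build reports its security patch level in the `ro.build.version.security_patch` system property, and MDM inventories usually export the same value. The script below is an added example written for this article, not code from Duo's report; it assumes the January patch mentioned above corresponds to the patch level `2016-01-01`, treats a missing value (pre-Marshmallow builds do not set the property) as unpatched, and reads a constructed inventory of `serial patch_level` lines when no `adb` is available.

```shell
#!/bin/sh
# Fleet check for the Android security patch level (added example, not Duo's code).
# Assumption: the January bulletin discussed above is patch level 2016-01-01.
MIN_PATCH_LEVEL="2016-01-01"

# Turn YYYY-MM-DD into the integer YYYYMMDD so POSIX -ge can compare it.
patch_to_int() {
  printf '%s' "$1" | tr -d '-'
}

# Exit 0 if the patch level is at or after MIN_PATCH_LEVEL, 1 otherwise.
# Empty or malformed values (property unset, vendor string) count as unpatched.
patch_is_current() {
  case "$1" in
    [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
    *) return 1 ;;
  esac
  [ "$(patch_to_int "$1")" -ge "$(patch_to_int "$MIN_PATCH_LEVEL")" ]
}

# Print one verdict line for a device.
classify() {
  serial=$1
  patch=$2
  if patch_is_current "$patch"; then
    echo "$serial OK $patch"
  else
    echo "$serial VULNERABLE ${patch:-unknown}"
  fi
}

# Read "serial patch_level" lines from stdin and print the number of unpatched devices.
count_vulnerable() {
  n=0
  while read -r serial patch; do
    [ -n "$serial" ] || continue
    patch_is_current "$patch" || n=$((n + 1))
  done
  echo "$n"
}

# Query every attached, authorised device over adb (only runs when adb is installed).
# tr strips the CR that older adb versions append to shell output.
live_check() {
  for s in $(adb devices | awk 'NR > 1 && $2 == "device" { print $1 }'); do
    p=$(adb -s "$s" shell getprop ro.build.version.security_patch | tr -d '\r')
    classify "$s" "$p"
  done
}

# Constructed sample inventory (not real devices): one patched, one behind, one
# pre-Marshmallow build with no patch level at all.
SAMPLE_INVENTORY='ZX1G2A 2016-02-01
ZX1G2B 2015-12-01
ZX1G2C'

if command -v adb >/dev/null 2>&1; then
  live_check
else
  printf '%s\n' "$SAMPLE_INVENTORY" | while read -r serial patch; do classify "$serial" "$patch"; done
  echo "unpatched: $(printf '%s\n' "$SAMPLE_INVENTORY" | count_vulnerable)"
fi
```

Run it with `adb` in `PATH` and the phones plugged in to get a per-serial verdict; otherwise it runs against the constructed inventory. Because the comparison is on the date alone, a device can pass this check and still be exposed if its manufacturer backported only part of the bulletin, so treat the result as a lower bound on exposure, not a guarantee.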
Mobile phone hygiene has become a growing concern for the enterprise. Last August, an Android security gap made it possible for hackers to attack Android phones simply by sending a text message. In October, Zimperium estimated that 95% of Android users across the globe were subject to the vulnerability, dubbed Stagefright.