Computer Emergency Response Team of India (CERT-In) has issued an advisory numbered CIAD-2014-0012 pertaining to a critical VPN flaw in Android 4.3 Jelly Bean and Android 4.4 KitKat revealing that the vulnerability could allow attackers to bypass active VPN configurations and redirect secure communications to capture the traffic.
“This security flaw in Android’s VPN implementation allows a malicious application to bypass active VPN configuration (no root permissions required) and divert the VPN traffic to a different network address”, notes CERT-In in its advisory.
“Successful exploitation of this issue could allow attackers to capture entire communications originating from affected device”.
The vulnerability was first reported by security researchers over at the Ben Gurion University (BGU), Israel. Researchers had claimed at the time that they had tested a number of smartphones from different vendors running Android 4.3 and Android 4.4 to confirm the discovered vulnerability.
The security researchers also created a video POC to demonstrate the existence of the VPN flaw.
Users not using VPNs on their Android devices will not be affected by this vulnerability and neither are those users affected whose apps or communications rely on SSL.
Having said that it will be diligent on users’ part if they keep their smartphone’s OS and apps updated; don’t install apps from untrusted sources; check for permissions and privileges that the app is requesting before installing them; and don’t click on URLs from untrusted sources they may receive on their mobile through SMS or emails.
