Kaspersky Lab has revealed mobile devices running Android 4.1 (Jelly Bean) or older are open to attack by a malicious script that seeks to find devices with antiquated security.
The script, which was originally designed to use a Flash vulnerability in Windows machines, has been tweaked to uncover which version of Android a device is running and will then inject it with malicious code that is resisted by newer versions of the operating system.
“The exploitation techniques we’ve found during our research were nothing new, but borrowed from proof of concepts, previously published by white hat researchers,” Victor Chebyshev, security expert at Kaspersky Lab. “This means that vendors of Android devices should account for the fact that the publication of PoCs would inevitably lead to the appearance of ‘armed’ exploits.”
Specifically, the exploit tells the browser to execute malicious code. Two other scripts were also discovered by the researchers. One is able to send an SMS to any number, presumably with the aim of spreading the infection, while the other creates malicious Trojan files on the SD-card of the attacked device, which also allows the interception and triggering of SMS messages.
“Users of these devices deserve to be protected with corresponding security updates, even if the devices are no longer being sold at the time,” Chebyshev advised.
Although Google patched the security holes between 2012 and 2014, security updates to older devices are being rolled out slowly by vendors and some have completely missed out on updates because manufacturers have stopped supporting them, allowing them targeted by criminals.