Android crypto key vulnerability affects only 10 percent handsets: report

Posted July 1, 2014

IBM researchers have called attention to a serious Android crypto key theft vulnerability, but the vulnerability affects only version 4.3, which runs on about 10.3 percent of handsets, reports Dan Goodin in Ars Technica, in a June 30 update of his report. The IBM researchers had shed light on the vulnerability, which may allow attackers to steal credentials, including cryptographic keys for banking services and virtual private networks, as well as the PINs or patterns used to unlock vulnerable devices. Pau Oliva, senior mobile security engineer at viaForensics, told Ars Technica that a malicious user exploiting this vulnerability would be able to perform RSA key generation, signing, and verification on behalf of the smartphone owner. The bug resides in Android KeyStore, said Goodin, the sensitive region of the operating system dedicated to storing cryptographic keys and similar credentials, according to the security advisory posted by Roee Hay, who leads the application security research team at IBM.
