A newly revealed vulnerability on Android phones is able to bypass the full disk encryption on over half of devices.
The attack, demonstrated by Israeli security researcher Gal Beniamini, can allow an attacker to break through the levels of trust and privileges that are intended to ensure only legitimate code can access secret material, such as DRM keys or disk encryption keys.
Although the attack was patched in the May security update, two-factor authentication specialist Duo Security says that only 43 percent of Android devices are patched and safe from this type of attack, leaving 57 percent still at risk.
From Android 5.0 (Lollipop) onwards the OS automatically protects all of the user's information by enabling full disk encryption based on a Linux Kernel subsystem. It uses a key derived from the user's unlock credentials and bound to the hardware using Android's KeyMaster key store.
On devices with Qualcomm processors though -- and Qualcomm is one of the biggest suppliers to the Android market -- Beniamini's research shows it's possible to get KeyMaster to execute hijacked system calls and send keys to a shared buffer from which they can be read.
Duo says that users need to ensure their phones are patched -- according to its data the Nexus and Galaxy S6 were the most patched phones at around 75 percent with the Galaxy S5 at 45 percent. For businesses it recommends using an endpoint visibility solution to identify unpatched devices that may be putting corporate data at risk.
The Duo Security blog has more information and there's a full technical description of the attack on Beniamini's own blog.