A new security hole in Android phones could leave 86 percent of its users at risk of having their passwords and critical information compromised, according to a report in PC Magazine.


IBM discovers Android security flaws

By exploiting the security flaw, which was first discovered by International Business Machines Corp. (NYSE:IBM), hackers can obtain banking and virtual private network credentials, PINs, and unlock patterns, the report said. IBM security researchers uncovered the bug in September and quietly warned Android’s security team. Two months later Android released a patch for the 4.4 KitKat operating system, but users who have not upgraded their operating system do not yet have a fix, leaving them exposed to hackers.

The Google developer website says nearly 13.6 percent of Android devices are on 4.4 KitKat, and 10.3 percent are running version 4.3. Most (29 percent) are running 4.1.x, while 19 percent are on 4.2.x. Studies have shown Android users update their phone’s operating system much less frequently than Apple iOS users, which, according to the report, “isn’t exactly foolproof.”

Problem centered in Android KeyStore

In an IBM blog post disclosing the vulnerability, the firm said the problem lies in the Android KeyStore. This is where cryptographic keys and other credentials used to enter secure environments are stored. By entering through this slightly open door, hackers can gather banking and virtual private network credentials, PINs, and unlock patterns for secure services the phone may be accessing.

The door is only slightly open because, according to IBM application security research team lead Roee Hay, Android has built-in barriers that slow and often stop hackers from successfully exploiting the vulnerability.

IBM: Android operating system isn’t a pushover

The IBM security team went into detail, pointing out that, with built-in data execution prevention and address space layout randomization, the Android operating system isn’t a pushover. Essentially, the hacker would need to have an application installed on the smartphone in order to get at user information. But, according to the PC Magazine report, this doesn’t soften the blow. The real weakness resides in access to the KeyStore, which is one of the most sensitive resources in the OS.

“Generally speaking, this is how apps are going to store their authentication credentials, so if you can compromise the KeyStore, you can log in as the phone’s user to any service where they’ve got a corresponding app,” Dan Wallach, Rice University professor specializing in Android security, was quoted as saying on the IBM security site.

Applications that require a password to be retyped each time—banking services, for example—are at lower risk than more easily compromised apps, like Twitter, Wallach said. Similarly, users should keep an eye on those apps that load VPN credentials onto their phone, which essentially hand hackers a key to bypass the firewall.