Security Vulnerabilities for Android and iOS Hit An All-time High in 2015

  • 1

Quick Heal hopes it has been a good year for you.

But, has it been a good year for your mobile devices as well? It has been an alarming year for both Android and iOS users. If Android users were vulnerable to Stagefright attacks, iOS users had their own share of vulnerabilities with the Masque Attack and XcodeGhost giving rise to riskware and malware attacks.


In 2015, over a billion mobile users have been affected by vulnerabilities that have been identified and named. And, there are hundreds of additional vulnerabilities that were never addressed and unnamed but are no less critical. The severity of these attacks prompted Google and leading manufacturers including Samsung, HTC, Sony and LG amongst others to release regular security patches. Security researchers termed this development as “the single largest software update the world has ever seen.”

Mobile device monsters that have been named in public and addressed adequately by industry stalwarts can surely be our learning guide against unknown and unnamed vulnerabilities.


In July 2015, a security researcher identified a series of high-severity vulnerabilities related to Stagefright. Globally, 950 million Android device users were susceptible to Stagefright attacks this year. It affects almost all Android devices running Froyo 2.2 to Lollipop 5.1.1A.

Stagefright vulnerabilities are usually found in the default media playback framework on Android devices and continue to have a lasting impact on devices if not addressed from the core.

Stagefright attack can be launched in several ways and has severe security implications. An attacker can remotely gain control over your device and steal data by sending an MMS (multimedia message) packaged with an exploit. Except for devices using Google Hangouts, all a victim has to do is open their default SMS message app and the message thread itself for the exploit to work. In Google Hangouts, an attacker gets direct access to the device without the need of opening the message resulting in greater security risks. The Stagefright vulnerability issues were first reported to Google in April, 2015.


XcodeGhost is a malicious version of Xcode, Apple’s official tool for developing iOS and OS X apps. The malware was first identified by Chinese developers. In fact, they had unknowingly uploaded a malicious version of Xcode and it managed to pass through Apple’s code review process. iOS users installed or updated the infected app on their devices.

XcodeGhost malware can potentially trick people into providing personal and sensitive information. In September 2015, Apple App Store published a list of apps that were affected by this malware. Read more on the list of apps here.

Sources claim that XcodeGhost has affected more than 500 million iOS users especially in China and the Asia-Pacific regions. The malware is known to have propagated mostly through the messaging app WeChat. iPhone, iPads and iPod devices are mostly affected by XcodeGhost.

Chinese developers and Apple are working together to remove the malware. In their recent statement to Reuters, Apple stated, “We’ve removed the apps from the App Store that we know have been created with this counterfeit software. We are working with the developers to make sure they’re using the proper version of Xcode to rebuild their apps.”

As a user, you should immediately uninstall any infected iOS apps listed by Apple or update to a newer version that has removed the malware. According to Chinese developers Palo Alto Networks, resetting your iCloud password, and any other passwords inputted on your iOS device, is also strongly recommended as a precautionary measure. Read more on Palo Alto Networks’ list of infected apps here.


Certifi-gate based attacks are capable of taking complete control of Android devices made by major manufacturers including HTC, LG, Samsung and ZTE amongst others. Certifi-gate attacks came into highlight right after the Stagefright bug and forced Google along with major manufacturers and high profile partners to move faster to fix problems.

Certifi-gate vulnerabilities gives hackers “illegitimate privileged access rights” and full control of your Android devices through apps installed by manufacturers and mobile phone networks. They generally affect remote support applications that allow support staff to remotely take over your screen to fix a problem. Remote support applications like TeamViewer, Rsupport, CommuniTake Remote Care and others are often pre-installed and attackers take advantage of this to gain control of the device by impersonating the apps, leaving users completely vulnerable.

All versions of Android 5.0 (Lollipop) and 4.4 (KitKat) are vulnerable to Certifi-gate. Once detected, the bug cannot be easily fixed as Android offers no way to revoke the certificates that provide the privileged permissions.

A mobile application exploiting the so-called Certifi-gate vulnerability, disclosed at a Black Hat Conference in Las Vegas, has been removed from the Google Play store. Certifi-gate is a wake-up call for manufacturers to be more careful while pre-installing apps and also for mobile developers to catch these problems earlier in the development cycle.

Masque Attack

Masque Attack, an  iOS vulnerability, was discovered in July, 2014. The vulnerability is identified to exist on iOS 7.1.1, 7.1.2, 8.0, 8.1 and 8.1.1 beta, and on jailbroken and non-jailbroken iOS devices.

Masque Attacks are “reverse engineered and weaponized versions of popular social networking and messaging apps, including WhatsApp, Twitter, Facebook, Facebook Messenger, WeChat, Google Chrome, Viber, Blackberry Messenger, Skype, Telegram, and VK.” They come with an extra binary designed to steal users’ sensitive information and upload it to a remote server.

Eleven Masque Attack applications were found targeting iOS devices and threatened to demolish, break and hijack iOS apps and make them unusable. These attacks were possible by spoofing legitimate apps and could have been prevented even if the most basic anti-tampering controls were in place to prevent infiltration.

Mobile vulnerabilities or what we popularly call as mobile monsters continue to haunt developers, manufacturers, and consumers. Security patches are currently available for certain models in both iOS and Android devices, but they do not guarantee safety for your mobile device. They are as good as a learning guide. Safeguarding a device has to be ensured right from the development stage.

Nonetheless, with industry giants joining hands to update their security updates on a regular basis, we hope to see a good year for our mobile devices as well in 2016.




Suhita Mazumdar

Suhita Mazumdar


Your email address will not be published.


  1. Avatar muhammad arifDecember 27, 2015 at 2:34 PM

    i am need contic

  2. Avatar prakash pawaskarMay 5, 2016 at 1:42 PM

    quick heal is fastest way of removing dangerous element in tab