VPN related security flaw detected in Android's Jelly Bean

Internet security sleuths have alerted consumers of this web-based service to guard against the spread of this virus which affects computer systems and mobile phones using the Android system. The suspicious activity has been noticed in two Android versions: 4.3 known as 'Jelly Bean' and the latest version 4.4 called 'KitKat'.

The Computer Emergency Response Team of India (CERT-In) said in an advisory released to users of its network “A critical flaw has been reported in Android’s (virtual private network) VPN implementation, affecting Android version 4.3 and 4.4 which could allow an attacker to bypass active VPN configuration to redirect secure VPN communications to a third party server or disclose or hijack unencrypted communications.”

The CERT-In is the nodal agency to combat hacking, phishing and to fortify security-related defences of the Indian Internet domain.

VPN technology is used to create an encrypted tunnel into a private network over public Internet. Organisations and group of people use such connections to enable employees or acquaintances to securely connect to enterprise networks from remote locations through multiple kinds of devices like laptops, desktops, mobiles and tablets.

The Agency also created a video POC to demonstrate the existence of the VPN flaw.

Users not using VPNs on their Android devices will not be affected by this vulnerability and neither are those users affected whose apps or communications rely on SSL.

Having said that it will be diligent on users’ part if they keep their smartphone’s OS and apps updated; don’t install apps from untrusted sources; check for permissions and privileges that the app is requesting before installing them; and don’t click on URLs from untrusted sources they may receive on their mobile through SMS or emails.