Researchers at Bluebox Security have revealed a disturbing flaw in Android's security model, which the group claims may affect up to 99 percent of Android devices in existence. According to Bluebox, this vulnerability has existed since Android 1.6 (Donut), and it gives malicious app developers the ability to modify the code of a legitimate APK without breaking its cryptographic signature -- thereby allowing the installation to go unnoticed. To pull off the exploit, a rotten app developer would first need to trick an unknowing user into installing the malicious update, but hackers could theoretically gain full control of a user's phone if the "update" posed as a system file from the manufacturer.
Bluebox claims that it notified Google of the exploit in February. According to CIO, Bluebox CTO Jeff Forristal has named the Galaxy S 4 as the only device that's currently immune to the exploit -- which suggests that a security patch may already exist. Forristal further claims that Google is working on an update for its Nexus devices. In response to our inquiry, Google told us that it currently has no comment. We certainly hope that device manufacturers do the responsible thing and distribute timely security patches to resolve this issue. Absent that, you can protect yourself by installing updates only through the Play Store and Android's built-in system update utility.
Mobile security startup Bluebox Security has unearthed a vulnerability in Android’s security model which it says means that the nearly 900 million Android phones released in the past four years could be exploited, or some 99% of Android devices. The vulnerability has apparently been around since Android v1.6 (Donut), and was disclosed by the firm to Google back in February. The Samsung Galaxy S4 has already apparently been patched.
It’s likely that Google is working on a patch for the vulnerability. We’ve reached out to the company for comment and will update this story with any response.
Bluebox intends to detail the flaw at the Black Hat USA conference at the end of this month, but in the meanwhile it’s written a blog post delving into some detail. The vulnerability apparently allows a hacker to turn a legitimate app into a malicious Trojan by modifying APK code without breaking the app’s cryptographic signature. Bluebox says the flaw exploits discrepancies in how Android apps are cryptographically verified and installed. Specifically, it allows a hacker to change an app’s code while leaving its cryptographic signature unchanged — thereby tricking Android into believing the app itself is unchanged, and allowing the hacker to wreak their merry havoc.
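The article does not describe the exact verification-versus-installation discrepancy Bluebox found, so the following added example (not Bluebox's, Google's or Android's code) illustrates only the defensive principle that closes this class of flaw: an installer must verify precisely the bytes it is about to install, against a manifest that the signature covers, and must reject any archive whose entries and manifest do not correspond one-to-one. The signing scheme is a simplified stand-in for the JAR-style scheme Android used at the time (per-entry digests listed in a manifest, with the signature over the manifest): here the digests are SHA-256 in a JSON manifest and an HMAC with a constructed demo key stands in for the publisher's signature. The entry names `META-INF/MANIFEST.json` and `META-INF/MANIFEST.sig`, the functions `build_archive`, `verify_strict`, `tamper_entry` and `add_entry`, and all sample file contents are assumptions chosen for this illustration.

```python
"""Strict archive integrity check: verify exactly the bytes that will be
installed, and reject any archive whose entries and signed manifest do not
correspond one-to-one.  Added illustration; not Bluebox's, Google's or
Android's code.  The signing scheme is a simplified stand-in for JAR-style
signing: per-entry SHA-256 digests in a manifest, and an HMAC with a demo key
standing in for the publisher's signature."""
import hashlib
import hmac
import io
import json
import zipfile

MANIFEST = "META-INF/MANIFEST.json"   # hypothetical manifest entry name
SIG = "META-INF/MANIFEST.sig"         # hypothetical signature entry name
DEMO_KEY = b"demo-signing-key"        # constructed key, demo only


def build_archive(files, key=DEMO_KEY):
    """Pack {name: bytes} with a digest manifest and a MAC over that manifest."""
    manifest = {n: hashlib.sha256(d).hexdigest() for n, d in files.items()}
    manifest_bytes = json.dumps(manifest, sort_keys=True).encode()
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in files.items():
            zf.writestr(name, data)
        zf.writestr(MANIFEST, manifest_bytes)
        zf.writestr(SIG, hmac.new(key, manifest_bytes, "sha256").hexdigest())
    return buf.getvalue()


def verify_strict(archive, key=DEMO_KEY):
    """Return (ok, reason).

    The walk goes over the entries an installer would actually write (the
    archive's central directory), not over the manifest's keys, so whatever
    is verified is whatever gets installed: no unlisted entries, no duplicate
    names, no listed-but-missing entries, and every digest computed over the
    same bytes zipfile would extract."""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        infos = zf.infolist()
        names = [i.filename for i in infos]
        if len(names) != len(set(names)):
            return False, "ambiguous archive: duplicate entry names"
        if MANIFEST not in names or SIG not in names:
            return False, "missing manifest or signature"
        manifest_bytes = zf.read(MANIFEST)
        expected = hmac.new(key, manifest_bytes, "sha256").hexdigest()
        if not hmac.compare_digest(expected, zf.read(SIG).decode()):
            return False, "manifest signature invalid"
        manifest = json.loads(manifest_bytes)
        payload = [i for i in infos if i.filename not in (MANIFEST, SIG)]
        for info in payload:
            if info.filename not in manifest:
                return False, f"unsigned entry: {info.filename}"
            digest = hashlib.sha256(zf.read(info)).hexdigest()
            if digest != manifest[info.filename]:
                return False, f"digest mismatch: {info.filename}"
        missing = sorted(set(manifest) - {i.filename for i in payload})
        if missing:
            return False, f"listed but absent: {missing}"
    return True, "ok"


def tamper_entry(archive, name, new_data):
    """Constructed test input: same manifest and signature, one entry's bytes
    replaced.  A checker that trusted the manifest without rehashing what it
    installs would accept this."""
    with zipfile.ZipFile(io.BytesIO(archive)) as src:
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as out:
            for info in src.infolist():
                data = new_data if info.filename == name else src.read(info)
                out.writestr(info.filename, data)
    return buf.getvalue()


def add_entry(archive, name, data):
    """Constructed test input: append an entry the manifest never covered."""
    buf = io.BytesIO(archive)
    with zipfile.ZipFile(buf, "a") as zf:
        zf.writestr(name, data)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample "app" contents.
    files = {"classes.dex": b"original code", "res/strings.xml": b"<r/>"}
    good = build_archive(files)
    print(verify_strict(good))
    print(verify_strict(tamper_entry(good, "classes.dex", b"modified code")))
    print(verify_strict(add_entry(good, "lib/extra.so", b"\x7fELF")))
    print(verify_strict(good, key=b"wrong-key"))
```

The design point is that the checker never lets the manifest decide what it looks at: it enumerates what the installer would write and demands that every such entry be covered by the signed manifest and match it byte for byte. Any verifier that instead answers "is every listed file present and correct?" can be satisfied by an archive that also carries content the question never asked about, which is the shape of discrepancy the article describes.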
The flaw is made worse if an attacker targets a sub-set of apps developed by device makers themselves, or by third parties — such as Cisco with its AnyConnect VPN app — that work closely with device makers and are granted system UID access. This sub-set of apps can allow a hacker to tap into far more than just mere app data, with the potential to steal passwords and account info and take over the normal running of the phone. Here’s how Bluebox explains it:
Installation of a Trojan application from the device manufacturer can grant the application full access to the Android system and all applications (and their data) currently installed. The application then not only has the ability to read arbitrary application data on the device (email, SMS messages, documents, etc.) and retrieve all stored account & service passwords, it can essentially take over the normal functioning of the phone and control any function thereof (make arbitrary phone calls, send arbitrary SMS messages, turn on the camera, and record calls). Finally, and most unsettling, is the potential for a hacker to take advantage of the always-on, always-connected, and always-moving (therefore hard-to-detect) nature of these “zombie” mobile devices to create a botnet.
While 99% of Android phones being technically vulnerable to app hackers is a tough stat to ignore, it’s worth emphasising that just because such a flaw (apparently) exists, it doesn’t mean it has been or will be widely exploited — especially as, in this instance, it was flagged to Google prior to being made public. And Google is presumably hard at work on a fix.
That said, the nature of the Android ecosystem does slow down the patching process. On the fix front, Bluebox notes that it will be up to device manufacturers to “produce and release firmware updates for mobile devices (and furthermore for users to install these updates)”, adding: “The availability of these updates will widely vary depending upon the manufacturer and model in question.”
Getting timely OS updates has always been a problem for Android users (Nexus owners are the exception), owing to Android’s openness necessarily encouraging variation and fragmentation within the ecosystem, with different manufacturer skins and carrier additions all standing in the way and delaying updates. That likely means the window of risk attached to this latest Android vulnerability takes longer to close for the majority of users than many would be comfortable with.
In the meantime, Bluebox advises the following:
- Device owners should be extra cautious in identifying the publisher of the app they want to download.
- Enterprises with BYOD implementations should use this news to prompt all users to update their devices, and to highlight the importance of keeping their devices updated.
- IT should see this vulnerability as another driver to move beyond just device management to focus on deep device integrity checking and securing corporate data.
Android is often linked with malware not because there’s a high actual risk of users being infected with malware but because, in relative terms, it’s the biggest target for mobile malware writers, since it is the dominant mobile OS. It’s also not as locked down as some other mobile platforms, making it an easier target for hackers. Yet it’s worth stressing that mobile malware remains a very marginal risk, even for Android users, and especially if you’re a mainstream user getting your apps from the likes of Google Play, rather than alternative third-party app stores or routes.
This latest Android security flaw adds to the general low-level risk attached to using Android, but how widely it ends up being exploited by malware writers remains to be seen — so how much more actual risk it introduces into the ecosystem is hard to quantify.
Update: According to a report in CIO, Google has already modified its Play Store’s app entry process so that apps that have been modified using this exploit are blocked and can no longer be distributed via Play.