While there are a number of advantages to Android being an open platform, it is also the mobile operating system most targeted by hackers. In fact, according to a recent report by security firm McAfee, Android was susceptible to over 14,000 threats in the first quarter alone.
Look no further than the Bluebox Security research team, which has discovered a massive Android security flaw that could affect any Android smartphone released in the past four years — which is said to be up to 900 million devices — running software as old as Android 1.6 Donut.
The team at Bluebox Labs claims that the vulnerability allows a user to modify the code in an APK, the file format used by Android applications, without breaking the application’s cryptographic signature. A hacker could then turn a legitimate application into a malicious one, unbeknownst to Google Play, the end user or the smartphone itself.
The vulnerability, Android security bug 8219321, presents major security issues for Android users, who could have their data stolen or their entire smartphone compromised as part of a mobile botnet. Even worse, a malicious user could gain access to the entire Android operating system and the installed applications.
Bluebox CTO Jeff Forristal, who will be speaking about this flaw at the Black Hat USA 2013 hacking conference, which runs July 27th to August 1st, explains the technical details of the vulnerability:
Installation of a Trojan application from the device manufacturer can grant the application full access to Android system and all applications (and their data) currently installed. The application then not only has the ability to read arbitrary application data on the device (email, SMS messages, documents, etc.), retrieve all stored account & service passwords, it can essentially take over the normal functioning of the phone and control any function thereof (make arbitrary phone calls, send arbitrary SMS messages, turn on the camera, and record calls). Finally, and most unsettling, is the potential for a hacker to take advantage of the always-on, always-connected, and always-moving (therefore hard-to-detect) nature of these “zombie” mobile devices to create a botnet.
Forristal elaborates on how the vulnerability works, claiming that it “involves discrepancies in how Android applications are cryptographically verified & installed, allowing for APK code modification without breaking the cryptographic signature.”
All Android applications have a cryptographic signature, which allows Google to determine if an app has been modified or tampered with. Bypassing this security feature essentially tricks Android into believing that an app remains unchanged, when it actually has been.
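The check described above can be sketched from the defender's side. The following is an added example, not code from Bluebox or Google: it audits an APK's zip entries against the digests listed in its manifest and flags repeated entry names, since public analyses of this bug attribute the discrepancy to archives holding two entries with the same name. It assumes a JAR-style `META-INF/MANIFEST.MF` with unwrapped `SHA1-Digest` lines, uses a constructed sample archive, and does not verify the signature over the manifest itself.

```python
import base64, hashlib, io, warnings, zipfile
from collections import Counter

MANIFEST = "META-INF/MANIFEST.MF"

def parse_manifest(text):
    """Map entry name -> base64 SHA1-Digest (assumes unwrapped manifest lines)."""
    digests, name = {}, None
    for line in text.splitlines():
        if line.startswith("Name: "):
            name = line[6:]
        elif line.startswith("SHA1-Digest: ") and name:
            digests[name] = line[13:]
    return digests

def sha1_b64(data):
    return base64.b64encode(hashlib.sha1(data).digest()).decode()

def audit_apk(data):
    """Return sorted findings for an APK given as bytes; an empty list means clean."""
    findings = set()
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        counts = Counter(i.filename for i in z.infolist())
        findings.update(f"duplicate entry: {n}" for n, c in counts.items() if c > 1)
        digests = parse_manifest(z.read(MANIFEST).decode())
        for info in z.infolist():  # hash every physical entry, not one per name
            if info.filename.startswith("META-INF/"):
                continue
            if digests.get(info.filename) != sha1_b64(z.read(info)):
                findings.add(f"digest mismatch: {info.filename}")
    return sorted(findings)

def build_sample(extra=None):
    """Constructed APK-like zip for testing; `extra` adds a second classes.dex."""
    good = b"constructed dex bytes"
    manifest = f"Manifest-Version: 1.0\n\nName: classes.dex\nSHA1-Digest: {sha1_b64(good)}\n"
    buf = io.BytesIO()
    with warnings.catch_warnings():
        warnings.simplefilter("ignore")  # zipfile warns on duplicate names
        with zipfile.ZipFile(buf, "w") as z:
            z.writestr(MANIFEST, manifest)
            z.writestr("classes.dex", good)
            if extra is not None:
                z.writestr("classes.dex", extra)
    return buf.getvalue()

if __name__ == "__main__":
    print(audit_apk(build_sample()))
    print(audit_apk(build_sample(b"modified bytes")))
```

Hashing each physical entry, rather than looking entries up by name, is what keeps the audit from silently picking one of two same-named files.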
Bluebox Labs disclosed the security flaw to Google in February, although it is up to hardware manufacturers and carriers to release appropriate software updates to address the issue. Due to the fragmentation issues of Android, that is often a very difficult and lengthy process.
Android users are advised to pay close attention to the publisher of any app they wish to install, and to recognize the importance of updating to the latest software version available.