Android Has a 4-Year-Old Vulnerability, Affects Most

Bluebox Labs, the research team of Bluebox Security, has discovered a security vulnerability that has quietly resided in Google's Android platform since the release of 1.6 "Donut."

Company CTO Jeff Forristal said in a recent blog post that this newly discovered vulnerability allows a hacker to modify APK code without breaking an application's cryptographic signature. That means any legitimate app, even an Android system app, can be turned into malware without Google Play, the device or the end user being made aware of the change.

All Android apps carry cryptographic signatures that the platform uses to determine whether an app is legitimate and whether it has been tampered with or modified. But there are discrepancies between how these apps are cryptographically verified and how they are installed, and these allow an APK's contents to be modified without invalidating its signature. A malicious author could thus trick Android into believing an installed app is unchanged from the original, even one provided by a device maker.
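The paragraph above describes the defender's requirement in one sentence: whatever bytes the installer will use must be exactly the bytes the signature verifier checked. The following is an added example, not Bluebox's finding and not Android's own code, that shows the per-entry digest layer of JAR-style (Android v1) APK signing in miniature: a MANIFEST.MF records a SHA-1 digest for every entry, and a verifier recomputes each digest from the archive. The signature over the manifest itself (CERT.SF/CERT.RSA) is omitted. The sample archive contents and the `make_apk`, `verify_apk` and `demo` helpers are constructed for this example; the rule that an archive listing the same name twice is refused as ambiguous is a general hardening choice made here, on the principle that a container with two possible readings gives a verifier and an installer something to disagree about.

```python
import base64
import hashlib
import io
import warnings
import zipfile

MANIFEST = "META-INF/MANIFEST.MF"


def _b64_sha1(data: bytes) -> str:
    return base64.b64encode(hashlib.sha1(data).digest()).decode()


def build_manifest(entries: dict) -> bytes:
    """Write a JAR-style MANIFEST.MF: one Name/SHA1-Digest section per entry."""
    lines = ["Manifest-Version: 1.0", ""]
    for name, data in entries.items():
        lines += [f"Name: {name}", f"SHA1-Digest: {_b64_sha1(data)}", ""]
    return "\r\n".join(lines).encode()


def parse_manifest(raw: bytes) -> dict:
    """Return {entry name: recorded base64 SHA-1} from a MANIFEST.MF body."""
    digests, name = {}, None
    for line in raw.decode().splitlines():
        if line.startswith("Name: "):
            name = line[len("Name: "):]
        elif line.startswith("SHA1-Digest: ") and name is not None:
            digests[name] = line[len("SHA1-Digest: "):]
            name = None
    return digests


def make_apk(signed: dict, contents: list) -> bytes:
    """Constructed APK-like zip (hypothetical helper): a manifest covering
    `signed`, followed by `contents` written in order. Passing contents that
    differ from `signed` yields the tampered and duplicate-name samples below."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(MANIFEST, build_manifest(signed))
        with warnings.catch_warnings():
            warnings.simplefilter("ignore")  # zipfile only warns on a repeated name
            for name, data in contents:
                zf.writestr(name, data)
    return buf.getvalue()


def verify_apk(blob: bytes) -> tuple:
    """Check every non-META-INF entry against the manifest; returns (ok, reason).

    The verifier hashes exactly the entry objects the archive lists (infolist)
    and refuses an archive that lists a name more than once, so there is no
    second interpretation left for an installer to pick.
    """
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        infos = zf.infolist()
        names = [i.filename for i in infos]
        dupes = sorted({n for n in names if names.count(n) > 1})
        if dupes:
            return False, f"ambiguous archive: duplicate entries {dupes}"
        if MANIFEST not in names:
            return False, "no manifest"
        recorded = parse_manifest(zf.read(MANIFEST))
        for info in infos:
            if info.filename.startswith("META-INF/"):
                continue
            expected = recorded.get(info.filename)
            if expected is None:
                return False, f"unsigned entry {info.filename}"
            with zf.open(info) as fh:  # read this specific entry, not "the" name
                actual = _b64_sha1(fh.read())
            if actual != expected:
                return False, f"digest mismatch for {info.filename}"
    return True, "ok"


# Constructed sample contents; not a real application.
ENTRIES = {
    "classes.dex": b"dex\n035\x00constructed sample bytecode",
    "AndroidManifest.xml": b"<manifest package='example.constructed'/>",
}


def demo() -> dict:
    """Run the verifier over a clean, a tampered and an ambiguous sample."""
    good = make_apk(ENTRIES, list(ENTRIES.items()))
    tampered = make_apk(ENTRIES, [
        ("classes.dex", b"dex\n035\x00patched after signing"),
        ("AndroidManifest.xml", ENTRIES["AndroidManifest.xml"]),
    ])
    ambiguous = make_apk(ENTRIES, list(ENTRIES.items())
                         + [("classes.dex", b"dex\n035\x00second copy")])
    samples = {"good": good, "tampered": tampered, "ambiguous": ambiguous}
    return {label: verify_apk(blob) for label, blob in samples.items()}


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label}: {result}")
```

The clean sample passes, the sample whose `classes.dex` was rewritten after the manifest was fixed fails with a digest mismatch, and the sample that carries `classes.dex` twice is refused before any digest is compared. The design point is that `verify_apk` never resolves an entry by name alone; it hashes the same `ZipInfo` an installer would have to extract, which is the consistency the article says the vulnerable code paths lacked.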

"Details of Android security bug 8219321 were responsibly disclosed through Bluebox Security’s close relationship with Google in February 2013," he said. "It’s up to device manufacturers to produce and release firmware updates for mobile devices (and furthermore for users to install these updates). The availability of these updates will widely vary depending upon the manufacturer and model in question."

He also provided an example performed by the team that shows they were able to modify an Android device manufacturer's own app, giving it access to any and all permissions. They were even able to modify the system-level software information to include the name "Bluebox" in the Baseband Version string, a value that is normally controlled and configured by the system firmware.

"This vulnerability, around at least since the release of Android 1.6 (codename: “Donut”), could affect any Android phone released in the last four years – or nearly 900 million devices – and depending on the type of application, a hacker can exploit the vulnerability for anything from data theft to creation of a mobile botnet," he said.

The question is, where do we go from here? Infected apps could already be listed on Google Play (which isn't exactly malware-free despite Google's efforts). The technical details surrounding the issue, including the related tools and material, won't be made public until Forristal's presentation at Black Hat USA 2013 in Las Vegas at the end of the month. However, Chester Wisniewski, a senior security adviser at Sophos, indicates the problem only resides with third-party markets.

"The risk is when users install applications from third-party websites," Wisniewski told NBC News via email. "This practice is ALWAYS dangerous, this just makes it extra difficult to determine if an app has been tampered with. It should be assumed that an app HAS been tampered with anytime it is acquired from a source other than the original manufacturer or the Play Store."

"I have not seen any evidence of Amazon being less thorough than Google, but have not personally investigated their processes," he added.

Forristal said his presentation will "review how the vulnerability was located, how an exploit was created, and why the exploit works, giving insight into the vulnerability problem and the exploitation process." Working proof-of-concept applications will also be running for all major Android device vendors.

  • IAmVortigaunt
    "It’s up to device manufacturers to produce and release firmware updates for mobile devices (and furthermore for users to install these updates). The availability of these updates will widely vary depending upon the manufacturer and model in question."

    Don't hold your breath...
  • rwinches
    The fix has already been released
    http://tech2.in.com/news/software/google-releases-fix-to-oems-for-major-android-loophole/907298
  • velosteraptor
    I find it ironic that this security company finds a pretty severe vulnerability that affects close to a billion devices, and by bringing it to Google's attention, also brings it to the attention of the world's hackers. It's more than likely that bringing this vulnerability to light will do much more harm than good, as 90% of Android phones will never get an update to fix the vulnerability.

    Fragmentation at its finest.
  • ccovemaker
    A security company trying to sell products or services using a "security flaw" that only they knew about is not news.
  • sykozis
    As usual, Toms is late to this story. This story ran last week on other sites.
  • sna
    Hey guys, want to know the vulnerability in all MS Windows? It is inside the stupid Auto Update!

    Nothing is safe, trust me on that. There is a way to fool Windows with updates that are malware! ALWAYS.
  • dalethepcman
    Once again android security blown out of proportion.
    "The risk is when users install applications from third-party websites,"

    This article is like having a title of "Researchers found a flaw in every Apple device in the world, hackers rejoice," when the actual issue involves a USB drive physically connected to the machine.

    If you want to keep your phone (and all the data it contains) safe, don't use third-party app stores, and don't directly download and install APKs.
  • maddad
    It always amazes me how you can say something bad about iOS or Windows all day long, but if you say something bad about Android people want to cry foul. Android is not perfect, and it never will be. Just like any other operating system, there will be bugs and hackers will find a way to exploit these bugs. The main problem with Android is that Google will of course patch any bugs they find, but because of the fragmentation, your phone manufacturer may not patch your particular version. "Details of Android security bug 8219321 were responsibly disclosed through Bluebox Security’s close relationship with Google in February 2013." It was reported to Google 5 months ago, plenty of time to issue a patch. One company says it can affect any Android app. Another security company says only third-party apps. Who can we believe? I would say only "Google"! But I haven't seen a response from them yet!
  • ninjustin
    The problem with this is, there's not really a problem. Only if you call clicking on a random link on a web page and allowing it to download and install apps on your phone a security flaw.

    Updates should come directly from the app store you are using and not directly from a site unless you know the source is absolutely trustworthy.

    This is basic security on any OS.
  • Estix
    "News flash: installing a virus on your phone may cause your phone to get infected with a virus"