
Android Has a 4-Year-Old Vulnerability, Affects Most

Source: Bluebox Security

A security vulnerability has resided within Android since v1.6 "Donut." Yikes!

Bluebox Security research team Bluebox Labs has discovered a security vulnerability that has quietly resided in Google's Android platform since the release of 1.6 "Donut."

Company CTO Jeff Forristal said in a recent blog post that this newly discovered vulnerability allows a hacker to modify APK code without breaking an application's cryptographic signature. That means any legitimate app, even an Android system app, can be turned into malware without Google Play, the device or the end user being made aware of the change.

All Android apps carry cryptographic signatures, which the platform uses to determine whether an app is legitimate and whether it has been tampered with or modified. But there are discrepancies in how these apps are cryptographically verified and how they are installed, which in turn allow the APK to be modified without breaking the signature. Thus a malicious author could trick Android into believing the installed app is unchanged from the original, even one provided by device makers.

"Details of Android security bug 8219321 were responsibly disclosed through Bluebox Security’s close relationship with Google in February 2013," he said. "It’s up to device manufacturers to produce and release firmware updates for mobile devices (and furthermore for users to install these updates). The availability of these updates will widely vary depending upon the manufacturer and model in question."

He also provided an example performed by the team that shows they were able to modify an Android device manufacturer's own app, allowing them to have access to any and all permissions. They were even able to modify the system-level software information to include the name "Bluebox" in the Baseband Version string, a value that is normally controlled and configured by the system firmware.

"This vulnerability, around at least since the release of Android 1.6 (codename: “Donut”), could affect any Android phone released in the last four years – or nearly 900 million devices – and depending on the type of application, a hacker can exploit the vulnerability for anything from data theft to creation of a mobile botnet," he said.

The question is, where do we go from here? Infected apps could already be listed on Google Play (which isn't exactly malware-free despite Google's efforts). The technical details surrounding the issue, including the related tools and material, won't be made public until Forristal's presentation at Black Hat USA 2013 in Las Vegas at the end of the month. However, Chester Wisniewski, a senior security adviser at Sophos, indicates the problem only resides with third-party markets.

"The risk is when users install applications from third-party websites," Wisniewski told NBC News via email. "This practice is ALWAYS dangerous, this just makes it extra difficult to determine if an app has been tampered with. It should be assumed that an app HAS been tampered with anytime it is acquired from a source other than the original manufacturer or the Play Store."

"I have not seen any evidence of Amazon being less thorough than Google, but have not personally investigated their processes," he added.

Forristal said his presentation will "review how the vulnerability was located, how an exploit was created, and why the exploit works, giving insight into the vulnerability problem and the exploitation process." Working proof-of-concept applications will also be running for all major Android device vendors.

Discuss
  • 7
    IAmVortigaunt, July 9, 2013 8:21 AM
    "It’s up to device manufacturers to produce and release firmware updates for mobile devices (and furthermore for users to install these updates). The availability of these updates will widely vary depending upon the manufacturer and model in question."

    Don't hold your breath...
  • 0
    rwinches, July 9, 2013 8:27 AM
    The fix has already been released
    http://tech2.in.com/news/software/google-releases-fix-to-oems-for-major-android-loophole/907298
  • 5
    velosteraptor, July 9, 2013 8:36 AM
    I find it ironic that this security company finds a pretty severe vulnerability that affects close to a billion devices, and by bringing it to Google's attention, also brings it to the attention of the world's hackers. It's more than likely that bringing this vulnerability to light will do much more harm than good, as 90% of Android phones will never get an update to fix the vulnerability.

    Fragmentation at its finest.
  • -3
    ccovemaker, July 9, 2013 8:42 AM
    A security company trying to sell products or services using a "security flaw" that only they knew about is not news.
  • 1
    sykozis, July 9, 2013 9:22 AM
    As usual, Toms is late to this story. This story ran last week on other sites.
  • -5
    sna, July 9, 2013 9:33 AM
    Hey guys, want to know the vulnerability in all MS Windows? It is inside the stupid Auto Update!

    Nothing is safe, trust me on that. There is a way to fool Windows for updates that are malware! ALWAYS.
  • 1
    dalethepcman, July 9, 2013 10:11 AM
    Once again Android security blown out of proportion.
    "The risk is when users install applications from third-party websites,"

    This article is like having a title of "Researchers found a flaw in every Apple device in the world, hackers rejoice." When the actual issue involves a USB drive physically connected to the machine.

    If you want to keep your phone (and all the data it contains) safe, don't use third-party app stores, don't directly download and install APKs.
  • 5
    maddad, July 9, 2013 10:33 AM
    It always amazes me how you can say something bad about iOS or Windows all day long, but if you say something bad about Android people want to cry foul. Android is not perfect, and it never will be. Just like any other operating system, there will be bugs and hackers will find a way to exploit these bugs. The main problem with Android is that Google will of course patch any bugs they find, but because of the fragmentation, your phone manufacturer may not patch your particular version. "Details of Android security bug 8219321 were responsibly disclosed through Bluebox Security’s close relationship with Google in February 2013." It was reported to Google 5 months ago, plenty of time to issue a patch. One company says it can affect any Android app. Another security company says only third-party apps. Who can we believe? I would say only "Google"! But I haven't seen a response from them yet!
  • 1
    ninjustin, July 9, 2013 12:07 PM
    The problem with this is, there's not really a problem. Only if you call clicking on a random link on a web page and allowing it to download and install apps on your phone a security flaw.

    Updates should come directly from the app store you are using and not directly from a site unless you know the source is absolutely trustworthy.

    This is basic security on any OS.
  • -3
    Estix, July 9, 2013 12:15 PM
    "News flash: installing a virus on your phone may cause your phone to get infected with a virus"
  • -2
    __-_-_-__, July 9, 2013 1:51 PM
    No worries. Tizen is on the way. A truly open OS.
  • 4
    back_by_demand, July 9, 2013 2:47 PM
    "No worries. Tizen is on the way. A truly open OS."

    So, it will be immune to virus, malware, vulnerabilities and stupid users?

    What f**king planet are you on?
  • 2
    sundragon, July 9, 2013 4:21 PM
    Quote:
    Once again Android security blown out of proportion.
    "The risk is when users install applications from third-party websites,"

    This article is like having a title of "Researchers found a flaw in every Apple device in the world, hackers rejoice." When the actual issue involves a USB drive physically connected to the machine.

    If you want to keep your phone (and all the data it contains) safe, don't use third-party app stores, don't directly download and install APKs.


    Actually, it's a huge issue for everyone who doesn't use the Google Play store - Most of China and the rest of the world use third-party Android stores... Saying this is blown out of proportion is apologizing for Google's huge mistake - Most of the planet doesn't use the Google Play store and unless they bought a Google or Samsung device, there is a snowball's chance in hell they are gonna get an update. Before you can utter "root" that is not an acceptable answer for 99.9% of the Android users who are not techy people... As a matter of principle, manufacturers and Google should provide free updates for security to protect their users. Google designed the OS in a flawed manner.

    This issue illustrates the broken update system Google chose for Android - I bought a Google Nexus and I recommend Samsung devices for friends who want Android because they are supported.

    Android is based on Linux that gets updates all the time. It runs on waaaay more hardware than all the Android handsets put together. Google chose a stupid way to design an OS (No separation of hardware drivers from core OS) and this is what happens. It would be like Dell saying your year old laptop is stuck on Vista and we'll decide when to give you an OS update or security fix... Oh you want an update, buy a new laptop... What, your year old Toyota has a faulty brake line, sorry no recall, you'll have to buy a new Toyota... If this situation was placed in any other customer support example it would be criminal.

    FWIW, iOS 7 will work on the iPhone 4, which is now almost 4 years old. It may not have all the bells and whistles but it's more than any 4 year old Android device.

    The sad thing is that even if Jelly Bean 4.2.2 has the flaw, it can run on most of your devices with dual core SOCs - which means almost any Android device that's 2-4 years old...

    Lame beans and they need to fix this by fixing the core of the issue instead of issuing bandaids - Redesign the way the OS is built so manufacturers can build the drivers but the core OS gets updates regularly.

    Google is far from stupid, they just don't want to take on the overhead of managing an OS, which leaves their users high and dry - If MS can do it and ALL the (free open sourced) Linux distributions can do it, the mighty all knowing Google should grow up and do it as well...

    P.S. this is the primary reason Android is panned for most intelligence and security uses - there is no proper update system which is utterly unacceptable.
  • 0
    olaf, July 9, 2013 10:18 PM
    First off, this is OOOOOOOOLLLLLDDDDD news; people have been banging this drum since Friday at the least, if not earlier. Second, it doesn't affect you if you stick to the Play Store and not some shady market or forum for hacked APKs. Also, if you don't have "unknown sources" selected, it doesn't affect you. Media exaggerating again without stating all the facts.
  • 1
    okibrian, July 9, 2013 11:46 PM
    Quote:
    The fix has already been released
    http://tech2.in.com/news/software/google-releases-fix-to-oems-for-major-android-loophole/907298


    Wow! That was fast. It only took them 4 years to find and fix it.
  • 0
    okibrian, July 9, 2013 11:53 PM
    Quote:
    The problem with this is, there's not really a problem. Only if you call clicking on a random link on a web page and allowing it to download and install apps on your phone a security flaw.

    Updates should come directly from the app store you are using and not directly from a site unless you know the source is absolutely trustworthy.

    This is basic security on any OS.


    Really? Try clicking on that link on any unjailbroken iOS device and let me know what happens. Here's a hint, it will not install.
  • 0
    sna, July 10, 2013 7:53 AM
    Quote:
    Quote:
    Once again Android security blown out of proportion.
    "The risk is when users install applications from third-party websites,"

    This article is like having a title of "Researchers found a flaw in every Apple device in the world, hackers rejoice." When the actual issue involves a USB drive physically connected to the machine.

    If you want to keep your phone (and all the data it contains) safe, don't use third-party app stores, don't directly download and install APKs.


    Actually, it's a huge issue for everyone who doesn't use the Google Play store - Most of China and the rest of the world use third-party Android stores... Saying this is blown out of proportion is apologizing for Google's huge mistake - Most of the planet doesn't use the Google Play store and unless they bought a Google or Samsung device, there is a snowball's chance in hell they are gonna get an update. Before you can utter "root" that is not an acceptable answer for 99.9% of the Android users who are not techy people... As a matter of principle, manufacturers and Google should provide free updates for security to protect their users. Google designed the OS in a flawed manner.

    This issue illustrates the broken update system Google chose for Android - I bought a Google Nexus and I recommend Samsung devices for friends who want Android because they are supported.

    Android is based on Linux that gets updates all the time. It runs on waaaay more hardware than all the Android handsets put together. Google chose a stupid way to design an OS (No separation of hardware drivers from core OS) and this is what happens. It would be like Dell saying your year old laptop is stuck on Vista and we'll decide when to give you an OS update or security fix... Oh you want an update, buy a new laptop... What, your year old Toyota has a faulty brake line, sorry no recall, you'll have to buy a new Toyota... If this situation was placed in any other customer support example it would be criminal.

    FWIW, iOS 7 will work on the iPhone 4, which is now almost 4 years old. It may not have all the bells and whistles but it's more than any 4 year old Android device.

    The sad thing is that even if Jelly Bean 4.2.2 has the flaw, it can run on most of your devices with dual core SOCs - which means almost any Android device that's 2-4 years old...

    Lame beans and they need to fix this by fixing the core of the issue instead of issuing bandaids - Redesign the way the OS is built so manufacturers can build the drivers but the core OS gets updates regularly.

    Google is far from stupid, they just don't want to take on the overhead of managing an OS, which leaves their users high and dry - If MS can do it and ALL the (free open sourced) Linux distributions can do it, the mighty all knowing Google should grow up and do it as well...

    P.S. this is the primary reason Android is panned for most intelligence and security uses - there is no proper update system which is utterly unacceptable.


    That's why I am waiting for Ubuntu Phones. I hope they succeed and replace Android.

    http://www.ubuntu.com/phone

  • 0
    dalethepcman, July 25, 2013 10:32 AM
    Quote:
    Actually, it's a huge issue for everyone who doesn't use the Google Play store - Most of China and the rest of the world use third party Android stores... Most of the planet doesn't use the Google Play store and unless they bought a Google or Samsung device....

    I bought a Google Nexus and I recommend Samsung devices for friends who want Android because they are supported.

    ....Redesign the way the OS is built so manufacturers can build the drivers but the core OS gets updates regularly.

    P.S. this is the primary reason Android is panned for most intelligence and security uses - there is no proper update system which is utterly unacceptable.


    "Most the planet doesn't use the play store." - This is installed by default on EVERY Android device. How can you honestly say most the planet doesn't use it? That's like saying most iPhone users don't use iTunes. What planet are you from?

    "I bought a Google Nexus and I recommend Samsung devices for friends who want Android because they are supported." - I can tell you with 100% certainty, that Nexus devices receive updates and Samsung (and all other) devices do not with very very few exceptions.

    "Redesign the way the OS is built so manufacturers can build the drivers but the core OS gets updates regularly" - The reason Android phones don't get updates has nothing to do with drivers, and everything to do with making money. Why would a for-profit company want to give its customers free updates, when they have been willing to pay hundreds of dollars for them? The update problem is not so much Google's as they release updates for any vanilla Android devices, it is the manufacturers' and carriers' as they choose to not update users' phones so they will have to buy a replacement device.

    Google doesn't care if you buy a new Android phone, they make their $'s off you having any Android phone. Manufacturers and carriers make their $'s from selling you new hardware and overpriced contracts.

    p.s. Android phones are not secure, that's why every security agency uses and approves of them...
    CNET
    Engadget
    CNN