Bluebox Security research team Bluebox Labs has discovered a security vulnerability that has quietly resided in Google's Android platform since the release of 1.6 "Donut."
Company CTO Jeff Forristal said in a recent blog that this newly-discovered vulnerability allows a hacker to modify APK code without breaking an application's cryptographic signature. That means any legitimate app, even Android system apps, can be turned into malware without Google Play, the device and the end-user being made aware of the change.
All Android apps contain cryptographic signatures which the platform uses to determine if the app is legitimate, and to determine if the app has been tampered with or modified. But there are discrepancies on how these apps are cryptographically verified and installed, which in turn allow the APK to be modified without breaking the code. Thus a malicious author could trick Android into believing the installed app is unchanged from the original, even one provided by device makers.
"Details of Android security bug 8219321 were responsibly disclosed through Bluebox Security’s close relationship with Google in February 2013," he said. "It’s up to device manufacturers to produce and release firmware updates for mobile devices (and furthermore for users to install these updates). The availability of these updates will widely vary depending upon the manufacturer and model in question."
He also provided an example performed by the team that shows they were able to modify an Android device manufacturer's own app, allowing them to have access to any and all permissions. They were even able to modify the system-level software information to include the name "Bluebox" in the Baseband Version string, a value that is normally controlled and configured by the system firmware.
"This vulnerability, around at least since the release of Android 1.6 (codename: “Donut”), could affect any Android phone released in the last four years – or nearly 900 million devices – and depending on the type of application, a hacker can exploit the vulnerability for anything from data theft to creation of a mobile botnet," he said.
The question is, where do we go from here? Infected apps could already be listed on Google Play (which isn't exactly malware-free despite Google's efforts). The technical details surrounding the issue, including the related tools and material, won't be made public until Forristal's presentation at Black Hat USA 2013 in Las Vegas at the end of the month. However, Chester Wisniewski, a senior security adviser at Sophos, indicates the problem only resides with third-party markets.
"The risk is when users install applications from third-party websites," Wisniewski told NBC News via email. "This practice is ALWAYS dangerous, this just makes it extra difficult to determine if an app has been tampered with. It should be assumed that an app HAS been tampered with anytime it is acquired from a source other than the original manufacturer or the Play Store."
"I have not seen any evidence of Amazon being less thorough than Google, but have not personally investigated their processes," he added.
Forristal said his presentation will "review how the vulnerability was located, how an exploit was created, and why the exploit works, giving insight into the vulnerability problem and the exploitation process." Working proof-of-concept applications will also be running for all major Android device vendors.