A mobile security company has discovered a security flaw in the Android operating system that surprisingly has been present since Android v1.6 (Donut). This affects close to 900 million Android smartphones released in the past four years which accounts to 99% of the devices.
The Bluebox Security research team discovered this security flaw and already reported it to Google last February. Google is already working on a patch to this problem for their Nexus devices. The Samsung Galaxy S4 is the only device so far to be already patched an unaffected by this.
Details of this flaw haven’t been revealed yet but the mobile security company plans to do it at the Black Hat USA conference later this month. What is known is that the flaw allows anyone to turn a legitimate app into a malicious one by modifying its APK code without breaking its cryptographic signature.
Every Android app has a cryptographic signature that is used to verify its authenticity. A hacker, with the use of a “master key”, can trick the Android operating system that an app is legitimate even if its code has already been changed.
Here’s how the company describes the flaw “Installation of a Trojan application from the device manufacturer can grant the application full access to Android system and all applications (and their data) currently installed. The application then not only has the ability to read arbitrary application data on the device (email, SMS messages, documents, etc.), retrieve all stored account & service passwords, it can essentially take over the normal functioning of the phone and control any function thereof (make arbitrary phone calls, send arbitrary SMS messages, turn on the camera, and record calls). Finally, and most unsettling, is the potential for a hacker to take advantage of the always-on, always-connected, and always-moving (therefore hard-to-detect) nature of these “zombie” mobile devices to create a botnet.”
Bluebox CTO Jeff Forristal even posted a screenshot in his blog post showing an HTC device after the exploit was done. It clearly shows “Bluebox” in the baseband version. This data is normally controlled and configured by the system.
Bluebox has provided information on how to avoid putting your device at risk
- Device owners should be extra cautious in identifying the publisher of the app they want to download.
- Enterprises with BYOD implementations should use this news to prompt all users to update their devices, and to highlight the importance of keeping their devices updated.
- IT should see this vulnerability as another driver to move beyond just device management to focus on deep device integrity checking and securing corporate data.