
Android security hole leaves devices vulnerable

By Kirsten Doyle, ITWeb contributor.
Johannesburg, 04 Jul 2013

A vulnerability in Android's security code has been uncovered by Bluebox Security. The flaw lets hackers alter legitimate, digitally-signed Android application package code.

The vulnerability allows hackers to do this without breaking an application's cryptographic signature, which allows them to turn any legitimate application into a malicious Trojan that goes undetected by the app store, the phone, and the user.

The flaw could be used to jailbreak the device, and legitimate apps could be injected with malicious code that would allow hackers to read the user's sensitive personal data, send SMS messages, create mobile botnets, and even gain access to login details and account information.

Bluebox said it notified Google of the exploit in February. It added that the vulnerability has existed at least since the release of Android 1.6 "Donut", and could affect any Android phone released in the last four years, an estimated 900 million devices.

Bluebox CTO Jeff Forristal says the issue is compounded by applications developed and pre-installed by the device manufacturers: these are platform-signed, and are granted system-level access that is one layer away from root access.

This means that should attackers gain access to a platform-signed application, they can access the full Android system, along with all currently installed applications and their data, he explains.

In this case, the application can essentially take over the normal functioning of the phone and control any function, including making calls, sending messages and turning on the camera.

What to do

According to Threatpost, although widespread and potentially harmful, the vulnerability is relatively easy and painless to fix. Forristal says the fix is two lines of code in a specific location and requires a firmware update to the device.

He says the responsibility lies with the handset manufacturers to produce and release these firmware updates, and with the end-user to install them. "The availability of these updates will widely vary depending upon the manufacturer and model in question."

Forristal recommends users exercise extra caution when identifying the publisher of any app they are planning to download.

In addition, he says organisations with BYOD implementations should instruct all users to update their devices, and highlight the importance of keeping their devices updated at all times.

"IT should see this vulnerability as another driver to move beyond just device management to focus on deep device integrity checking and securing corporate data."
