Vulnerabilities in Google’s Android platform may be discovered on a fairly regular basis, but few date as far back as a flaw revealed by Bluebox Security last night, which appears to put 99 per cent of Android devices at risk of being hacked.
“The implications are huge!” claims Bluebox CTO Jeff Forristal, who outlined the vulnerability in a blog post. The company’s researchers found that hackers can meddle with an application without breaking its cryptographic signature (and thus alerting Android to the changes), allowing ‘legitimate’ apps to be installed with malicious Trojans capable of stealing and spying on a device’s data.
Alarmingly, the flaw has existed since the release of the Android 1.6 ‘Donut’ OS some four years ago, now a distant memory, meaning 99 per cent of current Android devices are in danger of being compromised. That’s a staggering 900 million phones and tablets.
Forristal warns that the vulnerability can enable hackers to effectively seize control of the victim’s device, granting the ability to spy on texts, emails and other files, make and record calls, steal data, and even establish mobile botnets.
Yet keeping the infected app’s cryptographic signature intact means the Google Play store, the phone itself, and the end user are likely to remain unaware of the malicious activity taking place. As the Bluebox CTO states, the vulnerability is “essentially allowing a malicious author to trick Android into believing the app is unchanged even if it has been.”
Pointing out that Trojans could be gaining entry to the enterprise via the individual as well as stealing their data, Forristal adds that “this risk is compounded when you consider applications developed by the device manufacturers (e.g. HTC, Samsung, Motorola, LG) or third-parties that work in cooperation with the device manufacturer (e.g. Cisco with AnyConnect VPN) – that are granted special elevated privileges within Android – specifically System UID access.”
Details of the flaw were shared with Google back in February 2013, the blog states, but firmware updates to fix the issue will depend on the device manufacturer and model in question.
Google has remained tight-lipped on the problem since the revelations last night, perhaps indicating the flaw has still not been fully shored up. Stay with ITProPortal for news on a fix, as and when it emerges.