NEW YORK, July 4 2013 – A mobile security research startup called Bluebox announced via a blog post that it has discovered a security vulnerability with the Android operating system security model with “huge” implications, according to Bluebox Chief Technical Officer Jeff Forristal. The vulnerability affects any Android device released in the last 4 years, some 900 million devices.
Here’s what you need to know:
All Android applications contain a cryptographic signature, or in lay terms, a digital fingerprint which is used to determine the applications authenticity and integrity. The vulnerability exploits this check and balance system by allowing changes to the applications installer package file (APK), changing the very nature of the application itself without breaking the coded signature or fingerprint of the installation package, allowing a malicious application author to essentially trick you (and your Android device) into accepting the modified application.
Assuming Google Play does not detect the application and publishes the malicious app for user download, a user looking for “Angry Birds” in the Google Play store could accidentally pick the wrong application and be served up a Trojan that could take over the entire device, soup to nuts.
Forristal noted that, “Installation of a Trojan application from the device manufacturer can grant the application full access to Android system and all applications (and their data) currently installed. The application then not only has the ability to read arbitrary application data on the device (email, SMS messages, documents, etc.), retrieve all stored account & service passwords, it can essentially take over the normal functioning of the phone and control any function thereof (make arbitrary phone calls, send arbitrary SMS messages, turn on the camera, and record calls). Finally, and most unsettling, is the potential for a hacker to take advantage of the always-on, always-connected, and always-moving (therefore hard-to-detect) nature of these “zombie” mobile devices to create a botnet.”
According to Forristal, Bluebox was able to gain “any and all” permissions on the device using the exploit. He went on to say that it is up to the device manufacturers to develop and push firmware updates for their own devices, and get users to install the updates. Google has yet to comment publicly on the discovery.
How to protect your device:
While the vulnerability exists, Android users should be especially cautious to download and install applications only from trusted, well-known publishers. Enterprise security managers are encouraged to reevaluate device management and look deeper into device integrity and policies that secure corporate data. As always, users should always keep devices updated with the latest operating system updates. Users can track updates to this vulnerability by following @Blueboxsec on twitter.
This article is the copyrighted property of the writer and Communities @ WashingtonTimes.com. Written permission must be obtained before reprint in online or print media. REPRINTING TWTC CONTENT WITHOUT PERMISSION AND/OR PAYMENT IS THEFT AND PUNISHABLE BY LAW.