All the latest UK technology news, reviews and analysis


Android master key leaves 99 percent of Google smartphone and tablet users open to attack

04 Jul 2013
key-to-the-kingdom

A vulnerability in 99 percent of all Android devices could be used to hack into companies' networks, according to Bluebox security, in what appears to be one of the worst exploits of the open operating system seen in recent months.

Bluebox Security chief technology officer Jeff Forristal said, if exploited by hackers, the flaw could be used to turn legitimate applications on the device into defence-dodging Trojans.

"The Bluebox Security research team recently discovered a vulnerability in Android's security model that allows a hacker to modify APK code without breaking an application's cryptographic signature, to turn any legitimate application into a malicious Trojan, completely unnoticed by the app store, the phone, or the end user," he wrote.

The vulnerability has reportedly been around since Android 1.6 Jelly Bean and could be used to target any Google phone or tablet released in the last four years, including popular handsets like the HTC One and Samsung Galaxy S4.

Forristal said the vulnerability is particularly dangerous because of the way many big-name companies have granted Android devices running on their networks additional privileges.

"While the risk to the individual and the enterprise is great (a malicious app can access individual data, or gain entry into an enterprise), this risk is compounded when you consider applications developed by the device manufacturers (e.g. HTC, Samsung, Motorola, LG) or third-parties that work in co-operation with the device manufacturer (e.g. Cisco with AnyConnect VPN) that are granted special elevated privileges within Android – specifically System UID access," he wrote.

The Bluebox chief added that the vulnerability could also theoretically be used to set up an Android botnet, letting criminals use millions of Android devices to their ends. Were the event to occur, the network could cause havoc, letting criminals mount numerous denial-of-service attacks, or rake in billions of pounds via spam campaigns and the like.

At the time of publishing Google had not responded to V3's request for comment on Bluebox's research. F-Secure security expert Sean Sullivan told V3 while BlueBox's research looks legitimate, the potential for harm is limited and could be solved in a variety of ways. "The real question is how practical is it? That cannot be known until the details are disclosed at Black Hat," he said.

"From our reading of Bluebox's post, the issue is something that Google Play could be able to (or already does) mitigate. Interaction with Play would cause Google to recognise the altered apps. But there could be an issue with apps from third-party markets. All in all, it is difficult to determine if this vulnerability makes for something useful in terms of crimeware. So there's no way yet to say if consumers and/or businesses should be concerned."

In the interim before Black Hat, Forristal said business should rethink their bring your own device (BYOD) policies as regards Android. "Device owners should be extra cautious in identifying the publisher of the app they want to download. Enterprises with BYOD implementations should use this news to prompt all users to update their devices, and to highlight the importance of keeping their devices updated," he wrote.

"IT should see this vulnerability as another driver to move beyond just device management to focus on deep device integrity checking and securing corporate data."

  • Comment  
  • Tweet  
  • Google plus  
  • Facebook  
  • LinkedIn  
  • Stumble Upon  
Alastair Stevenson
About

Alastair has worked as a reporter covering security and mobile issues at V3 since March 2012. Before entering the field of journalism Alastair had worked in numerous industries as both a freelance copy writer and artist.

View Alastair's Google+ profile

More on Security
What do you think?
blog comments powered by Disqus
Poll

Windows 10 poll

What are your first impressions of Windows 10?
13%
3%
10%
4%
22%
4%
44%

Popular Threads

Powered by Disqus
V3 Sungard roundtable event - Cloud computing security reliability and scalability discussion

CIOs debate how to overhaul businesses for the digital era

V3 hosts roundtable with Sungard Availability Services

Updating your subscription status Loading
Newsletters

Get the latest news (daily or weekly) direct to your inbox with V3 newsletters.

newsletter sign-up button
hpv3may

Getting started with virtualisation

Virtualisation can help you reduce costs, improve application availability, and simplify IT
management. However, getting started can be challenging

ibmv3may

Converting big data and analytics insights into results

Successful leaders are infusing analytics throughout their organisations to drive smarter decisions, enable faster actions and optimise outcomes

.NET Developer, ASP.NET, C# - Computer Gaming Company - London

.NET Developer (ASP.NET, C#, C#.NET, VB.NET, dot NET...

ASP.NET MVC, C# Developer - World Class Entertainment Company

ASP.NET MVC, C# Developer (.NET, C#.NET, dot NET, Web...

C# Developer - Financial Consultancy - Limited Travel - London

C# Developer (.NET, ASP.NET, C#.NET, dot NET, Web Application...

SunSystems Technical Manager

SunSystems Technical Manager Summary: Sun Systems...
To send to more than one email address, simply separate each address with a comma.