Android master key leaves 99 percent of Google smartphone and tablet users open to attack

04 Jul 2013

A vulnerability in 99 percent of all Android devices could be used to hack into companies' networks, according to Bluebox Security, in what appears to be one of the worst exploits of the open operating system seen in recent months.

Bluebox Security chief technology officer Jeff Forristal said, if exploited by hackers, the flaw could be used to turn legitimate applications on the device into defence-dodging Trojans.

"The Bluebox Security research team recently discovered a vulnerability in Android's security model that allows a hacker to modify APK code without breaking an application's cryptographic signature, to turn any legitimate application into a malicious Trojan, completely unnoticed by the app store, the phone, or the end user," he wrote.

The vulnerability has reportedly been around since Android 1.6 Jelly Bean and could be used to target any Google phone or tablet released in the last four years, including popular handsets like the HTC One and Samsung Galaxy S4.

Forristal said the vulnerability is particularly dangerous because of the way many big-name companies have granted Android devices running on their networks additional privileges.

"While the risk to the individual and the enterprise is great (a malicious app can access individual data, or gain entry into an enterprise), this risk is compounded when you consider applications developed by the device manufacturers (e.g. HTC, Samsung, Motorola, LG) or third-parties that work in co-operation with the device manufacturer (e.g. Cisco with AnyConnect VPN) that are granted special elevated privileges within Android – specifically System UID access," he wrote.

The Bluebox chief added that the vulnerability could also theoretically be used to set up an Android botnet, letting criminals use millions of Android devices to their ends. Were the event to occur, the network could cause havoc, letting criminals mount numerous denial-of-service attacks, or rake in billions of pounds via spam campaigns and the like.

At the time of publishing, Google had not responded to V3's request for comment on Bluebox's research. F-Secure security expert Sean Sullivan told V3 that while Bluebox's research looks legitimate, the potential for harm is limited and the issue could be solved in a variety of ways. "The real question is how practical is it? That cannot be known until the details are disclosed at Black Hat," he said.

"From our reading of Bluebox's post, the issue is something that Google Play could be able to (or already does) mitigate. Interaction with Play would cause Google to recognise the altered apps. But there could be an issue with apps from third-party markets. All in all, it is difficult to determine if this vulnerability makes for something useful in terms of crimeware. So there's no way yet to say if consumers and/or businesses should be concerned."

In the interim before Black Hat, Forristal said businesses should rethink their bring your own device (BYOD) policies as regards Android. "Device owners should be extra cautious in identifying the publisher of the app they want to download. Enterprises with BYOD implementations should use this news to prompt all users to update their devices, and to highlight the importance of keeping their devices updated," he wrote.

"IT should see this vulnerability as another driver to move beyond just device management to focus on deep device integrity checking and securing corporate data."

Alastair Stevenson

Alastair has worked as a reporter covering security and mobile issues at V3 since March 2012. Before entering the field of journalism Alastair had worked in numerous industries as both a freelance copy writer and artist.
