A vulnerability in 99 percent of all Android devices could be used to hack into companies' networks, according to Bluebox security, in what appears to be one of the worst exploits of the open operating system seen in recent months.
Bluebox Security chief technology officer Jeff Forristal said, if exploited by hackers, the flaw could be used to turn legitimate applications on the device into defence-dodging Trojans.
"The Bluebox Security research team recently discovered a vulnerability in Android's security model that allows a hacker to modify APK code without breaking an application's cryptographic signature, to turn any legitimate application into a malicious Trojan, completely unnoticed by the app store, the phone, or the end user," he wrote.
The vulnerability has reportedly been around since Android 1.6 Jelly Bean and could be used to target any Google phone or tablet released in the last four years, including popular handsets like the HTC One and Samsung Galaxy S4.
Forristal said the vulnerability is particularly dangerous because of the way many big-name companies have granted Android devices running on their networks additional privileges.
"While the risk to the individual and the enterprise is great (a malicious app can access individual data, or gain entry into an enterprise), this risk is compounded when you consider applications developed by the device manufacturers (e.g. HTC, Samsung, Motorola, LG) or third-parties that work in co-operation with the device manufacturer (e.g. Cisco with AnyConnect VPN) that are granted special elevated privileges within Android – specifically System UID access," he wrote.
The Bluebox chief added that the vulnerability could also theoretically be used to set up an Android botnet, letting criminals use millions of Android devices to their ends. Were the event to occur, the network could cause havoc, letting criminals mount numerous denial-of-service attacks, or rake in billions of pounds via spam campaigns and the like.
At the time of publishing Google had not responded to V3's request for comment on Bluebox's research. F-Secure security expert Sean Sullivan told V3 while BlueBox's research looks legitimate, the potential for harm is limited and could be solved in a variety of ways. "The real question is how practical is it? That cannot be known until the details are disclosed at Black Hat," he said.
"From our reading of Bluebox's post, the issue is something that Google Play could be able to (or already does) mitigate. Interaction with Play would cause Google to recognise the altered apps. But there could be an issue with apps from third-party markets. All in all, it is difficult to determine if this vulnerability makes for something useful in terms of crimeware. So there's no way yet to say if consumers and/or businesses should be concerned."
In the interim before Black Hat, Forristal said business should rethink their bring your own device (BYOD) policies as regards Android. "Device owners should be extra cautious in identifying the publisher of the app they want to download. Enterprises with BYOD implementations should use this news to prompt all users to update their devices, and to highlight the importance of keeping their devices updated," he wrote.
"IT should see this vulnerability as another driver to move beyond just device management to focus on deep device integrity checking and securing corporate data."