All the latest UK technology news, reviews and analysis


Android security flaw spotted in China

17 Jul 2013
Google Android Malware

Researchers are sounding alarms over the discovery of yet another security vulnerability in the Android mobile platform.

The flaw, first spotted by researchers in China, would potentially allow an attacker to manipulate an otherwise legitimate Android APK to execute malicious code without detection by the system.

According to researchers at Sophos, the vulnerability itself lies in the way Android handles the compressed APK files themselves. By modifying an application's .dex file to be a certain size, an attacker could potentially instruct the system to skip the execution of legitimate code and instead run attack code.

The result, says Sophos researcher Paul Ducklin, is a method which could allow malware writers to modify and redistribute applications with their attack code embedded inside.

“That's a bug in any language, and a discomfiting one for Google, whose security teams will surely consider this an elementary mistake that ought to have been caught in testing, if not during code review,” said Ducklin.

The discovery of the flaw comes in the wake of another high-profile security disclosure for the Android platform. Known as the 'master lock' vulnerability, that flaw afflicts around 99 percent of Android devices.

According to Ducklin, the new security hole is not likely to be as prevalent. He noted that implementing the attack requires files to be a specific size and length as well as a certain name. He noted that many Android applications do not appear to be compatible with the attack technique.

The flaw has already been addressed by Google and can be patched by installing the latest firmware updates from the company.

As Ducklin noted, however, the Android ecosystem, which relies on hardware vendors to distribute updates, could leave many users running devices that are still vulnerable to attack.

“Although Google has indeed responded quickly by patching both holes, and should be commended for its efficiency, that doesn't get the fixes out into the wider world,” he said.

“It remains to be seen how hard Mountain View will lean on its many handset licensees to push out firmware updates for the 'extra field' and 'master key' flaws, since they go to the heart of application verification on the Android platform.”

  • Comment  
  • Tweet  
  • Google plus  
  • Facebook  
  • LinkedIn  
  • Stumble Upon  
Shaun Nichols
About

Shaun Nichols is the US correspondent for V3.co.uk. He has been with the company since 2006, originally joining as a news intern at the site's San Francisco offices.

More on Security
What do you think?
blog comments powered by Disqus
Poll

BYOD vs CYOD vs BYOC poll

Which approach is your firm taking to managing employees' mobile devices?
21%
13%
4%
21%
31%
10%

Popular Threads

Powered by Disqus
Sony Xperia Z2 Tablet powered by Android KitKat 4.4

Sony Xperia Z2 Tablet video

We take a look at the lightweight, waterproof tablet

Updating your subscription status Loading
Newsletters

Get the latest news (daily or weekly) direct to your inbox with V3 newsletters.

newsletter sign-up button
hpv33

Data protection: the key challenges

Deduplication is a foundational technology for efficient backup and recovery

rdc2

iPad makes its mark in the enterprise

The iPad can become a supercharged unified communications endpoint, allowing users to enhance their productivity

Software Development Engineer

Develop: Customise: Configure. Maximise your technical...

Service Desk / Helpdesk / Desktop Analyst - Marlow

We are looking for a friendly, reliable and experienced...

MS Dynamics Solution Architect

Background Rapha creates the finest cycling clothing...

Project Manager

Hotcourses – Project Manager Salary - £30k to £38k...
To send to more than one email address, simply separate each address with a comma.