
Android security flaw spotted in China

17 Jul 2013

Researchers are sounding alarms over the discovery of yet another security vulnerability in the Android mobile platform.

The flaw, first spotted by researchers in China, would allow an attacker to modify a legitimately signed Android APK so that it runs malicious code while still passing the platform's package checks.

According to researchers at Sophos, the vulnerability lies in the way Android parses the compressed ZIP container that an APK is packaged in. By crafting the entry that holds an application's .dex file to a specific size, an attacker could get the platform to skip the legitimate code and run attack code in its place, without the signature check that is supposed to verify the package noticing the substitution.

The result, says Sophos researcher Paul Ducklin, is a method that could allow malware writers to modify legitimate applications, embed their attack code inside, and redistribute them.

“That's a bug in any language, and a discomfiting one for Google, whose security teams will surely consider this an elementary mistake that ought to have been caught in testing, if not during code review,” said Ducklin.

The discovery of the flaw comes in the wake of another high-profile security disclosure for the Android platform: the 'master key' vulnerability, which was reported to affect around 99 percent of Android devices.

According to Ducklin, the new security hole is not likely to be as prevalent: the attack only works when the target file meets specific size and naming constraints, and many Android applications do not appear to satisfy them.
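The article does not spell out the parsing detail behind these constraints, so what follows is added context and example code, not material from the article or from Sophos. The publicly documented cause of the 'extra field' flaw was that Android's Java-side APK verifier read the 16-bit extra-field length in each ZIP local file header as a signed value, while the native code that actually loaded the .dex read it as unsigned, as the ZIP specification requires. A length of 0xFFFD therefore means "skip 65,533 bytes" to one reader and "step back 3 bytes" to the other, so the two components disagree on where the entry's data begins. The Python script below (my own code, written for this page) builds a constructed one-entry ZIP with placeholder .dex bytes, patches that field, and reports every entry the two interpretations would place at different offsets; it doubles as a simple scanner for APKs that exhibit the mismatch. It only computes offsets and forges nothing.

```python
import io
import struct
import zipfile

# ZIP local file header layout (PKWARE APPNOTE 4.3.7), little-endian:
# signature, version, flags, method, mtime, mdate, crc32, csize, usize,
# name length, extra-field length. 30 bytes; the extra length is at byte 28.
LOCAL_SIG = 0x04034B50
LOCAL_FMT = "<IHHHHHIIIHH"
LOCAL_SIZE = struct.calcsize(LOCAL_FMT)
EXTRA_LEN_POS = 28


def read_extra_len(raw16, signed):
    """Interpret the 16-bit extra-field length the way each parser did:
    unsigned (the spec and the native loader) or as a Java short (the
    pre-fix verifier), where values >= 0x8000 wrap negative."""
    if signed and raw16 >= 0x8000:
        return raw16 - 0x10000  # 0xFFFD -> -3
    return raw16


def data_offset(zip_bytes, header_offset, signed_extra_len):
    """Offset at which the entry's data starts, according to the local header
    at header_offset and the chosen interpretation of the extra-field length."""
    hdr = zip_bytes[header_offset:header_offset + LOCAL_SIZE]
    fields = struct.unpack(LOCAL_FMT, hdr)
    if fields[0] != LOCAL_SIG:
        raise ValueError("no local file header at offset %d" % header_offset)
    name_len, raw_extra = fields[9], fields[10]
    extra_len = read_extra_len(raw_extra, signed_extra_len)
    return header_offset + LOCAL_SIZE + name_len + extra_len


def scan_local_headers(zip_bytes):
    """Walk the central directory and return (name, unsigned_offset,
    signed_offset) for every entry whose data the two readers would locate
    at different offsets. An empty list means the parsers agree."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            unsigned = data_offset(zip_bytes, info.header_offset, False)
            signed = data_offset(zip_bytes, info.header_offset, True)
            if unsigned != signed:
                findings.append((info.filename, unsigned, signed))
    return findings


def build_sample(extra_len_value=None):
    """Constructed sample (not a real APK): a one-entry ZIP holding a stored
    'classes.dex' made of placeholder bytes. If extra_len_value is given, the
    local header's extra-field length is overwritten with it, without adding
    any bytes, to mimic the malformed header the two parsers disagree on."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 24)
    data = bytearray(buf.getvalue())
    if extra_len_value is not None:
        with zipfile.ZipFile(io.BytesIO(bytes(data))) as zf:
            off = zf.getinfo("classes.dex").header_offset
        struct.pack_into("<H", data, off + EXTRA_LEN_POS, extra_len_value)
    return bytes(data)


if __name__ == "__main__":
    print("clean sample:  ", scan_local_headers(build_sample()))
    print("patched sample:", scan_local_headers(build_sample(0xFFFD)))
```

In the patched sample the unsigned reader places the data at offset 65574, while the signed reader places it at offset 38, three bytes before the end of the name "classes.dex"; the two readers are exactly 65,536 bytes apart, and the size and naming constraints Ducklin mentions follow from the legitimate and attacker-supplied code each having to sit where its reader will look. Two caveats for anyone using this as a scanner: an extra field of 32 KiB or more is legal under the ZIP specification, so a hit is a signal to inspect rather than proof of tampering, and the platform-side fix was simply to read the field as unsigned, which makes the two offsets coincide.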

Google has already addressed the flaw, and the fix is delivered to devices through firmware updates.

As Ducklin noted, however, Android's reliance on hardware vendors to distribute updates could leave many users on devices that remain vulnerable to attack.

“Although Google has indeed responded quickly by patching both holes, and should be commended for its efficiency, that doesn't get the fixes out into the wider world,” he said.

“It remains to be seen how hard Mountain View will lean on its many handset licensees to push out firmware updates for the 'extra field' and 'master key' flaws, since they go to the heart of application verification on the Android platform.”

Shaun Nichols

Shaun Nichols is the site's US correspondent. He has been with the company since 2006, originally joining as a news intern at the site's San Francisco offices.
