All the latest UK technology news, reviews and analysis


Android security flaw spotted in China

17 Jul 2013
Google Android Malware

Researchers are sounding alarms over the discovery of yet another security vulnerability in the Android mobile platform.

The flaw, first spotted by researchers in China, would potentially allow an attacker to manipulate an otherwise legitimate Android APK to execute malicious code without detection by the system.

According to researchers at Sophos, the vulnerability itself lies in the way Android handles the compressed APK files themselves. By modifying an application's .dex file to be a certain size, an attacker could potentially instruct the system to skip the execution of legitimate code and instead run attack code.

The result, says Sophos researcher Paul Ducklin, is a method which could allow malware writers to modify and redistribute applications with their attack code embedded inside.

“That's a bug in any language, and a discomfiting one for Google, whose security teams will surely consider this an elementary mistake that ought to have been caught in testing, if not during code review,” said Ducklin.

The discovery of the flaw comes in the wake of another high-profile security disclosure for the Android platform. Known as the 'master lock' vulnerability, that flaw afflicts around 99 percent of Android devices.

According to Ducklin, the new security hole is not likely to be as prevalent. He noted that implementing the attack requires files to be a specific size and length as well as a certain name. He noted that many Android applications do not appear to be compatible with the attack technique.

The flaw has already been addressed by Google and can be patched by installing the latest firmware updates from the company.

As Ducklin noted, however, the Android ecosystem, which relies on hardware vendors to distribute updates, could leave many users running devices that are still vulnerable to attack.

“Although Google has indeed responded quickly by patching both holes, and should be commended for its efficiency, that doesn't get the fixes out into the wider world,” he said.

“It remains to be seen how hard Mountain View will lean on its many handset licensees to push out firmware updates for the 'extra field' and 'master key' flaws, since they go to the heart of application verification on the Android platform.”

  • Comment  
  • Tweet  
  • Google plus  
  • Facebook  
  • LinkedIn  
  • Stumble Upon  
Shaun Nichols
About

Shaun Nichols is the US correspondent for V3.co.uk. He has been with the company since 2006, originally joining as a news intern at the site's San Francisco offices.

More on Security
What do you think?
blog comments powered by Disqus
Poll

Windows 10 poll

What are your first impressions of Windows 10?
12%
5%
10%
4%
20%
3%
46%

Popular Threads

Powered by Disqus
V3 Sungard roundtable event - Cloud computing security reliability and scalability discussion

CIOs debate how to overhaul businesses for the digital era

V3 hosts roundtable with Sungard Availability Services

Updating your subscription status Loading
Newsletters

Get the latest news (daily or weekly) direct to your inbox with V3 newsletters.

newsletter sign-up button
hpv3may

Getting started with virtualisation

Virtualisation can help you reduce costs, improve application availability, and simplify IT
management. However, getting started can be challenging

ibmv3may

Converting big data and analytics insights into results

Successful leaders are infusing analytics throughout their organisations to drive smarter decisions, enable faster actions and optimise outcomes

PHP Web Developer - Milton Keynes

PHP Developer - MySQL / HTML / CSS / JavaScript - Innovative...

Senior Server Engineer/3rd Line Support

DV Cleared Senior Server Engineer/3rd Line Support Engineer...

1st Line Application Support - Southampton, Hampshire - £20K

1st Line Application Support - Southampton, Hampshire...

Java Software Engineer

Role: Java Software Engineer Duration: 6 months...
To send to more than one email address, simply separate each address with a comma.