Android 'master key' flaw leaves 99 percent of Google devices open to attack

Hackers could cause havoc if exploited, warns Bluebox Security
Thu Jul 04 2013, 15:10

SECURITY OUTFIT Bluebox has reported that a vulnerability in 99 percent of all Android devices could be used to hack into companies' networks.

Bluebox Security CTO Jeff Forristal said that the flaw, if exploited by hackers, could be used to turn legitimate applications on the device into defence-dodging Trojans.

"The Bluebox Security research team recently discovered a vulnerability in Android's security model that allows a hacker to modify APK code without breaking an application's cryptographic signature, to turn any legitimate application into a malicious Trojan, completely unnoticed by the app store, the phone, or the end user," he wrote.

The vulnerability reportedly has been present since Android 1.6 and could be used to target any Google phone or tablet released in the last four years, including popular handsets like the HTC One and Samsung Galaxy S4.

Forristal said the vulnerability is particularly dangerous because of the way many big companies have granted Android devices running on their networks additional privileges.

"While the risk to the individual and the enterprise is great (a malicious app can access individual data, or gain entry into an enterprise), this risk is compounded when you consider applications developed by the device manufacturers (e.g. HTC, Samsung, Motorola, LG) or third-parties that work in co-operation with the device manufacturer (e.g. Cisco with Anyconnect VPN) that are granted special elevated privileges within Android - specifically System UID access," he wrote.

The Bluebox CTO added that the vulnerability could also theoretically be used to set up an Android botnet, letting criminals use millions of Android devices for their own ends. Were that to happen, the botnet could cause havoc, letting criminals mount numerous denial of service attacks or rake in billions of pounds via spam campaigns and the like.

At the time of publishing Google had not responded to The INQUIRER's request for comment on Bluebox's research.

F-Secure security expert Sean Sullivan told The INQUIRER that while Bluebox's research looks legitimate, the potential for harm is limited and the problem could be solved in a variety of ways. "The real question is how practical is it? That cannot be known until the details are disclosed at Black Hat," he said.

"From our reading of Bluebox's post, the issue is something that Google Play could be able to (or already does) mitigate. Interaction with Play would cause Google to recognise the altered apps. But there could be an issue with apps from third-party markets. All in all, it is difficult to determine if this vulnerability makes for something useful in terms of crimeware. So there's no way yet to say if consumers and/or businesses should be concerned."

In the interim before Black Hat, Forristal said businesses should rethink their bring your own device (BYOD) policies as regards Android. "Device owners should be extra cautious in identifying the publisher of the app they want to download. Enterprises with BYOD implementations should use this news to prompt all users to update their devices, and to highlight the importance of keeping their devices updated," he wrote.

"IT should see this vulnerability as another driver to move beyond just device management to focus on deep device integrity checking and securing corporate data."

Bluebox didn't mention whether any company with a stake in the smartphone market had sponsored its research targeting Android security. µ
