Android ‘Master Key’ Security Hole
18 July, 2013
Mobile security startup Bluebox Security has unearthed vulnerability in Android’s security model which it says means that the nearly 900 million Android phones released in the past four years worldwide could be exploited, or some 99% of Android devices. The vulnerability has apparently been around since Android v1.6 (Donut), and was disclosed by the firm to Google back in February. The Samsung Galaxy S4 has already apparently been patched.
The vulnerability apparently allows a hacker to turn a legitimate app
into a malicious Trojan by modifying APK code without breaking the app’s cryptographic signature. Bluebox says the flaw exploits discrepancies in how Android apps are cryptographically verified and installed. Specifically it allows a hacker to change an app’s code, leaving its cryptographic signature unchanged — thereby tricking Android into believing the app itself is unchanged, and allowing the hacker to wreak their merry havoc.
Installation of a Trojan application from the device manufacturer can grant the application full access to Android system and all applications (and their data) currently installed. The application then not only has the ability to read arbitrary application data on the device (email, SMS messages, documents, etc.), retrieve all stored account & service passwords, it can essentially take over the normal functioning of the phone and control any function thereof (make arbitrary phone calls, send arbitrary SMS messages, turn on the camera, and record calls). Finally, and most unsettling, is the potential for a hacker to take advantage of the always-on, always-connected, and always-moving (therefore hard-to-detect) nature of these “zombie” mobile devices to create a botnet.
While 99% of Android phones being technically vulnerable to app hackers is a tough stat to ignore, it’s worth emphasizing that just because such a flaw (apparently) exists it doesn’t mean it has or will be widely exploited — especially as, in this instance, it has been flagged to Google prior to being made public. And Google is presumably hard at work on a fix. So famous and recognized “ Andro” as Georgians call Android could be “free cheese in a mousetrap”.
Getting timely OS (Operating System) updates has always been a problem for Android users (Nexus owners are the exception), owing to Android’s openness necessarily encouraging variation and fragmentation within the ecosystem, with different manufacturer skins and carrier additions all standing in the way and delaying updates. That likely means the window of risk attached to this latest Android vulnerability takes longer to close for the majority of users than many would be comfortable with.
In the meantime, Bluebox advises the following:
Device owners should be extra cautious in identifying the publisher of the app they” want to download.
Enterprises with BYOD implementations should use this news to prompt all users to update their devices, and to highlight the importance of keeping their devices updated.
IT should see this vulnerability as another driver to move beyond just device management to focus on deep device integrity checking and securing corporate data.