Ouch! Let us reiterate: that one ought to sting, especially after the latest report already put Android up there as the most compromised and targeted mobile OS.
Mobile security start-up Bluebox has announced on its blog that it has discovered a vulnerability in Android's security model, one that allows hackers to slip malicious code into Android devices unnoticed by the phone's built-in defensive mechanism.
The scope of this vulnerability? 99%, or about 900 million Android devices. Nope, no typo there, according to the company, which first notified Google of the threat in February this year. Apparently, the vulnerability goes back all the way to Android 1.6 “Donut”, or any Android device released in the last 4 years.
Spooky, but in a typical horror movie fashion, we want to know more:
“The vulnerability involves discrepancies in how Android applications are cryptographically verified & installed, allowing for APK code modification without breaking the cryptographic signature.”
A screenshot by Bluebox demonstrates complete control over the OS
If mobile security isn't your strongest suit, here's a breakdown of how it works. Every Android app carries a cryptographic signature, which your droid uses to verify that the app is legit and that its code has not been tampered with. Further spelling it out for us, Bluebox asserts that the glitch allows the not-too-nice folks out there to change app code “without affecting the cryptographic signature of the application – essentially allowing a malicious author to trick Android into believing the app is unchanged even if it has been.”
To put this into perspective, the statement claims that, apart from the usual Trojan mischief (think SMS tolls), a malicious app taking massive advantage of the hole:
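To make that integrity check concrete, here is an added example (not code from Bluebox, Google or the original article) of the per-file digest comparison that JAR-style APK signing relies on. It uses a constructed in-memory archive, leaves out the signature over the manifest itself, and does not reproduce the Bluebox flaw, whose mechanics the article does not describe; `build_apk`, `repackage` and `check_entries` are hypothetical helper names.

```python
import base64, hashlib, io, zipfile
MANIFEST = "META-INF/MANIFEST.MF"
def _digest(data):
    return base64.b64encode(hashlib.sha256(data).digest()).decode()

def build_apk(files):
    """Build a constructed APK-like zip with a JAR-style per-entry manifest."""
    lines = ["Manifest-Version: 1.0", ""]
    for name, data in files.items():
        lines += [f"Name: {name}", f"SHA-256-Digest: {_digest(data)}", ""]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(MANIFEST, "\r\n".join(lines))
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()

def repackage(apk, name, new_data):
    """Copy the archive, replacing one entry but keeping the old manifest."""
    buf = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(apk)) as src, zipfile.ZipFile(buf, "w") as out:
        for info in src.infolist():
            out.writestr(info.filename, new_data if info.filename == name else src.read(info))
    return buf.getvalue()

def check_entries(apk):
    """Return [(entry, problem)] for entries that disagree with the manifest."""
    problems = []
    with zipfile.ZipFile(io.BytesIO(apk)) as zf:
        expected, name = {}, None
        for line in zf.read(MANIFEST).decode().splitlines():
            key, _, value = line.partition(": ")
            if key == "Name":
                name = value
            elif key == "SHA-256-Digest" and name:
                expected[name] = value
        for info in zf.infolist():
            if info.filename.startswith("META-INF/"):
                continue  # signature metadata is not listed in the manifest
            want = expected.pop(info.filename, None)
            if want is None:
                problems.append((info.filename, "not listed in manifest"))
            elif want != _digest(zf.read(info)):
                problems.append((info.filename, "digest mismatch"))
    return sorted(problems + [(n, "listed but missing") for n in expected])

if __name__ == "__main__":
    apk = build_apk({"classes.dex": b"original code", "res/raw/a.txt": b"hi"})  # constructed sample
    print(check_entries(apk), check_entries(repackage(apk, "classes.dex", b"changed code")))
```

A correctly working verifier reports the repackaged archive as a digest mismatch; the vulnerability Bluebox describes is a case where Android's own check could be passed even though the code had changed.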
“Has the ability to read arbitrary application data […], retrieve all stored account & service passwords […], make arbitrary phone calls, send arbitrary SMS messages, turn on the camera, record calls,”
How serious can this get? We don't know, but it's comforting to know that Google is aware of the issue and has already updated its Google Play approval process, blocking out apps with this problem.
Bluebox CTO, Jeff Forristal, announced that he will cover the issue in technical detail in his upcoming Black Hat USA 2013 talk.
Chris Panayotov is a former mobile tech reviewer of phones, tablets and wearables at PhoneArena. However, his contribution to PhoneArena content includes not just reviews, but all kinds of regular and experimental features, such as news stories, buying guides, and an exclusive column on the most notable phones out of Asia.