Bluebox: Android security flaw exposes 99% of devices to hacker attack


A newly discovered vulnerability identified in Google's (NASDAQ:GOOG) Android mobile operating system enables hackers to modify APK code without breaking an application's cryptographic signature, creating malicious Trojans that go undetected by the app store, device or consumer, mobile security solutions firm Bluebox reports.

"This vulnerability makes it possible to change an application's code without affecting [its] cryptographic signature--essentially allowing a malicious author to trick Android into believing the app is unchanged even if it has been," explains Bluebox CTO Jeff Forristal, noting hackers can exploit the flaw to read arbitrary application data on the device (e.g., email, text messages and documents), retrieve all stored account and service passwords and control all functionality. "Finally, and most unsettling, is the potential for a hacker to take advantage of the always-on, always-connected and always-moving (therefore hard-to-detect) nature of these 'zombie' mobile devices to create a botnet."
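The flaw described above defeats the assumption that a signed APK's code cannot change without its signature failing. As an added example (not Bluebox's or Google's code), the Python below performs the independent check a defender would want: it recomputes the SHA-1 digest of every entry in an APK (a ZIP archive) and compares it with the JAR-style `META-INF/MANIFEST.MF` that v1 signing covers, flagging any entry whose digest differs or that the manifest does not list. The sample archive is constructed inline; the script checks manifest-to-content consistency only and assumes the standard `Name:`/`SHA1-Digest:` manifest layout, not the signature over the manifest itself.

```python
import base64
import hashlib
import io
import zipfile

def parse_manifest(text):
    """Map entry name -> base64 SHA-1 digest from a JAR/APK-style MANIFEST.MF."""
    digests, name = {}, None
    for line in text.replace("\r\n", "\n").split("\n"):
        if line.startswith("Name: "):
            name = line[len("Name: "):]
        elif line.startswith("SHA1-Digest: ") and name:
            digests[name] = line[len("SHA1-Digest: "):]
    return digests

def check_apk_integrity(apk_bytes):
    """Recompute each entry's SHA-1 and compare it with the manifest.
    Returns a list of problems; an empty list means contents and manifest agree."""
    problems = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        digests = parse_manifest(z.read("META-INF/MANIFEST.MF").decode())
        for info in z.infolist():
            if info.is_dir() or info.filename.startswith("META-INF/"):
                continue  # signature metadata describes the other entries, not itself
            actual = base64.b64encode(hashlib.sha1(z.read(info)).digest()).decode()
            expected = digests.get(info.filename)
            if expected is None:
                problems.append(f"{info.filename}: not covered by manifest")
            elif expected != actual:
                problems.append(f"{info.filename}: digest mismatch")
    return problems

def build_sample_apk(tampered=False):
    """Constructed sample: a tiny ZIP laid out like an APK, whose manifest
    digests the original classes.dex. With tampered=True the code is changed
    and an extra file added while the manifest is left untouched."""
    original = b"dex\n035\x00original code"
    digest = base64.b64encode(hashlib.sha1(original).digest()).decode()
    manifest = ("Manifest-Version: 1.0\r\n\r\n"
                f"Name: classes.dex\r\nSHA1-Digest: {digest}\r\n\r\n").encode()
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", manifest)
        z.writestr("classes.dex", b"dex\n035\x00modified code" if tampered else original)
        if tampered:
            z.writestr("assets/extra.txt", b"added after signing")
    return buf.getvalue()
```

Running `check_apk_integrity(build_sample_apk(tampered=True))` reports both the altered `classes.dex` and the unlisted `assets/extra.txt`, while the untampered sample returns an empty list.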

Forristal adds that the vulnerability dates back at least as far as the fall 2009 release of Android 1.6, codenamed "Donut," and it could affect any Android phone released in the last four years--close to 900 million units in all, or roughly 99 percent of all devices running the Google OS.

Bluebox notified Google of the security bug in Feb. 2013. "It's up to device manufacturers to produce and release firmware updates for mobile devices (and furthermore for users to install these updates)," Forristal states. "The availability of these updates will widely vary depending upon the manufacturer and model in question."

VentureBeat reports that Google fixed the vulnerability soon after Bluebox outlined the issue, sending the patch to manufacturing partners at the beginning of March. "We aren't commenting," a Google spokesperson told the publication.

Mobile malware threats surged 614 percent between March 2012 and March 2013 to eclipse 275,000 total malicious apps, according to a Juniper Networks report issued late last month. Ninety-two percent of all mobile malware identified by Juniper's Mobile Threat Center targets Android, up from 24 percent in 2010. Juniper blames Android's vulnerabilities on the fragmentation afflicting the open-source platform, noting that the vast majority of devices run older versions of the OS, preventing them from receiving new security measures delivered by Google and leaving users exposed even to known threats.
