A software security flaw that allows an attacker to modify Android applications undetected puts 99 percent of Android devices at risk, according to researchers at mobile security startup Bluebox. The vulnerability, which has existed since at least the release of Android 1.6 (“Donut”), could be exploited to seize full control of a smartphone or tablet, in effect turning it into a “zombie” device.
Inside the vulnerability
The vulnerability stems from a weakness in the Android security model that lets an attacker change the contents of an Android APK without invalidating the application’s cryptographic signature, Bluebox CTO Jeff Forristal wrote in a blog post explaining the flaw. Android requires every APK to be signed, and the platform relies on that signature to verify that an application comes from the developer it claims to and has not been tampered with. The flaw lies in a discrepancy between the code that verifies the signature and the code that installs and runs the package: because the two parse the archive differently, an attacker can craft an APK in which the verifier checks one set of bytes while the system loads another, so the operating system treats the modified app as legitimate.
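The following is an added example, not code from the article, from Bluebox or from Android. It illustrates the parser-differential class of bug described above using the concrete mechanism later published for this flaw, namely duplicate file names inside the APK’s ZIP central directory: one reader resolves a name to the first matching entry, another to the last, and a signature check that trusts the first can be bypassed by a runtime that loads the second. The “first-match” reader is a model of such a component, not Android’s actual implementation, and the sample “APK” is constructed in memory and is not a real package. The final function is the check a practitioner would want: refuse any archive in which an entry name is ambiguous.

```python
"""
Duplicate-entry check for an APK (ZIP) archive.

Added example, not the article's, Bluebox's or Android's code. Shows how two
readers of the same archive can disagree about which bytes an entry name
refers to, and the check that removes the ambiguity.
"""
import io
import warnings
import zipfile
from collections import Counter


def build_sample_apk(tampered: bool = True) -> bytes:
    """Construct a minimal APK-shaped ZIP (constructed sample input, not a
    real package). With tampered=True the central directory lists classes.dex
    twice: the first copy stands for the code that was signed, the second for
    bytes an attacker appended after signing."""
    buf = io.BytesIO()
    with warnings.catch_warnings():
        # zipfile warns about the duplicate name but still writes both
        # entries; a malicious packer relies on exactly that permissiveness.
        warnings.simplefilter("ignore", UserWarning)
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
            zf.writestr("AndroidManifest.xml", b"<manifest/>")
            zf.writestr("classes.dex", b"ORIGINAL SIGNED CODE")
            if tampered:
                zf.writestr("classes.dex", b"ATTACKER CODE")
    return buf.getvalue()


def entries_by_name(apk: bytes, name: str) -> list:
    """Every entry called `name`, in central-directory order, each read
    through its own local header. A second element means the name is
    ambiguous."""
    with zipfile.ZipFile(io.BytesIO(apk)) as zf:
        return [zf.open(info).read()
                for info in zf.infolist() if info.filename == name]


def parser_differential(apk: bytes, name: str) -> tuple:
    """Two plausible readers of the same archive.
    The first models a component that stops at the first matching entry
    (an assumption for illustration). The second is what zipfile.read()
    does: its name->entry map is overwritten by later central-directory
    records, so the last copy wins. If the two disagree, a verifier using
    one and an installer using the other can be split."""
    first = entries_by_name(apk, name)[0]
    with zipfile.ZipFile(io.BytesIO(apk)) as zf:
        last = zf.read(name)
    return first, last


def duplicate_entry_names(apk: bytes) -> dict:
    """{name: count} for every entry name listed more than once."""
    with zipfile.ZipFile(io.BytesIO(apk)) as zf:
        counts = Counter(info.filename for info in zf.infolist())
    return {n: c for n, c in counts.items() if c > 1}


def safe_to_install(apk: bytes) -> bool:
    """The hardening: refuse any package whose entry names are ambiguous,
    so that 'the file the signature covers' has exactly one meaning."""
    return not duplicate_entry_names(apk)


if __name__ == "__main__":
    apk = build_sample_apk()
    first, last = parser_differential(apk, "classes.dex")
    print("first-match reader sees :", first)
    print("zipfile.read() sees     :", last)
    print("duplicate names         :", duplicate_entry_names(apk))
    print("safe to install         :", safe_to_install(apk))
```

Running the script shows the two readers returning different bytes for the same name, the duplicate-name report flagging `classes.dex`, and the install check rejecting the archive; the untampered variant passes. The same check applied at signing time is a reasonable control for an app publisher to run before uploading a build.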
An attacker could use the vulnerability for ends ranging from data theft to the creation of a mobile botnet, Forristal added. Particularly troubling is that it can be used to modify not only consumer applications but also applications developed by device manufacturers such as Samsung, or by third-party companies such as Cisco, which are granted elevated privileges including access to the system UID. As a result, a trojanized version of an application signed by one of these manufacturers can gain full access to the Android system, to every application and to all data on the device.
“The application then not only has the ability to read arbitrary application data on the device (email, SMS messages, documents, etc.), retrieve all stored account and service passwords, it can essentially take over the normal functioning of the phone and control any function thereof (make arbitrary phone calls, send arbitrary SMS messages, turn on the camera, and record calls),” Forristal wrote. “Finally, and most unsettling, is the potential for a hacker to take advantage of the always-on, always-connected, and always-moving (therefore hard-to-detect) nature of these ‘zombie’ mobile devices to create a botnet.”
CITEWorld’s Chris Nerney noted that mobile botnets are already a real threat: one discovered in China last year comprised nearly 100,000 Android devices. Forristal will discuss the bug in full during a talk at the Black Hat USA conference.
Assessing the threat
Any Android device released in the past four years could be affected, which translates to as many as 900 million users at risk, Forristal noted. The company disclosed the flaw to Google in February, and Google notified its partners, including the members of the Open Handset Alliance, at the beginning of March, IDG News reported. A patch has already shipped for one device, the Samsung Galaxy S4, Forristal told IDG.
The Google Play store has been updated to block any malicious apps exploiting the problem, and Google told Forristal that no existing apps in the store were affected, according to IDG News. However, such apps can still be distributed via email, websites or third-party app stores. Once a malicious copy has been sideloaded in place of an app originally installed from Google Play, the store’s checks no longer apply to it.
The fragmented ecosystem of device manufacturers, carriers and firmware versions will likely make it difficult to ensure that many end users receive patches for this vulnerability, IDG News Service noted. In particular, many affected devices may no longer be supported by their manufacturers. Bluebox advised device owners and enterprises to update their devices and to verify publishers’ identities carefully before installing new applications.
The flaw should also serve as a wake-up call to device manufacturers and embedded software developers about the importance of securing their systems against flaws of this kind. Using tools such as static analysis software, organizations can catch firmware defects that could otherwise enable extensive malicious attacks.
Software news brought to you by Klocwork Inc., dedicated to helping software developers create better code with every keystroke.