Android Vulnerabilities Uncovered By BlueBox Team
July 5, 2013

99 Percent Of Android Devices Vulnerable To Hacking

Michael Harper for - Your Universe Online

Security research team BlueBox has discovered a bug in Google's Android operating system which could make 99 percent of all devices vulnerable to a frightening attack. A vulnerability in the OS could theoretically allow attackers to take control of an otherwise legitimate app. From here the attacker could steal information or control the device itself.

According to BlueBox CTO Jeff Forristal, this vulnerability has been present in Android for the last four years and could affect as many as 900 million devices around the world. BlueBox alerted Google about this vulnerability in February and will explain how the bug affects Android later this month at the Black Hat USA Security Conference in Las Vegas, Nevada.

"The vulnerability involves discrepancies in how Android applications are cryptographically verified & installed, allowing for APK code modification without breaking the cryptographic signature," writes Forristal on the BlueBox corporate blog.

"All Android applications contain cryptographic signatures, which Android uses to determine if the app is legitimate and to verify that the app hasn't been tampered with or modified. This vulnerability makes it possible to change an application's code without affecting the cryptographic signature of the application - essentially allowing a malicious author to trick Android into believing the app is unchanged even if it has been."

A hacker could also use this bug to gain complete access to the operating system. Some phone manufacturers - such as Samsung or Motorola - install their own software features into Android, requiring their own firmware for the device. Like any other developer, the phone manufacturers also need to have their specific software signed with this cryptographic key. Were a hacker to take advantage of this bug and change the key to the firmware, they could have complete control of the phone and its tasks. Here they could access stored passwords, make and record phone calls, and send SMS messages.

"Finally, and most unsettling," says Forristal, "is the potential for a hacker to take advantage of the always-on, always-connected, and always-moving (therefore hard-to-detect) nature of these "zombie" mobile devices to create a botnet."

BlueBox says the details of this bug were "responsibly disclosed" to Google last February, but it remains up to the device manufacturers to build and distribute firmware updates that will kill this bug. Distributing this updated firmware to more than 90 million Android devices running version 1.6 and higher could prove to be more difficult than writing the new code.

Android is often criticized for its "fragmentation," meaning when security updates or operating system updates are rolled out, they must go through a channel which includes Google, phone manufacturers and finally, carriers. Though a fix may soon be written, it could take much longer before users are able to install it to their devices.

Forristal recommends Android owners take extra caution when downloading apps. While the Google Play app store is often the safest route, this bug could potentially slip through even the safety regulations found there. Furthermore, enterprises should alert all Android users who take part in bring your own device programs.