900 million Android phones vulnerable to hacking from 'master key'

Researchers have uncovered a so-called master key for Google's Android operating system that could potentially render up to 99 percent of Android devices vulnerable—or worse, turn them into zombies.

 

Bluebox Security said its Bluebox Labs team found the vulnerability lets hackers modify APK code without breaking an app's cryptographic signature.

 

"The implications are huge! This vulnerability, around at least since the release of Android 1.6 (codename: Donut ), could affect any Android phone released in the last four years – or nearly 900 million devices," Bluebox chief technology officer Jeff Forristal said in a blog post.

 

"This vulnerability makes it possible to change an application’s code without affecting the cryptographic signature of the application – essentially allowing a malicious author to trick Android into believing the app is unchanged even if it has been," he added.

 

Also, depending on the type of application, a hacker can exploit the vulnerability for "anything from data theft to creation of a mobile botnet," Forristal said.

 

If exploited, the malicious parties can turn any legitimate app into a malicious Trojan, with the app store, phone or user none the wiser, Forristal warned.

 

Even worse, Forristal said the risk could be compounded by apps made by manufacturers or third parties that work in cooperation with the device manufacturer that get special elevated privileges within Android.

 

Forristal said a Trojan app from the device manufacturer can grant the app full access to Android system and all installed apps plus their data.

 

"The application then not only has the ability to read arbitrary application data on the device (email, SMS messages, documents, etc.), retrieve all stored account and service passwords, it can essentially take over the normal functioning of the phone and control any function thereof (make arbitrary phone calls, send arbitrary SMS messages, turn on the camera, and record calls)," he said.

 

Zombies

 

Most unsettling, Forristal said, is the potential for a hacker to take advantage of the devices being turned into botnets.

 

As botnets, they can be hard to detect because of the device's "always-on, always-connected, and always-moving (therefore hard-to-detect) nature."

 

Cryptographic signatures

 

Forristal said the vulnerability involves flaws in how Android apps are cryptographically verified and installed.

 

This allows the modification of APK code without breaking the cryptographic signature, he said.

 

Forristal said Bluebox has disclosed details of Android security bug 8219321 in February 2013.

 

"It’s up to device manufacturers to produce and release firmware updates for mobile devices (and furthermore for users to install these updates). The availability of these updates will widely vary depending upon the manufacturer and model in question," he said.

 

Recommendations

 

In the meantime, Forristal advised device owners to be "extra cautious in identifying the publisher of the app they want to download."

 

Also, he advised enterprises with BYOD (Bring Your Own Device) implementations to prompt all users to update their devices, and to highlight the importance of keeping their devices updated.

 

He also urged IT departments to "move beyond just device management to focus on deep device integrity checking and securing corporate data."

 

Google Play

 

On the other hand, tech site The Next Web said apps on the Google Play store are immune from such tampering, and a hacker would need to lure a user into downloading a malicious version of an app in other ways.

 

This may include a third-party app store or fake app links.

 

"A phishing email with a link to a fake update for a popular app, for example, might generate some downloads," it said.

 

"This is yet another reason to stick to official apps stores for downloads, although some Android owners — particularly those in China, where the Google Play store is skeletal — do frequent third-party app stores, while the fragmentation of Android is a reason others download apps from the Web," it added. — TJD, GMA News