Android bug allows app code change without breaking signatures
Posted on 04 July 2013.
Researchers from Bluebox Security have discovered a critical Android flaw that allows attackers to modify the code of any app without breaking its cryptographic signature, and thus to stealthily plant trojanized apps on legitimate app stores and users' phones.

"This vulnerability, around at least since the release of Android 1.6, could affect any Android phone released in the last 4 years – or nearly 900 million devices – and depending on the type of application, a hacker can exploit the vulnerability for anything from data theft to creation of a mobile botnet," Jeff Forristal, Bluebox CTO, wrote on Wednesday.

He also pointed out that the vulnerability is particularly dangerous if misused to modify applications developed by the device manufacturers or by third parties that work in cooperation with the device manufacturer, as those apps are often installed on the device before sale and are granted full access to the Android system and all applications on it.

"The application then not only has the ability to read arbitrary application data on the device (email, SMS messages, documents, etc.), retrieve all stored account and service passwords, it can essentially take over the normal functioning of the phone and control any function thereof (make arbitrary phone calls, send arbitrary SMS messages, turn on the camera, and record calls)," he concluded.
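The article does not explain how an APK can be altered while its signature still verifies. The following is an added example written for this page, not Bluebox's or Android's code, and the data in it is constructed. It models the v1 (JAR-style) APK signing scheme just far enough to show the hazard: META-INF/MANIFEST.MF carries a digest per entry, and a verifier recomputes those digests. If the container allows two entries with the same name (the shape of the bug Forristal later presented at Black Hat) and the verifier resolves a name differently from the code that loads the entry, a tampered copy rides in under a valid signature. The `loader_view` parser, which takes the first copy of a name, is an assumed second reader of the file, and the CERT.SF/CERT.RSA signature blocks are omitted because the RSA step is not where the problem lies.

```python
"""Added example: a signature verifier and a loader must agree on the bytes.

Models the v1 (JAR-style) APK signing scheme just enough to show why a
container that tolerates duplicate entry names lets code change without
breaking the signature. Everything here is constructed; it is not a real APK.
"""
import base64
import hashlib
import io
import warnings
import zipfile
from typing import Dict, List, Tuple

GOOD = b"dex\n035\x00 benign classes.dex"     # constructed stand-ins, not real dex
EVIL = b"dex\n035\x00 attacker classes.dex"


def _digest(data: bytes) -> str:
    return base64.b64encode(hashlib.sha1(data).digest()).decode()


def build_zip(manifest_for: Dict[str, bytes], entries: List[Tuple[str, bytes]]) -> bytes:
    """Write a ZIP whose MANIFEST.MF digests `manifest_for`, then append
    `entries` in the given order. Duplicate names are allowed on purpose."""
    lines = ["Manifest-Version: 1.0", ""]
    for name, data in manifest_for.items():
        lines += [f"Name: {name}", f"SHA1-Digest: {_digest(data)}", ""]
    buf = io.BytesIO()
    with warnings.catch_warnings():
        warnings.simplefilter("ignore")        # zipfile warns on duplicate names
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr("META-INF/MANIFEST.MF", "\r\n".join(lines))
            for name, data in entries:
                zf.writestr(name, data)
    return buf.getvalue()


def parse_manifest(text: str) -> Dict[str, str]:
    """Return {entry name: SHA1-Digest}. Real manifests wrap lines at 72 bytes;
    the ones built here are short enough not to need it."""
    digests: Dict[str, str] = {}
    name = None
    for line in text.splitlines():
        if line.startswith("Name: "):
            name = line[6:]
        elif line.startswith("SHA1-Digest: ") and name:
            digests[name] = line[13:]
            name = None
    return digests


def verify_by_name(apk: bytes) -> bool:
    """Naive verifier: looks entries up by name. zipfile resolves a duplicated
    name to the LAST entry, so that is the only copy it ever digests."""
    with zipfile.ZipFile(io.BytesIO(apk)) as zf:
        digests = parse_manifest(zf.read("META-INF/MANIFEST.MF").decode())
        names = {n for n in zf.namelist() if not n.startswith("META-INF/")}
        if names != set(digests):
            return False
        return all(_digest(zf.read(n)) == d for n, d in digests.items())


def loader_view(apk: bytes) -> Dict[str, bytes]:
    """Assumed loader: walks the central directory and takes the FIRST entry
    for each name. Any second parser with its own tie-break rule would do."""
    out: Dict[str, bytes] = {}
    with zipfile.ZipFile(io.BytesIO(apk)) as zf:
        for info in zf.infolist():
            if info.filename.startswith("META-INF/") or info.filename in out:
                continue
            with zf.open(info) as f:
                out[info.filename] = f.read()
    return out


def hardened_verify(apk: bytes) -> bool:
    """Reject ambiguity outright, then digest every physical entry (by ZipInfo,
    not by name) so no copy can escape the check."""
    with zipfile.ZipFile(io.BytesIO(apk)) as zf:
        infos = [i for i in zf.infolist() if not i.filename.startswith("META-INF/")]
        names = [i.filename for i in infos]
        if len(names) != len(set(names)):
            return False                       # duplicate entry name: ambiguous
        digests = parse_manifest(zf.read("META-INF/MANIFEST.MF").decode())
        if set(names) != set(digests):
            return False
        for info in infos:
            with zf.open(info) as f:
                if _digest(f.read()) != digests[info.filename]:
                    return False
        return True


def demo() -> Dict[str, Tuple[bool, bool, bool]]:
    """Per case: (naive verify passes, hardened verify passes, loader gets EVIL)."""
    honest = build_zip({"classes.dex": GOOD}, [("classes.dex", GOOD)])
    replaced = build_zip({"classes.dex": GOOD}, [("classes.dex", EVIL)])
    shadowed = build_zip({"classes.dex": GOOD},
                         [("classes.dex", EVIL), ("classes.dex", GOOD)])
    return {
        label: (verify_by_name(apk), hardened_verify(apk),
                loader_view(apk)["classes.dex"] == EVIL)
        for label, apk in (("honest", honest), ("replaced", replaced),
                           ("shadowed", shadowed))
    }


if __name__ == "__main__":
    for label, (naive, hardened, runs_evil) in demo().items():
        print(f"{label:9s} naive={naive} hardened={hardened} loads_attacker={runs_evil}")
```

The "replaced" case is the attack the signature scheme was designed to stop: one entry, wrong bytes, both verifiers reject it. The "shadowed" case is the one to study: the manifest digest matches the copy the naive verifier happens to resolve, so it passes, while the loader runs the other copy. The hardened check does not try to pick the "right" copy; it refuses the archive the moment a name is ambiguous, which is the only answer that does not depend on every other parser of the file agreeing with it.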

The flaw was responsibly disclosed to Google in February 2013, and Bluebox will share more details about the bug in a talk at the upcoming Black Hat USA security conference in Las Vegas.

Forristal told Computerworld that the Samsung Galaxy S4 already has the fix, but given that many device manufacturers and carriers are not exactly known for being prompt in distributing firmware updates and patches, it will surely take quite some time to eradicate the flaw.

In the meantime, users are advised to keep their devices updated and always check that the publisher of the app they want to download is the correct one. "IT should see this vulnerability as another driver to move beyond just device management to focus on deep device integrity checking and securing corporate data," he concluded.
