
Serious Android Flaw Could Turn Mobile Apps Malicious

A vulnerability in the Android platform's security model could give mobile application authors the ability to turn their legitimate Android application into dangerous malware.

The weakness, discovered by San Francisco-based mobile security startup Bluebox Security, was reported to Google and has been corrected, but the firm said millions of Android devices remain vulnerable. The flaw enables an attacker to bypass the Google Play security mechanism designed to review changes to applications before they are sent to users.

Bluebox Chief Technology Officer Jeff Forristal will present the details of the vulnerability later this month at the 2013 Black Hat conference in Las Vegas.


The Android flaw, which has been in the firmware since 2009, enables an attacker to modify the mobile application code without breaking its cryptographic signature, wrote Forristal. In an alert to Android owners last week, Forristal said application changes could be made without being noticed by the app store, device or end user.

"Depending on the type of application, a hacker can exploit the vulnerability for anything from data theft to creation of a mobile botnet," Forristal wrote.

Digital signatures are used by both Google and Apple to determine the validity of a mobile application. The flaw enables the digital signature to remain intact even if modifications are made, Forristal said. Bluebox showed a screenshot of an HTC device illustrating how the manufacturer's software can be modified to access all permissions on the device.

An attacker can program a legitimate app to make phone calls and record them, send text messages or turn on the camera. "Finally, and most unsettling, is the potential for a hacker to take advantage of the always-on, always-connected, and always-moving (therefore hard-to-detect) nature of these 'zombie' mobile devices to create a botnet," Forristal wrote.

Millions of mobile phones could continue to be at risk because security updates pushed out by Google must go to individual handset makers before being pushed out to device owners through their mobile carrier.

Breaking or cheating the cryptographic signature used to validate applications is a potentially serious issue that opens device owners up to a wealth of serious problems, said Cameron Camp, a security researcher at Bratislava, Slovakia-based antivirus vendor ESET. Code signing and application isolation, or sandboxing, are among the security measures used to make mobile devices safer.

"If you can break the crypto or cheat the crypto into thinking it's something that it's not then that is a dangerous problem," Camp said.

Google did not respond to a request from CRN for comment. The company has reportedly updated its official app store, Google Play, to thwart attempts to cheat the app verification process. But Camp said mobile malware writers bypass Google altogether, getting malicious applications onto devices by using third-party app stores.

Android malware has increased significantly, with more than 92 percent of mobile malware targeting the platform, according to Juniper Networks, which released its annual mobile threat report last week. Other reports found a precipitous increase in mobile attacks targeting Android devices. Google has been adding improvements, Camp said, including the addition of Bouncer, a malware scanner that vets apps before they are officially released to Android device owners.

"There are still an awful lot of apps to be analyzing on a daily basis, so determining with any degree of assurance that no malicious code out there is going to be difficult," Camp said.

PUBLISHED JULY 8, 2013
