
Android security hole could endanger 99% of devices

By Dan Pearson

Thu 04 Jul 2013 7:33am GMT / 3:33am EDT / 12:33am PDT

APK code loophole leaves door open for malware

A security flaw has allegedly been discovered in the APK code of Android-powered devices that will allow malware to be loaded under the guise of an authentic cryptographic signature.

The loophole could affect 99 per cent of all Android devices and is essentially a security "master key", says Bluebox Security CTO Jeff Forristal. Because the modifications to the APK code do not affect an app's signature, neither handsets, tablets nor the various Android marketplaces will be able to distinguish trojan programs from genuine code, meaning that data can be hijacked and hardware 'zombied'.

Forristal says that the issue dates back four years to Android 1.6, or Donut, and thus could affect nearly 900 million operating systems.

"While the risk to the individual and the enterprise is great," writes Forristal, "(a malicious app can access individual data, or gain entry into an enterprise), this risk is compounded when you consider applications developed by the device manufacturers (e.g. HTC, Samsung, Motorola, LG) or third-parties that work in cooperation with the device manufacturer (e.g. Cisco with AnyConnect VPN) - that are granted special elevated privileges within Android - specifically System UID access.

"Installation of a Trojan application from the device manufacturer can grant the application full access to Android system and all applications (and their data) currently installed. The application then not only has the ability to read arbitrary application data on the device (email, SMS messages, documents, etc.), retrieve all stored account & service passwords, it can essentially take over the normal functioning of the phone and control any function thereof (make arbitrary phone calls, send arbitrary SMS messages, turn on the camera, and record calls). Finally, and most unsettling, is the potential for a hacker to take advantage of the always-on, always-connected, and always-moving (therefore hard-to-detect) nature of these 'zombie' mobile devices to create a botnet."

Forristal will be making more details of the discovery public at the 2013 Black Hat security convention, where he's speaking later this year. Forristal says the bug was reported to Google in February, 2013.


Paul Shirley Programmers

It's a pity you cut the part where they point out Google already check for and filter out this exploit in the Play store.

Just have to hope the fix doesn't bork hacking apps. Right now recovering large amounts of space is possible with any zip tool and system privileges don't depend on the signing key ;)

Posted:3 years ago


Paul Johnson Managing Director / Lead code monkey, Rubicon Development

If true, this is probably the first time any one thing has worked on 99% of all Android devices.

Posted:3 years ago


Nicholas Pantazis Senior Editor, VGChartz Ltd

@ Paul Johnson lol, even as an Android owner, pretty funny. It's very much the new Windows.

@ Paul Shirley Indeed, this article is pretty sensationalist. I doubt the fix would have any effect on rooting apps.

Posted:3 years ago


Paul Johnson Managing Director / Lead code monkey, Rubicon Development

Hehe, it was a cheap shot but I just couldn't resist. :)

Posted:3 years ago


David M Lopez Studying Game Art and Design, Art Institute of California - San Diego

What are they doing about it?

Posted:3 years ago

