Bluebox Security, a relatively unknown mobile security startup, recently made a big name for itself by uncovering a four-year-old hole in Android’s security model that puts almost 900 million Android phones (or around 99% of Android devices, if you’re keeping score at home) at risk of exploitation.
This particular vulnerability makes it easy for a hacker to turn a legitimate application that a user has installed on his or her phone into a malicious Trojan by simply modifying its APK code, and they can do this without breaking the app’s cryptographic signature, which makes the change incredibly difficult to detect. Because the app’s code changes but its signature does not, Android does not recognize that the app has been altered.
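The vulnerability Bluebox reported works by placing two entries with the same name inside one APK, so the code that verifies the signature and the code that installs the app end up reading different files. The following is an added defender-side check, not code from Bluebox or from this article: it builds a constructed APK-like archive with a duplicated classes.dex and flags any entry name that appears more than once in the archive’s central directory.

```python
import io
import warnings
import zipfile


def build_sample_apk() -> bytes:
    """Construct an APK-like ZIP (a constructed sample, not a real app) that
    carries two entries named classes.dex: a benign one first, a tampered one second."""
    buf = io.BytesIO()
    with warnings.catch_warnings():
        warnings.simplefilter("ignore", UserWarning)  # zipfile warns on duplicate names
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr("AndroidManifest.xml", "<manifest/>")
            zf.writestr("classes.dex", b"dex\n035\x00ORIGINAL")
            zf.writestr("classes.dex", b"dex\n035\x00TAMPERED")
    return buf.getvalue()


def duplicate_entries(apk: bytes) -> dict:
    """Return {name: count} for every name listed more than once in the central
    directory. A clean APK yields an empty dict; anything else should be rejected."""
    counts = {}
    with zipfile.ZipFile(io.BytesIO(apk)) as zf:
        for info in zf.infolist():
            counts[info.filename] = counts.get(info.filename, 0) + 1
    return {name: n for name, n in counts.items() if n > 1}


def entry_versions(apk: bytes, name: str) -> list:
    """Return the payload of every entry with this name, in central-directory order,
    so a reviewer can see that two different files share a single name."""
    with zipfile.ZipFile(io.BytesIO(apk)) as zf:
        return [zf.open(info).read() for info in zf.infolist() if info.filename == name]


def default_lookup(apk: bytes, name: str) -> bytes:
    """What a plain name-based read returns. Python's zipfile keeps the last entry,
    which illustrates how two parsers can disagree on which file a name refers to."""
    with zipfile.ZipFile(io.BytesIO(apk)) as zf:
        return zf.read(name)
```

Run the check over a downloaded APK before sideloading it; a non-empty result from duplicate_entries means the archive should not be trusted regardless of whether its signature verifies.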
But that’s not even the worst of it! It turns out that a subset of applications developed by device makers, or by third-party developers that work intimately with device makers (think Cisco’s AnyConnect VPN app), open Android devices up to even greater risk: they can provide attackers with system UID access, which reaches well beyond app data to passwords and account information, and even makes it possible for hackers to take over the functioning of the entire device.
It seems likely that Google is already hard at work creating a patch for the system flaw, and it appears that the Samsung Galaxy S4 has already been patched. In the meantime, Bluebox suggests that device owners remain extra cautious in identifying the publisher of any app they want to download moving forward, and that enterprises with BYOD implementations begin prompting all users to update their devices, while highlighting the importance of keeping those devices updated.
However, to ease the minds of some worried Android users, know that it is probably okay to continue downloading apps from mainstream sources like Google Play, and that they should mostly be wary of third-party app stores or app providers. This is especially true because Google recently modified the entry process for getting an application into the Play Store, and apps that have been modified with this exploit are now blocked and won’t be distributed through the Play Store any longer.
[Thanks WildCat, via TechCrunch]