Android flaw leaves 99% of devices open to attacks, details to be revealed at BlackHat

Jos

Mobile security company Bluebox claims to have discovered a flaw in Android that could leave any device released in the last four years vulnerable to attacks. The method demonstrated allows an attacker to modify an app’s code without affecting its cryptographic signature, so malicious code can be inserted completely unnoticed, leading to anything from data theft to the creation of botnets. The implications are huge, the researchers say.

Although specifics were left under wraps, the core issue involves discrepancies in how Android applications are verified and installed. As Bluebox explains, all Android apps contain cryptographic signatures to verify their authenticity. But through the use of some sort of “master key”, malicious coders are able to trick Android into believing an app is unchanged even if its APK code has been modified.

The vulnerability has reportedly been around since the release of Android 1.6 in 2009 and Google was notified about it in February. But due to the way Android updates work, it’s up to manufacturers to produce and release firmware updates for their specific hardware, and so far only the Galaxy S 4 has been patched.

As proof of the vulnerability’s existence, Bluebox CTO Jeff Forristal accompanied his blog post with a screenshot from an HTC device that had system-level software information modified to display “Bluebox” in the Baseband Version string (a value normally controlled and configured by the system firmware).

Technical details and related tools will be released at his BlackHat USA 2013 talk by the end of the month.

It’s worth noting that for all the doom and gloom that Bluebox is spelling -- it appears to be a serious issue after all -- falling prey to hackers would require you to download an actual app that has been modified with malicious code. In other words, it requires user action, and most likely downloading from a non-official source.

 
In other words, be careful what you download and you'll probably be fine. Seems a bit overblown to me...
 
This just in. If you download an app with malicious code, it may do something bad.
 
I am surprised not to hear about any vulnerabilities in Windows Phones, is that because they are more secure, or because they only occupy 5% of the market?
 
Run Dr. Web on the tablet and smartphone. Change the hosts file so you don't fall prey. All the Android ROMs I release have internal protection. Also no tracking either. Besides Play Store there is 1 Mobile Market.
 
I read the original article on the Bluebox website. It seems to be a very fluffed up point they are making and they present no facts to show the supposed master key. Changing baseband? Gee, so l33t h4x0r.
 
I am surprised not to hear about any vulnerabilities in Windows Phones, is that because they are more secure, or because they only occupy 5% of the market?
Would think it is more a function of the market share. Pretty clear that any platform has nasty vulnerabilities if people hit them hard enough.
 
Difference is the hacker can make a hacked app appear signed. That's the difference...

There's a difference between the hash for the app developer, and the hash for the apk version. Since Bluebox doesn't give any details, we have to assume everything they say is pure BS - until proven otherwise.
 
Do Apple pay for these stories to be published on sites such as Techspot? I'm beginning to wonder.....
 
There's an even bigger flaw in Android that no one knows about. It's where the app is given privileges to run in the background and do LITERALLY whatever the hell it wants. Turn on the camera, microphone, capture the screen, log any type of data and consume battery life.

If Android were designed like Windows Phone, they wouldn't have to worry about malicious applications.
 
If Android was designed like Windows Phone, nobody would buy them.
 
I call bull.

So the only patched device is the Samsung GS4? What about the Nexus devices running the most recent official Android updates?

Also that they "demo" the "exploit" on an HTC phone... considering the Android market is mainly Samsung's S4 vs HTC's One currently.. Most likely it's a marketing ploy by Samsung.
 
I love how when it's Android that is the OS that has a massive security vulnerability it's just "overblown" and "no big deal" but if this was iOS or Windows Phone, the world would be ending as we know it.
 
The difference is this: when it happens to Apple (e.g. lockscreen flaw, getting into contacts/photos, etc) it actually happens. This story is just a rumour at the moment and a bad one at that.

...Unless someone else actually has found some facts to support this.
 
So now that Google has a patch to fix this "bad rumor", is it still a "bad rumor"? Or is Google just fixing imaginary problems now?
 
Yeah I understand your point, and it seems like I'm clutching at straws.. but:-

Just because Google released a patch for a 'glitch' doesn't confirm nor deny the claims stated in the OP. The effect could just be the ability to not change APK versions (which could indeed be possible). There is still no evidence to show how one could get the FB app and change significant parts of the OS.
 