Bluebox's Android signing flaw has now been exploited by hackers

David Tom


Nearly a month ago, mobile security firm Bluebox uncovered a security flaw in Android that affects almost all devices released over the last four years. The vulnerability allows malicious code to be injected into any application without altering its cryptographic signature, so the tampered package still verifies as if it came from the original publisher. The result is that harmful programs are indistinguishable from their authentic counterparts, at least on the surface. Symantec commented on the vulnerability, saying, “Attackers no longer need to change these digital signature details. They can freely hijack legitimate applications and even an astute person could not tell the application had been repackaged with malicious code.”

On Tuesday, Symantec spotted the first malware in the wild that successfully exploits the Android app-signing flaw. Just a day later, four more contaminated apps were identified, all of them distributed from third-party websites rather than from Google Play. Google has so far been relatively effective at keeping malicious applications out of the Play Store. Unfortunately, the open concept of the Android platform is proving to be its major downfall: users can install packages from any source, and that is where these infections are coming from. Symantec said, “We expected the vulnerability to be leveraged quickly due to ease of exploitation, and it has.”

Before this flaw was found, a repackaged app could be spotted by examining its details: the signing certificate would not belong to the real publisher, revealing that the publisher didn't actually create that copy. With the signature left intact, this is no longer the case.
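As an added example, not code from the article, Bluebox or Symantec: the flaw Bluebox reported is generally understood to hinge on an APK (which is a ZIP archive) carrying two entries with the same name, so that the component which verifies the signature reads one copy while the component which installs the app reads the other. The script below builds such an archive in memory from made-up bytes, shows how two readers of the same archive can disagree about what `classes.dex` contains (Python's own `zipfile` keeps the last duplicate, a first-match reader keeps the first), and implements the check a store operator or a sideloading user can run before trusting a package: reject any APK whose central directory lists a name more than once. All entry names and contents are constructed for illustration.

```python
import io
import warnings
import zipfile
from collections import Counter


def build_zip(entries):
    """Build a ZIP archive in memory from (name, bytes) pairs, in the given order.

    zipfile warns when a name is repeated but still writes both entries, which is
    exactly the malformed layout this example needs. Constructed data only.
    """
    buf = io.BytesIO()
    with warnings.catch_warnings():
        warnings.simplefilter("ignore")  # silence the 'Duplicate name' warning
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
            for name, data in entries:
                zf.writestr(name, data)
    return buf.getvalue()


def read_first(archive, name):
    """Model of a reader that takes the FIRST central-directory entry with a name."""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            if info.filename == name:
                return zf.read(info)  # read by ZipInfo, so this exact entry is used
    raise KeyError(name)


def read_last(archive, name):
    """Model of a reader that takes the LAST entry with a name.

    zipfile's name lookup behaves this way: its name-to-entry map is overwritten
    as the central directory is scanned, so the last duplicate wins.
    """
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        return zf.read(name)


def duplicate_entries(archive):
    """Return {name: count} for every name listed more than once in the central directory."""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        counts = Counter(info.filename for info in zf.infolist())
    return {name: n for name, n in counts.items() if n > 1}


def is_well_formed_apk(archive):
    """The check: reject outright any APK whose ZIP directory repeats a name, since
    signature verification and installation may not agree on which copy they saw."""
    return not duplicate_entries(archive)


# Constructed sample: a benign classes.dex followed by an injected copy under the same name.
ORIGINAL_DEX = b"dex\n035\x00" + b"original code"
INJECTED_DEX = b"dex\n035\x00" + b"injected code"
MANIFEST = b"Manifest-Version: 1.0\n"

TAMPERED_APK = build_zip([
    ("META-INF/MANIFEST.MF", MANIFEST),
    ("classes.dex", ORIGINAL_DEX),
    ("classes.dex", INJECTED_DEX),
])
CLEAN_APK = build_zip([
    ("META-INF/MANIFEST.MF", MANIFEST),
    ("classes.dex", ORIGINAL_DEX),
])

if __name__ == "__main__":
    print("first-match reader sees:", read_first(TAMPERED_APK, "classes.dex"))
    print("last-match reader sees :", read_last(TAMPERED_APK, "classes.dex"))
    print("duplicate entries      :", duplicate_entries(TAMPERED_APK))
    print("tampered APK accepted? :", is_well_formed_apk(TAMPERED_APK))
    print("clean APK accepted?    :", is_well_formed_apk(CLEAN_APK))
```

The point of the two readers is that neither is "wrong" by the ZIP format's loose rules; the archive is ambiguous, and an attacker only needs the verifier and the installer to resolve that ambiguity differently. Refusing ambiguous archives removes the question entirely, which is why the duplicate-name check is a better gate than trying to guess which copy a given device will execute.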

So what are malware authors doing with the flaw? The first two contaminated apps are capable of remotely controlling the device, reading instant messages and texts, stealing phone numbers, and disabling previously installed mobile security software. Since any legitimate app can be repackaged this way, there is no reason to expect the payloads to stop there.

The vulnerability is not easy for Google to fix, either. The manufacturers have to design and distribute firmware updates for each device, and there is currently no all-inclusive solution. Until an update reaches a given phone, the practical mitigation is to install only from Google Play and leave installation from unknown sources switched off.

Although iOS isn't immune to malware, this class of vulnerability isn't present there, and may never be. Apple's app signing prevents most tampered apps from running at all, and its closed ecosystem means most users never install from third-party sources. And unlike Android, which runs on many devices from many manufacturers, Apple can focus its patching efforts on a handful of iPhone models when a security problem is found.

Image credit: Android Foundry


 
"Unfortunately, the open concept of the Android platform is proving to be its major downfall."

+1000
hahaha. good one. :)
I hope this will "force" Google and its partners to effectively upgrade all Android 2.3.x devices to Android 4.x, and Google's partners to provide ASAP the much-needed firmware updates.

I wonder how lucky Symantec is in being able to "spot the first malware in the wild that has successfully exploited the Android app signing flaw".
(which leads me to somewhat entertain the idea that the malware security businesses are the ones behind the creation of some of these malwares. :) )
 
which leads me to somewhat entertain the idea that the malware security businesses are the ones behind the creation of some of these malwares.
I've always thought this, which is why I will not purchase security software.

Have you heard the phrase "we watch each other's backs"? That's the relationship between anti-malware and malware. It's all a front to collect revenue. How could you think otherwise when our own government is fighting for secrecy about surveillance tactics? I wouldn't be surprised if, when push comes to shove, we found out they were all connected. I would be willing to bet our fight against malware is a fight against governments collecting information and supporting AV software companies to help motivate them to keep their mouths shut. With the government putting a muzzle on companies, it's an easy conspiracy theory to support. Especially when you read about companies' counter-attempts against government surveillance. That would fall right in line with new malware definitions.
 
More proof that open source is not inherently more secure than closed source.
 
Um I still don't see the issue. Google Play is yet to be affected. So who is getting infected and where are they getting their apps from?
 
One reason why I don't buy my device from a carrier (other than the restrictions & bloatware) is because I want complete control over the device, not the carrier. Heck, you are lucky to get one update from them during the 2-year contract (USA). I root my device as soon as I get it.
This allows me to blow out the ROM that comes with it and customize it how I see fit. I patched my device from this. The nice thing about Apple is that they keep complete control over everything, which helps, but their screen size isn't to my liking (I have a 5.3" screen).

"The manufacturers have to design and distribute firmware updates for each device, and there is currently no all-inclusive solution."
 
Um I still don't see the issue. Google Play is yet to be affected. So who is getting infected and where are they getting their apps from?

'Alternate' sources. Since it is possible on Android (and a big 'feature' over iOS, ironically), people will bash Android for it.

It's like downloading Skyrim from getfreegames.com (made up) and complaining that you are infected.
 
'Alternate' sources. Since it is possible on Android (and a big 'feature' over iOS, ironically), people will bash Android for it.

It's like downloading Skyrim from getfreegames.com (made up) and complaining that you are infected.
Well, yes, agreed: if the site is not reputable it is a risk, but Android does have the distinct advantage that there are multiple reputable stores, e.g. apps from the Samsung store.
 
Well, yes, agreed: if the site is not reputable it is a risk, but Android does have the distinct advantage that there are multiple reputable stores, e.g. apps from the Samsung store.

Pretty much. Samsung store, Amazon, etc. Google doesn't control the requirements here, so we aren't even sure how Amazon et al track the authors or such.

It's a huge advantage over iOS (ability to install from other sources), but in this case it's a disadvantage because people and media only see the bad stuff. Simple solution - turn off the option, use Google Play Store...
 
More proof that open source is not inherently more secure than closed source.
This wasn't ever a debate. What's been said is that it's /likely/ open source is more secure than proprietary software, as the source code is there for everyone to read. Proprietary software allows for the developers to put in spyware and tracking. It also allows for the developer to ignore security holes completely until exploited, even though they know it's there (this has been the case with both Microsoft and Apple many times). Android does not have the best of open source communities, but development projects such as Linux continuously patch security holes because they can be seen by anyone and fixed by anyone.
 
This wasn't ever a debate. What's been said is that it's /likely/ open source is more secure than proprietary software, as the source code is there for everyone to read. Proprietary software allows for the developers to put in spyware and tracking. It also allows for the developer to ignore security holes completely until exploited, even though they know it's there (this has been the case with both Microsoft and Apple many times). Android does not have the best of open source communities, but development projects such as Linux continuously patch security holes because they can be seen by anyone and fixed by anyone.
Yes, and security algorithms can be vetted by peers for robustness.

One example of a poor proprietary implementation was the Philips Mifare (Classic) card specification. A Mifare card's encryption could be cracked by a 5-year-old laptop in less than a minute because the security algorithm was effectively trivially brute-forceable. I think the Oyster card used those cards. Maybe a few others.
 