Android flaw leaves 99% of devices open to attacks, details to be revealed at BlackHat

By on July 4, 2013, 2:00 PM

Mobile security company Bluebox claims to have discovered a flaw in Android that could leave any device released in the last four years vulnerable to attack. The method demonstrated allows modifying an app’s code without affecting its cryptographic signature, so malicious code can be inserted completely unnoticed, leading to anything from data theft to the creation of botnets. The implications are huge, the researchers say.

Although specifics remain under wraps, the core issue involves discrepancies in how Android applications are verified and installed. As Bluebox explains, all Android apps carry cryptographic signatures to verify their authenticity. But through the use of some sort of “master key”, malicious coders are able to trick Android into believing an app is unchanged even if its APK code has been modified.
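To show what the signature is supposed to protect, here is an added example (not Bluebox's or Android's code): a simplified JAR-style (APK v1) check that every packaged entry matches the digest recorded in META-INF/MANIFEST.MF, run over a constructed in-memory archive. The signature block over the manifest itself (the .SF/.RSA files) is omitted; the point is the binding of installed bytes to signed digests, which any "change the code, keep the signature" trick has to defeat.

```python
import base64
import hashlib
import io
import zipfile

def sha1_b64(data: bytes) -> str:
    # Digest form used in a JAR/APK MANIFEST.MF: base64(SHA-1)
    return base64.b64encode(hashlib.sha1(data).digest()).decode()

def make_manifest(entries: dict) -> bytes:
    # MANIFEST.MF lists one digest per entry; the signature block then covers it
    lines = ["Manifest-Version: 1.0", ""]
    for name, data in sorted(entries.items()):
        lines += [f"Name: {name}", f"SHA1-Digest: {sha1_b64(data)}", ""]
    return "\r\n".join(lines).encode()

def parse_manifest(raw: bytes) -> dict:
    # Map entry name -> digest the signer vouched for
    digests, name = {}, None
    for line in raw.decode().splitlines():
        if line.startswith("Name: "):
            name = line[len("Name: "):]
        elif line.startswith("SHA1-Digest: ") and name is not None:
            digests[name] = line[len("SHA1-Digest: "):]
            name = None
    return digests

def build_sample_apk(dex: bytes = b"class Main {}", signed_dex: bytes = None) -> bytes:
    # Constructed stand-in for an APK (not a real app). If signed_dex is given the
    # manifest digests it while the archive ships `dex`: code changed after signing.
    entries = {"classes.dex": dex, "AndroidManifest.xml": b"<manifest/>"}
    digested = {**entries, "classes.dex": dex if signed_dex is None else signed_dex}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in entries.items():
            z.writestr(name, data)
        z.writestr("META-INF/MANIFEST.MF", make_manifest(digested))
    return buf.getvalue()

def verify_entries(apk: bytes) -> list:
    # Problems found; an empty list means every installed entry matches its digest
    problems = []
    with zipfile.ZipFile(io.BytesIO(apk)) as z:
        digests = parse_manifest(z.read("META-INF/MANIFEST.MF"))
        for name in (n for n in z.namelist() if not n.startswith("META-INF/")):
            if name not in digests:
                problems.append(f"{name}: no digest in MANIFEST.MF")
            elif sha1_b64(z.read(name)) != digests[name]:
                problems.append(f"{name}: digest mismatch")
    return problems
```

A correctly signed archive yields no problems, while an archive whose classes.dex was swapped after the manifest was produced is reported as a digest mismatch.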

The vulnerability has reportedly been around since the release of Android 1.6 in 2009 and Google was notified about it in February. But due to the way Android updates work, it’s up to manufacturers to produce and release firmware updates for their specific hardware, and so far only the Galaxy S 4 has been patched.

As proof of the vulnerability’s existence, Bluebox CTO Jeff Forristal accompanied his blog post with a screenshot from an HTC device whose system-level software information had been modified to display “Bluebox” in the Baseband Version string (a value normally controlled and configured by the system firmware).

Technical details and related tools will be released at his BlackHat USA 2013 talk by the end of the month.

It’s worth noting that, for all the doom and gloom that Bluebox is spelling out -- it appears to be a serious issue after all -- falling prey to attackers would require you to download an actual app that has been modified with malicious code. In other words, it requires user action, and most likely downloading from a non-official source.

User Comments: 23

madboyv1, TechSpot Paladin, said:

This was from the "More From TechSpot" list: [link]

Man I remember back in the day when that was awesome.

Anyways, for such a wide spread vulnerability I hope manufacturers will get off their asses and get this patched reasonably quickly, but that's probably just wishful thinking. I'll just be careful of what I install. =p

1 person liked this | Guest said:

Ah so that's how an NSA backdoor looks like. Gotcha.

1 person liked this | Phraun said:

In other words, be careful what you download and you'll probably be fine. Seems a bit overblown to me...

1 person liked this | bexwhitt said:

Stick to google play then.

Guest said:

This just in. If you download an app with malicious code, it may do something bad.

ArthurZ ArthurZ said:

I am surprised not to hear about any vulnerabilities in Windows Phones. Is that because they are more secure, or because they only occupy 5% of the market?

1 person liked this | Lionvibez said:

This just in. If you download an app with malicious code, it may do something bad.

Dude you should run for president!

tipstir tipstir, TS Ambassador, said:

Run Dr. Web on the tablet and smartphone. Change the hosts file so you don't fall prey. All the Android ROMs I release have internal protection. Also no tracking either. Besides Play Store there is 1 Mobile Market.

St1ckM4n St1ckM4n said:

I read the original article on the Bluebox website. It seems to be a very fluffed up point they are making and they present no facts to show the supposed master key. Changing baseband? Gee, so l33t h4x0r.

1 person liked this | Darth Shiv Darth Shiv said:

This just in. If you download an app with malicious code, it may do something bad.

Difference is the hacker can make a hacked app appear signed. That's the difference...

Darth Shiv Darth Shiv said:

I am surprised not to hear about any vulnerabilities in Windows Phones. Is that because they are more secure, or because they only occupy 5% of the market?

Would think it is more a function of the market share. Pretty clear that any platform has nasty vulnerabilities if people hit them hard enough.

St1ckM4n St1ckM4n said:

Difference is the hacker can make a hacked app appear signed. That's the difference...

There's a difference between the hash for the app developer, and the hash for the apk version. Since Bluebox doesn't give any details, we have to assume everything they say is pure BS - until proven otherwise.

Guest said:

Do Apple pay for these stories to be published on sites such as Techspot? I'm beginning to wonder.....

roxxas2 said:

There's an even bigger flaw in Android that no one knows about. It's where the app is given privileges to run in the background and do LITERALLY what ever the hell it wants. Turn on the camera, microphone, capture the screen, log any type of data and consume battery life.

If Android were designed like Windows Phone, they wouldn't have to worry about malicious applications.

Darth Shiv Darth Shiv said:

Do Apple pay for these stories to be published on sites such as Techspot? I'm beginning to wonder.....

Apple has got a bit of bad press for nasty iOS bugs recently too iirc

Guest said:

If Android was designed like Windows Phone, nobody would buy them.

1 person liked this | Vrmithrax Vrmithrax, TechSpot Paladin, said:

This just in. If you download an app with malicious code, it may do something bad.

Dude you should run for president!

Nah, he makes too much sense and is obviously too honest for the job...

1 person liked this | Lionvibez said:

Nah, he makes too much sense and is obviously too honest for the job...

lol you may have a point.

Misdirection, lies, and companies in your pocket seem to be the only way to win these days.

Guest said:

I call bull.

So the only patched device is the Samsung GS4? What about the Nexus devices running the most recent official Android updates?

Also that they "demo" the "exploit" on an HTC phone... considering the Android market is mainly Samsung's S4 vs HTC's One currently... Most likely it's a marketing ploy by Samsung.

RH00D RH00D said:

I love how when it's Android that is the OS that has massive security vulnerability it's just "overblown" and "no big deal" but if this was iOS or Windows Phone, the world would be ending as we know it.

St1ckM4n St1ckM4n said:

I love how when it's Android that is the OS that has massive security vulnerability it's just "overblown" and "no big deal" but if this was iOS or Windows Phone, the world would be ending as we know it.

The difference is this: when it happens to Apple (e.g. lockscreen flaw, getting into contacts/photos, etc) it actually happens. This story is just a rumour at the moment and a bad one at that.

...Unless someone else actually has found some facts to support this.

RH00D RH00D said:

The difference is this: when it happens to Apple (e.g. lockscreen flaw, getting into contacts/photos, etc) it actually happens. This story is just a rumour at the moment and a bad one at that.

...Unless someone else actually has found some facts to support this.

So now that Google has a patch to fix this "bad rumor", is it still a "bad rumor"? Or is Google just fixing imaginary problems now?

St1ckM4n St1ckM4n said:

So now that Google has a patch to fix this "bad rumor", is it still a "bad rumor"? Or is Google just fixing imaginary problems now?

Yeah I understand your point, and it seems like I'm clutching at straws... but:

Just because Google released a patch for a 'glitch' doesn't confirm nor deny the claims stated in the OP. The effect could just be the ability to not change APK versions (which could indeed be possible). There is still no evidence to show how one could get the FB app and change significant parts of the OS.
