Bluebox's Android signing flaw has now been exploited by hackers

By on July 26, 2013, 4:30 PM
google, android, malware, app, mobile computing, play store, bluebox

Nearly a month ago, mobile security firm Bluebox uncovered a security flaw in Android that affects almost all devices released over the last four years. The vulnerability would allow malicious code to be injected into any application without altering its cryptographic signature. Ultimately, this permits harmful programs to be completely indistinguishable from their authentic counterparts; at least on a surface level. Symantec commented on the vulnerability, saying, “Attackers no longer need to change these digital signature details. They can freely hijack legitimate applications and even an astute person could not tell the application had been repackaged with malicious code.”

On Tuesday, Symantec spotted the first malware ‘in the wild’ that has successfully exploited the Android app signing flaw. Just a day later, another four contaminated apps were identified, all of which were being downloaded from third-party websites. Overall, Google has been relatively effective at blocking malicious applications from finding their way into the Play Store. Unfortunately, the open concept of the Android platform is proving to be its major downfall. Symantec said, “We expected the vulnerability to be leveraged quickly due to ease of exploitation, and it has.”

Before the discovery, malware-ridden code could be easily identified by examining the app details and noticing that the real publisher didn't actually create the program. This is no longer the case.

So what do malware developers intend to do with the flaw? It would appear that the possibilities are endless. The original two contaminated apps are capable of remotely controlling devices, viewing instant messages and texts, stealing phone numbers, and disabling previously installed mobile security software.

The vulnerability is unfortunately not easy for Google to fix, either. The manufacturers have to design and distribute firmware updates for each device, and there is currently no all-inclusive solution.

Although iOS isn’t immune to malware attacks, the same type of vulnerabilities aren’t present, and may never be. Not only does Apple’s app signing security prevent most contaminated apps from running, but its closed ecosystem eliminates the use of third-party downloads for most users. And unlike Android, which has multiple devices running on its OS, in the event of a security breach, Apple can focus their efforts on patching-up the handful of iPhone variants.

Image credit: Android Foundry




User Comments: 14

Got something to say? Post a comment
1 person liked this | hahahanoobs hahahanoobs said:

"Unfortunately, the open concept of the Android platform is proving to be its major downfall."

+1000

windmill007 said:

Ya that "closed" OS isn't looking half bad now is it.

misor misor said:

"Unfortunately, the open concept of the Android platform is proving to be its major downfall."

+1000

hahaha. good one.

I hope this will "force" google and its partners to effectively upgrade all android 2.3.xx to android 4.xx and for google's partners to provide asap the much needed firmware updates.

I wonder how lucky Symantec is in being able to "spot the the first malware in the wild? that has successfully exploited the Android app signing flaw".

(which leads me to somewhat entertain the idea that the malware security businesses are the ones behind the creation of some of these malwares. )

cliffordcooley cliffordcooley, TechSpot Paladin, said:

which leads me to somewhat entertain the idea that the malware security businesses are the ones behind the creation of some of these malwares.
I've always thought this, which is why I will not purchase security software.

Have you heard the phrase we watch each others backs? Thats the relationship between Anti-Mal-ware and Mal-ware. It's all a front to collect revenue. How could you think otherwise when our own government is fighting for secrecy about surveillance tactics? I wouldn't be surprised if push comes to shove and we found out they were all connected. I would be willing to bet our fight against Mal-ware is a fight against governments collecting information and supporting AV software companies to help motivate them in keeping their mouth shut. With the government putting a muzzle on companies, its an easy conspiracy theory to support. Especially when you read about the efforts of companies counter attempts to government surveillance. That would fall right in line with new Mal-ware definitions.

Guest said:

More proof that open source is not inherently secure than closed source.

1 person liked this | cliffordcooley cliffordcooley, TechSpot Paladin, said:

^^ I didn't realize that was an actual debate!

1 person liked this | Darth Shiv Darth Shiv said:

Um I still don't see the issue. Google Play is yet to be affected. So who is getting infected and where are they getting their apps from?

p51d007 said:

One reason why I don't buy my device from a carrier (other than the restrictions & bloatware), is because I want complete control over the device, not the carrier. Heck, you are lucky to get one update from them during the 2 year contract (USA). I root my device as soon as I get it.

This allows me to blow out the rom that comes with it, and customize it how I see fit. I patched my device from this. The nice thing about apple, is that keep complete control over everything, which helps, but their screen size isn't to my liking (I have a 5.3" screen).

"The manufacturers have to design and distribute firmware updates for each device, and there is currently no all-inclusive solution."

St1ckM4n St1ckM4n said:

Um I still don't see the issue. Google Play is yet to be affected. So who is getting infected and where are they getting their apps from?

'Alternate' sources. Since it is possible on Android (and a big 'feature' over iOS, ironically), people will bash Android for it.

It's like downloading Skyrim from getfreegames.com (made up) and complaining that you are infected.

Darth Shiv Darth Shiv said:

'Alternate' sources. Since it is possible on Android (and a big 'feature' over iOS, ironically), people will bash Android for it.

It's like downloading Skyrim from getfreegames.com (made up) and complaining that you are infected.

Well yes agreed if the site is not reputable, it is a risk but Android does have the distinct advantage that there are multiple reputable stores. E.g. apps from the Samsung store.

St1ckM4n St1ckM4n said:

Well yes agreed if the site is not reputable, it is a risk but Android does have the distinct advantage that there are multiple reputable stores. E.g. apps from the Samsung store.

Pretty much. Samsung store, Amazon, etc. Google doesn't control the requirements here, so we aren't even sure how Amazon et al track the authors or such.

It's a huge advantage over iOS (ability to install from other sources), but in this case it's a disadvantage because people and media only see the bad stuff. Simple solution - turn off the option, use Google Play Store...

Guest said:

More proof that open source is not inherently secure than closed source.

This wasn't ever a debate. What's been said is that it's /likely/ open source is more secure than proprietary software, as the source code is there for everyone to read. Proprietary software allows for the developers to put in spyware and tracking. It also allows for the developer to ignore security holes completely until exploited, even though they know it's there (this has been the case with both Microsoft and Apple many times). Android does not have the best of open source communities, but development projects such as Linux continuously patch security holes because they can be seen by anyone and fixed by anyone.

Darth Shiv Darth Shiv said:

This wasn't ever a debate. What's been said is that it's /likely/ open source is more secure than proprietary software, as the source code is there for everyone to read. Proprietary software allows for the developers to put in spyware and tracking. It also allows for the developer to ignore security holes completely until exploited, even though they know it's there (this has been the case with both Microsoft and Apple many times). Android does not have the best of open source communities, but development projects such as Linux continuously patch security holes because they can be seen by anyone and fixed by anyone.

Yes and security algorithms can be vetted by peers for robustness.

One example of poor proprietary implementation was the Philips Mifare (Classic) card specification. A Mifare card encryption could be cracked by a 5 year old laptop in less than a minute because the security algorithm was effectively trivially brute-force crackable. I think Oyster card used those cards. Maybe a few others.

Emexrulsier said:

The iphone isn't that closed... it wedges my door open quite well tbh I'm well impressed!

Load all comments...

Add New Comment

TechSpot Members
Login or sign up for free,
it takes about 30 seconds.
You may also...
Get complete access to the TechSpot community. Join thousands of technology enthusiasts that contribute and share knowledge in our forum. Get a private inbox, upload your own photo gallery and more.