Android signing flaw uncovered by Bluebox has now been exploited by hackers
By David Tom
Nearly a month ago, mobile security firm Bluebox uncovered a security flaw in Android that affects almost all devices released over the last four years. The vulnerability allows malicious code to be injected into an application's package without invalidating its cryptographic signature, so a tampered app passes the same signature check as the genuine one and is, at least on the surface, indistinguishable from it. Symantec commented on the vulnerability, saying, "Attackers no longer need to change these digital signature details. They can freely hijack legitimate applications and even an astute person could not tell the application had been repackaged with malicious code."
On Tuesday, Symantec spotted the first malware in the wild that successfully exploits the Android app signing flaw. A day later, another four contaminated apps were identified, all of them distributed through third-party websites rather than the Play Store. Google has been relatively effective at keeping malicious applications out of the Play Store; the weak point is that Android lets users install packages from other sources, and that is where these samples are circulating. Symantec said, "We expected the vulnerability to be leveraged quickly due to ease of exploitation, and it has."
Before this flaw, a repackaged app was easy to spot: modifying a package meant re-signing it with the attacker's own key, so the signing certificate shown in the app details no longer matched the real publisher's. With the original signature left intact, that check no longer tells the two apart.
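The article does not describe how the signature survives the tampering. From Bluebox's later public disclosure (and the corresponding fix in the Android source), the trick is an APK that contains two ZIP entries with the same name: the signature verifier hashed one copy while the installer extracted the other. Because an APK is an ordinary ZIP file, the check a practitioner wants is simple: does any entry name appear more than once in the archive? The script below is an added example, not code from the article, Bluebox or Symantec. It builds a constructed in-memory stand-in for an APK (two entries both named `classes.dex`; the contents `benign` and `malicious` are placeholders), flags the duplicate, and shows why name-based lookups are not enough: Python's `zipfile` silently resolves a repeated name to the last copy, so only walking the central directory entry by entry reveals both.

```python
"""Flag APKs that carry duplicate ZIP entry names.

Added example for the Android signing flaw discussed above. The archive
built here is a constructed sample, not a real application.
"""
import io
import warnings
import zipfile
from collections import Counter


def build_sample_apk(duplicate: bool) -> bytes:
    """Build a minimal ZIP that stands in for an APK (constructed sample).

    With duplicate=True the archive has two entries both named 'classes.dex':
    a 'benign' copy first and a 'malicious' copy second. The byte strings are
    placeholders, not real dex code.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", "<manifest/>")
        zf.writestr("classes.dex", b"benign")
        if duplicate:
            # zipfile warns about a repeated name but writes the entry anyway,
            # which is exactly the shape of archive the flaw relies on.
            with warnings.catch_warnings():
                warnings.simplefilter("ignore")
                zf.writestr("classes.dex", b"malicious")
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    return buf.getvalue()


def duplicate_entries(apk_bytes: bytes) -> dict:
    """Return {name: count} for every entry name listed more than once in the
    central directory. A well-formed APK returns an empty dict."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        counts = Counter(info.filename for info in zf.infolist())
    return {name: n for name, n in counts.items() if n > 1}


def is_suspicious(apk_bytes: bytes) -> bool:
    """A package with any repeated entry name should be rejected outright."""
    return bool(duplicate_entries(apk_bytes))


def every_copy(apk_bytes: bytes, name: str) -> list:
    """Return the decompressed bytes of each entry called `name`, in central
    directory order, by opening each ZipInfo directly instead of by name."""
    copies = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if info.filename == name:
                with zf.open(info) as fh:
                    copies.append(fh.read())
    return copies


def by_name(apk_bytes: bytes, name: str) -> bytes:
    """What a naive name-based lookup sees. Python's zipfile keeps the *last*
    central-directory entry for a repeated name, so this returns the second
    copy only; a component that used the first copy would disagree with it."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        return zf.read(name)


if __name__ == "__main__":
    sample = build_sample_apk(duplicate=True)
    print("duplicates:", duplicate_entries(sample))
    print("every copy:", every_copy(sample, "classes.dex"))
    print("by name:   ", by_name(sample, "classes.dex"))
    print("clean APK: ", duplicate_entries(build_sample_apk(duplicate=False)))
```

Run it against a real `.apk` by passing the file's bytes to `duplicate_entries`; anything other than an empty result means the package should not be installed, regardless of whether its signature verifies. The name-based lookup in `by_name` is the cautionary part: two components that each "read `classes.dex`" can legitimately end up with different bytes, which is the disagreement the flaw exploits.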
So what do malware developers intend to do with the flaw? It would appear that the possibilities are endless. The original two contaminated apps are capable of remotely controlling devices, viewing instant messages and texts, stealing phone numbers, and disabling previously installed mobile security software.
The vulnerability is unfortunately not easy to fix across the installed base, either. The fix has to ship in firmware, so each manufacturer must build and distribute an update for each of its devices, and there is currently no single update that reaches them all.
Although iOS isn't immune to malware, the same kind of vulnerability isn't present there, and may never be. Apple's app signing checks stop most tampered apps from running, and its closed ecosystem keeps most users from installing apps from third-party sources at all. And unlike Android, which runs on devices from many manufacturers, Apple can, in the event of a security flaw, concentrate on patching the handful of iPhone variants.
Image credit: Android Foundry