Researchers have uncovered an Android security hole that can be exploited by cybercriminals to turn any legitimate application into a malicious Trojan by modifying the APK code without breaking the targeted app’s cryptographic signature.
Experts from Bluebox Labs, the research team of Bluebox Security, say the vulnerability could affect almost 900 million Android devices. More precisely, Android versions starting with 1.6 are said to be impacted.
Hackers can exploit the flaw for a wide range of purposes, including data theft and the creation of a mobile botnet. And the worst part is that the modified application can go completely unnoticed not only by the end user, but also by the phone and even the app store.
Modifying regular apps is bad enough, but experts warn that the security hole can also be leveraged against applications that are granted special elevated privileges (System UID access), such as the ones developed by the device manufacturers, or third parties that work with the device manufacturers.
Installing a Trojan application that has full permissions allows the attacker to read sensitive data from the phone, and basically take complete control of the device.
“Finally, and most unsettling, is the potential for a hacker to take advantage of the always-on, always-connected, and always-moving (therefore hard-to-detect) nature of these ‘zombie’ mobile devices to create a botnet,” Jeff Forristal, Bluebox CTO, explained.
So how does it work?
All Android applications contain cryptographic signatures that the operating system uses to determine if an application is legitimate, and if it has been tampered with.
However, the vulnerability leverages the discrepancies in how apps are cryptographically verified and installed, allowing an attacker to modify the APK code without breaking the cryptographic signature.
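The article does not give the technical details, so the following is an added illustration, not code from the article or from Bluebox, of what a “discrepancy between verification and installation” means in general and how an installer defends against it. It assumes, purely for illustration, a container (a ZIP, like an APK) in which two entries carry the same name; a verifier that checks the first such entry and an installer that extracts the last one will disagree about the bytes being installed. The single signed SHA-256 digest standing in for the APK manifest signature, the sample entry contents and the entry name `classes.dex` as used here are constructed for the example.

```python
import hashlib
import io
import warnings
import zipfile

# Constructed sample data: what the developer signed and what an attacker would
# like to have installed. A single signed digest of one entry stands in for the
# real APK manifest/signature machinery (assumption for illustration only).
ORIGINAL_DEX = b"original dex bytes"
TAMPERED_DEX = b"tampered dex bytes"
ENTRY = "classes.dex"
SIGNED_DIGEST = hashlib.sha256(ORIGINAL_DEX).hexdigest()


def build_package(duplicate: bool) -> bytes:
    """Build an in-memory ZIP; with duplicate=True a second entry reuses ENTRY's name."""
    buf = io.BytesIO()
    with warnings.catch_warnings():
        warnings.simplefilter("ignore")  # zipfile warns about duplicate names but writes them
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr(ENTRY, ORIGINAL_DEX)
            if duplicate:
                zf.writestr(ENTRY, TAMPERED_DEX)
    return buf.getvalue()


def naive_verify(package: bytes) -> bool:
    """Models a verifier that hashes the FIRST entry named ENTRY in the central directory."""
    with zipfile.ZipFile(io.BytesIO(package)) as zf:
        for info in zf.infolist():
            if info.filename == ENTRY:
                with zf.open(info) as f:
                    return hashlib.sha256(f.read()).hexdigest() == SIGNED_DIGEST
    return False


def naive_install(package: bytes) -> bytes:
    """Models an installer that looks entries up by name; zipfile's name map keeps the LAST one."""
    with zipfile.ZipFile(io.BytesIO(package)) as zf:
        return zf.read(ENTRY)


def hardened_verify_and_install(package: bytes) -> bytes:
    """Defensive variant: reject ambiguous containers and verify exactly the bytes installed."""
    with zipfile.ZipFile(io.BytesIO(package)) as zf:
        names = [info.filename for info in zf.infolist()]
        if len(names) != len(set(names)):
            raise ValueError("ambiguous package: duplicate entry names")
        data = zf.read(ENTRY)  # the one and only candidate for installation
    # Verify the very bytes that would be installed, not a separately parsed copy.
    if hashlib.sha256(data).hexdigest() != SIGNED_DIGEST:
        raise ValueError("signature mismatch")
    return data


if __name__ == "__main__":
    clean, doubled = build_package(False), build_package(True)
    print("clean package: verify =", naive_verify(clean), "installs original =",
          naive_install(clean) == ORIGINAL_DEX)
    # The verifier still says OK, but the installer would write the tampered bytes.
    print("doubled package: verify =", naive_verify(doubled), "installs tampered =",
          naive_install(doubled) == TAMPERED_DEX)
    try:
        hardened_verify_and_install(doubled)
    except ValueError as err:
        print("hardened installer rejects it:", err)
```

The design point is that the signature check and the installation must operate on the same parsed representation of the package; a verifier that can be satisfied by one reading of the container while the installer acts on another is exactly the kind of discrepancy the article describes. Rejecting ambiguous input outright (here, duplicate entry names) is simpler and safer than trying to make every consumer agree on how to resolve it.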
The vulnerability was reported to Google in February 2013. However, now it’s up to the device manufacturers to develop and release firmware updates for their products.
Technical details of the vulnerability will be presented by experts at the upcoming BlackHat USA 2013 security conference.