What if hackers could take an existing legitimate app or update with a valid digital signature, and modify it in order to use it as a malicious Trojan to access everything on your Android phone or tablet? When researchers from a mobile security startup called Bluebox Security revealed that they had identified just such a vulnerability that affected “99 percent” of Android devices, it made tech headlines across the Web. But should you be worried?
What is the problem?
“This vulnerability, around at least since the release of Android 1.6 (codename: “Donut” ), could affect any Android phone released in the last 4 years,” explained Jeff Forristal, Bluebox CTO, in a post on the company blog. He went on to point out that “…a hacker can exploit the vulnerability for anything from data theft to creation of a mobile botnet.”
APK, or Android application package, files are at risk because this flaw allows hackers to alter a legitimate app or update, but retain the digital signature that verifies it as secure. They could create a fake app to steal your passwords and use a legitimate digital signature, so that your Android phone thinks it’s made by a company like Samsung, HTC, or even Google itself. Since device manufacturers and trusted partners produce apps with privileged access to your Android system, the risk of something malicious piggybacking its way onto your phone is very serious.
What’s being done about this?
Bluebox revealed Android security bug 8219321 to Google back in February 2013. Google has already updated the Play Store so that there are checks in place to block any malicious apps using this exploit. Google shared the bug with its hardware partners in the Open Handset Alliance and some manufacturers have already released patches to fix this security issue.
How can I avoid malware?
If you are careful never to leave your phone unattended and you only install apps and updates from Google Play then there’s no real cause for concern because you’re not really at risk from this exploit. If you want to make sure you’re not affected, go into Settings > Security and make sure that the allow installation from “unknown sources” box is unchecked.
We’ve discussed the Android app security basics before and they still apply. Criminals are now unable to use the Google Play Store to circulate malware using this exploit so it’s now safe to download apps there. What you should avoid is installing apps or updates from other sources – even the Samsung or Amazon app stores – at least, for now. Third-party Android app stores and direct links on websites are the most likely delivery methods, but malware could arrive via email, or even transfer onto your device via a USB cable (if you connect your phone to your computer).
“The main problem for spreading malware on Android is to get the user to download and install something from insecure sources (certain third-party markets or directly from the web),” Maik Morgenstern, from the independent security institute, AV-Test, explained to us. “The reported vulnerability doesn’t ‘help’ malware authors here in any way. The would still have a hard time getting their creations in the Google Play Store and even if they succeed, their apps wouldn’t be listed under the original author’s account, of course. [For example,] if they create a trojanized version of Angry Birds, it would be listed under the Malware Authors Name and not under Rovio. So users would hardly stumble over these trojanized apps. If users only download apps from the Google Play Store they should be safe.”
So, I can relax?
The problem with Android is that Google can take action to fix flaws and hacking exploits, but it can’t roll out a system wide update.
“The main problem is the update policy of many manufacturers,” Morgenstern told us. “Old devices don’t receive updates anymore (so these devices will stay vulnerable) and even updates for new devices can take months.”
It is up to individual manufacturers and mobile carriers (AT&T, Verizon, T-Mobile, Sprint, etc) to push updates out to devices. It’s common for older Android devices to be left behind. If you have an older device that’s at risk and you’re not happy sticking to Google Play then you could be exposed for some time to come.
Update 7-9-2013: Advice from Bluebox
After this article was published, Bluebox contacted us. They are urging users that the best way reduce the risk of this vulnerability is to “Check with your device manufacturer or your mobile carrier about your specific Android device model and OS version to see if a recent update/fix has been made available.” They also point out that you may need to check the release notes for confirmation that a fix is included in the update. If you can’t find one for your device, they suggest that you should avoid installing anything from outside Google Play for the time being.
The Bluebox CTO, Jeff Forristal, is planning to release technical details of the issue at his talk at Black Hat USA 2013 at the end of the month. It remains to be seen how the major Android device vendors will react. We will keep you posted.
Article originally published 7-8-2013.