
It’s OK! Android’s latest malware scare probably won’t affect you


What if hackers could take an existing legitimate app or update with a valid digital signature, and modify it in order to use it as a malicious Trojan to access everything on your Android phone or tablet? When researchers from a mobile security startup called Bluebox Security revealed that they had identified just such a vulnerability that affected “99 percent” of Android devices, it made tech headlines across the Web. But should you be worried?

What is the problem?

“This vulnerability, around at least since the release of Android 1.6 (codename: “Donut”), could affect any Android phone released in the last 4 years,” explained Jeff Forristal, Bluebox CTO, in a post on the company blog. He went on to point out that “…a hacker can exploit the vulnerability for anything from data theft to creation of a mobile botnet.”


APK, or Android application package, files are at risk because this flaw allows hackers to alter a legitimate app or update, but retain the digital signature that verifies it as secure. They could create a fake app to steal your passwords and use a legitimate digital signature, so that your Android phone thinks it’s made by a company like Samsung, HTC, or even Google itself. Since device manufacturers and trusted partners produce apps with privileged access to your Android system, the risk of something malicious piggybacking its way onto your phone is very serious.

What’s being done about this?

Bluebox revealed Android security bug 8219321 to Google back in February 2013. Google has already updated the Play Store so that there are checks in place to block any malicious apps using this exploit. Google shared the bug with its hardware partners in the Open Handset Alliance and some manufacturers have already released patches to fix this security issue.

How can I avoid malware?

If you are careful never to leave your phone unattended and you only install apps and updates from Google Play then there’s no real cause for concern because you’re not really at risk from this exploit. If you want to make sure you’re not affected, go into Settings > Security and make sure that the allow installation from “unknown sources” box is unchecked.

We’ve discussed the Android app security basics before and they still apply. Criminals are now unable to use the Google Play Store to circulate malware using this exploit, so it’s now safe to download apps there. What you should avoid is installing apps or updates from other sources – even the Samsung or Amazon app stores – at least, for now. Third-party Android app stores and direct links on websites are the most likely delivery methods, but malware could arrive via email, or even transfer onto your device via a USB cable (if you connect your phone to your computer).

“The main problem for spreading malware on Android is to get the user to download and install something from insecure sources (certain third-party markets or directly from the web),” Maik Morgenstern, from the independent security institute, AV-Test, explained to us. “The reported vulnerability doesn’t ‘help’ malware authors here in any way. They would still have a hard time getting their creations in the Google Play Store and even if they succeed, their apps wouldn’t be listed under the original author’s account, of course. [For example,] if they create a trojanized version of Angry Birds, it would be listed under the Malware Authors Name and not under Rovio. So users would hardly stumble over these trojanized apps. If users only download apps from the Google Play Store they should be safe.”

So, I can relax?

The problem with Android is that Google can take action to fix flaws and hacking exploits, but it can’t roll out a system-wide update.

“The main problem is the update policy of many manufacturers,” Morgenstern told us. “Old devices don’t receive updates anymore (so these devices will stay vulnerable) and even updates for new devices can take months.” 

It is up to individual manufacturers and mobile carriers (AT&T, Verizon, T-Mobile, Sprint, etc.) to push updates out to devices. It’s common for older Android devices to be left behind. If you have an older device that’s at risk and you’re not happy sticking to Google Play, then you could be exposed for some time to come.

Update 7-9-2013: Advice from Bluebox

After this article was published, Bluebox contacted us. They advise users that the best way to reduce the risk of this vulnerability is to “Check with your device manufacturer or your mobile carrier about your specific Android device model and OS version to see if a recent update/fix has been made available.” They also point out that you may need to check the release notes for confirmation that a fix is included in the update. If you can’t find one for your device, they suggest that you should avoid installing anything from outside Google Play for the time being.

The Bluebox CTO, Jeff Forristal, is planning to release technical details of the issue at his talk at Black Hat USA 2013 at the end of the month. It remains to be seen how the major Android device vendors will react. We will keep you posted.

Article originally published 7-8-2013.

Simon Hill
Former Digital Trends Contributor
Simon Hill is an experienced technology journalist and editor who loves all things tech. He is currently the Associate Mobile…