
It’s OK! Android’s latest malware scare probably won’t affect you


What if hackers could take an existing legitimate app or update with a valid digital signature, and modify it in order to use it as a malicious Trojan to access everything on your Android phone or tablet? When researchers from a mobile security startup called Bluebox Security revealed that they had identified just such a vulnerability that affected “99 percent” of Android devices, it made tech headlines across the Web. But should you be worried?

What is the problem?

“This vulnerability, around at least since the release of Android 1.6 (codename: “Donut”), could affect any Android phone released in the last 4 years,” explained Jeff Forristal, Bluebox CTO, in a post on the company blog. He went on to point out that “…a hacker can exploit the vulnerability for anything from data theft to creation of a mobile botnet.”

APK, or Android application package, files are at risk because this flaw allows hackers to alter a legitimate app or update, but retain the digital signature that verifies it as secure. They could create a fake app to steal your passwords and use a legitimate digital signature, so that your Android phone thinks it’s made by a company like Samsung, HTC, or even Google itself. Since device manufacturers and trusted partners produce apps with privileged access to your Android system, the risk of something malicious piggybacking its way onto your phone is very serious.

What’s being done about this?

Bluebox revealed Android security bug 8219321 to Google back in February 2013. Google has already updated the Play Store so that there are checks in place to block any malicious apps using this exploit. Google shared the bug with its hardware partners in the Open Handset Alliance and some manufacturers have already released patches to fix this security issue.

How can I avoid malware?

If you are careful never to leave your phone unattended and you only install apps and updates from Google Play, then there’s no real cause for concern because you’re not really at risk from this exploit. If you want to make sure you’re not affected, go into Settings > Security and make sure that the box allowing installation from “unknown sources” is unchecked.

We’ve discussed the Android app security basics before and they still apply. Criminals are now unable to use the Google Play Store to circulate malware using this exploit, so it’s now safe to download apps there. What you should avoid is installing apps or updates from other sources – even the Samsung or Amazon app stores – at least, for now. Third-party Android app stores and direct links on websites are the most likely delivery methods, but malware could arrive via email, or even transfer onto your device via a USB cable (if you connect your phone to your computer).

“The main problem for spreading malware on Android is to get the user to download and install something from insecure sources (certain third-party markets or directly from the web),” Maik Morgenstern, from the independent security institute, AV-Test, explained to us. “The reported vulnerability doesn’t ‘help’ malware authors here in any way. They would still have a hard time getting their creations in the Google Play Store and even if they succeed, their apps wouldn’t be listed under the original author’s account, of course. [For example,] if they create a trojanized version of Angry Birds, it would be listed under the Malware Authors Name and not under Rovio. So users would hardly stumble over these trojanized apps. If users only download apps from the Google Play Store they should be safe.”

So, I can relax?

The problem with Android is that Google can take action to fix flaws and hacking exploits, but it can’t roll out a system-wide update.

“The main problem is the update policy of many manufacturers,” Morgenstern told us. “Old devices don’t receive updates anymore (so these devices will stay vulnerable) and even updates for new devices can take months.” 

It is up to individual manufacturers and mobile carriers (AT&T, Verizon, T-Mobile, Sprint, etc.) to push updates out to devices. It’s common for older Android devices to be left behind. If you have an older device that’s at risk and you’re not happy sticking to Google Play, then you could be exposed for some time to come.

Update 7-9-2013: Advice from Bluebox

After this article was published, Bluebox contacted us. They are advising users that the best way to reduce the risk of this vulnerability is to “Check with your device manufacturer or your mobile carrier about your specific Android device model and OS version to see if a recent update/fix has been made available.” They also point out that you may need to check the release notes for confirmation that a fix is included in the update. If you can’t find one for your device, they suggest that you should avoid installing anything from outside Google Play for the time being.

The Bluebox CTO, Jeff Forristal, is planning to release technical details of the issue at his talk at Black Hat USA 2013 at the end of the month. It remains to be seen how the major Android device vendors will react. We will keep you posted.

Article originally published 7-8-2013.
