Android OEMs slow to roll out Bluebox Security patch

Summary: Google released the Bluebox Security fix days ago but only a handful of OEMs have released the patch to customers. On the bright side, there's now an Android app available to scan for the security hole.


The scary news was that Bluebox Security had found a way to break Android's application security model: an attacker can modify an app's code without invalidating its cryptographic signature, so in principle almost any Android app could be trojanized. The hopeful news was that Google quickly released a patch for the hole to its phone original equipment manufacturers (OEMs). The annoying news is that almost none of those OEMs have shipped the patch to customers.

OEMs are being painfully slow about releasing the Bluebox Security patch, but Bluebox itself has released a scanner app for it.

Worse still, there's now a public proof of concept for the security hole. That makes it a near certainty that real malware using it will follow soon.

What's a user to do? For starters, there's no need to panic: a few simple security rules for your Android device will keep you clear of apps that have been tampered with using this exploit.

What the OEMs should be doing, and for the most part aren't, is releasing the patch so there will be no reason to worry about it. At this time, the only Android smartphones and tablets I'm certain have the patch are the Samsung Galaxy S4, the HTC One, and hardware running the latest version of the alternative Android firmware CyanogenMod.

According to Gina Scigliano, Google's Android Communications Manager, Google has "not seen any evidence of exploitation in Google Play or other app stores via our security scanning tools. Google Play scans for this issue - and Verify Apps provides protection for Android users who download apps to their devices outside of Play." Verify Apps is a security feature in Android 4.2 and later. It checks any app you download and install, including apps obtained outside Google Play, against Google's database of known-safe apps.

Scigliano also said that "Nexus devices will receive the fix in an upcoming software update."

In the meantime, if you want to be sure that there are no compromised apps on your device, Bluebox Security has released an Android program, Bluebox Security Scanner, that looks for apps that try to take advantage of this flaw.

In addition, Bluebox Security Scanner checks whether your device is vulnerable to, or patched against, the Bluebox "Master Key" flaw. The scanner also checks whether your system is set to allow installs from outside Google Play; third-party Android markets are the most likely vector for tampered apps.
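The mechanism behind the "Master Key" flaw is not described in this article, but Bluebox and Google's patch have since made it public: an APK is a ZIP archive, a ZIP can carry two entries with the same name, and Android's signature verifier and its installer resolved such a duplicate to different copies, so the signed copy passed verification while the other copy was what got installed. Google's fix makes the platform reject an APK whose archive contains duplicate entry names. The following is an added example, not Bluebox Security Scanner's code and not any Google code, showing the check a scanner would run over an APK file: flag any entry name that occurs more than once in the ZIP central directory. The sample "APK" is constructed in memory with placeholder contents and no real signature, and the names `build_sample_apk`, `duplicate_entries`, `is_suspicious` and `python_reads_copy` are chosen here for illustration.

```python
import io
import warnings
import zipfile
from collections import Counter

# Constructed sample: a minimal APK-shaped ZIP. Entry names mirror what a real
# APK carries; the contents are placeholders and nothing here is actually signed.
ORIGINAL_DEX = b"dex\n035\x00 original classes.dex bytes (the copy a signer would list)"
TAMPERED_DEX = b"dex\n035\x00 attacker classes.dex bytes (same entry name, second copy)"


def build_sample_apk(tampered: bool) -> bytes:
    """Return ZIP bytes; with tampered=True the archive carries classes.dex twice."""
    buf = io.BytesIO()
    with warnings.catch_warnings():
        warnings.simplefilter("ignore")  # zipfile warns on duplicate names; we want them
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
            zf.writestr("AndroidManifest.xml", b"<manifest/>")
            zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
            zf.writestr("classes.dex", ORIGINAL_DEX)
            if tampered:
                zf.writestr("classes.dex", TAMPERED_DEX)
    return buf.getvalue()


def duplicate_entries(apk: bytes) -> dict:
    """Map every entry name that occurs more than once in the central directory
    to its count. zipfile keeps every central-directory record in infolist()
    even when names collide, so each copy is visible to this check."""
    with zipfile.ZipFile(io.BytesIO(apk)) as zf:
        counts = Counter(info.filename for info in zf.infolist())
    return {name: n for name, n in counts.items() if n > 1}


def is_suspicious(apk: bytes) -> bool:
    """The scanner's verdict: any duplicated name is a red flag. A patched Android
    refuses to parse such an archive; an unpatched one may verify one copy and
    install the other."""
    return bool(duplicate_entries(apk))


def python_reads_copy(apk: bytes, name: str) -> bytes:
    """Which copy a parser returns for a duplicated name is an implementation
    detail: Python's zipfile returns the last one. Two parsers that make
    different choices are exactly why the duplicate is dangerous."""
    with zipfile.ZipFile(io.BytesIO(apk)) as zf:
        return zf.read(name)


if __name__ == "__main__":
    for label, apk in (("clean", build_sample_apk(False)),
                       ("tampered", build_sample_apk(True))):
        verdict = "SUSPICIOUS" if is_suspicious(apk) else "ok"
        print(f"{label}: {verdict} {duplicate_entries(apk)}")
```

Run against a real APK pulled off a device, the same `duplicate_entries` check applies to the file's bytes unchanged. Note that this detects a tampered package; it does not tell you whether the device itself is patched, and it says nothing about the "unknown sources" setting the scanner also checks, which is a separate query of the device's system settings.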

To sum up, if you're careful about where you download your Android software, you should be reasonably safe whether your system is patched or not; keep in mind that a scanner can only tell you a tampered app or an unpatched device is present, it cannot fix either. That said, it would be good for the OEMs to get on with integrating Google's patch into their customized versions of Android so we can all have safer devices and stop worrying about the problem altogether.

  • 7 days should be more than enough ...

    • yes, it is enough

      • eulampius: "yes, it [7 days] is enough"

        o Bluebox Security notified Google of the Android flaw in February, 2013
        o Google informed their Open Handset Alliance (OHA) partners of the Android flaw in early March, 2013
        o Patches for the vulnerability started rolling out in early July, 2013

        It's all here:

        "Android flaw lets attackers modify apps without breaking signatures
        July 3, 2013"

        Funny that Linux is first in supercomputing, but many of its fans can't even count. Or get confused between days and months.

        I wonder how close Amazon is to patching this Android flaw for its Android Open Source Project-based devices. Hopefully, they're as nimble as are the CyanogenMod developers.

        Finally, Google and its OHA partners, Amazon and Android device users should consider themselves fortunate that Bluebox Security researchers had the ethics to not openly disclose this Android vulnerability as Google's Tavis Ormandy recently did with a Microsoft Windows vulnerability. Recall that this particular Android vulnerability goes back to at least Android version 1.6.
        Rabid Howler Monkey
  • Android has a security hole??

    Wait, it can't be!!! What about all that baloney about Linux based operating systems being incredibly secure and no one ever being able to crack that beautiful security model!!!!

    Welcome to the world of hackers. Nothing is secure and the best part is that the distribution model for Android stinks. At least with Windows or iOS, a specific vendor has responsibility to get security patches out.

    With Android, Google isn't responsible for anything. Security costs money so the phone vendors have no interest in it...

    Nice way to secure the OS, just don't do anything and hope nothing happens.
    • It's not a security failure in the Linux core..

      It's a security failure in Android. Android *runs* on Linux - it isn't Linux.
      • IS or ON

        And next time someone needs to pump up Linux, they will argue that Android IS Linux.
        • Madfry

          So true.
          Dreyer Smit
        • It's called "context".

          Android is a Linux distribution; it is not the Linux kernel.

          This security bug is about circumventing an application's cryptographic signature, and not about breaking the kernel's security model.

          So I would say that Cynical99's comment is out of context, and I suspect deliberately so.
          • Speaking of distribution

            I think Cynical99 was mocking the issue where Linux fans point out that Android IS Linux when something good is reported, but when something bad is reported Android is the failure, not Linux.

            Anyhow, there is a security flaw and regardless of where the blame for that failure is placed, you bring up a great point about Android being a Linux distribution.

            In that respect, why is it so freaking hard for the Android distributions to get updates or patches? This exploit is highlighting just how entirely flawed the Android distribution really is in that regard. Imagine any type of exploit that could be found in the various flavors and versions of Android. All of them suffer the same problem of an almost complete inability to deliver a solution to those issues.
          • And yet his "mocking" is an example of the problem.

            When something "is Linux", there is always a context. So to point and cry:

            "There is a security flaw in Linux oranges! What are your Linux apples worth now?"

            is frankly silly.
          • @Zogg

            How is it a Linux distribution without a Linux kernel? In my understanding, anything on top of the kernel or something in the OS layer makes a distribution.
      • My choice will be either Jolla or Ubuntu Phone...

        ...and one thing is sure: I won't buy an iPhone or a Windows Phoney.
      • @TheWerewolf

        Everyone argues that Android is "a" Linux because it runs on Linux. :-P

        I agree though that it is not a failure in Linux core. If it was, all the Linux cores would be fixed by now(except Android, that I am sure).

        The most popular version of Linux is haunted with security failures. Ironic, isn't it?
    • despite the fact

      that Android has a security hole, despite another fact that it is possible to install a trojan, there has been no case yet of infection in the celebrated MS Windows way, via:
      -- inserting a media
      -- clicking on a web link, visiting a webpage
      -- opening a document, email attachment
      -- through MS Remote Procedure Call

      Now some real evidence. The main reason this mess exists with Android is the same mess Linus Torvalds was referring to. Many SoC manufacturers are busy writing hacks for their own systems; more so, these hacks are proprietary. They rarely bother pushing their code upstream. Hopefully, things will change.
      >>With Android, Google isn't responsible for anything.
      Neither is Microsoft. Please reread your Windows EULA.
      • @eulampius

        I think he is talking about the responsibility of making the fix available to the end user. If it is otherwise (like data loss or such cases), his argument is moot.
    • Planned obsolescence

      I've said it many times before but it looks to me like Google, their hardware partners and the telecoms have a plan to not bother with updates, forcing users to buy new phones if they want the latest and greatest. No wonder they can brag about the number of activations. They sell more phones because that's the only way to get updates. Quite a racket those guys got going.
      Andre Richards
  • The reason why....

    I won't recommend Android to anyone. You don't know if or when you'll get security updates, or even software upgrades. And when you're hit by some malware attack somehow it's your fault for not buying the latest phone or forcing updates.

    It's also the reason why I won't recommend HTC to anyone anymore. They're notoriously slow with updates.
    Dreyer Smit
    • That's why you're best off on iOS

      The reason why I wouldn't recommend iOS to anyone....
      is that with Android YOU DON'T HAVE TO WAIT for an OEM to push an update.
      Something that you iPhone owners seem to ignore constantly when it suits you.
      • @Funkmonkey

        With iOS, even if you do not jailbreak, YOU DON'T HAVE TO WAIT for an OEM to push an update. Read SJVN's article about how to prevent the security hole. He mentioned not to do what you do with your suggestion.

        Even though I hate Apple, Apple's route is the good way to go. Hold the key with you rather than distribute the key to whoever wants it.
  • What happened to the promise of Android

    I was an Android early adopter, got one before Android saw its big boost in popularity in 2009, and I loved the notion of an open source mobile OS, but somewhere along the way, while Google was busy whoring Android out to every taker, Android just fell apart. Google could have retained some degree of quality control with Android phones. Sure, it's open source so anyone can use it, but Google owns the Android trademark and could have easily withheld the use of that by OEMs and telecoms to promote a product if it didn't meet certain quality expectations, one being the ability of said OEMs and the telecoms to deliver timely updates. But Google didn't see the value in that and just rushed in to upstage Apple.

    I don't get it. It had so much going for it, but iOS is really where it's at now, despite being a closed platform. Android went from being the promise of something new and exciting and even potentially revolutionary to a complete and utter clusterf**k. They can't even get a simple update pushed out. What happened?
    Andre Richards