Google releases fix to OEMs for Blue Security Android security hole

Summary: Google has found a fix for a vulnerability in Android's security model that could allow attackers to convert 99 percent of all applications into Trojan malware.


It doesn't get much scarier than this. Bluebox Security claimed to have discovered a vulnerability in Android's security model that could allow attackers to convert 99 percent of all applications into Trojan malware. Google has told ZDNet that the hole has been patched and that the patch has been released to original equipment manufacturers (OEMs).


Bluebox Security CTO Jeff Forristal had said that this Master Key vulnerability has been "around at least since the release of Android 1.6, [and] could affect any Android phone released in the last four years — or nearly 900 million devices."

This security vulnerability is in how Android applications are verified and installed. Each application has a cryptographic signature, to ensure that the contents of an application have not been tampered with. The security hole, however, enables attackers to change the contents of an application while leaving the signature intact.

Gina Scigliano, Google's Android Communications Manager, said that while Google didn't have a statement, she could "confirm that a patch has been provided to our partners - some OEMs, like Samsung, are already shipping the fix to the Android devices."

Thus, Android users will, as they always have, need to rely upon their hardware vendors for this update.

They may not need to worry too much. Scigliano added, "We have not seen any evidence of exploitation in Google Play or other app stores via our security scanning tools. Google Play scans for this issue - and Verify Apps provides protection for Android users who download apps to their devices outside of Play."

  • Only 99%?

    Thank goodness it's not ALL applications. Phew! Guess I'm safe.
    • And no...

      ...Verizon Wireless has NOT issued the patch yet. Surprised?
      • Patched in February by Google

        This was patched in February by Google. That is 5 months before it was discovered by anyone else. If Microsoft had this kind of track record it would be a different world.

        Google even kept it quiet and let the OEM and carriers take their time pushing out OTAs. What more do you want? I can't even remember Apple patching anything 5 months before it was discovered. You want a completely secure device? Never ever turn it on.
        • right.

          Apple releases OS security updates on a regular basis -- today's patch could easily be a would-be vulnerability 5 mos from now...except since Apple is also the hardware provider, their customers get the fix immediately. still waiting on these hardware providers to update their customers....

          you get the difference, right?
          • Not really

            I am a Nexus owner so, no I don't get it. My update came when it was released?
          • Apple? really?

            is that the Apple that released new versions of "PATCHED" iOS without fixing up the passcode vulnerability?
            Is that the same Apple that banned an app developer after he told Apple he created an app with malware in it and it was live in the appstore for weeks to prove that Apple doesn't really know how to vet apps for malware?
            Is this the same Apple that took 4 generations of iphones to admit they were calculating signal strength wrong in their firmware? and then employ a PR "fix" after antennagate by making all signal bars TALLER!
            Is this the same Apple that spends money closing down siriproxy servers instead of fixing up the Siri protocol which makes all iOS devices with Siri exploitable via Siri proxies?
            It can't be surely! Apple is pure goodness.
          • Hardly comparable

            The pass code vulnerability required someone to have physical access to the device. Sure, it's important, but nothing like installing malware infested apps.

            If it were a PC, all bets are off if you have physical access to the device. It's an open book for those who know what they're doing.

            For years I could bypass Android lock screens simply by mashing buttons, the buffer would fill up and the foreground process (the lock screen) would simply crash. I used that several times to save customer data when they'd been locked out. That's fixed now though.
          • Errr?

            Wasn't it Apple who took over 2 years to fix a Java update?
          • No java is on purpose

            Java is one of the standard NSA/CIA approved trojan horse platforms that are required to further national security.
          • @mdelvecchio

            Meh, just last year Apple left unpatched for months its custom version of Java while a patch over a critical vulnerability targeted by the OS X trojan Flashback was long available from Oracle... I wouldn't exactly brag about their reactivity, outside of censoring/modifying Siri results turned in derision in the press... :)
        • Hmmmm

          Trying to figure out if that comment about Microsoft is against Microsoft or helps them?
          In any case, every company keeps unfixed vulnerabilities quiet until someone squeals - like the dimwit from Google a month or so ago.
      • Clever!

        Thanks for the heads-up.

        That's a clever strategy to get customers to upgrade their handsets and enter into a new contract.

        My last Android was a Galaxy S. (The First one), Samsung dropped support for it years ago. I imagine I'll never see it be a secure device or platform, similar to the iPhone platform, which often continues to support the hardware for years. You get what you pay for....
        donald duck 313
        • yes but

          yes, but Donald, with the galaxy S, despite it being 4+ years old, you can easily download and install a jelly bean rom that works awesomely.. one of our colleagues here has one just like that and loves it.

          Let's see you put iOS 7 on a 3G or a 3Gs iPhone... And better yet on the Galaxy S, jellybean is as smooth as butter and completely usable.
          • Hmm

            You have some points, but Android is very rarely "smooth as butter" (butter out of the freezer maybe) even on the latest hardware. It has to do with the nature of Android by design, largely garbage collection, and the huge ram footprint that is required. They all stutter, nothing like an iOS experience really.

            The 3GS from 2009 still runs iOS6. That phone is now four years old. I doubt it will get iOS7 though.
    • safe unless you pirate apps.

      As the article says, you still have to install a malicious app to have it compromise all of your other ones.. or you have to download other apps that have already been modified.

      If you are getting your apps from Google Play or the Amazon store, you are safe, only people that side load apps provided over the net are in danger here.

      Just like any windows app you download from the net.. there is a danger it doesn't just do what it says it does. Get your apps from trusted sources and you are as safe as you can be with any connected device.
    • 99% chinese whispers and THE TRUTH

      Bluebox originally CLAIMED that it makes 99% of Android devices vulnerable, and ZDnet's army of chinese whispering journalists has copied each other and now it's "99% of apps"

      The truth:
      1. Bluebox has an app in the appstore that claims to check if your device has this vulnerability. I ran it on my Dell Streak 5 running CM7 Gingerbread from nearly 2 years ago and it said it's not vulnerable!??!! It also said it couldn't scan a bunch of apps on it because the app is avoiding scanning? um, what the? and yet this "security firm" is making claims about 99% vulnerability. More like 99% FUD.
      2. App in Google Play cannot be changed by a 3rd party so the assumption that hackers can inject malicious code into existing playstore app is wrong.
      3. You have to sideload any malware modified versions of playstore apps.
      4. You can still sideload any malware modified versions of playstore apps even with the patch, if you WANT to. All you have to do is accept the installation despite the permission requests and certificate notifications.
      5. I wasted my time reading about this vulnerability.
    • Meh

      Meh, you would have to install some shady app containing the exploit from some shady 3rd party app store not verifying their apps, then avoid any free antivirus detecting the exploit, to possibly be hacked. If you don't feel safe it is maybe because you ignore those little facts not exactly underlined among this ludicrous FUD, or that you are another insecure Apple fanboi.
  • Too little, too late

    Android is a poorly designed mobile OS and Linux is not secure as it claims to be.

    It's time to dump the malware infected and a spyware OS.
    • Did. No windows here.

      Way too easily infected and a spyware OS.
      • Way too easily infected and a spyware OS.

        Apparently, so is Android. Hence the need for this patch, and not only that, Google sells all of your information for a pittance.

        Now, was your comment about "Way too easily infected and a spyware OS." aimed at Android?

        And as for choice, Android (Google) does their best to lock you into their App Store. If you download from somewhere else, they don't support anything.

        Now, where is your choice that you crow about so often? Apparently not in the Android world.

        A little introspection might be appropriate here.