Security firm claims 99 percent of Android apps open to takeover

Summary: A four-year-old flaw in how Android apps are verified has meant that almost any application can be converted into a trojan, according to security firm Bluebox Security.

Researchers from Bluebox Security claim to have discovered a vulnerability in Android's security model that could allow attackers to convert 99 percent of all applications into a trojan.

According to Bluebox Security CTO Jeff Forristal, who made a very high-level post on the company's blog on how the vulnerability works, applications could be modified to do things like steal data or connect to a botnet and go completely unnoticed by the app store, phone, and end user.

"This vulnerability, around at least since the release of Android 1.6, could affect any Android phone released in the last four years — or nearly 900 million devices."

The core issue behind the vulnerability revolves around how Android applications are verified and installed. Each application has a cryptographic signature, to ensure that the contents of an application have not been tampered with. The vulnerability, however, allows an attacker to change the contents of an application, but still leave the signature intact.

This appears to indicate that the vulnerability may be a simple cryptographic hash collision attack, which is often made possible by a poor choice of hashing algorithm; however, Forristal's post does not go into further detail.

"This vulnerability makes it possible to change an application's code without affecting the cryptographic signature of the application — essentially allowing a malicious author to trick Android into believing the app is unchanged even if it has been."
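To make the verification model described above concrete, here is an added example (not Bluebox's code and not Android's own signing implementation): a simplified, constructed model in which every archive entry is digested, the digests are listed in a manifest, and only the manifest is signed. The installer-side check recomputes every digest, refuses any entry the manifest does not cover, and refuses an archive that is ambiguous about which bytes an entry name refers to. The HMAC key stands in for the developer's private key, and the entry names and contents are constructed sample data.

```python
"""Simplified manifest-based package signing and verification (constructed example).

Model: each entry is hashed, the hashes go into a manifest, and the manifest is
signed. A verifier is only as good as its coverage: it must check every byte the
installer will actually use, and reject anything the signature does not vouch for.
"""
import hashlib
import hmac
import io
import json
import zipfile

# Stands in for the developer's private key; a real scheme would use a public-key signature.
SIGNING_KEY = b"constructed-demo-key"


def build_package(entries: dict) -> bytes:
    """Pack entries into a ZIP with a manifest of SHA-256 digests and a signature over it."""
    manifest = {name: hashlib.sha256(data).hexdigest() for name, data in entries.items()}
    manifest_bytes = json.dumps(manifest, sort_keys=True).encode()
    sig = hmac.new(SIGNING_KEY, manifest_bytes, hashlib.sha256).hexdigest().encode()
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
        zf.writestr("META-INF/MANIFEST.json", manifest_bytes)
        zf.writestr("META-INF/MANIFEST.sig", sig)
    return buf.getvalue()


def verify_package(package: bytes) -> tuple:
    """Return (accepted, reason). Accept only if the signature covers every installed byte."""
    with zipfile.ZipFile(io.BytesIO(package)) as zf:
        names = [info.filename for info in zf.infolist()]
        # An archive that lists the same name twice is ambiguous about which bytes
        # that name refers to; refuse it rather than guess.
        if len(names) != len(set(names)):
            return False, "ambiguous archive: an entry name appears more than once"
        try:
            manifest_bytes = zf.read("META-INF/MANIFEST.json")
            sig = zf.read("META-INF/MANIFEST.sig")
        except KeyError:
            return False, "unsigned: manifest or signature missing"
        expected = hmac.new(SIGNING_KEY, manifest_bytes, hashlib.sha256).hexdigest().encode()
        if not hmac.compare_digest(sig, expected):
            return False, "manifest signature invalid"
        manifest = json.loads(manifest_bytes)
        content = [n for n in names if not n.startswith("META-INF/")]
        for name in content:
            if name not in manifest:
                return False, f"uncovered entry: {name} is not in the signed manifest"
            if hashlib.sha256(zf.read(name)).hexdigest() != manifest[name]:
                return False, f"digest mismatch: {name} was modified after signing"
        missing = sorted(set(manifest) - set(content))
        if missing:
            return False, f"missing entries: {missing}"
    return True, "ok"


def rebuild_with_change(package: bytes, name: str, new_data: bytes) -> bytes:
    """Test helper: copy the archive, replacing (or appending) one entry, manifest untouched.

    This is what a post-signing modification looks like to the verifier: the
    signature and manifest are unchanged, only the content bytes differ.
    """
    src = zipfile.ZipFile(io.BytesIO(package))
    buf = io.BytesIO()
    seen = False
    with zipfile.ZipFile(buf, "w") as dst:
        for info in src.infolist():
            if info.filename == name:
                dst.writestr(name, new_data)
                seen = True
            else:
                dst.writestr(info.filename, src.read(info.filename))
        if not seen:
            dst.writestr(name, new_data)
    return buf.getvalue()


# Constructed sample package: a tiny "app" with code and a resource file.
ORIGINAL = build_package({
    "classes.dex": b"constructed app code v1",
    "res/strings.xml": b"<string>hello</string>",
})
# Same signature and manifest, but the code entry's bytes have been changed.
MODIFIED = rebuild_with_change(ORIGINAL, "classes.dex", b"constructed app code with extra behaviour")
# Same signature and manifest, but an entry the manifest never covered has been added.
EXTRA = rebuild_with_change(ORIGINAL, "lib/extra.so", b"constructed uncovered bytes")

if __name__ == "__main__":
    for label, pkg in (("original", ORIGINAL), ("modified", MODIFIED), ("extra entry", EXTRA)):
        print(label, verify_package(pkg))
```

The point the check makes is the one in the quote above: a signature only protects what it covers, and the verifier must compute its answer from exactly the bytes the installer will go on to use. Any gap between what is verified and what is installed is where a "contents changed, signature intact" condition lives.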

Forristal claims that Bluebox notified Google of the vulnerability in February this year, and that it was assigned the Android security bug identifier 8219321. Google declined to comment on whether it was even aware of the alleged vulnerability, or on whether it had been contacted by Bluebox. The vulnerability is not noted in the issue tracker for the Android Open Handset Alliance Project, where issue IDs only go up to the 57,000 range at this point in time.

The company has not yet released any proof of concept code, but claims that it was able to modify system-level software information on an HTC phone running Android, providing a screenshot on its blog.

If its claims are true, a repackaged application would have full access to the Android system and any of its applications. According to Bluebox, this includes reading any data on the device, stealing account passwords, making calls and sending texts, activating onboard hardware such as the camera or microphone, and, in an extreme case, opening mobile devices up to becoming drones in a mobile botnet.

Forristal said that fixing the problem will be the responsibility of device manufacturers such as HTC and Samsung, as they will need to release firmware updates. Users themselves will also then need to know to install the patch, assuming one is made available.

Although it is not clear how far Google has progressed in responding to Bluebox Security's claims, the security company is scheduled to release detailed information on how the vulnerability works at Black Hat 2013. Along with an explanation of how devices can be exploited, Forristal said he would post a link to the related tools and materials from his talk online.

Topics: Security, Android, Google, Mobile OS, Mobility

Michael Lee

About Michael Lee

A Sydney, Australia-based journalist, Michael Lee covers a gamut of news in the technology space including information security, state Government initiatives, and local startups.

Talkback

25 comments
  • Google has become synonymous with failure

    Google's operating system has become notorious for viruses and security failures.

    But Android is really just Java (deliberately used by Google without permission, and with a UI designed to imitate iOS).
    Tim Acheson
    • where's that virus?

      It's not a virus. Viruses only affect M$'s broken OS and will continue to do so. It's an exploit and it affects all the OSs out there. Besides, Android is still virus free
      shellcodes_coder
    • Virus?

      Go look up the definition.

      Wow, you have time to run your own pathetic hate page but don't understand basic concepts?
      This is malware; it has to trick Google into allowing it into the Play Store and be individually downloaded by a user. What part of that constitutes a virus? Pathetic attempt at misinformation, or you really know SFA!
      Little Old Man
    • You have become synonymous with inaccuracy

      Android is not Java. Android is a Linux-based OS that can run Java applications. Also, Android began development in 2003, and was acquired by Google in 2005. It was announced to be released in 2007, and was first released to the public in 2008. iOS was announced in early 2007, and released later that year. I would hardly call Android a ripoff of iOS; in fact, iOS is more of a ripoff of Android. Besides, the whole theme and design of Android looks absolutely nothing like iOS. Not to mention most of the features in iOS, such as the notification bar and quick settings, have been in Android since its initial release.

      The whole statement about malware in this article is ridiculous. It does not apply to users who actually download trusted apps from the Play Store. No one could repackage an app, and replace the old one with the new one, unless they had directly hacked their developer account. The only way this really applies to, is those people who think they can get away with pirating apps from not so trustworthy websites. I have never loaded any pirated apps, and I also have never acquired any Trojans or viruses.
      Chad_S
      • Chad_S

        Love the avatar mate :)
        Boothy_p
      • Android ...

        ... pre iOS looked NOTHING like it does now. The general design and layout of Android is at best highly derivative of iOS and at worst carbon-copy rip-off.
        bitcrazed
        • Of course, the old icons in a grid argument

          Yes, I would agree. Were it not for the fact we've seen them somewhere before, where was it now................
          Little Old Man
        • Android and iOS do not look very similar.

          iOS looks nothing like Android does today. The only similarity, is the app grid layout, which has been standard to most mobile and desktop OS platforms since the 1990's. iOS has more of a bubbly, and colorful feel, while Android has a more flat, dark and modern theme.
          Chad_S
    • You don't need permission to use a language

      ...because languages cannot be copyrighted or patented. Oracle tried to sue Google over the SSO of the API and lost that case badly because the SSO of an API cannot be protected either.

      Google used Java much to the delight of its designer and original owner, Sun, in order to reduce the learning curve for developers. Compare this with Apple's insistence on the use of Objective C, a language that although just as 'unprotectable' as Java, seems to be used by Apple alone.

      By the way, Apple too has had problems with malware getting into its AppStore. If Microsoft's equivalent actually takes off, they too will suffer this risk. Android is not alone with this problem.

      As for the stupid comment about viruses, others have done a good job of shooting holes in it, so I shall not bother.
      BRC-4c5c4
      • There is a big difference ...

        ... between Google's store and Apple & Microsoft's stores: the latter have strict app validation and certification processes, whereas Google lets almost any app into the party.

        Further, because Android allows you to install any app from any store, users can, and do, install a great deal of malware-ridden trashware ... and then wonder why their data leaks and their phones/tablets start to misbehave.

        Add on top of this, it turns out that Android has a pretty major root vulnerability allowing malicious 3rd parties root access to 95% of all Android devices. So much for open source advocates' claims that many eyes find all bugs.

        Android is essentially now facing the same issues as Win 95/98/XP did.
        bitcrazed
        • Nearly right

          You almost won a prize there.
          While google will let almost any app into play, they validate the app and require signing. Is that true of apple? Validating them is... In fact, you can even use google to validate non-play apps should you wish to download from piratedfilth.russia
          Now, android allows you to install any app from any store - why yes, there is truth to that, android says you can do what you like if you wish to take the risk. However BY DEFAULT, that option is not turned off. Heard of install from non-trusted sources? Know where it is in the menu system to turn it off? 99% android users will not ever see that option let alone turn it on. This exploit is more critical to rooted phones, if you root a phone without knowing what you're doing, it's no different than jailbreaking and you run the same risks.
          You should really do some reading on subjects you're commenting on. You clearly do not know anything about security within android and on individual handsets.
          Little Old Man
  • Poorly designed OS

    The OS is dumped to the market for free. Anybody could abuse it, the beneficiary is Google.
    All personal data on Android smart phones are stolen either by big companies, thugs or shrewd developers.

    Stay out of google products. There are way better and safer alternatives out there.
    OwlllllllNet
    • Meh!

      -1
      daikon
    • Free != Bad, Paid for != Good

      While you have a reputation for asinine comments, this one really is scraping the bottom of the barrel.

      Open Source and free software does have a valid business model. Many companies survive and thrive on it. Just because they don't charge an up front fee for it doesn't make it bad. Just because a company charges for its software doesn't make it good. In fact, there is a strong argument that by publishing the source code and having lots of eyes going over it means that security issues are discovered faster and can be fixed sooner. The proprietary model relies on the principle of "security by obscurity", well recognised as one of the worst methods.
      BRC-4c5c4
  • hmm

    If this gets any worse it may start to rival Windows.......... although with Windows' 18 million viruses/malware bugs, Android has some way to go to beat Microsoft's appalling record.
    DejaVu2
    • Given how popular and widely used

      Android is becoming, I'm not surprised. It's starting to make sense to attack an OS other than Windows if it's as widely used as Android. In reality, malware and viruses really just help confirm the popularity of an OS. It's likely that any widespread, flexible and customizable OS will suffer from such things.
      Sam Wagner
  • how does it work?

    so the flaw makes it possible to change the code without affecting the signature, but how can the code be changed?
    Jean-Pierre-
    • 2 simplest ways

      Somehow persuade google to allow an app with this exploit into play or by hacking the developers update stream and push out infected updates.
      Little Old Man
  • Linux security is flawed by design

    It is the OS job to keep the system safe and secure from malware. Linux is unable to keep its users safe because it is badly designed and has just had security slapped on as a band aid.
    toddbottom3
    • "It is the OS job to keep the system safe and secure from malware."

      Your beloved Windows has been failing miserably on this score for decades now.
      TheGonz