Researchers from Bluebox Security claim to have discovered a vulnerability in Android's security model that could allow attackers to turn 99 percent of all applications into trojans.
According to Bluebox Security CTO Jeff Forristal, who made a very high-level post on the company's blog on how the vulnerability works, applications could be modified to do things like steal data or connect to a botnet and go completely unnoticed by the app store, phone, and end user.
"This vulnerability, around at least since the release of Android 1.6, could affect any Android phone released in the last four years — or nearly 900 million devices."
The core issue behind the vulnerability revolves around how Android applications are verified and installed. Each application has a cryptographic signature, to ensure that the contents of an application have not been tampered with. The vulnerability, however, allows an attacker to change the contents of an application, but still leave the signature intact.
The description suggests that the vulnerability may be a simple cryptographic hash collision attack, often made possible by a poor choice of hashing algorithm; however, Forristal's post doesn't go into further detail.
"This vulnerability makes it possible to change an application's code without affecting the cryptographic signature of the application — essentially allowing a malicious author to trick Android into believing the app is unchanged even if it has been."
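The property described above, that a package's signature should break whenever its contents change, is easy to demonstrate with a small manifest-based verifier. The following is an added example and is not code from Bluebox or from the Android platform; it uses an HMAC-SHA256 over the manifest as a stand-in for the certificate-based APK signature, and the package contents and signing key are constructed for the demo. The verifier insists that the manifest covers exactly the entries in the archive and rejects archives whose entry list is ambiguous, because it must judge exactly the bytes the installer will later use.

```python
import hashlib
import hmac
import io
import zipfile

# Constructed stand-in for a vendor signing key. A real APK is signed with an
# RSA/ECDSA certificate; HMAC is enough to show how the signature binds the
# manifest and the manifest binds every file.
SIGNING_KEY = b"constructed-demo-key-not-a-real-secret"
MANIFEST = "META-INF/MANIFEST.MF"
SIGNATURE = "META-INF/MANIFEST.SIG"

# Constructed sample package contents (not real bytecode).
SAMPLE_APP = {
    "classes.dex": b"dex\n035\x00" + b"constructed bytecode",
    "AndroidManifest.xml": b"<manifest package='com.example.demo'/>",
}


def _digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(entries: dict[str, bytes]) -> bytes:
    # One "Name:" / "SHA-256-Digest:" record per file, JAR-manifest style.
    lines = []
    for name in sorted(entries):
        lines.append(f"Name: {name}")
        lines.append(f"SHA-256-Digest: {_digest(entries[name])}")
        lines.append("")
    return "\n".join(lines).encode()


def parse_manifest(raw: bytes) -> dict[str, str]:
    digests, name = {}, None
    for line in raw.decode().splitlines():
        if line.startswith("Name: "):
            name = line[len("Name: "):]
        elif line.startswith("SHA-256-Digest: ") and name is not None:
            digests[name] = line[len("SHA-256-Digest: "):]
            name = None
    return digests


def sign_package(entries: dict[str, bytes]) -> bytes:
    # Digest every file into the manifest, then sign only the manifest.
    manifest = build_manifest(entries)
    sig = hmac.new(SIGNING_KEY, manifest, hashlib.sha256).hexdigest().encode()
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
        zf.writestr(MANIFEST, manifest)
        zf.writestr(SIGNATURE, sig)
    return buf.getvalue()


def verify_package(blob: bytes) -> tuple[bool, str]:
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        names = [info.filename for info in zf.infolist()]
        # An archive that lists the same name twice is ambiguous about which
        # bytes will be installed, so it is refused before anything is checked.
        if len(names) != len(set(names)):
            return False, "duplicate entry names"
        if MANIFEST not in names or SIGNATURE not in names:
            return False, "unsigned package"
        manifest = zf.read(MANIFEST)
        expected = hmac.new(SIGNING_KEY, manifest, hashlib.sha256).hexdigest().encode()
        if not hmac.compare_digest(expected, zf.read(SIGNATURE)):
            return False, "manifest signature mismatch"
        digests = parse_manifest(manifest)
        content = [n for n in names if n not in (MANIFEST, SIGNATURE)]
        # Every archive entry must be in the manifest and vice versa.
        if set(content) != set(digests):
            return False, "manifest does not cover exactly the archive contents"
        for name in content:
            if _digest(zf.read(name)) != digests[name]:
                return False, f"digest mismatch for {name}"
    return True, "ok"


def tamper(blob: bytes, name: str, new_data: bytes) -> bytes:
    # Rebuild the archive with one entry replaced while leaving the original
    # META-INF files untouched: the case a sound verifier has to catch.
    buf = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(blob)) as src, zipfile.ZipFile(buf, "w") as out:
        for info in src.infolist():
            data = new_data if info.filename == name else src.read(info.filename)
            out.writestr(info.filename, data)
    return buf.getvalue()


if __name__ == "__main__":
    good = sign_package(SAMPLE_APP)
    print(verify_package(good))                       # (True, 'ok')
    print(verify_package(tamper(good, "classes.dex", b"modified")))
```

Run it as a script to see the signed package verify and the modified copy fail on the per-file digest. The point of the split between signature and manifest is that the signature stays valid only as long as every file still matches the digest the signer committed to; a verifier that skipped either the "covers exactly the contents" check or the per-entry digest comparison would accept changed code under an unchanged signature, which is the outcome Forristal describes.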
Forristal claims that Bluebox notified Google of the vulnerability in February this year, and that it was assigned the Android security bug identifier 8219321. Google declined to comment on whether it was even aware of the alleged vulnerability, or whether it had been contacted by Bluebox. The vulnerability is not noted in the issue tracker for the Android Open Handset Alliance Project, and issue IDs there only go up to the 57,000 range at this point in time.
The company has not yet released any proof of concept code, but claims that it was able to modify system-level software information on an HTC phone running Android, providing a screenshot on its blog.
If its claims are true, a repackaged application would have full access to the Android system and any of its applications. According to Bluebox, this includes reading any data on the device, stealing account passwords, making calls and sending texts, activating onboard hardware such as the camera or microphone, and, in an extreme case, opening mobile devices up to becoming drones in a mobile botnet.
Forristal said that fixing the problem will be the responsibility of device manufacturers such as HTC and Samsung, as they will need to release firmware updates. Users themselves will also then need to know to install the patch, assuming one is made available.
Although it is not clear how far Google has progressed in responding to Bluebox Security's claims, the security company is scheduled to release detailed information on how the vulnerability works at Black Hat 2013. Along with an explanation of how devices can be exploited, Forristal said he would post a link to the related tools and materials from his talk online.