IT Brief New Zealand - Technology news for CIOs & IT decision-makers
99% of Android mobile phones susceptible to newly found takeover attack
Sat, 6th Jul 2013

The Bluebox Security research team has recently released a statement saying that almost all Android mobile phones and tablets are susceptible to an attack that, at worst, could lead to the devices being completely taken over by attackers and/or used for botnets and other nefarious purposes. See the following excerpt from their statement:

The Bluebox Security research team – Bluebox Labs – recently discovered a vulnerability in Android's security model that allows a hacker to modify APK code without breaking an application's cryptographic signature, to turn any legitimate application into a malicious Trojan, completely unnoticed by the app store, the phone, or the end user. The implications are huge! This vulnerability, around at least since the release of Android 1.6 (codename: “Donut”), could affect any Android phone released in the last 4 years – or nearly 900 million devices – and depending on the type of application, a hacker can exploit the vulnerability for anything from data theft to creation of a mobile botnet.

What this boils down to is a bug in the way that apps in the Google Play Store are checked for signature changes. When an app is submitted and security-checked prior to being advertised on the Google Play Store, a 'signature' is made of the app. If the app is later updated, the signature changes. The bug uncovered by Bluebox shows that it's possible for an unscrupulous application author to change the code without the signature changing, meaning that the update goes into the Google Play Store unchecked.

What could these nefarious unchecked apps do to my phone?

Ultimately, this could allow complete control of your phone. Malware could wreak havoc on your phone in the same way it can on a PC. At worst, this is all sorts of nasty: capturing credit card numbers you enter, or using your phone as a botnet member in denial-of-service attacks against other servers/websites (which would eat up your 3G data allowance if you are not using WiFi). On top of that, the software (and its authors) could have unfettered access to the photos, contacts, emails and possibly account details stored on your phone.

It's not all alarm bells though

Don't worry too much yet. The main thing to be aware of is that, as far as can be ascertained, this is a newly uncovered vulnerability, so hopefully it hasn't been exploited by many (or any) nefarious developers yet. Google are now aware of this issue and will no doubt be working hard to resolve it. Until it is resolved, phones will still be vulnerable, so if a dubious author utilises this exploit method in the next few days, it won't be possible for Google to know whether a piece of software on the Google Play Store has been updated with crafty code. The issue for Google, therefore, is what to do with all of the 800,000+ apps available on the store. Any one of them could potentially be suspect, but it's safe to assume that the big-name apps by vendors such as Google, Facebook, Evernote, Twitter, Yahoo and so forth will not be apps of concern.

What should I do?

For today, nothing. I'd imagine that Google will release a fix shortly, so watch your phone or tablet's software update functionality for an update. Unfortunately, not all vendors release updates that follow Google's lead, so if, for example, you have an older Samsung mobile which Samsung no longer support, it is likely that they will not release the Android update that resolves this issue. This is perhaps the largest problem affecting the Android community here: the issue has been around since version 1.6 of the Android operating system, which was released over four years ago. This could mean that a lot of devices out there are vulnerable and will continue to be vulnerable until the owner decides to stop using the device, or gets techy and blows away the custom firmware image, replacing it with a stock Google Android one (which won't necessarily work).