Android bug allows app code change without breaking signatures

Researchers from Bluebox Security have discovered a critical Android flaw that allows attackers to modify the code of any app without breaking its cryptographic signature, and thusly allows them to stealthily plant malicious apps on legitimate app stores and users’ phones.

“This vulnerability, around at least since the release of Android 1.6, could affect any Android phone released in the last 4 years – or nearly 900 million devices- and depending on the type of application, a hacker can exploit the vulnerability for anything from data theft to creation of a mobile botnet,” Jeff Forristal, Bluebox CTO wrote on Wednesday.

He also pointed out that the vulnerability is particularly dangerous if misused to modify applications developed by the device manufacturers or third-parties that work in cooperation with the device manufacturer, as those app are often installed on the device ahead of their sale and are granted full access to Android system and all applications on it.

“The application then not only has the ability to read arbitrary application data on the device (email, SMS messages, documents, etc.), retrieve all stored account and service passwords, it can essentially take over the normal functioning of the phone and control any function thereof (make arbitrary phone calls, send arbitrary SMS messages, turn on the camera, and record calls),” he concluded.

The flaw was responsibly disclosed with Google in February 2013, and the company will be sharing more details about the bug in a talk at the upcoming Black Hat USA security conference in Las Vegas.

Forristal shared with Computerworld that Samsung Galaxy S4 already has the fix, but given that many device manufacturers and carriers are not exactly known for being prompt in distributing firmware updates and patches, it will surely take quite some time to eradicate the flaw.

In the meantime, users are advised to keep their devices updated and always check that the publisher of the app they want to download is the correct one. “IT should see this vulnerability as another driver to move beyond just device management to focus on deep device integrity checking and securing corporate data,” he concluded.

Don't miss