Researcher Says Vulnerability Affects Nearly Every Android Phone

July 08, 2013

Bluebox Security reported this week that it had discovered a vulnerability affecting 99 percent of Android cell phones that allows a hacker to do anything from stealing data to creating a mobile botnet.

“The implications are huge,” Bluebox chief technical officer Jeff Forristal said in a blog post. “This vulnerability, around at least since the release of Android 1.6 (codename: ‘Donut’), could affect any Android phone released in the last four years, or nearly 900 million devices.”

Forristal, who will present the research at the Black Hat conference in Las Vegas later this month, said the vulnerability allowed a hacker to modify APK (application package file) code without breaking an application’s cryptographic signature. A hacker could turn any legitimate application into a malicious Trojan, “completely unnoticed by the app store, the phone, or the end user.”

He said the vulnerability had been reported to Google in February this year. “It’s up to device manufacturers to produce and release firmware updates for mobile devices, and furthermore for users to install these updates,” Forristal said, adding that the availability of updates varied widely depending on the manufacturer and model.

Forristal said the risk was compounded by the possibility that applications developed by device manufacturers like HTC, Samsung or Motorola could be affected. “Installation of a Trojan application from the device manufacturer can grant the application full access to the Android system and all applications (and their data) currently installed,” he warned.

“The application then not only has the ability to read arbitrary application data on the device (e-mail, SMS messages, documents, etc), retrieve all stored account and service passwords, but it can essentially take over the normal functioning of the phone and control any function thereof -- make arbitrary phone calls, send arbitrary SMS messages, turn on the camera, and record calls.

“Finally, and most unsettling, is the potential for a hacker to take advantage of the always-on, always-connected, and always-moving (therefore hard-to-detect) nature of these ‘zombie’ mobile devices to create a botnet,” he said.

Forristal said the vulnerability made it possible to change the APK code without affecting the cryptographic signatures that Android uses to determine whether an app is legitimate and to verify that it has not been tampered with or modified -- so a hacker can trick Android into believing the app has not been changed, even if it has been.
