Android

99% of Android devices can be completely 'taken over' through a massive vulnerability hole

Chris P. posted by Chris P.   /  Jul 04, 2013, 9:11 AM
99% of Android devices can be completely 'taken over' through a massive vulnerability hole
Ouch! Let us reiterate: that one ought to sting. Especially after the latest report already putting Android up there as the most compromised and targeted mobile OS.

Mobile security start-up, Bluebox, has released a statement on their blog that they have discovered a vulnerability in Android's security model, allowing hackers to slip malicious code into Android devices unnoticed by your phone's built-in defensive mechanism. 

The scope of this vulnerability? 99%, or about 900 million Android devices. Nope, no typo there, according to the company, which first notified Google of the threat in February this year. Apparently, the vulnerability goes back all the way to Android 1.6 “Donut”, or any Android device released in the last 4 years.

Spooky, but in a typical horror movie fashion, we want to know more:

“The vulnerability involves discrepancies in how Android applications are cryptographically verified & installed, allowing for APK code modification without breaking the cryptographic signature.”

A screenshot by Bluebox demonstrates complete control over the OS

A screenshot by Bluebox demonstrates complete control over the OS

If mobile security isn't your strongest suit, here's a breakdown of how it works. Cryptographic signatures are a part of any and all Android apps, their use – to help your droid verify whether the app is legit and if any tampering of the code has taken place. Further spelling it out for us, Bluebox asserts that the glitch allows the not-too-nice folks out there to change app code “without affecting the cryptographic signature of the application – essentially allowing a malicious author to trick Android into believing the app is unchanged even if it has been.”

To put this into perspective, the statement claims, apart from the usual Trojan mischief (think SMS tolls), a malicious app taking massive advantage of the hole:

“Has the ability to read arbitrary application data […], retrieve all stored account & service passwords […], make arbitrary phone calls, send arbitrary SMS messages, turn on the camera, record calls,”

How serious can this get? We don't know, but it's comforting to know that Google is aware of the issue and has already updated their Google Play approval process, blocking out apps with this problem. 

Bluebox CTO, Jeff Forristal, announced that he will cover the issue in technical detail in his upcoming Black Hat USA 2013 talk.

source: BlueBox via VentureBeat

FEATURED VIDEO

Options

38 Comments

chunk1x
Reply

1. chunk1x

Posts: 248; Member since: Jun 25, 2011

For android fans, they called this problem a YOLO.

posted on Jul 04, 2013, 9:17 AM

SuperAndroidEvo
Reply

10. SuperAndroidEvo

Posts: 4888; Member since: Apr 15, 2011

There is NOTHING that is hack proof. The US Government can be hacked, Verizon, AT&T, Android, Apple & anything under the sun. I always find these articles just so pointless. Just so we know boys & girls.... if you are on the web or if you own a computer or smartphone there is a HUGE vulnerability hole to everything. That includes all the goverments of the world. It's like every week the same article is written but with different titles. lol

posted on Jul 04, 2013, 9:41 AM

chunk1x
Reply

13. chunk1x

Posts: 248; Member since: Jun 25, 2011

The problem with hardcore fans of all sides is that take a silly joke way to seriously.

posted on Jul 04, 2013, 9:49 AM

alterecho
Reply

16. alterecho

Posts: 1106; Member since: Feb 23, 2012

Wonder what some replys would have been if it were Apple that was affected.

posted on Jul 04, 2013, 10:09 AM

chunk1x
Reply

17. chunk1x

Posts: 248; Member since: Jun 25, 2011

In that iOS camp, denial and end of the world state of mind for iFans. Then followed by angry mob with pitch forks and torches to the unlucky prankster.

posted on Jul 04, 2013, 10:17 AM

Jobayer
Reply

26. Jobayer

Posts: 167; Member since: Feb 22, 2013

Dude, if u find them pointless, dont read them . Yes nothing is hack proof .But the problem is there for 4 yrs !!!

posted on Jul 04, 2013, 12:45 PM

SuperAndroidEvo
Reply

39. SuperAndroidEvo

Posts: 4888; Member since: Apr 15, 2011

The reason why I find these articles pointless is because they are CLEARLY stating the obvious. It's like saying humans die if they don't breathe air. We all know that anything computer related can be hacked yet we consistently keep reading the same article with just a different title. Tell us something we don't know. Also buddy please get a clue. lol

posted on Jul 05, 2013, 8:04 AM

RaKithAPeiRiZ
Reply

2. RaKithAPeiRiZ

Posts: 1488; Member since: Dec 29, 2011

app data and payment records? ..if they hack mine ,all they will find is a phone full of pirated apps

posted on Jul 04, 2013, 9:19 AM

grahaman27
Reply

4. grahaman27

Posts: 364; Member since: Apr 05, 2013

Pirated apps is where malicious code can come from.

posted on Jul 04, 2013, 9:23 AM

SuperAndroidEvo
Reply

12. SuperAndroidEvo

Posts: 4888; Member since: Apr 15, 2011

Yeah that phone of his is the dirtiest virus/malware phone on Earth. I hope he at least practices safe sex. lol +1

posted on Jul 04, 2013, 9:45 AM

amansingal14
Reply

5. amansingal14

Posts: 309; Member since: Sep 08, 2012

lol +1

posted on Jul 04, 2013, 9:23 AM

SonyXperiaNexus
Reply

8. SonyXperiaNexus

Posts: 374; Member since: Oct 01, 2012

lol, but they can still get your passwords, record your phonecalls, read and send sms and use the camera to see what ur doing, pretty scary if u ask me

posted on Jul 04, 2013, 9:31 AM

feres13
Reply

18. feres13

Posts: 307; Member since: Dec 23, 2011

I hope that by "pirated apps" you mean apps that aren't from the Play store, not paid apps from the Play store that you got for free

posted on Jul 04, 2013, 10:17 AM

Shatter
Reply

28. Shatter

Posts: 2036; Member since: May 29, 2013

By pirated he means he downloaded paid apps for free.

posted on Jul 04, 2013, 1:05 PM

grahaman27
Reply

3. grahaman27

Posts: 364; Member since: Apr 05, 2013

As of right now there is no reason to fear getting malware on your phone if you use your phone like 99% of people do.

posted on Jul 04, 2013, 9:21 AM

RaKithAPeiRiZ
Reply

6. RaKithAPeiRiZ

Posts: 1488; Member since: Dec 29, 2011

there is nothing to worry because the NSA's already taking care of it

posted on Jul 04, 2013, 9:27 AM

boosook
Reply

7. boosook

Posts: 1442; Member since: Nov 19, 2012

Come on... this happens only if you install malicious apps downloaded from outside the market, so it will affect only a minority of users which implicitly accept the risk. That's not 99% of Android users. Anyway I agree that this is a nasty bug.

posted on Jul 04, 2013, 9:30 AM

SonyXperiaNexus
Reply

9. SonyXperiaNexus

Posts: 374; Member since: Oct 01, 2012

http://cdn.meme.li/instances/300x300/39412914.jpg

posted on Jul 04, 2013, 9:38 AM

Samsomesh
Reply

11. Samsomesh

Posts: 195; Member since: Jun 11, 2012

Google should introduce it's own antivirus that will have access to all the system..:

posted on Jul 04, 2013, 9:43 AM

medicci37
Reply

14. medicci37

Posts: 1361; Member since: Nov 19, 2011

Every time I play wwf last 2 days a very annoying add 4 a new movie keeps playing. & sometimes when I'm not. Anyone know how 2 stop this?

posted on Jul 04, 2013, 9:55 AM

darkkjedii
Reply

15. darkkjedii

Posts: 30875; Member since: Feb 05, 2011

Android fanboys call this innovation. Android users realize this is an issue.

posted on Jul 04, 2013, 9:57 AM

grahaman27
Reply

22. grahaman27

Posts: 364; Member since: Apr 05, 2013

Its not an issue, its an exploit. to say its an issue is like someone saying that being able to jailbreak an iphone is an issue. this is not a virus, this is one exploit. iOS can have the same problem just an FYI.

posted on Jul 04, 2013, 10:42 AM

darkkjedii
Reply

25. darkkjedii

Posts: 30875; Member since: Feb 05, 2011

It has had it. FYI

posted on Jul 04, 2013, 11:34 AM

blingblingthing
Reply

36. blingblingthing

Posts: 912; Member since: Oct 23, 2012

It isn't an issue for any tech savvy person, stick to legit sources and stay safe.

posted on Jul 04, 2013, 9:28 PM

ama3654
Reply

19. ama3654

Posts: 295; Member since: Nov 27, 2012

You forgot to mention Galaxy S4 is immune to it. "Bluebox claims that it notified Google of the exploit in February. According to CIO, Bluebox CTO Jeff Forristal has named the Galaxy S 4 as the only device that's currently immune to the exploit " .http://www.engadget.com/2013/07/04/bluebox-reveal​s-android-security-vulnerability/

posted on Jul 04, 2013, 10:20 AM

FISTFLY
Reply

21. FISTFLY

Posts: 27; Member since: Jul 03, 2013

Does it mention why only Galaxy 4?? Just curious

posted on Jul 04, 2013, 10:29 AM

tedkord
Reply

32. tedkord

Posts: 17181; Member since: Jun 17, 2009

Its a known issue. Samsung patched it prior to release.

posted on Jul 04, 2013, 3:54 PM

vickygamit
Reply

20. vickygamit

Posts: 51; Member since: Aug 16, 2012

google will fix it.

posted on Jul 04, 2013, 10:29 AM

Kjayhawk
Reply

23. Kjayhawk

Posts: 294; Member since: Oct 07, 2010

This MASSIVE vulnerability is just the security companies trying to scare you. It can't be found on the play store only through apps that you download from a third party source. Which google tells you specifically that downloading from third party stores can greatly increase your chance of malware. No News here

posted on Jul 04, 2013, 11:01 AM

TBomb
Reply

24. TBomb

Posts: 1259; Member since: Dec 28, 2012

These numbers could also be "accurate" but misleading.

posted on Jul 04, 2013, 11:29 AM

view all comments
Want to comment? Please Log in or sign up.

Featured stories

Apple-iPhone-11-Max-design-camera-dummy-unit
Here's what the iPhone 11 Max will probably look like
Note-10-Exynos-9825-Snapdragon-855-Plus-top-benchmarks
Note 10 may be the fastest Android alive as new Exynos 9825 and Snapdragon 855+ benchmarks leak
What-is-Note-10-Sound-on-Display-soundcasting-all-screen-design-technology-explained
Here's how Note 10 may use Sound on Display tech to get an 'all-screen' design
iPad-2019-price-deal-which-to-buy
iPads 2019 buying guide: choose the best iPad for you
samsung-galaxy-note-10-release-date-august-23-korea-report
Samsung Galaxy Note 10 release date may have been revealed
samsung-should-not-kill-the-s-pen
Rebuttal: No, Samsung should absolutely not ditch the S Pen
2020-iPhones-under-display-camera-design
Notches are silly, 2020 iPhones ironic, and the front camera hiding trend is all wrong
Sprint-5G-network-Chicago-launch
Sprint expands its 5G network to one more city in the US

Popular stories

best-buy-samsung-galaxy-s10-family-deals-massive-discounts-carrier-activation
Best Buy is now offering discounts of between $400 and $500 on the entire Galaxy S10 family
best-buy-massive-sale-moto-g7-family-moto-z3-play-more
Best Buy is running a massive sale on Moto G7 phones, the Moto Z3 Play, and more
amazon-prime-day-deals-google-pixel-3-3-xl-3a-xl-revealed
Amazon Prime Day deals on Google Pixel 3, 3 XL, and 3a XL revealed but not available yet
Update-bricks-Verizon-Galaxy-S10-units
Samsung says there is only one fix for Verizon Galaxy S10 units bricked by the latest update
Parts-for-OnePlus-7-Pro-cost-324-dollars
Leaked data reveals how much the parts inside the 6GB OnePlus 7 Pro cost
amazon-fire-hd-8-tablet-woot-deal-refurbished-warranty
Amazon's crazy popular Fire HD 8 tablet is on sale for a crazy cheap $39.99 (refurbished)
woot-deals-google-pixel-3-pixel-2-original-pixel-refurbished-warranty
Woot is deeply discounting every high-end Google Pixel phone ever released (refurbished)
moto-g6-us-unlocked-official-android-9-0-pie-update-rollout
Official Android Pie update widely released for US unlocked Moto G6, this time for real

Hot phones

Latest Stories

View more
This copy is for your personal, non-commercial use only. You can order presentation-ready copies for distribution to your colleagues, clients or customers at https://www.parsintl.com/phonearena or use the Reprints & Permissions tool that appears at the bottom of each web page. Visit https://www.parsintl.com/ for samples and additional information.