Android

99% of Android devices can be completely 'taken over' through a massive vulnerability hole

Chris P.
posted by Chris P.
Jul 04, 2013, 9:11 AM
99% of Android devices can be completely 'taken over' through a massive vulnerability hole
Ouch! Let us reiterate: that one ought to sting. Especially after the latest report already putting Android up there as the most compromised and targeted mobile OS.

Mobile security start-up, Bluebox, has released a statement on their blog that they have discovered a vulnerability in Android's security model, allowing hackers to slip malicious code into Android devices unnoticed by your phone's built-in defensive mechanism. 

The scope of this vulnerability? 99%, or about 900 million Android devices. Nope, no typo there, according to the company, which first notified Google of the threat in February this year. Apparently, the vulnerability goes back all the way to Android 1.6 “Donut”, or any Android device released in the last 4 years.

Spooky, but in a typical horror movie fashion, we want to know more:

“The vulnerability involves discrepancies in how Android applications are cryptographically verified & installed, allowing for APK code modification without breaking the cryptographic signature.”

If mobile security isn't your strongest suit, here's a breakdown of how it works. Cryptographic signatures are a part of any and all Android apps, their use – to help your droid verify whether the app is legit and if any tampering of the code has taken place. Further spelling it out for us, Bluebox asserts that the glitch allows the not-too-nice folks out there to change app code “without affecting the cryptographic signature of the application – essentially allowing a malicious author to trick Android into believing the app is unchanged even if it has been.”

To put this into perspective, the statement claims, apart from the usual Trojan mischief (think SMS tolls), a malicious app taking massive advantage of the hole:

“Has the ability to read arbitrary application data […], retrieve all stored account & service passwords […], make arbitrary phone calls, send arbitrary SMS messages, turn on the camera, record calls,”

How serious can this get? We don't know, but it's comforting to know that Google is aware of the issue and has already updated their Google Play approval process, blocking out apps with this problem. 

Bluebox CTO, Jeff Forristal, announced that he will cover the issue in technical detail in his upcoming Black Hat USA 2013 talk.

source: BlueBox via VentureBeat

FEATURED VIDEO

Options

38 Comments

piyath
Reply

37. piyath

Posts: 2445; Member since: Mar 23, 2012

Hackers do not bother to hack Apple cuz it is a fruit and it is useless..

posted on Jul 04, 2013, 11:29 PM

skyguy7567
Reply

35. skyguy7567

Posts: 148; Member since: Nov 17, 2012

Bought Norton Security. Using my Xperia Z without concern. Deeper research into the software of different android manufacturers show that Samsung's pre-set android system to be the most vulnerable to hacks and similar attacks.

posted on Jul 04, 2013, 8:55 PM

Zero0
Reply

34. Zero0

Posts: 592; Member since: Jul 05, 2012

Don't you have to install from outside the Play Store for this to happen, though? You can't just arbitratily modify code on someone's device, you have to change the files somehow before you can get in. It's a hole, but most people won't be affected. And it probably could be easily fixed with an MD5 check or something along those lines. Google Play Services might even be able to roll out such a security patch.

posted on Jul 04, 2013, 5:09 PM

mas11
Reply

33. mas11

Posts: 1034; Member since: Mar 30, 2012

And yet even the best hackers can't exploit most Motorola bootloaders.

posted on Jul 04, 2013, 5:01 PM

clevername
Reply

27. clevername

Posts: 1436; Member since: Jul 11, 2008

Idk why people don't wanna see what's written. Stop thinking this is only for apps downloaded outside of the play store. The article said google has updated their play approval process to block these apps. Which means the problem IS with apps in the play store. The big problem is what about the apps already in the play store that don't have to go through googles new approval process. So regardless of where a user gets their app from or how they use the phone they are vulnerable. just the risk of an open os. Its up to the user to decode if its worth it.

posted on Jul 04, 2013, 12:47 PM

Kjayhawk
Reply

30. Kjayhawk

Posts: 294; Member since: Oct 07, 2010

No, Google play services removed blocked the exploits and heres my favorite part the exploit was found by a SECURITY SERVICE it is not being used by any hackers, there is no app that you can download on the google play store that has this defect (Theres malware on the play store just not this one). Unknown till now, as far as were concerned ZERO DEVICES are being harmed from this. If anything you should be glad this was found by a security company rather than a group of hackers. As for downloading apps from a third party source you have been warned by google to be careful when downloading apps.

posted on Jul 04, 2013, 2:39 PM

Chris.P
Reply

31. Chris.P

Posts: 567; Member since: Jun 27, 2013

That's not, strictly speaking, the way of it. Sure, Google has taken steps to remedy the situation, and sure - third-party app stores are the OS version of the Wild West :) This is still at the very least news worthy, because the range of flawed devices is just enormous, no - almost all-inclusive. Moreover, even though there is no way to know for sure how many devices (if any at all) have been compromised, this exploit has, apparently, been out in the wild for _4_ years, 98% from the length of which Google had no clue whatsoever. Could the company be overplaying it? Usually - yes. But in this case you have a documented case, to be discussed during the Black Hat conference and Google has taken steps to fix it. In other words, the threat is/was there :).

posted on Jul 04, 2013, 3:32 PM

roscuthiii
Reply

38. roscuthiii

Posts: 2383; Member since: Jul 18, 2010

As I don't see an "update" notation, I will have to assume this part here: "How serious can this get? We don't know, but it's comforting to know that Google is aware of the issue and has already updated their Google Play approval process, blocking out apps with this problem." had already taken place by the time of your writing of the article. Which means your sensationalizing the story and fear mongering. Especially taking the title into consideration. As a private security consultant, how about I clue you in on something else. 100% of people who live in a home are vulnerable to burglary. That's basically all your article is.

posted on Jul 05, 2013, 12:34 AM

TBomb
Reply

24. TBomb

Posts: 1758; Member since: Dec 28, 2012

These numbers could also be "accurate" but misleading.

posted on Jul 04, 2013, 11:29 AM

Kjayhawk
Reply

23. Kjayhawk

Posts: 294; Member since: Oct 07, 2010

This MASSIVE vulnerability is just the security companies trying to scare you. It can't be found on the play store only through apps that you download from a third party source. Which google tells you specifically that downloading from third party stores can greatly increase your chance of malware. No News here

posted on Jul 04, 2013, 11:01 AM

vickygamit
Reply

20. vickygamit

Posts: 54; Member since: Aug 16, 2012

google will fix it.

posted on Jul 04, 2013, 10:29 AM

ama3654
Reply

19. ama3654

Posts: 295; Member since: Nov 27, 2012

You forgot to mention Galaxy S4 is immune to it. "Bluebox claims that it notified Google of the exploit in February. According to CIO, Bluebox CTO Jeff Forristal has named the Galaxy S 4 as the only device that's currently immune to the exploit " .http://www.engadget.com/2013/07/04/bluebox-reveal​s-android-security-vulnerability/

posted on Jul 04, 2013, 10:20 AM

FISTFLY
Reply

21. FISTFLY

Posts: 27; Member since: Jul 03, 2013

Does it mention why only Galaxy 4?? Just curious

posted on Jul 04, 2013, 10:29 AM

tedkord
Reply

32. tedkord

Posts: 17520; Member since: Jun 17, 2009

Its a known issue. Samsung patched it prior to release.

posted on Jul 04, 2013, 3:54 PM

darkkjedii
Reply

15. darkkjedii

Posts: 31799; Member since: Feb 05, 2011

Android fanboys call this innovation. Android users realize this is an issue.

posted on Jul 04, 2013, 9:57 AM

grahaman27
Reply

22. grahaman27

Posts: 364; Member since: Apr 05, 2013

Its not an issue, its an exploit. to say its an issue is like someone saying that being able to jailbreak an iphone is an issue. this is not a virus, this is one exploit. iOS can have the same problem just an FYI.

posted on Jul 04, 2013, 10:42 AM

darkkjedii
Reply

25. darkkjedii

Posts: 31799; Member since: Feb 05, 2011

It has had it. FYI

posted on Jul 04, 2013, 11:34 AM

blingblingthing
Reply

36. blingblingthing

Posts: 986; Member since: Oct 23, 2012

It isn't an issue for any tech savvy person, stick to legit sources and stay safe.

posted on Jul 04, 2013, 9:28 PM

medicci37
Reply

14. medicci37

Posts: 1361; Member since: Nov 19, 2011

Every time I play wwf last 2 days a very annoying add 4 a new movie keeps playing. & sometimes when I'm not. Anyone know how 2 stop this?

posted on Jul 04, 2013, 9:55 AM

Samsomesh
Reply

11. Samsomesh

Posts: 195; Member since: Jun 11, 2012

Google should introduce it's own antivirus that will have access to all the system..:

posted on Jul 04, 2013, 9:43 AM

SonyXperiaNexus
Reply

9. SonyXperiaNexus

Posts: 374; Member since: Oct 01, 2012

http://cdn.meme.li/instances/300x300/39412914.jpg

posted on Jul 04, 2013, 9:38 AM

boosook
Reply

7. boosook

Posts: 1442; Member since: Nov 19, 2012

Come on... this happens only if you install malicious apps downloaded from outside the market, so it will affect only a minority of users which implicitly accept the risk. That's not 99% of Android users. Anyway I agree that this is a nasty bug.

posted on Jul 04, 2013, 9:30 AM

grahaman27
Reply

3. grahaman27

Posts: 364; Member since: Apr 05, 2013

As of right now there is no reason to fear getting malware on your phone if you use your phone like 99% of people do.

posted on Jul 04, 2013, 9:21 AM

RaKithAPeiRiZ
Reply

6. RaKithAPeiRiZ

Posts: 1488; Member since: Dec 29, 2011

there is nothing to worry because the NSA's already taking care of it

posted on Jul 04, 2013, 9:27 AM

RaKithAPeiRiZ
Reply

2. RaKithAPeiRiZ

Posts: 1488; Member since: Dec 29, 2011

app data and payment records? ..if they hack mine ,all they will find is a phone full of pirated apps

posted on Jul 04, 2013, 9:19 AM

grahaman27
Reply

4. grahaman27

Posts: 364; Member since: Apr 05, 2013

Pirated apps is where malicious code can come from.

posted on Jul 04, 2013, 9:23 AM

SuperAndroidEvo
Reply

12. SuperAndroidEvo

Posts: 4888; Member since: Apr 15, 2011

Yeah that phone of his is the dirtiest virus/malware phone on Earth. I hope he at least practices safe sex. lol +1

posted on Jul 04, 2013, 9:45 AM

amansingal14
Reply

5. amansingal14

Posts: 309; Member since: Sep 08, 2012

lol +1

posted on Jul 04, 2013, 9:23 AM

SonyXperiaNexus
Reply

8. SonyXperiaNexus

Posts: 374; Member since: Oct 01, 2012

lol, but they can still get your passwords, record your phonecalls, read and send sms and use the camera to see what ur doing, pretty scary if u ask me

posted on Jul 04, 2013, 9:31 AM

feres13
Reply

18. feres13

Posts: 307; Member since: Dec 23, 2011

I hope that by "pirated apps" you mean apps that aren't from the Play store, not paid apps from the Play store that you got for free

posted on Jul 04, 2013, 10:17 AM

view all comments
Want to comment? Please Log in or sign up.

Featured stories

Here's why Galaxy Z Flip's folding glass display cover is still protected by a plastic film
Here's why Galaxy Z Flip's folding glass display cover is still protected by a plastic film
The Google "Pixel 5" was just mentioned for the first time
The Google "Pixel 5" was just mentioned for the first time
The Samsung Galaxy Z Fold 2 and Note 20 could come sooner than you think
The Samsung Galaxy Z Fold 2 and Note 20 could come sooner than you think
With the Galaxy S20 series, Samsung finally nailed this one feature
With the Galaxy S20 series, Samsung finally nailed this one feature
Sorry, but Samsung's Galaxy Z Flip doesn't make any sense in our modern smartphone world
Sorry, but Samsung's Galaxy Z Flip doesn't make any sense in our modern smartphone world
Samsung Galaxy Z Flip vs Motorola Razr: Specs, size, features, and price comparison
Samsung Galaxy Z Flip vs Motorola Razr: Specs, size, features, and price comparison
No, Samsung did not lie about the display on the Galaxy Z Flip
No, Samsung did not lie about the display on the Galaxy Z Flip
Apple iPhone history: the evolution of the smartphone that started it all
Apple iPhone history: the evolution of the smartphone that started it all

Popular stories

This important feature just disappeared on some Pixel 4 phones
This important feature just disappeared on some Pixel 4 phones
Samsung's S20 Ultra price put to shame by new Snapdragon 865 flagship with 108MP camera
Samsung's S20 Ultra price put to shame by new Snapdragon 865 flagship with 108MP camera
No, Samsung did not lie about the display on the Galaxy Z Flip
No, Samsung did not lie about the display on the Galaxy Z Flip
First night Galaxy S20 Ultra camera samples and 5G speed test on Verizon
First night Galaxy S20 Ultra camera samples and 5G speed test on Verizon
Android texts might get this iMessage feature soon
Android texts might get this iMessage feature soon
Here's what the Google Pixel 5 XL could look like
Here's what the Google Pixel 5 XL could look like

Hot phones

Latest Stories

View more news
This copy is for your personal, non-commercial use only. You can order presentation-ready copies for distribution to your colleagues, clients or customers at https://www.parsintl.com/phonearena or use the Reprints & Permissions tool that appears at the bottom of each web page. Visit https://www.parsintl.com/ for samples and additional information.
FCC OKs Cingular's purchase of AT&T Wireless