x PhoneArena is hiring! Reviewer in the USA
  • Hidden picShow menu
  • Home
  • News
  • 99% of Android devices can be completely 'taken over' through a massive vulnerability hole

99% of Android devices can be completely 'taken over' through a massive vulnerability hole

Posted: , by Chris P.

Share Share

Tags :

99% of Android devices can be completely 'taken over' through a massive vulnerability hole
Ouch! Let us reiterate: that one ought to sting. Especially after the latest report already putting Android up there as the most compromised and targeted mobile OS.

Mobile security start-up, Bluebox, has released a statement on their blog that they have discovered a vulnerability in Android's security model, allowing hackers to slip malicious code into Android devices unnoticed by your phone's built-in defensive mechanism. 

The scope of this vulnerability? 99%, or about 900 million Android devices. Nope, no typo there, according to the company, which first notified Google of the threat in February this year. Apparently, the vulnerability goes back all the way to Android 1.6 “Donut”, or any Android device released in the last 4 years.

Spooky, but in a typical horror movie fashion, we want to know more:

“The vulnerability involves discrepancies in how Android applications are cryptographically verified & installed, allowing for APK code modification without breaking the cryptographic signature.”

A screenshot by Bluebox demonstrates complete control over the OS

A screenshot by Bluebox demonstrates complete control over the OS

If mobile security isn't your strongest suit, here's a breakdown of how it works. Cryptographic signatures are a part of any and all Android apps, their use – to help your droid verify whether the app is legit and if any tampering of the code has taken place. Further spelling it out for us, Bluebox asserts that the glitch allows the not-too-nice folks out there to change app code “without affecting the cryptographic signature of the application – essentially allowing a malicious author to trick Android into believing the app is unchanged even if it has been.”

To put this into perspective, the statement claims, apart from the usual Trojan mischief (think SMS tolls), a malicious app taking massive advantage of the hole:

“Has the ability to read arbitrary application data […], retrieve all stored account & service passwords […], make arbitrary phone calls, send arbitrary SMS messages, turn on the camera, record calls,”

How serious can this get? We don't know, but it's comforting to know that Google is aware of the issue and has already updated their Google Play approval process, blocking out apps with this problem. 

Bluebox CTO, Jeff Forristal, announced that he will cover the issue in technical detail in his upcoming Black Hat USA 2013 talk.

source: BlueBox via VentureBeat

39 Comments
  • Options
    Close





posted on 04 Jul 2013, 09:17 13
Reply

1. chunk1x (Posts: 248; Member since: 25 Jun 2011)


For android fans, they called this problem a YOLO.

posted on 04 Jul 2013, 09:41 19
Reply

10. SuperAndroidEvo (Posts: 4888; Member since: 15 Apr 2011)


There is NOTHING that is hack proof. The US Government can be hacked, Verizon, AT&T, Android, Apple & anything under the sun.

I always find these articles just so pointless.

Just so we know boys & girls.... if you are on the web or if you own a computer or smartphone there is a HUGE vulnerability hole to everything. That includes all the goverments of the world.

It's like every week the same article is written but with different titles. lol

posted on 04 Jul 2013, 09:49 3
Reply

13. chunk1x (Posts: 248; Member since: 25 Jun 2011)


The problem with hardcore fans of all sides is that take a silly joke way to seriously.

posted on 04 Jul 2013, 10:09 2
Reply

16. alterecho (Posts: 1099; Member since: 23 Feb 2012)


Wonder what some replys would have been if it were Apple that was affected.

posted on 04 Jul 2013, 10:17 2
Reply

17. chunk1x (Posts: 248; Member since: 25 Jun 2011)


In that iOS camp, denial and end of the world state of mind for iFans. Then followed by angry mob with pitch forks and torches to the unlucky prankster.

posted on 04 Jul 2013, 12:45 1
Reply

26. Jobayer (Posts: 167; Member since: 22 Feb 2013)


Dude, if u find them pointless, dont read them . Yes nothing is hack proof .But the problem is there for 4 yrs !!!

posted on 05 Jul 2013, 08:04
Reply

39. SuperAndroidEvo (Posts: 4888; Member since: 15 Apr 2011)


The reason why I find these articles pointless is because they are CLEARLY stating the obvious. It's like saying humans die if they don't breathe air.

We all know that anything computer related can be hacked yet we consistently keep reading the same article with just a different title.

Tell us something we don't know.

Also buddy please get a clue. lol

posted on 04 Jul 2013, 09:19 8
Reply

2. RaKithAPeiRiZ (Posts: 1488; Member since: 29 Dec 2011)


app data and payment records? ..if they hack mine ,all they will find is a phone full of pirated apps

posted on 04 Jul 2013, 09:23 11
Reply

4. grahaman27 (Posts: 361; Member since: 05 Apr 2013)


Pirated apps is where malicious code can come from.

posted on 04 Jul 2013, 09:45 2
Reply

12. SuperAndroidEvo (Posts: 4888; Member since: 15 Apr 2011)


Yeah that phone of his is the dirtiest virus/malware phone on Earth. I hope he at least practices safe sex. lol

+1

posted on 04 Jul 2013, 09:23 3
Reply

5. amansingal14 (Posts: 309; Member since: 08 Sep 2012)


lol
+1

posted on 04 Jul 2013, 09:31 3
Reply

8. SonyXperiaNexus (Posts: 374; Member since: 01 Oct 2012)


lol, but they can still get your passwords, record your phonecalls, read and send sms and use the camera to see what ur doing, pretty scary if u ask me

posted on 04 Jul 2013, 10:17
Reply

18. feres13 (Posts: 307; Member since: 23 Dec 2011)


I hope that by "pirated apps" you mean apps that aren't from the Play store, not paid apps from the Play store that you got for free

posted on 04 Jul 2013, 13:05 4
Reply

28. Shatter (Posts: 2036; Member since: 29 May 2013)


By pirated he means he downloaded paid apps for free.

posted on 04 Jul 2013, 09:21 5
Reply

3. grahaman27 (Posts: 361; Member since: 05 Apr 2013)


As of right now there is no reason to fear getting malware on your phone if you use your phone like 99% of people do.

posted on 04 Jul 2013, 09:27 2
Reply

6. RaKithAPeiRiZ (Posts: 1488; Member since: 29 Dec 2011)


there is nothing to worry because the NSA's already taking care of it

posted on 04 Jul 2013, 09:30 7
Reply

7. boosook (Posts: 1442; Member since: 19 Nov 2012)


Come on... this happens only if you install malicious apps downloaded from outside the market, so it will affect only a minority of users which implicitly accept the risk. That's not 99% of Android users.
Anyway I agree that this is a nasty bug.

posted on 04 Jul 2013, 09:38 1
Reply

9. SonyXperiaNexus (Posts: 374; Member since: 01 Oct 2012)


http://cdn.meme.li/instances/300x300/39412914.jpg

posted on 04 Jul 2013, 09:43
Reply

11. Samsomesh (Posts: 195; Member since: 11 Jun 2012)


Google should introduce it's own antivirus that will have access to all the system..:

posted on 04 Jul 2013, 09:55
Reply

14. medicci37 (Posts: 1335; Member since: 19 Nov 2011)


Every time I play wwf last 2 days a very annoying add 4 a new movie keeps playing. & sometimes when I'm not. Anyone know how 2 stop this?

posted on 04 Jul 2013, 09:57 8
Reply

15. darkkjedii (Posts: 24930; Member since: 05 Feb 2011)


Android fanboys call this innovation. Android users realize this is an issue.

posted on 04 Jul 2013, 10:42 11
Reply

22. grahaman27 (Posts: 361; Member since: 05 Apr 2013)


Its not an issue, its an exploit. to say its an issue is like someone saying that being able to jailbreak an iphone is an issue.

this is not a virus, this is one exploit. iOS can have the same problem just an FYI.

posted on 04 Jul 2013, 11:34 2
Reply

25. darkkjedii (Posts: 24930; Member since: 05 Feb 2011)


It has had it. FYI

posted on 04 Jul 2013, 21:28 2
Reply

36. blingblingthing (Posts: 578; Member since: 23 Oct 2012)


It isn't an issue for any tech savvy person, stick to legit sources and stay safe.

posted on 04 Jul 2013, 10:20 3
Reply

19. ama3654 (Posts: 295; Member since: 27 Nov 2012)


You forgot to mention Galaxy S4 is immune to it.

"Bluebox claims that it notified Google of the exploit in February. According to CIO, Bluebox CTO Jeff Forristal has named the Galaxy S 4 as the only device that's currently immune to the exploit "

.http://www.engadget.com/2013/07/04/bluebox-reveal​s-android-security-vulnerability/

posted on 04 Jul 2013, 10:29
Reply

21. FISTFLY (Posts: 27; Member since: 03 Jul 2013)


Does it mention why only Galaxy 4?? Just curious

posted on 04 Jul 2013, 15:54 2
Reply

32. tedkord (Posts: 14130; Member since: 17 Jun 2009)


Its a known issue. Samsung patched it prior to release.

posted on 04 Jul 2013, 10:29
Reply

20. vickygamit (Posts: 31; Member since: 16 Aug 2012)


google will fix it.

posted on 04 Jul 2013, 11:01 2
Reply

23. Kjayhawk (Posts: 294; Member since: 07 Oct 2010)


This MASSIVE vulnerability is just the security companies trying to scare you. It can't be found on the play store only through apps that you download from a third party source. Which google tells you specifically that downloading from third party stores can greatly increase your chance of malware. No News here

posted on 04 Jul 2013, 11:29 1
Reply

24. TBomb (Posts: 846; Member since: 28 Dec 2012)


These numbers could also be "accurate" but misleading.

Want to comment? Please login or register.

Latest stories