99% of Android devices can be completely 'taken over' through a massive vulnerability hole

Ouch! Let us reiterate: that one ought to sting, especially after the latest report already put Android up there as the most compromised and targeted mobile OS.

Mobile security start-up Bluebox has released a statement on its blog saying it has discovered a vulnerability in Android's security model that allows hackers to slip malicious code into Android devices unnoticed by the phone's built-in defensive mechanism.

The scope of this vulnerability? 99%, or about 900 million Android devices. Nope, no typo there, according to the company, which first notified Google of the threat in February this year. Apparently, the vulnerability goes back all the way to Android 1.6 “Donut”, which means any Android device released in the last 4 years.

Spooky, but in a typical horror movie fashion, we want to know more:

If mobile security isn't your strongest suit, here's a breakdown of how it works. Every Android app carries a cryptographic signature, which helps your droid verify whether the app is legit and whether any tampering with the code has taken place. Spelling it out further, Bluebox asserts that the glitch allows the not-too-nice folks out there to change app code “without affecting the cryptographic signature of the application – essentially allowing a malicious author to trick Android into believing the app is unchanged even if it has been.”
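The tamper check described above, sketched as an added example (not code from Bluebox, Google or Android itself): an APK is a ZIP archive whose `META-INF/MANIFEST.MF` lists a digest for each file, and a verifier recomputes those digests and compares. The sample package, file names and helper functions are constructed for illustration, and the step that checks the signature over the manifest itself is left out.

```python
import base64, hashlib, io, zipfile
MANIFEST = "META-INF/MANIFEST.MF"

def b64_sha256(data):
    return base64.b64encode(hashlib.sha256(data).digest()).decode()

def build_manifest(files):
    """Constructed sample data: JAR-style manifest, one digest per file."""
    lines = ["Manifest-Version: 1.0", ""]
    for name, data in files.items():
        lines += [f"Name: {name}", f"SHA-256-Digest: {b64_sha256(data)}", ""]
    return "\r\n".join(lines).encode()

def make_package(files, manifest):
    """Build an in-memory ZIP (a stand-in for an APK) holding manifest + files."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr(MANIFEST, manifest)
        for name, data in files.items():
            z.writestr(name, data)
    return buf.getvalue()

def parse_manifest(raw):
    """Map entry name -> expected digest (assumes no wrapped long lines)."""
    digests = {}
    for section in raw.decode().replace("\r\n", "\n").split("\n\n"):
        attrs = dict(l.split(": ", 1) for l in section.splitlines() if ": " in l)
        if "Name" in attrs and "SHA-256-Digest" in attrs:
            digests[attrs["Name"]] = attrs["SHA-256-Digest"]
    return digests

def verify_package(blob):
    """Return sorted findings; an empty list means every file matches the manifest."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(blob)) as z:
        expected = parse_manifest(z.read(MANIFEST))
        entries = [i for i in z.infolist() if not i.filename.startswith("META-INF/")]
        for info in entries:
            if info.filename not in expected:
                findings.append(f"unlisted: {info.filename}")
            elif b64_sha256(z.read(info)) != expected[info.filename]:
                findings.append(f"modified: {info.filename}")
        present = {i.filename for i in entries}
        findings += [f"missing: {n}" for n in expected if n not in present]
    return sorted(findings)

if __name__ == "__main__":
    app = {"classes.dex": b"original code", "res/layout.xml": b"<layout/>"}  # constructed
    for files in (app, {**app, "classes.dex": b"patched"}):
        print(verify_package(make_package(files, build_manifest(app))))
```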

To put this into perspective, the statement claims, apart from the usual Trojan mischief (think SMS tolls), a malicious app taking massive advantage of the hole:

How serious can this get? We don't know, but it's comforting to know that Google is aware of the issue and has already updated their Google Play approval process, blocking out apps with this problem. 

Bluebox CTO, Jeff Forristal, announced that he will cover the issue in technical detail in his upcoming Black Hat USA 2013 talk.

source: BlueBox via VentureBeat

