99% of Android devices can be completely 'taken over' through a massive vulnerability hole

99% of Android devices can be completely 'taken over' through a massive vulnerability hole
Ouch! Let us reiterate: that one ought to sting. Especially after the latest report already putting Android up there as the most compromised and targeted mobile OS.

Mobile security start-up, Bluebox, has released a statement on their blog that they have discovered a vulnerability in Android's security model, allowing hackers to slip malicious code into Android devices unnoticed by your phone's built-in defensive mechanism. 

The scope of this vulnerability? 99%, or about 900 million Android devices. Nope, no typo there, according to the company, which first notified Google of the threat in February this year. Apparently, the vulnerability goes back all the way to Android 1.6 “Donut”, or any Android device released in the last 4 years.

Spooky, but in a typical horror movie fashion, we want to know more:


If mobile security isn't your strongest suit, here's a breakdown of how it works. Cryptographic signatures are a part of any and all Android apps, their use – to help your droid verify whether the app is legit and if any tampering of the code has taken place. Further spelling it out for us, Bluebox asserts that the glitch allows the not-too-nice folks out there to change app code “without affecting the cryptographic signature of the application – essentially allowing a malicious author to trick Android into believing the app is unchanged even if it has been.”

To put this into perspective, the statement claims, apart from the usual Trojan mischief (think SMS tolls), a malicious app taking massive advantage of the hole:


How serious can this get? We don't know, but it's comforting to know that Google is aware of the issue and has already updated their Google Play approval process, blocking out apps with this problem. 

Bluebox CTO, Jeff Forristal, announced that he will cover the issue in technical detail in his upcoming Black Hat USA 2013 talk.

source: BlueBox via VentureBeat

FEATURED VIDEO

38 Comments

37. piyath

Posts: 2445; Member since: Mar 23, 2012

Hackers do not bother to hack Apple cuz it is a fruit and it is useless..

35. skyguy7567

Posts: 148; Member since: Nov 17, 2012

Bought Norton Security. Using my Xperia Z without concern. Deeper research into the software of different android manufacturers show that Samsung's pre-set android system to be the most vulnerable to hacks and similar attacks.

34. Zero0

Posts: 592; Member since: Jul 05, 2012

Don't you have to install from outside the Play Store for this to happen, though? You can't just arbitratily modify code on someone's device, you have to change the files somehow before you can get in. It's a hole, but most people won't be affected. And it probably could be easily fixed with an MD5 check or something along those lines. Google Play Services might even be able to roll out such a security patch.

33. mas11

Posts: 1034; Member since: Mar 30, 2012

And yet even the best hackers can't exploit most Motorola bootloaders.

27. clevername

Posts: 1436; Member since: Jul 11, 2008

Idk why people don't wanna see what's written. Stop thinking this is only for apps downloaded outside of the play store. The article said google has updated their play approval process to block these apps. Which means the problem IS with apps in the play store. The big problem is what about the apps already in the play store that don't have to go through googles new approval process. So regardless of where a user gets their app from or how they use the phone they are vulnerable. just the risk of an open os. Its up to the user to decode if its worth it.

30. Kjayhawk

Posts: 294; Member since: Oct 07, 2010

No, Google play services removed blocked the exploits and heres my favorite part the exploit was found by a SECURITY SERVICE it is not being used by any hackers, there is no app that you can download on the google play store that has this defect (Theres malware on the play store just not this one). Unknown till now, as far as were concerned ZERO DEVICES are being harmed from this. If anything you should be glad this was found by a security company rather than a group of hackers. As for downloading apps from a third party source you have been warned by google to be careful when downloading apps.

31. Chris.P

Posts: 567; Member since: Jun 27, 2013

That's not, strictly speaking, the way of it. Sure, Google has taken steps to remedy the situation, and sure - third-party app stores are the OS version of the Wild West :) This is still at the very least news worthy, because the range of flawed devices is just enormous, no - almost all-inclusive. Moreover, even though there is no way to know for sure how many devices (if any at all) have been compromised, this exploit has, apparently, been out in the wild for _4_ years, 98% from the length of which Google had no clue whatsoever. Could the company be overplaying it? Usually - yes. But in this case you have a documented case, to be discussed during the Black Hat conference and Google has taken steps to fix it. In other words, the threat is/was there :).

38. roscuthiii

Posts: 2383; Member since: Jul 18, 2010

As I don't see an "update" notation, I will have to assume this part here: "How serious can this get? We don't know, but it's comforting to know that Google is aware of the issue and has already updated their Google Play approval process, blocking out apps with this problem." had already taken place by the time of your writing of the article. Which means your sensationalizing the story and fear mongering. Especially taking the title into consideration. As a private security consultant, how about I clue you in on something else. 100% of people who live in a home are vulnerable to burglary. That's basically all your article is.

24. TBomb

Posts: 1758; Member since: Dec 28, 2012

These numbers could also be "accurate" but misleading.

23. Kjayhawk

Posts: 294; Member since: Oct 07, 2010

This MASSIVE vulnerability is just the security companies trying to scare you. It can't be found on the play store only through apps that you download from a third party source. Which google tells you specifically that downloading from third party stores can greatly increase your chance of malware. No News here

20. vickygamit

Posts: 54; Member since: Aug 16, 2012

google will fix it.

19. ama3654

Posts: 295; Member since: Nov 27, 2012

You forgot to mention Galaxy S4 is immune to it. "Bluebox claims that it notified Google of the exploit in February. According to CIO, Bluebox CTO Jeff Forristal has named the Galaxy S 4 as the only device that's currently immune to the exploit " .http://www.engadget.com/2013/07/04/bluebox-reveal​s-android-security-vulnerability/

21. FISTFLY

Posts: 27; Member since: Jul 03, 2013

Does it mention why only Galaxy 4?? Just curious

32. tedkord

Posts: 17520; Member since: Jun 17, 2009

Its a known issue. Samsung patched it prior to release.

15. darkkjedii

Posts: 31799; Member since: Feb 05, 2011

Android fanboys call this innovation. Android users realize this is an issue.

22. grahaman27

Posts: 364; Member since: Apr 05, 2013

Its not an issue, its an exploit. to say its an issue is like someone saying that being able to jailbreak an iphone is an issue. this is not a virus, this is one exploit. iOS can have the same problem just an FYI.

25. darkkjedii

Posts: 31799; Member since: Feb 05, 2011

It has had it. FYI

36. blingblingthing

Posts: 986; Member since: Oct 23, 2012

It isn't an issue for any tech savvy person, stick to legit sources and stay safe.

14. medicci37

Posts: 1361; Member since: Nov 19, 2011

Every time I play wwf last 2 days a very annoying add 4 a new movie keeps playing. & sometimes when I'm not. Anyone know how 2 stop this?

11. Samsomesh

Posts: 195; Member since: Jun 11, 2012

Google should introduce it's own antivirus that will have access to all the system..:

9. SonyXperiaNexus

Posts: 374; Member since: Oct 01, 2012

7. boosook

Posts: 1442; Member since: Nov 19, 2012

Come on... this happens only if you install malicious apps downloaded from outside the market, so it will affect only a minority of users which implicitly accept the risk. That's not 99% of Android users. Anyway I agree that this is a nasty bug.

3. grahaman27

Posts: 364; Member since: Apr 05, 2013

As of right now there is no reason to fear getting malware on your phone if you use your phone like 99% of people do.

6. RaKithAPeiRiZ

Posts: 1488; Member since: Dec 29, 2011

there is nothing to worry because the NSA's already taking care of it

2. RaKithAPeiRiZ

Posts: 1488; Member since: Dec 29, 2011

app data and payment records? ..if they hack mine ,all they will find is a phone full of pirated apps

4. grahaman27

Posts: 364; Member since: Apr 05, 2013

Pirated apps is where malicious code can come from.

12. SuperAndroidEvo

Posts: 4888; Member since: Apr 15, 2011

Yeah that phone of his is the dirtiest virus/malware phone on Earth. I hope he at least practices safe sex. lol +1

5. amansingal14

Posts: 309; Member since: Sep 08, 2012

lol +1

8. SonyXperiaNexus

Posts: 374; Member since: Oct 01, 2012

lol, but they can still get your passwords, record your phonecalls, read and send sms and use the camera to see what ur doing, pretty scary if u ask me

18. feres13

Posts: 307; Member since: Dec 23, 2011

I hope that by "pirated apps" you mean apps that aren't from the Play store, not paid apps from the Play store that you got for free

Latest Stories

This copy is for your personal, non-commercial use only. You can order presentation-ready copies for distribution to your colleagues, clients or customers at https://www.parsintl.com/phonearena or use the Reprints & Permissions tool that appears at the bottom of each web page. Visit https://www.parsintl.com/ for samples and additional information.
FCC OKs Cingular's purchase of AT&T Wireless