99% of Android devices can be completely 'taken over' through a massive vulnerability hole

Ouch! Let us reiterate: that one ought to sting, especially after the latest report already put Android up there as the most compromised and targeted mobile OS.

Mobile security start-up, Bluebox, has released a statement on their blog that they have discovered a vulnerability in Android's security model, allowing hackers to slip malicious code into Android devices unnoticed by your phone's built-in defensive mechanism. 

The scope of this vulnerability? 99%, or about 900 million Android devices. Nope, no typo there, according to the company, which first notified Google of the threat in February this year. Apparently, the vulnerability goes back all the way to Android 1.6 “Donut”, or any Android device released in the last 4 years.

Spooky, but in a typical horror movie fashion, we want to know more:


A screenshot by Bluebox demonstrates complete control over the OS


If mobile security isn't your strongest suit, here's a breakdown of how it works. Every Android app carries a cryptographic signature, which your droid uses to verify that the app is legit and that its code has not been tampered with. Further spelling it out for us, Bluebox asserts that the glitch allows the not-too-nice folks out there to change app code “without affecting the cryptographic signature of the application – essentially allowing a malicious author to trick Android into believing the app is unchanged even if it has been.”
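To make that tamper check concrete, here is an added example (not from Bluebox or the original article) that models the per-file digest step of JAR-style app signing on a constructed APK-like zip. The function names and sample contents are assumptions, and verifying the signature over the manifest itself is left out; the article does not say how the Bluebox flaw gets around this kind of check.

```python
import base64
import hashlib
import io
import zipfile

MANIFEST = "META-INF/MANIFEST.MF"
SAMPLE = {"classes.dex": b"original code", "res/icon.png": b"\x89PNG"}  # constructed

def digest(data):
    # Base64 SHA-1, the per-file form used in JAR-style manifests of that era.
    return base64.b64encode(hashlib.sha1(data).digest()).decode()

def write_zip(entries):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in entries:
            z.writestr(name, data)
    return buf.getvalue()

def build_apk(files):
    # Constructed sample: APK-like zip whose manifest lists a digest per file.
    lines = ["Manifest-Version: 1.0", ""]
    for name, data in files.items():
        lines += [f"Name: {name}", f"SHA1-Digest: {digest(data)}", ""]
    return write_zip([(MANIFEST, "\r\n".join(lines).encode())] + list(files.items()))

def modified_copy(apk, target, new_data):
    # Same archive and same manifest, but one file's bytes replaced.
    with zipfile.ZipFile(io.BytesIO(apk)) as z:
        return write_zip([(n, new_data if n == target else z.read(n)) for n in z.namelist()])

def verify(apk):
    # Returns a list of integrity problems; empty means every digest matches.
    problems, expected, name = [], {}, None
    with zipfile.ZipFile(io.BytesIO(apk)) as z:
        for line in z.read(MANIFEST).decode().splitlines():
            key, _, value = line.partition(": ")  # simplification: no 72-byte line wrapping
            if key == "Name":
                name = value
            elif key == "SHA1-Digest" and name:
                expected[name] = value
        for info in z.infolist():
            if info.filename.startswith("META-INF/"):
                continue  # covered by the signature block, not by per-file digests
            if info.filename not in expected:
                problems.append(f"unlisted entry: {info.filename}")
            elif digest(z.read(info)) != expected[info.filename]:
                problems.append(f"digest mismatch: {info.filename}")
    return problems
```

Running `verify(build_apk(SAMPLE))` gives an empty list, while the same call on `modified_copy(...)` output names the changed file.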

To put this into perspective, the statement claims, apart from the usual Trojan mischief (think SMS tolls), a malicious app taking massive advantage of the hole:


How serious can this get? We don't know, but it's comforting to know that Google is aware of the issue and has already updated their Google Play approval process, blocking out apps with this problem. 

Bluebox CTO, Jeff Forristal, announced that he will cover the issue in technical detail in his upcoming Black Hat USA 2013 talk.

source: BlueBox via VentureBeat


38 Comments

1. chunk1x

Posts: 248; Member since: Jun 25, 2011

For android fans, they called this problem a YOLO.

10. SuperAndroidEvo

Posts: 4888; Member since: Apr 15, 2011

There is NOTHING that is hack proof. The US Government can be hacked, Verizon, AT&T, Android, Apple & anything under the sun. I always find these articles just so pointless. Just so we know boys & girls.... if you are on the web or if you own a computer or smartphone there is a HUGE vulnerability hole to everything. That includes all the governments of the world. It's like every week the same article is written but with different titles. lol

13. chunk1x

Posts: 248; Member since: Jun 25, 2011

The problem with hardcore fans of all sides is that they take a silly joke way too seriously.

16. alterecho

Posts: 1106; Member since: Feb 23, 2012

Wonder what some replies would have been if it were Apple that was affected.

17. chunk1x

Posts: 248; Member since: Jun 25, 2011

In that iOS camp, denial and end of the world state of mind for iFans. Then followed by angry mob with pitch forks and torches to the unlucky prankster.

26. Jobayer

Posts: 167; Member since: Feb 22, 2013

Dude, if u find them pointless, don't read them. Yes nothing is hack proof. But the problem is there for 4 yrs !!!

39. SuperAndroidEvo

Posts: 4888; Member since: Apr 15, 2011

The reason why I find these articles pointless is because they are CLEARLY stating the obvious. It's like saying humans die if they don't breathe air. We all know that anything computer related can be hacked yet we consistently keep reading the same article with just a different title. Tell us something we don't know. Also buddy please get a clue. lol

2. RaKithAPeiRiZ

Posts: 1488; Member since: Dec 29, 2011

app data and payment records? ..if they hack mine ,all they will find is a phone full of pirated apps

4. grahaman27

Posts: 364; Member since: Apr 05, 2013

Pirated apps is where malicious code can come from.

12. SuperAndroidEvo

Posts: 4888; Member since: Apr 15, 2011

Yeah that phone of his is the dirtiest virus/malware phone on Earth. I hope he at least practices safe sex. lol +1

5. amansingal14

Posts: 309; Member since: Sep 08, 2012

lol +1

8. SonyXperiaNexus

Posts: 374; Member since: Oct 01, 2012

lol, but they can still get your passwords, record your phonecalls, read and send sms and use the camera to see what ur doing, pretty scary if u ask me

18. feres13

Posts: 307; Member since: Dec 23, 2011

I hope that by "pirated apps" you mean apps that aren't from the Play store, not paid apps from the Play store that you got for free

28. Shatter

Posts: 2036; Member since: May 29, 2013

By pirated he means he downloaded paid apps for free.

3. grahaman27

Posts: 364; Member since: Apr 05, 2013

As of right now there is no reason to fear getting malware on your phone if you use your phone like 99% of people do.

6. RaKithAPeiRiZ

Posts: 1488; Member since: Dec 29, 2011

there is nothing to worry because the NSA's already taking care of it

7. boosook

Posts: 1442; Member since: Nov 19, 2012

Come on... this happens only if you install malicious apps downloaded from outside the market, so it will affect only a minority of users which implicitly accept the risk. That's not 99% of Android users. Anyway I agree that this is a nasty bug.

9. SonyXperiaNexus

Posts: 374; Member since: Oct 01, 2012

11. Samsomesh

Posts: 195; Member since: Jun 11, 2012

Google should introduce its own antivirus that will have access to all the system..:

14. medicci37

Posts: 1361; Member since: Nov 19, 2011

Every time I play wwf last 2 days a very annoying ad 4 a new movie keeps playing. & sometimes when I'm not. Anyone know how 2 stop this?

15. darkkjedii

Posts: 30875; Member since: Feb 05, 2011

Android fanboys call this innovation. Android users realize this is an issue.

22. grahaman27

Posts: 364; Member since: Apr 05, 2013

It's not an issue, it's an exploit. To say it's an issue is like someone saying that being able to jailbreak an iPhone is an issue. This is not a virus, this is one exploit. iOS can have the same problem just an FYI.

25. darkkjedii

Posts: 30875; Member since: Feb 05, 2011

It has had it. FYI

36. blingblingthing

Posts: 912; Member since: Oct 23, 2012

It isn't an issue for any tech savvy person, stick to legit sources and stay safe.

19. ama3654

Posts: 295; Member since: Nov 27, 2012

You forgot to mention Galaxy S4 is immune to it. "Bluebox claims that it notified Google of the exploit in February. According to CIO, Bluebox CTO Jeff Forristal has named the Galaxy S 4 as the only device that's currently immune to the exploit". http://www.engadget.com/2013/07/04/bluebox-reveals-android-security-vulnerability/

21. FISTFLY

Posts: 27; Member since: Jul 03, 2013

Does it mention why only Galaxy 4?? Just curious

32. tedkord

Posts: 17181; Member since: Jun 17, 2009

It's a known issue. Samsung patched it prior to release.

20. vickygamit

Posts: 51; Member since: Aug 16, 2012

google will fix it.

23. Kjayhawk

Posts: 294; Member since: Oct 07, 2010

This MASSIVE vulnerability is just the security companies trying to scare you. It can't be found on the play store only through apps that you download from a third party source. Which google tells you specifically that downloading from third party stores can greatly increase your chance of malware. No News here

24. TBomb

Posts: 1259; Member since: Dec 28, 2012

These numbers could also be "accurate" but misleading.
