An HTC Android phone after the exploit is used (Photo : Bluebox Labs)
A massive hole in the security of almost all Android systems has been exposed by a small cybersecurity research firm called Bluebox Labs. The bug, if exploited, could give hackers access to almost any Android phone, let them do almost anything with it, and could go unnoticed by the app store, the phone, and the phone's user.
According to TechCrunch, the exploitable bug in the Android system affects 99 percent of Android smartphones. The bug in the Android code could allow hackers to modify the code inside Android application package files, or ".apk" files, which are the files used to distribute and install application software onto Android systems. The bug allows such modifications to take place without breaking the application's cryptographic signature, which means the modifications could easily go unnoticed.
What this means is that, according to Jeff Forristal, Bluebox's CTO, writing on the Bluebox blog, hackers could use the bug "to turn any legitimate application into a malicious Trojan, completely unnoticed by the app store, the phone or the end user."
As Forristal puts it: "The implications are huge!"
The Android vulnerability has existed ever since Android 1.6 "Donut" was released in September 2009, and persists through every Android update to this day (although Samsung has apparently already patched the Galaxy S4, according to TechCrunch). That means that about 900 million of the Android phones released in the past 4 years - HTC, Samsung, Motorola, LG, and others - are all vulnerable to attack.
Once downloaded, malicious software can do anything from stealing data and monitoring phone use to creating a mobile botnet of so-called "zombie" smartphones, which the hacker can take over and use for whatever end they want.
Bluebox explains that the bug involves a discrepancy in how Android verifies applications' cryptographic signatures. All Android apps carry cryptographic signatures, which the Android system uses to check that the app you are installing is the one its publisher signed, whether it comes from Google Play or elsewhere. The vulnerability allows an app's code to be changed without breaking that cryptographic signature. Basically, it makes any app a possible wolf in sheep's clothing.
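To make the signature-coverage point concrete, here is an added Python check (not Bluebox's code or anything from the article) that compares what is actually packed in an APK against the JAR-style digests in its META-INF/MANIFEST.MF, the layer the signature is meant to vouch for. It assumes the standard `Name:` / `SHA1-Digest:` manifest layout, checks only that layer (not the signature over the manifest itself), and builds its sample archives in memory from constructed stand-in data.

```python
import base64
import hashlib
import io
import zipfile

def parse_manifest(text):
    """Map each 'Name:' entry of a JAR-style MANIFEST.MF to its SHA1-Digest."""
    digests, name = {}, None
    for line in text.splitlines():
        if line.startswith("Name: "):
            name = line[len("Name: "):]
        elif line.startswith("SHA1-Digest: ") and name:
            digests[name] = line[len("SHA1-Digest: "):]
    return digests

def check_apk(apk_bytes):
    """List entries the manifest does not cover or whose digest does not match."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        digests = parse_manifest(zf.read("META-INF/MANIFEST.MF").decode())
        for info in zf.infolist():
            name = info.filename
            if name.startswith("META-INF/") or name.endswith("/"):
                continue  # signature files and directories are not digested
            if name not in digests:
                findings.append(f"not covered by manifest: {name}")
                continue
            actual = base64.b64encode(hashlib.sha1(zf.read(name)).digest()).decode()
            if actual != digests[name]:
                findings.append(f"digest mismatch: {name}")
    return findings

def build_apk(files, manifest_files=None):
    """Constructed sample: pack `files` with a manifest digesting `manifest_files`."""
    manifest_files = files if manifest_files is None else manifest_files
    lines = ["Manifest-Version: 1.0", ""]
    for name, data in manifest_files.items():
        digest = base64.b64encode(hashlib.sha1(data).digest()).decode()
        lines += [f"Name: {name}", f"SHA1-Digest: {digest}", ""]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "\n".join(lines))
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()

ORIGINAL_DEX = b"dex\n035 original bytecode"  # constructed stand-in for real dex
GOOD = build_apk({"classes.dex": ORIGINAL_DEX})
# Same manifest as GOOD, but the packed classes.dex no longer matches it.
TAMPERED = build_apk({"classes.dex": b"dex\n035 modified"}, {"classes.dex": ORIGINAL_DEX})
```

`check_apk(GOOD)` returns an empty list, while `check_apk(TAMPERED)` reports the mismatched `classes.dex`, which is exactly the discrepancy a sound verifier must refuse to accept.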
Before making this massive vulnerability public, Bluebox Labs alerted Google to the problem back in February 2013. Bluebox Labs will go into more technical detail, including how it found the bug and how it works, along with other materials, in its presentation at the Black Hat USA 2013 conference. The conference, which runs from the end of July through August 1 at Caesars Palace in Las Vegas, Nevada, brings highly technical security presentations to an audience ranging from government agencies to corporate security officials and even hackers.
After that talk, Bluebox will post a follow-up blog with a link to materials from the talk. Until then, Bluebox Labs suggests that Android phone owners and enterprise professionals take the following precautions:
- Device owners should be extra cautious in identifying the publisher of the app they want to download.
- Enterprises with BYOD implementations should use this news to prompt all users to update their devices, and to highlight the importance of keeping their devices updated.
- IT should see this vulnerability as another driver to move beyond just device management to focus on deep device integrity checking and securing corporate data.
Stay tuned here, as we'll provide updates to this huge cybersecurity story as they become available. In the meantime, Android users, be careful what you download!