Thursday, July 4, 2013

Bluebox Discovers Major Android Vulnerability that May Affect 99% Devices

Open source has its downsides. Because the source code is open, hackers can read it and attempt to manipulate the ecosystem. Android, the most popular mobile OS, which is based on the Linux kernel, is not immune to this risk. A report by Bluebox, a mobile security company, describes a severe Android vulnerability that has existed for the last 4 years, since the release of Android 1.6, codename ‘Donut’.
The report was published by Bluebox Lab, the security research team of the company. It describes how a verified app can be turned into a formidable trojan application because of the vulnerability. The Android ecosystem requires a cryptographic signature in order to certify an app as being safe and downloadable. The common perception is that to tamper with an app, a hacker needs to break the signature. Owing to the vulnerability, however, a hacker can modify the .apk file while bypassing the cryptographic signature. There are currently almost 900 million Android devices and, per the report, the vulnerability applies to 99% of them. The report reads:
“This vulnerability…could affect any Android phone released in the last 4 years – or nearly 900 million devices – and depending on the type of application, a hacker can exploit the vulnerability for anything from data theft to creation of a mobile botnet.”
The report explains the gravity of the danger in the following way:
“The application then not only has the ability to read arbitrary application data on the device (email, SMS messages, documents, etc.), retrieve all stored account & service passwords, it can essentially take over the normal functioning of the phone and control any function thereof (make arbitrary phone calls, send arbitrary SMS messages, turn on the camera, and record calls). Finally, and most unsettling, is the potential for a hacker to take advantage of the always-on, always-connected, and always-moving (therefore hard-to-detect) nature of these “zombie” mobile devices to create a botnet.”
Jeff Forristal, the chief technical officer at Bluebox, didn’t go deep into the vulnerability or how exactly hackers can exploit it. He said that a more elaborate discussion will take place at the Black Hat USA 2013 talk. Meanwhile, he suggested that device manufacturers introduce a more robust firmware setup to keep vulnerability-related threats at bay. He also advised enterprises to follow a two-way security check: keep the use of enterprise-specific apps to a minimum and, in the case of a BYOD model, advise employees to update their devices frequently.
