Newsletters
News & Information for Technology Purchasers NewsFactor Sites:       NewsFactor.com     Enterprise Security Today     CRM Daily     Business Report     Sci-Tech Today  
   
This ad will display for the next 20 seconds. Please click for more information, or scroll down to pass the ad, or Close Ad.
Home Enterprise I.T. Cloud Computing Applications Hardware More Topics...
APC Free White Paper
Optimize your network investment &
Enter to win a Samsung Galaxy Note

www.apc.com
World Wide Web
24/7/365 Network Uptime
Average Rating:
Rate this article:  
Android Security Flaw Allows Malicious Code To Go Unseen
Android Security Flaw Allows Malicious Code To Go Unseen

By Jennifer LeClaire
July 5, 2013 10:32AM

    Bookmark and Share
"All Android applications contain cryptographic signatures, which Android uses to determine if the app is legitimate and to verify that the app hasn't been tampered with or modified," said Bluebox Security CTO Jeff Forristal. "This vulnerability makes it possible to change an application's code without affecting the cryptographic signature."
 


Talk about the Android operating system being less secure than other mobile platforms is nothing new. Neither are studies that set out to prove the point.

But a report from start-up Bluebox Security's research team, Bluebox Labs, is highlighting a recently discovered vulnerability in Android's security model that allows a hacker to modify APK code without breaking an application's cryptographic signature. The result: the bug can turn any legitimate application into a malicious Trojan without an app store, the phone or the end user ever discovering it.

"The implications are huge!" said Jeff Forristal, Bluebox chief technology officer, writing in a blog post. "This vulnerability, around at least since the release of Android 1.6 (codename: "Donut"), could affect any Android phone released in the last 4 years -- or nearly 900 million devices -- and depending on the type of application, a hacker can exploit the vulnerability for anything from data theft to creation of a mobile botnet."

A Slick Move

According to Forristal, here's how it works: The vulnerability involves discrepancies in how Android applications are cryptographically verified and installed, allowing for APK code modification without breaking the cryptographic signature.

"All Android applications contain cryptographic signatures, which Android uses to determine if the app is legitimate and to verify that the app hasn't been tampered with or modified," he explained. "This vulnerability makes it possible to change an application's code without affecting the cryptographic signature of the application -- essentially allowing a malicious author to trick Android into believing the app is unchanged even if it has been."

Forristal noted that details of Android security bug 8219321 were responsibly disclosed through Bluebox Security's close relationship with Google in February 2013. It's up to device manufacturers to produce and release firmware updates for mobile devices -- and for users to install these updates.

Risk Overblown?

As Forristal sees it, the risk is great for both the individual and the enterprise because a malicious app can access individual data, or gain entry into a corporation. He said the Trojan could give bad actors access to the Android system and all apps, data, e-mail, text messages and documents, as well as retrieve all stored account and service passwords.

What's more, he said it can "essentially take over the normal functioning of the phone and control any function," including making arbitrary phone calls, send arbitrary SMS messages, turning on the camera, and recording calls. Hackers could even turn the phone into a zombie to create a botnet.

Should Android users be scared? Roger Entner, a wireless industry analyst at Recon Analytics, doesn't think so. He told us vulnerabilities in Android do exist, but many times security vendors are offering solutions for problems that don't exist on a wide scale.

"Some security companies publish case studies on what could happen and say you need their antivirus solution even though the virus has never been seen in the wild," Entner said. "They are offering a vaccine to a virus that they are making themselves and saying 'this could be out there.' We haven't seen viruses or malware even in an insignificant fashion in the wild."
 

Tell Us What You Think
Comment:

Name:

Thomas Swift:

Posted: 2013-07-08 @ 2:05am PT
"It's up to device Relevant Products/Services manufacturers to produce and release firmware updates for mobile devices -- and for users to install these updates." what percent of Android phones from Pay-as-you-go vendors relieve updates and patches? How many actually use anti-virus?

Jon Anderson:

Posted: 2013-07-05 @ 11:14am PT
Roger Entner, sir, you are possibly years behind in security news. Here's a nicely compiled list of in the wild android malware:

http://forensics.spreitzenbarth.de/android-malware/

"We haven't seen viruses or malware even in an insignificant fashion in the wild."

Guess we know which company to avoid!



APC has an established a reputation for solid products that virtually pay for themselves upon installation. Who has time to spend worrying about system downtime? APC makes it easy for you to focus on business growth instead of business downtime with reliable data center systems and IT solutions. Learn more here.


 World Wide Web
1.   Google Maps, Now with Time Travel
2.   NYPD Twitter Campaign Backfires
3.   Net Gets Faster, But Easier to Attack
4.   Verizon Report Exposes Cyberthreats
5.   Aereo CEO Speaks Out on Future


advertisement
How Are Web Sites Post-Heartbleed?
Questions on open source, security.
Average Rating:
Heartbleed Exploit Could Cost Millions
But it could have been prevented.
Average Rating:
Don't Reset Passwords for Heartbleed?
Added caution needed to ensure security.
Average Rating:
Product Information and Resources for Technology You Can Use To Boost Your Business

Network Security Spotlight
What Verizon's Data Breach Report Can Teach Enterprises
It’s probably not a jaw-dropper, but cyberespionage is officially on the rise. And the use of stolen or misused credentials is still the leading way the bad guys gain access to corporate information.
 
Top Cyberthreats Exposed by Verizon Report
Beyond Heartbleed, there are cyberthreats vying to take down enterprise networks, corrupt smartphones, and wreak havoc on businesses. Verizon is exposing these threats in a new report.
 
Where Do Web Sites Stand, Post-Heartbleed?
A security firm says the vast majority of Web sites have patched themselves to protect against the Heartbleed bug, but now there are questions raised on the reliability of open-source programs.
 

Navigation
NewsFactor Network
Home/Top News | Enterprise I.T. | Cloud Computing | Applications | Hardware | Mobile Tech | Big Data | Communications
World Wide Web | Network Security | Data Storage | Small Business | Microsoft/Windows | Apple/Mac | Linux/Open Source | Personal Tech
Press Releases
NewsFactor Network Enterprise I.T. Sites
NewsFactor Technology News | Enterprise Security Today | CRM Daily

NewsFactor Business and Innovation Sites
Sci-Tech Today | NewsFactor Business Report

NewsFactor Services
FreeNewsFeed | Free Newsletters | XML/RSS Feed

About NewsFactor Network | How To Contact Us | Article Reprints | Careers @ NewsFactor | Services for PR Pros | Top Tech Wire | How To Advertise

Privacy Policy | Terms of Service
© Copyright 2000-2014 NewsFactor Network. All rights reserved. Article rating technology by Blogowogo. Member of Accuserve Ad Network.