Newsletters
News & Information for Technology Purchasers NewsFactor Sites:       NewsFactor.com     Enterprise Security Today     CRM Daily     Business Report     Sci-Tech Today  
   
This ad will display for the next 20 seconds. Click for more information, or
Home Enterprise I.T. Cloud Computing Applications Hardware More Topics...
APC Free White Paper
Optimize your network investment &
Enter to win a Samsung Galaxy Note

www.apc.com
Mobile Tech
Tame your scariest paperwork. Find Out How
Average Rating:
Rate this article:  
Android Security Flaw Allows Malicious Code To Go Unseen
Android Security Flaw Allows Malicious Code To Go Unseen

By Jennifer LeClaire
July 5, 2013 10:32AM

    Bookmark and Share
"All Android applications contain cryptographic signatures, which Android uses to determine if the app is legitimate and to verify that the app hasn't been tampered with or modified," said Bluebox Security CTO Jeff Forristal. "This vulnerability makes it possible to change an application's code without affecting the cryptographic signature."
 



Talk about the Android operating system being less secure than other mobile platforms is nothing new. Neither are studies that set out to prove the point.

But a report from start-up Bluebox Security's research team, Bluebox Labs, is highlighting a recently discovered vulnerability in Android's security model that allows a hacker to modify APK code without breaking an application's cryptographic signature. The result: the bug can turn any legitimate application into a malicious Trojan without an app store, the phone or the end user ever discovering it.

"The implications are huge!" said Jeff Forristal, Bluebox chief technology officer, writing in a blog post. "This vulnerability, around at least since the release of Android 1.6 (codename: "Donut"), could affect any Android phone released in the last 4 years -- or nearly 900 million devices -- and depending on the type of application, a hacker can exploit the vulnerability for anything from data theft to creation of a mobile botnet."

A Slick Move

According to Forristal, here's how it works: The vulnerability involves discrepancies in how Android applications are cryptographically verified and installed, allowing for APK code modification without breaking the cryptographic signature.

"All Android applications contain cryptographic signatures, which Android uses to determine if the app is legitimate and to verify that the app hasn't been tampered with or modified," he explained. "This vulnerability makes it possible to change an application's code without affecting the cryptographic signature of the application -- essentially allowing a malicious author to trick Android into believing the app is unchanged even if it has been."

Forristal noted that details of Android security bug 8219321 were responsibly disclosed through Bluebox Security's close relationship with Google in February 2013. It's up to device manufacturers to produce and release firmware updates for mobile devices -- and for users to install these updates.

Risk Overblown?

As Forristal sees it, the risk is great for both the individual and the enterprise because a malicious app can access individual data, or gain entry into a corporation. He said the Trojan could give bad actors access to the Android system and all apps, data, e-mail, text messages and documents, as well as retrieve all stored account and service passwords.

What's more, he said it can "essentially take over the normal functioning of the phone and control any function," including making arbitrary phone calls, send arbitrary SMS messages, turning on the camera, and recording calls. Hackers could even turn the phone into a zombie to create a botnet.

Should Android users be scared? Roger Entner, a wireless industry analyst at Recon Analytics, doesn't think so. He told us vulnerabilities in Android do exist, but many times security vendors are offering solutions for problems that don't exist on a wide scale.

"Some security companies publish case studies on what could happen and say you need their antivirus solution even though the virus has never been seen in the wild," Entner said. "They are offering a vaccine to a virus that they are making themselves and saying 'this could be out there.' We haven't seen viruses or malware even in an insignificant fashion in the wild."
 

Tell Us What You Think
Comment:

Name:

Thomas Swift:

Posted: 2013-07-08 @ 2:05am PT
"It's up to device Relevant Products/Services manufacturers to produce and release firmware updates for mobile devices -- and for users to install these updates." what percent of Android phones from Pay-as-you-go vendors relieve updates and patches? How many actually use anti-virus?

Jon Anderson:

Posted: 2013-07-05 @ 11:14am PT
Roger Entner, sir, you are possibly years behind in security news. Here's a nicely compiled list of in the wild android malware:

http://forensics.spreitzenbarth.de/android-malware/

"We haven't seen viruses or malware even in an insignificant fashion in the wild."

Guess we know which company to avoid!



APC has an established a reputation for solid products that virtually pay for themselves upon installation. Who has time to spend worrying about system downtime? APC makes it easy for you to focus on business growth instead of business downtime with reliable data center systems and IT solutions. Learn more here.


 Mobile Tech
1.   Virgin Mobile Offers Custom Plans
2.   Asana Revamps Mobile App
3.   Android 'Fake ID' Puts Millions at Risk
4.   FTC Wants Fix for Mobile Cramming
5.   Facebook To Force Use of Messenger


advertisement
Android 'Fake ID' Puts Millions at Risk
Users: stick to apps from Google Play.
Average Rating:
Dell, BlackBerry Downplay Threat
Say Apple-IBM alliance can't hurt them.
Average Rating:
BlackBerry Acquires Secusmart
German security firm offers street cred.
Average Rating:
Product Information and Resources for Technology You Can Use To Boost Your Business

Network Security Spotlight
Tor Internet Privacy Service Warns Users It Was Breached
You may never have heard of the Tor Project, but the Internet privacy service is making headlines. Tor’s devs say users might be victims of an attack launched against the project earlier this year.
 
Canadian Government Charges China With Cyberattack
The government of Canada is not happy with China. Canadian officials have accused "a highly sophisticated Chinese state-sponsored actor" of launching a cyberattack on its National Research Council.
 
Researchers Working To Fix Tor Security Exploit
Developers for the Tor privacy browser are scrambling to fix a bug revealed Monday that researchers say could allow hackers, or government surveillance agencies, to track users online.
 

Enterprise Hardware Spotlight
Apple Updates MacBook Pros, Cuts Prices Up to $100
The popular MacBook Pro laptop line just got an update and a price cut of as much as $100. The MacBook Pro with Retina display now includes faster processors and double the memory.
 
Dell, BlackBerry Not Sweating Apple-IBM Alliance
IBM's recent move to partner with Apple to sell iPhones and iPads loaded with corporate applications has excited investors in both companies, but two rivals say they are unperturbed for now.
 
Watson Gets His First Customer Service Gig
Since appearing on Jeopardy, IBM's Watson supercomputer has been making a living using his super-intelligent knowledge base for business verticals. Now, Watson's been hired for his first customer service job.
 

Mobile Technology Spotlight
Virgin Mobile Offers Custom Smartphone Plans
As the wireless carrier wars continue heating up, Virgin Mobile just threw the customization coal onto the fire. The firm has debuted a no-annual-contract plan with rates based on individual use.
 
Collaboration Provider Asana Revamps Mobile App
Asana, a collaboration software provider started by a Facebook founder, is now out with a rebuilt native iOS mobile app. It replaces one that even the company admits was not up to par.
 
Facebook: You Will Use Messenger, and You Will Like It
Starting this week, Facebook users with Android and iOS phones will be forced to use the separate Messenger app to send Facebook messages. Pending messages will still be visible in the main app.
 

Navigation
NewsFactor Network
Home/Top News | Enterprise I.T. | Cloud Computing | Applications | Hardware | Mobile Tech | Big Data | Communications
World Wide Web | Network Security | Data Storage | CRM Systems | Microsoft/Windows | Apple/Mac | Linux/Open Source | Personal Tech
Press Releases
NewsFactor Network Enterprise I.T. Sites
NewsFactor Technology News | Enterprise Security Today | CRM Daily

NewsFactor Business and Innovation Sites
Sci-Tech Today | NewsFactor Business Report

NewsFactor Services
FreeNewsFeed | Free Newsletters

About NewsFactor Network | How To Contact Us | Article Reprints | Careers @ NewsFactor | Services for PR Pros | Top Tech Wire | How To Advertise

Privacy Policy | Terms of Service
© Copyright 2000-2014 NewsFactor Network. All rights reserved. Article rating technology by Blogowogo. Member of Accuserve Ad Network.