News & Information for Technology Purchasers NewsFactor Sites:     Enterprise Security Today     CRM Daily     Business Report     Sci-Tech Today  
Home Enterprise I.T. Cloud Computing Applications Hardware More Topics...
Build Apps 5x Faster
For Half the Cost Enterprise Cloud Computing
You are here: Home / World Wide Web / Android Security Flaw Is Widespread
DDoS Protection Powered By Verisign
Android Security Flaw Allows Malicious Code To Go Unseen
Android Security Flaw Allows Malicious Code To Go Unseen
By Jennifer LeClaire / NewsFactor Network Like this on Facebook Tweet this Link thison Linkedin Link this on Google Plus

Talk about the Android operating system being less secure than other mobile platforms is nothing new. Neither are studies that set out to prove the point.

But a report from start-up Bluebox Security's research team, Bluebox Labs, is highlighting a recently discovered vulnerability in Android's security model that allows a hacker to modify APK code without breaking an application's cryptographic signature. The result: the bug can turn any legitimate application into a malicious Trojan without an app store, the phone or the end user ever discovering it.

"The implications are huge!" said Jeff Forristal, Bluebox chief technology officer, writing in a blog post. "This vulnerability, around at least since the release of Android 1.6 (codename: "Donut"), could affect any Android phone released in the last 4 years -- or nearly 900 million devices -- and depending on the type of application, a hacker can exploit the vulnerability for anything from data theft to creation of a mobile botnet."

A Slick Move

According to Forristal, here's how it works: The vulnerability involves discrepancies in how Android applications are cryptographically verified and installed, allowing for APK code modification without breaking the cryptographic signature.

"All Android applications contain cryptographic signatures, which Android uses to determine if the app is legitimate and to verify that the app hasn't been tampered with or modified," he explained. "This vulnerability makes it possible to change an application's code without affecting the cryptographic signature of the application -- essentially allowing a malicious author to trick Android into believing the app is unchanged even if it has been."

Forristal noted that details of Android security bug 8219321 were responsibly disclosed through Bluebox Security's close relationship with Google in February 2013. It's up to device manufacturers to produce and release firmware updates for mobile devices -- and for users to install these updates.

Risk Overblown?

As Forristal sees it, the risk is great for both the individual and the enterprise because a malicious app can access individual data, or gain entry into a corporation. He said the Trojan could give bad actors access to the Android system and all apps, data, e-mail, text messages and documents, as well as retrieve all stored account and service passwords.

What's more, he said it can "essentially take over the normal functioning of the phone and control any function," including making arbitrary phone calls, send arbitrary SMS messages, turning on the camera, and recording calls. Hackers could even turn the phone into a zombie to create a botnet.

Should Android users be scared? Roger Entner, a wireless industry analyst at Recon Analytics, doesn't think so. He told us vulnerabilities in Android do exist, but many times security vendors are offering solutions for problems that don't exist on a wide scale.

"Some security companies publish case studies on what could happen and say you need their antivirus solution even though the virus has never been seen in the wild," Entner said. "They are offering a vaccine to a virus that they are making themselves and saying 'this could be out there.' We haven't seen viruses or malware even in an insignificant fashion in the wild."

Tell Us What You Think


Thomas Swift:

Posted: 2013-07-08 @ 2:05am PT
"It's up to device Relevant Products/Services manufacturers to produce and release firmware updates for mobile devices -- and for users to install these updates." what percent of Android phones from Pay-as-you-go vendors relieve updates and patches? How many actually use anti-virus?

Jon Anderson:

Posted: 2013-07-05 @ 11:14am PT
Roger Entner, sir, you are possibly years behind in security news. Here's a nicely compiled list of in the wild android malware:

"We haven't seen viruses or malware even in an insignificant fashion in the wild."

Guess we know which company to avoid!

Like Us on FacebookFollow Us on Twitter
MAY BE OF INTEREST is the market and technology leader in Software-as-a-Service. Its award-winning CRM solution helps 82,400 customers worldwide manage and share business information over the Internet. Experience CRM success. Click here for a FREE 30-day trial.
Product Information and Resources for Technology You Can Use To Boost Your Business

Network Security Spotlight
Russian Gang with Stolen IDs Hacks Hosting Company
In August, a Russian cyber gang obtained what researchers called “the largest cache of stolen data." Now, those hackers may be putting their ill-gotten gains to criminal use.
Dairy Queen Latest Retailer To Report Hack
Known for its hot fries and soft-serve ice cream, Dairy Queen just made cyber history as the latest victim of a hack attack. The fast food chain said that customer data at some stores may be at risk.
Lessons from the JPMorgan Chase Cyberattack
JPMorgan Chase is investigating a likely cyberattack. The banking giant is cooperating with law enforcement, including the FBI, to understand what data hackers may have obtained.

Enterprise Hardware Spotlight
AMD's New FX Series CPU Breaks Processing Speed Record
The new FX-8370 processor from Advanced Micro Devices has set a record for silicon processor speed, the company announced. Overclocked, the eight-core chip was measured at 8722.78 MHz.
Intel Intros Lightning-Fast PC Processors
Call it extreme. Intel just took the covers off its first-ever eight-core desktop processor, which is aimed at hardcore power users who expect more than the status quo from their computers.
HP Previews ProLiant Gen9 Data Center Servers
Because traditional data center and server architectures are “constraints” on businesses, HP is releasing new servers aimed at faster, simpler and more cost-effective delivery of computing services.

Mobile Technology Spotlight
Rumor Mill Puts Mobile Wallet in iPhone 6
Apple is moving toward the mobile wallet world with its next iPhone. The tech giant has partnered with retailers, banks and major payment networks to make it happen, according to Bloomberg.
Will iPhone Finally Catch Up with NFC Mobile Payment Ability?
Apple's latest version of the iPhone may have a mobile wallet to pay for purchases with a tap of the phone. The iPhone 6 reportedly is equipped with near-field communication (NFC) technology.
Visual Search To Shop: Gimmick or Game Changing?
Imagine using your phone to snap a photo of the cool pair of sunglasses your friend is wearing and instantly receiving a slew of information about the shades along with a link to order them.

NewsFactor Network
Home/Top News | Enterprise I.T. | Cloud Computing | Applications | Hardware | Mobile Tech | Big Data | Communications
World Wide Web | Network Security | CRM Systems | Microsoft/Windows | Apple/Mac | Linux/Open Source | Personal Tech | Press Releases
NewsFactor Network Enterprise I.T. Sites
NewsFactor Technology News | Enterprise Security Today | CRM Daily

NewsFactor Business and Innovation Sites
Sci-Tech Today | NewsFactor Business Report

NewsFactor Services
FreeNewsFeed | Free Newsletters

About NewsFactor Network | How To Contact Us | Article Reprints | Careers @ NewsFactor | Services for PR Pros | Top Tech Wire | How To Advertise

Privacy Policy | Terms of Service
© Copyright 2000-2014 NewsFactor Network. All rights reserved. Article rating technology by Blogowogo. Member of Accuserve Ad Network.