News & Information for Technology Purchasers NewsFactor Sites:       NewsFactor.com     Enterprise Security Today     CRM Daily     Business Report     Sci-Tech Today  
   
Home Enterprise I.T. Cloud Computing Applications Hardware More Topics...
GET RECOGNIZED
Let an ISACA® certification elevate your career.
Register today and save
You are here: Home / Mobile Tech / Android Security Flaw Is Widespread
Gartner's #1 for endpoint backup
Android Security Flaw Allows Malicious Code To Go Unseen
Android Security Flaw Allows Malicious Code To Go Unseen
By Jennifer LeClaire / NewsFactor Network Like this on Facebook Tweet this Link thison Linkedin Link this on Google Plus
PUBLISHED:
JULY
05
2013



Talk about the Android operating system being less secure than other mobile platforms is nothing new. Neither are studies that set out to prove the point.

But a report from start-up Bluebox Security's research team, Bluebox Labs, is highlighting a recently discovered vulnerability in Android's security model that allows a hacker to modify APK code without breaking an application's cryptographic signature. The result: the bug can turn any legitimate application into a malicious Trojan without an app store, the phone or the end user ever discovering it.

"The implications are huge!" said Jeff Forristal, Bluebox chief technology officer, writing in a blog post. "This vulnerability, around at least since the release of Android 1.6 (codename: "Donut"), could affect any Android phone released in the last 4 years -- or nearly 900 million devices -- and depending on the type of application, a hacker can exploit the vulnerability for anything from data theft to creation of a mobile botnet."

A Slick Move

According to Forristal, here's how it works: The vulnerability involves discrepancies in how Android applications are cryptographically verified and installed, allowing for APK code modification without breaking the cryptographic signature.

"All Android applications contain cryptographic signatures, which Android uses to determine if the app is legitimate and to verify that the app hasn't been tampered with or modified," he explained. "This vulnerability makes it possible to change an application's code without affecting the cryptographic signature of the application -- essentially allowing a malicious author to trick Android into believing the app is unchanged even if it has been."

Forristal noted that details of Android security bug 8219321 were responsibly disclosed through Bluebox Security's close relationship with Google in February 2013. It's up to device manufacturers to produce and release firmware updates for mobile devices -- and for users to install these updates.

Risk Overblown?

As Forristal sees it, the risk is great for both the individual and the enterprise because a malicious app can access individual data, or gain entry into a corporation. He said the Trojan could give bad actors access to the Android system and all apps, data, e-mail, text messages and documents, as well as retrieve all stored account and service passwords.

What's more, he said it can "essentially take over the normal functioning of the phone and control any function," including making arbitrary phone calls, send arbitrary SMS messages, turning on the camera, and recording calls. Hackers could even turn the phone into a zombie to create a botnet.

Should Android users be scared? Roger Entner, a wireless industry analyst at Recon Analytics, doesn't think so. He told us vulnerabilities in Android do exist, but many times security vendors are offering solutions for problems that don't exist on a wide scale.

"Some security companies publish case studies on what could happen and say you need their antivirus solution even though the virus has never been seen in the wild," Entner said. "They are offering a vaccine to a virus that they are making themselves and saying 'this could be out there.' We haven't seen viruses or malware even in an insignificant fashion in the wild."

Tell Us What You Think
Comment:

Name:

Thomas Swift:

Posted: 2013-07-08 @ 2:05am PT
"It's up to device Relevant Products/Services manufacturers to produce and release firmware updates for mobile devices -- and for users to install these updates." what percent of Android phones from Pay-as-you-go vendors relieve updates and patches? How many actually use anti-virus?

Jon Anderson:

Posted: 2013-07-05 @ 11:14am PT
Roger Entner, sir, you are possibly years behind in security news. Here's a nicely compiled list of in the wild android malware:

http://forensics.spreitzenbarth.de/android-malware/

"We haven't seen viruses or malware even in an insignificant fashion in the wild."

Guess we know which company to avoid!

Like Us on FacebookFollow Us on Twitter
TOP STORIES NOW
MAY BE OF INTEREST
Protect 100% of your Data The prevalence of laptops and mobile devices in the enterprise makes corporate data increasingly vulnerable to loss and breach. And yet, workforce productivity is now inextricably linked to mobility. Click here to access the white paper "Top 10 Endpoint Backup Mistakes" to learn more about how to confidently protect data across platforms and devices while also providing features designed to enhance the end user experience.
MORE IN MOBILE TECH
Product Information and Resources for Technology You Can Use To Boost Your Business

Network Security Spotlight
Dairy Queen Latest Retailer To Report Hack
Dairy Queen is known for its hot fries and sweet treats, but it just made cyber history as the latest victim of a hack attack. The fast food chain said that customer data at some stores may be at risk.
 
Lessons from the JPMorgan Chase Cyberattack
JPMorgan Chase is investigating a likely cyberattack. The banking giant is cooperating with law enforcement, including the FBI, to understand what data hackers may have obtained.
 
Who Is the Hacker Group Lizard Squad?
Are they dangerous or just obnoxious? That’s what many are wondering about the hacker group Lizard Squad, which tweeted out a bomb threat that grounded a flight with a Sony exec aboard.
 

Enterprise Hardware Spotlight
Intel Intros Lightning-Fast PC Processors
Call it extreme. Intel just took the covers off its first-ever eight-core desktop processor, which is aimed at hardcore power users who expect more than the status quo from their computers.
 
HP Previews ProLiant Gen9 Data Center Servers
Because traditional data center and server architectures are “constraints” on businesses, HP is releasing new servers aimed at faster, simpler and more cost-effective delivery of computing services.
 
Apple Set To Release Largest iPad Ever
Tech giant Apple seems to have adopted the mantra “go big or go home.” The company is planning to introduce its largest iPad ever: a 12.9-inch behemoth that will dwarf its largest existing models.
 

Mobile Technology Spotlight
iWatch Watch: What Will Apple Ask Us To Wear?
There are still more questions than answers when it comes to details about the smart watch Apple seems poised to debut on Sept. 9. In fact, nobody seems completely sure that it will be a smart watch at all.
 
Samsung Maps Its Way with Nokia's 'Here' App for Galaxy Phones
Korean electronics giant Samsung has opted to license Here, Nokia’s mapping app -- formerly known as Nokia Maps -- for its Tizen-powered smart devices and Samsung Gear S wearable.
 
Will iPhone Finally Catch Up with NFC Mobile Payment Ability?
Apple's latest version of the iPhone may have a mobile wallet to pay for purchases with a tap of the phone. The iPhone 6 reportedly is equipped with near-field communication (NFC) technology.
 

Navigation
NewsFactor Network
Home/Top News | Enterprise I.T. | Cloud Computing | Applications | Hardware | Mobile Tech | Big Data | Communications
World Wide Web | Network Security | Data Storage | CRM Systems | Microsoft/Windows | Apple/Mac | Linux/Open Source | Personal Tech
Press Releases
NewsFactor Network Enterprise I.T. Sites
NewsFactor Technology News | Enterprise Security Today | CRM Daily

NewsFactor Business and Innovation Sites
Sci-Tech Today | NewsFactor Business Report

NewsFactor Services
FreeNewsFeed | Free Newsletters

About NewsFactor Network | How To Contact Us | Article Reprints | Careers @ NewsFactor | Services for PR Pros | Top Tech Wire | How To Advertise

Privacy Policy | Terms of Service
© Copyright 2000-2014 NewsFactor Network. All rights reserved. Article rating technology by Blogowogo. Member of Accuserve Ad Network.