Sport & Auto
- About Future
- Digital Future
- Cookies Policy
- Terms & Conditions
- Investor Relations
- Contact Future
The Black Hat USA 2013 security conference does not get underway until July 27, 2013, but there is already plenty to look forward to, with the folks at Bluebox Security dropping a bombshell by claiming to have unearthed a yawning hole in Android’s security fabric and promising to shed some technical light on the vulnerability during the upcoming conference.
Bluebox Security CTO Jeff Forristal announced the discovery in a blog post titled, rather chillingly, “uncovering Android master key that makes 99% of devices vulnerable.” According to the company, the said vulnerability makes it possible for a hacker to “modify APK code without breaking an application’s cryptographic signature, to turn any legitimate application into a malicious Trojan, completely unnoticed by the app store, the phone, or the end user.” With nearly 900 million devices running Android 1.6 or later believed to be affected by this vulnerability, the implications, says the company, are massive.
“While the risk to the individual and the enterprise is great (a malicious app can access individual data, or gain entry into an enterprise), this risk is compounded when you consider applications developed by the device manufacturers (e.g. HTC, Samsung, Motorola, LG) or third-parties that work in cooperation with the device manufacturer (e.g. Cisco with AnyConnect VPN) – that are granted special elevated privileges within Android – specifically System UID access,” the company’s CTO wrote.
“Installation of a Trojan application from the device manufacturer can grant the application full access to Android system and all applications (and their data) currently installed. The application then not only has the ability to read arbitrary application data on the device (email, SMS messages, documents, etc.), retrieve all stored account & service passwords, it can essentially take over the normal functioning of the phone and control any function thereof (make arbitrary phone calls, send arbitrary SMS messages, turn on the camera, and record calls),” Forristal further wrote, adding that the a hacker could also use it to create a botnet.
Based on the blog post, Bluebox has known about the bug since at least February, when it “responsibly disclosed” all the relevant technical details to Google.
“It’s up to device manufacturers to produce and release firmware updates for mobile devices (and furthermore for users to install these updates). The availability of these updates will widely vary depending upon the manufacturer and model in question.”
Follow Pulkit on Google+