According to Bluebox Security CTO Jeff Forristal, who made a very high-level post on the company's blog on how the vulnerability works, applications could be modified to do things like steal data or connect to a botnet and go completely unnoticed by the app store, phone, and end user.
"This vulnerability, around at least since the release of Android 1.6, could affect any Android phone released in the last four years — or nearly 900 million devices."
The core issue behind the vulnerability revolves around how Android applications are verified and installed. Each application carries a cryptographic signature to ensure that the contents of the application have not been tampered with. The vulnerability, however, allows an attacker to change the contents of an application while leaving the signature intact.
That description suggests the vulnerability may be a simple cryptographic hash collision attack, often made possible by a poor choice of hashing algorithm; however, Forristal's post doesn't go into further detail.
"This vulnerability makes it possible to change an application's code without affecting the cryptographic signature of the application — essentially allowing a malicious author to trick Android into believing the app is unchanged even if it has been."
Forristal claims that Bluebox notified Google of the vulnerability in February this year, and that it was assigned the Android security bug identifier 8219321. Google declined to comment on whether it was even aware of the alleged vulnerability, or whether it had been contacted by Bluebox. The vulnerability is not noted in the issue tracker for the Android Open Handset Alliance Project, whose issue IDs only go up to the 57,000 range at this point in time.
The company has not yet released any proof-of-concept code, but claims that it was able to modify system-level software information on an HTC phone running Android, providing a screenshot on its blog.
If its claims are true, a repackaged application would have full access to the Android system and any of its applications. According to Bluebox, this includes reading any data on the device, stealing account passwords, making calls and sending texts, activating onboard hardware such as the camera or microphone, and, in an extreme case, opening mobile devices up to becoming drones in a mobile botnet.
Forristal said that fixing the problem will be the responsibility of device manufacturers such as HTC and Samsung, as they will need to release firmware updates. Users themselves will also then need to know to install the patch, assuming one is made available.
Bluebox CTO Jeff Forristal confirmed to CIO that Samsung has already issued a fix for the Galaxy S4, which is the only smartphone now immune to the vulnerability. Google was notified about the exploit in February and is said to be working on a fix for its Nexus devices.