Bluebox Security has discovered a vulnerability in Android’s security model that could allow a hacker to modify APK code without invalidating the app’s cryptographic signature. This, they say, could potentially turn any legitimate app on any one of 900m devices worldwide into a malicious Trojan, or turn phones into zombie devices for botnet attacks.
The Bluebox Security research team say the vulnerability has existed since the release of Android 1.6 (Donut) and could affect any Android device released in the last four years – that’s up to 900m devices.
Depending on the type of application, Bluebox says a hacker can exploit the vulnerability for anything from data theft to the creation of a mobile botnet.
The risk, it says, is compounded when you consider applications developed by the device manufacturers (including HTC, Samsung, Motorola and LG) or by third parties, which are granted special elevated system UID privileges within Android.
“Installation of a Trojan application from the device manufacturer can grant the application full access to Android system and all applications (and their data) currently installed,” said Jeff Forristal, CTO of Bluebox.
Forristal will be releasing details of the issue at his Black Hat USA 2013 talk later this month.
Smartphones could be harnessed for zombie botnet attacks
“The application then not only has the ability to read arbitrary application data on the device (email, SMS messages, documents), retrieve all stored account and service passwords, it can essentially take over the normal functioning of the phone and control any function thereof (make arbitrary phone calls, send arbitrary SMS messages, turn on the camera, and record calls). Finally, and most unsettling, is the potential for a hacker to take advantage of the always-on, always-connected, and always-moving (therefore hard-to-detect) nature of these ‘zombie’ mobile devices to create a botnet,” Forristal said.
The vulnerability involves discrepancies in how Android applications are cryptographically verified and installed, allowing for APK code modification without breaking the cryptographic signature.
“All Android applications contain cryptographic signatures, which Android uses to determine if the app is legitimate and to verify that the app hasn’t been tampered with or modified. This vulnerability makes it possible to change an application’s code without affecting the cryptographic signature of the application – essentially allowing a malicious author to trick Android into believing the app is unchanged even if it has been.
“Details of Android security bug 8219321 were responsibly disclosed through Bluebox Security’s close relationship with Google in February 2013. It’s up to device manufacturers to produce and release firmware updates for mobile devices (and furthermore for users to install these updates). The availability of these updates will widely vary depending upon the manufacturer and model in question,” Forristal said.
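The flaw class the article describes, a verifier and an installer that read the same package differently, is what a package checker must rule out by design. As an added illustration (not Bluebox’s or Android’s code), the verifier below hashes each archive entry once against a manifest, refuses archives whose entry names repeat so there is nothing to disagree about, and hands the installer only the bytes it actually verified. The manifest layout, the SHA-256 digests and the `build_apk` fixture are constructed for this example; Android’s real JAR-signing scheme is more involved.

```python
"""Verify-what-you-install check for an APK-style ZIP (constructed example, not
Android's real verifier): hash each entry once, return exactly the hashed bytes."""
import hashlib, io, zipfile

MANIFEST = "META-INF/MANIFEST.MF"

def parse_manifest(text):
    """Parse 'Name:' / 'SHA-256-Digest:' pairs into {entry: hexdigest}."""
    digests, name = {}, None
    for line in text.splitlines():
        if line.startswith("Name: "):
            name = line[len("Name: "):]
        elif line.startswith("SHA-256-Digest: ") and name:
            digests[name], name = line[len("SHA-256-Digest: "):], None
    return digests

def verify_and_extract(apk_bytes):
    """{entry: bytes} if every entry matches its digest, else ValueError."""
    zf = zipfile.ZipFile(io.BytesIO(apk_bytes))
    names = [i.filename for i in zf.infolist()]
    if len(names) != len(set(names)):
        raise ValueError("duplicate entry names")  # ambiguous archive: refuse
    digests = parse_manifest(zf.read(MANIFEST).decode())
    verified = {}
    for info in zf.infolist():
        if info.filename == MANIFEST or info.is_dir():
            continue
        data = zf.read(info)  # these exact bytes are hashed and returned
        expected = digests.get(info.filename)
        if expected is None:
            raise ValueError(f"{info.filename} not covered by manifest")
        if hashlib.sha256(data).hexdigest() != expected:
            raise ValueError(f"digest mismatch for {info.filename}")
        verified[info.filename] = data
    return verified  # the installer consumes only these verified bytes

def build_apk(files, manifest_files=None):
    """Constructed fixture: ZIP `files` with a manifest covering `manifest_files`
    (default `files`); a different dict simulates content changed after signing."""
    covered = files if manifest_files is None else manifest_files
    lines = ["Manifest-Version: 1.0", ""]
    for name, data in covered.items():
        lines += [f"Name: {name}", f"SHA-256-Digest: {hashlib.sha256(data).hexdigest()}", ""]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(MANIFEST, "\n".join(lines))
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()
```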