Pierluigi Paganini July 05, 2013

Bluebox Labs recently discovered an Android vulnerability in the OS’s security model that allows hackers to attack 99% of Android devices on the market.

Android vulnerability allows app modification preserving signatures … this is the shocking discovery announced by Bluebox Labs.

During this week we have had the opportunity to discuss about mobile botnets and Android vulnerabilities, cybercrime and state sponsored hackers are targeting with increasing frequency this platforms exposing huge quantity of users to serious risks. No matter if we are speaking about IOS or Android OS, the level of menace is constantly increasing despite the level of awareness is growing too.

This time I’ll discuss about a new Android vulnerability discovered in the popular OS that could allow an attacker to gather the total control of user’s devices.

A hacker could exploit the Android vulnerability to send text messages, to make calls or to compromise a mobile devices making it part of a botnet.

The flaw practically affects any Android handset, uncovering Android master key 99% of devices is vulnerable to cyber attacks, this is the concerning revelation made Bluebox Security, an impressive figure if we think that almost 900 million Android devices globally are exposed to the cyber menace.

The Android vulnerability is not new, it has existed since at least Android 1.6, almost any devices produced during last which means that it potentially affects any Android device released during the last four years.

The repercussions are disturbing for private users, businesses and government offices running Android handsets.

The flaw allows attackers to modify any legitimate application, digitally signed, making possible to trust its code also if it is used for malicious purposed such as to steal data from victims to gain total control of the user’s handset.

“Bluebox Labs – recently discovered a vulnerability in Android’s security model that allows a hacker to modify APK code without breaking an application’s cryptographic signature, to turn any legitimate application into a malicious Trojan, completely unnoticed by the app store, the phone, or the end user. The implications are huge! This vulnerability, around at least since the release of Android 1.6 (codename: “Donut” ), could affect any Android phone released in the last 4 years1 – or nearly 900 million devices2– and depending on the type of application, a hacker can exploit the vulnerability for anything from data theft to creation of a mobile botnet.”

In effect the Android vulnerability allows the hacker to totally bypass Android’s security model based on app-signature, it is enough that the attacker will sign malicious code to obtain full control of the Android device, on the installed applications and data managed.

When users install an application on their devices, a sandbox it is created  for it, and Android archives its digital signature. Every successive updates will be allowed only if they are able to verify the digital signature related to the specific application and èreviously stored.

“This vulnerability makes it possible to change an application’s code without affecting the cryptographic signature of the application – essentially allowing a malicious author to trick Android into believing the app is unchanged even if it has been.”

Another concerning news is that Bluebox disclosed the flaw  in February informing Google, but no reply arrived in the company.

The principal manufacturers have the burdensome task to develop a patch, Samsung has already done it for the Galaxy S4 model and the initiative will be followed my other handset providers.

“The screenshot below demonstrates that Bluebox Security has been able to modify an Android device manufacturer’s application to the level that we now have access to any (and all) permissions on the device. In this case, we have modified the system-level software information about this device to include the name “Bluebox” in the Baseband Version string (a value normally controlled & configured by the system firmware).”

Fortunately Google has blocked the distribution of apps exploiting the Android vulnerability present in the Google Play, it is also requested to the users to follow simple recommendations.

• Device owners should be extra cautious in identifying the publisher of the app they want to download.
• Enterprises with BYOD implementations should use this news to prompt all users to update their devices, and to highlight the importance of keeping their devices updated.
• IT should see this vulnerability as another driver to move beyond just device management to focus on deep device integrity checking and securing corporate

Pierluigi Paganini

(Security Affairs – Android vulnerability, mobile)