A few days ago the researchers at Bluebox Security discovered a gaping hole in Android’s security model that can be exploited by hackers to convert genuine apps into malicious Trojans. Now, it seems Google has moved to fix this major security flaw in the system. The company’s Android Communications Manager Gina Scigliano told ZDNet that “a patch has been provided to our partners - some OEMs, like Samsung, are already shipping the fix to the Android devices."
She added, “We have not seen any evidence of exploitation in Google Play or other app stores via our security scanning tools. Google Play scans for this issue - and Verify Apps provides protection for Android users who download apps to their devices outside of Play.”
In a detailed post, Jeff Forristal, the Bluebox CTO, said that the flaw in Android’s security model has been around at least since the release of Android 1.6 and is likely to affect any Android phone released in the last 4 years (or nearly 900 million devices). Depending on what the hacker wants to accomplish, the security flaw can be exploited for anything from data theft to turning the phone into part of a mobile botnet.
The most dangerous vulnerability yet?
Once a malicious app is installed from the device manufacturer, it can get access to the Android system and other applications and their data. The malicious app can then read a user’s emails, SMS and documents; it can get all stored account and service passwords, and so on. All in all, the malicious app can take over the normal functioning of the phone and control any function thereof (make arbitrary phone calls, send arbitrary SMS messages, turn on the camera, and record calls).
As if that wasn’t scary enough, the post adds that the malicious app can create a mobile botnet. The flaw lies in how Android cryptographically verifies and installs apps: it allows APK code modification without breaking the cryptographic signature. Explaining this, he says that all apps within the Play store come with cryptographic signatures that Android uses to find out if a given app is legitimate and to ensure that it hasn’t been tampered with or modified. Owing to this vulnerability, it is possible to change an application’s code without affecting the app’s cryptographic signature in any way. Simply put, the malware manages to “trick” Android into believing that the app hasn’t been modified, even though it has been.
Forristal adds that the risk posed by such malware is manifold, especially when one considers the apps developed by device manufacturers or by third parties working with them.
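The article does not say how an APK can be altered without breaking its signature. As an added example (not from the article, Bluebox or Google), the pre-install check below targets one way such a mismatch can arise: a zip archive that lists the same entry name twice, so that a verifier and a loader resolving the name independently may end up reading different copies. The archive builder produces constructed test input, not a real APK.

```python
import io
import warnings
import zipfile
from collections import Counter


def build_constructed_archive(entries):
    """Build an in-memory zip from (name, data) pairs. Constructed test input,
    not a real APK: zipfile appends a second entry with a repeated name after
    only a UserWarning, which is what lets us reproduce the inconsistency."""
    buf = io.BytesIO()
    with warnings.catch_warnings(), zipfile.ZipFile(buf, "w") as zf:
        warnings.simplefilter("ignore")
        for name, data in entries:
            zf.writestr(name, data)
    return buf.getvalue()


def duplicate_entries(archive):
    """Return {name: count} for every entry name listed more than once in the
    central directory. An APK with any duplicates should be rejected before
    install: a verifier and a loader may resolve the name to different copies."""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        counts = Counter(info.filename for info in zf.infolist())
    return {name: n for name, n in counts.items() if n > 1}


def read_first_copy(archive, name):
    """Content of the first entry carrying this name (directory walked in order)."""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            if info.filename == name:
                return zf.read(info)
    raise KeyError(name)


def read_last_copy(archive, name):
    """Content zipfile returns for a lookup by name: its name table keeps the
    last entry seen, so a consumer using this path gets the other copy."""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        return zf.read(name)


if __name__ == "__main__":
    manifest = ("AndroidManifest.xml", b"<manifest/>")
    clean = build_constructed_archive([manifest, ("classes.dex", b"dex:copy-1")])
    doubled = build_constructed_archive(
        [manifest, ("classes.dex", b"dex:copy-1"), ("classes.dex", b"dex:copy-2")])
    print(duplicate_entries(clean))     # {}
    print(duplicate_entries(doubled))   # {'classes.dex': 2}
    print(read_first_copy(doubled, "classes.dex"), read_last_copy(doubled, "classes.dex"))
```

The last line shows two readers of the same archive disagreeing about what `classes.dex` contains, which is exactly why the duplicate-name check has to run before any signature-based trust decision.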